
Hardeep Singh Tiwana

Part 2: Kubernetes Backup on Managed Services: What Changes When You Use EKS?

In my previous blog post, I covered Kubernetes backup strategies for self-managed clusters, highlighting cost, security, and availability. But what happens when you’re using a managed Kubernetes service like Amazon Elastic Kubernetes Service (EKS)? Let’s dive into the key differences and best practices for backing up Kubernetes on managed platforms.

The Big Shift: Managed Control Plane

With managed Kubernetes services like Amazon EKS, AWS handles the control plane—including etcd, the API server, and scheduler. You don’t have direct access to etcd or the control plane components. This means you can’t perform traditional etcd snapshots as you would on a self-managed cluster. Instead, your backup strategy must focus on what you can control:

  • Kubernetes objects (Deployments, Services, ConfigMaps, Secrets, etc.)
  • Persistent data (EBS volumes used by your workloads)
  • Application configurations and manifests

What to Back Up on EKS

  • Kubernetes Objects: Anything you create or manage via the Kubernetes API—workloads, configurations, and policies.
  • Persistent Volumes: Data stored on EBS volumes attached to your pods.
  • Networking and Security: Ingress, Network Policies, and RBAC rules.
  • Application Data: For databases or stateful apps, use application-aware backups for consistency.

How to Back Up on EKS

Use Velero for Kubernetes Object Backup

Velero is the go-to tool for backing up and restoring Kubernetes resources on EKS. It works directly with the Kubernetes API, so it’s perfect for managed services where you can’t access etcd. Velero can back up:

  • All resources in a namespace or across the cluster
  • Persistent volumes (with the right configuration)
  • Custom resources and configurations

Velero supports scheduling and retention policies, and it can store backups in S3, which integrates well with AWS security and cost controls.

Back Up Persistent Data

For stateful applications, use Velero’s volume snapshot feature to back up EBS volumes. This ensures your data is protected and can be restored if needed. You can also use application-specific backup tools for databases (e.g., pg_dump, mysqldump) and store the output in S3.

Automate and Test

  • Schedule regular backups to minimize data loss.
  • Automate retention to delete old backups and control costs.
  • Test restores to ensure your backups are valid and your recovery process works.

Security and Availability

  • Encryption: Encrypt backups at rest with AWS KMS, and make sure they are also encrypted in transit.
  • Immutable Backups: Store backups in S3 with Object Lock to prevent tampering or deletion.
  • Multi-Region Storage: Replicate backups across regions for disaster recovery.
  • Access Control: Use IAM and RBAC to restrict who can create, delete, or restore backups.
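
As an added example (not code from the original post), the checks in this list can be turned into an audit of the backup bucket's settings. It assumes the settings were already fetched with boto3's get_bucket_encryption, get_bucket_policy, get_object_lock_configuration and get_bucket_replication; the function name, the dict keys and both sample inputs are hypothetical and constructed for illustration.

```python
import json

def audit_backup_bucket(cfg, backup_ttl_days):
    """List gaps between a backup bucket's settings and the checklist above.
    cfg maps hypothetical keys to boto3-shaped responses; a missing key means 'not configured'."""
    findings = []
    # At rest: default encryption must use a KMS key, not SSE-S3 (AES256).
    rules = cfg.get("encryption", {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm", "") for r in rules]
    if not any(a.startswith("aws:kms") for a in algos):
        findings.append("no default KMS encryption")
    # In transit: the bucket policy must deny requests made without TLS.
    stmts = json.loads(cfg.get("policy", {}).get("Policy", "{}")).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    if not any(s.get("Effect") == "Deny" and str(s.get("Condition", {}).get("Bool", {})
               .get("aws:SecureTransport")).lower() == "false" for s in stmts):
        findings.append("policy does not deny non-TLS requests")
    # Immutability: Object Lock needs a default retention covering the backup lifetime.
    lock = cfg.get("object_lock", {}).get("ObjectLockConfiguration", {})
    ret = lock.get("Rule", {}).get("DefaultRetention", {})
    if lock.get("ObjectLockEnabled") != "Enabled" or not ret:
        findings.append("Object Lock default retention not set")
    else:
        if ret.get("Mode") != "COMPLIANCE":
            findings.append("GOVERNANCE mode can be bypassed by privileged principals")
        if ret.get("Days", 0) + 365 * ret.get("Years", 0) < backup_ttl_days:
            findings.append("lock expires before the backup retention period ends")
    # Disaster recovery: an enabled replication rule (verify the target region separately).
    rep = cfg.get("replication", {}).get("ReplicationConfiguration", {}).get("Rules", [])
    if not any(r.get("Status") == "Enabled" for r in rep):
        findings.append("no enabled replication rule")
    return findings

# Constructed sample inputs, not taken from a real account.
WEAK = {
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "object_lock": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled", "Rule": {
        "DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}},
}
HARDENED = {
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/example-backup-key"}}]}},
    "policy": {"Policy": json.dumps({"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-backups/*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})},
    "object_lock": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled", "Rule": {
        "DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}},
    "replication": {"ReplicationConfiguration": {"Rules": [{"Status": "Enabled",
        "Destination": {"Bucket": "arn:aws:s3:::example-backups-replica"}}]}},
}
```

Calling audit_backup_bucket(WEAK, 30) reports every gap in the weak configuration, while the hardened one returns an empty list for the same 30-day retention period.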

Cost Considerations

  • Storage Tiering: Move older backups to cheaper storage like S3 Glacier to save money.
  • Incremental Backups: Only back up changed data to reduce storage and bandwidth costs.
  • Retention Policies: Automatically delete old backups to avoid unnecessary charges.

What You Can’t Back Up

  • Control Plane/etcd: Managed by AWS, not accessible for direct backup.
  • Node-Level State: Unless you use custom tools or scripts, node-level state is typically not backed up by default.

Summary Table

| Backup Target       | Self-Managed Kubernetes        | EKS (Managed Kubernetes)         |
|---------------------|--------------------------------|----------------------------------|
| etcd/Control Plane  | Yes (manual snapshots)         | No (managed by AWS)              |
| Kubernetes Objects  | Yes (Velero, etcdctl)          | Yes (Velero via API)             |
| Persistent Volumes  | Yes (Velero, volume snapshots) | Yes (Velero, EBS snapshots)      |
| Application Data    | Yes (app-aware tools)          | Yes (app-aware tools, S3 storage)|
| Networking/Security | Yes (Velero, GitOps)           | Yes (Velero, GitOps)             |

Best Practices

  • Use Velero for disaster recovery and migration.
  • Automate backups and retention to control costs.
  • Encrypt and protect backups with AWS security features.
  • Test your restore process regularly.
  • Store backups in multiple regions for resilience.


In summary:
When using managed Kubernetes services like EKS, your backup strategy shifts to focus on Kubernetes objects, persistent data, and application configurations—leveraging tools like Velero and AWS storage features for a robust, cost-effective, and secure approach.
