Scribd
Upload
77 views

NetBackup103 Kubernetes Installation and Configuration Guide

Uploaded by

badboy2th
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
77 views

NetBackup103 Kubernetes Installation and Configuration Guide

Uploaded by

badboy2th
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 60

NetBackup Kubernetes

Installation and Configuration Guide


Release 10.3
Ports and requirements

2 Copyright © 2023 Veritas Technologies, LLC


Ports required for communication
Port number From To Used for

Kubernetes HTTPS communications


(6)(8)443 Primary Server
cluster
Kubernetes HTTPS communications
443 Media Servers
cluster
For certificate deployment
1556 outbound Kubernetes cluster Primary Server and PBX communication
with the Primary Server
1556 outbound Kubernetes cluster Media Servers For certificate deployment

13724 bi-
Kubernetes cluster Primary Server VNETD for data movement
directional
13724 bi- VNETD for data movement
Kubernetes cluster Media Servers
directional
Deployment - Prerequisites for NetBackup Kubernetes Operators

➢ Check the SCL and HCL guide for supported configurations.


➢ Kubernetes operator requires 10Gi of storage, 100m CPU and 500Mi memory up to 150m max CPU and
600mi memory. All configuration is done during deployment.
➢ Kubernetes Operator requires administrative privileges to install.
➢ Customers either need access to a local repository to place the NBUKops and data mover packages for
deployment. Or customers need internet access to the Veritas Customer Repository and use whatever tools
customer generally use to copy mentioned packages into their local repository.
➢ A namespace must be configured to deploy the NBUKops image and data mover packages.
➢ Primary and Media servers must be created with FQDN, if they are created with short names. For more
information, refer the section Prerequisites for backup from snapshot and restore from backup operations
(Point 3 and 8) in the NetBackup Web UI Kubernetes Administrator’s Guide.
➢ Namespaces with persistent storage must use CSI enabled storage with snapshot support, for more details
refer to the HCL list. NBUKops supports only snapshot API version ‘v1’ for backup operations.
➢ Kubernetes supports DTE mode setting, Customer can configure DTE mode setting that is set on the
datamover via backupserver specific configmap. Data-in-transit encryption of backup images is carried out
based on the global DTE mode and the client DTE mode.
Upgrade

5 Copyright © 2023 Veritas Technologies, LLC


Upgrade
➢ All components (NBU Primary, Media, Kubernetes operators, and Data mover) must be same
version.
➢ Existing policies continue to take backups but must be restored manually until the Kubernetes
operator is updated.
Note: This is applicable to the NetBackup version 9.1 to 10.x upgrade.
Download the Veritas Kubernetes packages
and load NetBackup Kubernetes Operator
and Data mover into local registry

7 Copyright © 2023 Veritas Technologies, LLC


Download and extract Veritas Kubernetes packages
Get packages from VEMS

1. Go to the support.veritas.com, to log onto the Veritas Entitlement Management System (VEMS)
and the, sign in and click Licensing.
2. Click Entitlements (within Veritas Entitlement Management System main menu).
3. Click More Options to expand filters.
4. Set the Product Line filter to NetBackup and click Apply Filters.
5. Look for entitlement's references, the version matches to the release note mentioned in the subject
line.
6. To access your new software and license key(s) utilize the Download Software and Generate
License buttons located in the Actions column.
7. You must download two packages:
➢ NetBackup Kubernetes operator package (netbackupkops-10.3.tar.gz).
➢ NetBackup Data mover image (veritasnetbackup-datamover-10.3.tar).

8 Copyright © 2023 Veritas Technologies, LLC


Download and extract Veritas Kubernetes packages
Package names and content

9. Extract the package to the home directory of a system that has access to the cluster where you can
run kubectl commands. The netbackupkops-helm-chart is part of the KOps package and is in the
home directory.
10. To list all cluster contexts, run the following command: kubectl config get-contexts
11. To switch to the cluster where you want to deploy the operator service, run the following command:
kubectl config use-context <cluster-context-name>

9 Copyright © 2023 Veritas Technologies, LLC


Add the Kubernetes operator into your local registry
Follow these steps only if you have a private docker registry

1. Create a secret netbackupkops-docker-cred in the NetBackup namespace if container registry


requires authentication. This secret is not needed if authentication is not configured.
To log on to the private container registry, run the following command:
docker login -u <username> <container-registry-url>
2. After logging in, the config.json file containing the authorization token is created or updated. To view
the config.json file, run the following command:
cat ~/.docker/config.json
The output looks like below:
{
"auths": {
"https://index.docker.io/v1/": {
"auth": "c3R...zE2"
}}
}

10 Copyright © 2023 Veritas Technologies, LLC


Add the Kubernetes operator into your local registry
Follow these steps only if you have a private docker registry

3. To create a secret named netbackupkops-docker-cred in the NetBackup namespace, run the


following command:
kubectl create secret generic netbackupkops-docker-cred \ --from-
file=.dockerconfigjson=.docker/config.json \ --type=kubernetes.io/dockerconfigjson -n <name of the
namespace where the NetBackup operator will be deployed>
4. To check if the secret netbackupkops-docker-cred is created in the NetBackup namespace, run the
following command:
kubectl get secrets -n <name of the namespace where the NetBackup operator will be deployed>

11 Copyright © 2023 Veritas Technologies, LLC


Add the Kubernetes operator into your local registry
Push the Kubernetes Operator images to your registry

5. To load the image to the docker cache and push the image to the docker image repository, run the
following commands:
➢ docker load -i <name of the tar file>
➢ docker tag <image name:tag of the loaded image> <repo-name/image-name:tag-name>
➢ docker push <repo-name/image-name:tag-name>

6. Open the netbackupkops-helm-chart/values.yaml file in a text editor and then replace the value for
image in the manager section, with your netbackupkops repo image name and tag repo-
name/image-name:tag-name and then save the file

12 Copyright © 2023 Veritas Technologies, LLC


Add the Data mover to your local registry

To load the image to the docker cache and push the image to the docker image repository, run the
following commands:
➢ docker load -i <name of the datamover image tar file>
➢ docker tag <datamover image name:tag of the loaded datamover image> <repo-name/image-
name:tag-name>
➢ docker push <repo-name/image-name:tag-name>

13 Copyright © 2023 Veritas Technologies, LLC


APPENDIX
The following slides show steps that have been replaced with an automated
process. If you want to run the manual configuration then, run the steps
manually.

14 Copyright © 2023 Veritas Technologies, LLC


Installation and configuration

15 Copyright © 2023 Veritas Technologies, LLC


Installation and configuration
NetBackup Kubernetes operator deployment and configuration

User can deploy and configure NBUKops in NetBackup web UI using the following methods:
1. Provide required parameters in values.yaml file to use Automated configuration:
➢ Before you run the helm install, you need to provide required values in the netbackupkops-helm-chart/values.yaml file.
➢ Follow the Helm install integrated manual configuration steps.
➢ As part of configuration deployment, a pod gets created each time user runs helm install. This pod runs the script to configure
Kubernetes workload protection.
➢ This process includes following operations:
• Prepares storage for backup and restore : Label volmesnapshotclass and storage classes for creating snapshots and
PVCs.
• Read service account token from nbukops namespace.
• Create NetBackup credentials for Kubernetes in NetBackup.
• Add Kubernetes Cluster to NetBackup.
• Create NetBackup token and fetch sha256 fingerprint.
• Create BackupServerCert for establishing secure communication for datamover pod.
• Configure primary server specific configmap for datamover image.

2. Use manual configuration steps.

16 Copyright © 2023 Veritas Technologies, LLC


NetBackup Kubernetes Operator deployment
and configuration using automated
configuration

17 Copyright © 2023 Veritas Technologies, LLC


Deployment High-level steps using automated configuration

Download the Helm


chart from Veritas Install Helm chart
repository

NGU
Kops

Update YAML(values.yaml) file


for configuration parameters

18 Copyright © 2023 Veritas Technologies, LLC


Automated configuration
Update netbackupkops-helm-chart/values.yaml configuration file
1. Untar netbackupkops.tar.gz file (Command : tar –xvf netbackupkops.tar.gz ) and provide inputs required for netbackupkops-helm-
chart/values.yaml
netbackup_config_pod:
➢ nbprimaryserver : <FQDN of NetBackup Primary Server>
➢ nbsha256fingerprint : <Copy sha256 fingerprint from NetBackup Primary Server Web UI>
(Go to NetBackup web UI → Security → Certificates → Click on Certificate Authority)
➢ k8sCluster : <FQDN of Kubernetes cluster API server (Run command : kubectl cluster-info)>
➢ k8sPort : <Port on which Kubernetes API server is listening>
➢ datamoverimage : <Container registry URL for pulling datamover image>
➢ storageclassblock : <Storage class used for provisioning block volumes (Run command : kubectl get storageclasses)>
➢ storageclassfilesystem : <Storage class used for provisioning filesystem volumes (Run command : kubectl get storageclasses)>
➢ volumesnapshotclassblock : <Volume snapshot class for creating block volume snapshots (Run command : kubectl get
volumesnapshotclass)>
➢ volumesnapshotclassfilesystem : <Volume snapshot class for creating filesystem volume snapshots (Run command : kubectl get
volumesnapshotclass)>
Note: Automated configuration is currently supported only for NBCA mode. To learn more about the volume snapshot class and storage class
names, refer to the Label Storage for Backup and Restore section in the NetBackup Kubernetes Administrator’s guide.

19 Copyright © 2023 Veritas Technologies, LLC


Automated configuration netbackupkops-helm-chart/values.yaml file
A sample: values.yaml

20 Copyright © 2023 Veritas Technologies, LLC


Automated configuration for Rancher managed RKE2 clusters
Create a secret for external cert and token configuration

3-a. If you are protecting a Rancher Managed RKE2 cluster, then follow the steps on this slide.

• Create a yaml file with the following format.

• Enter the first 2 values which you extracted earlier from your temporary files into this file

• Once the k8stoken and k8scacert values have been entered, move to the API Key creation phase to enter the value for apikey

Sample file : nb-config-deploy-secret.yaml

apiVersion: v1
kind: Secret
metadata:
name: <kops-namespace>-nb-config-deploy-secret
namespace: <kops-namespace>
type: Opaque
stringData:
# All the 3 fields are mandatory here to add a Rancher managed RKE2 cluster in Netbackup
apikey: A_YoUkgYQwkPLUkmyj9Q6A1-6RX8RNY-PtYX0SukbqCwIK_osPz8qVm9zCL9phje
k8stoken: kubeconfig-user-mvvgcm8sq8:nrsvcnx8hj46t24r2tjrxd2kn8tzo2bg4kj8waxpw36k8ktrchp826
k8scacert: |
-----BEGIN CERTIFICATE-----
MIIDDDCCAfSgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtpbmdy
ZXNzLW9wZXJhdG9yQDE2ODc1MzY4NjgwHhcNMjMwNjIzMTYxNDI3WhcNMjUwNjIy
XtXqbaBGrXIuCCo90mxv4g==
-----END CERTIFICATE-----

21 Copyright © 2022 Veritas Technologies, LLC


Automated configuration : Custom CA cert config (Optional)
Create a secret for external cert configuration

3-b. External CA certificate configuration for non-rancher k8s clusters

Note: This configuration step is necessary if you have custom CA certificates configured on your cluster’s API server for external access. This
step can be ignored if there is no custom CA setup

• If you have the custom CA certificates available, then simply enter them directly in the configuration yaml file mentioned in the next slide.

• If you don’t have the certificates available, you can extract them using the command given below on your Netbackup primary host.

• You can also use the openssl command tool to perform the same step on any Linux host.
<NBU_Install_Path>/bin/goodies/vxsslcmd s_client -showcerts -connect <cluster-fqdn>:<port-no> 2>/dev/null </dev/null
| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

• Enter the certificate value which will be generated from the output of this command into the template file in the next step.

22 Copyright © 2023 Veritas Technologies, LLC


Automated configuration : Custom CA cert config (Optional)
Create a secret for external cert configuration
3-b. External CA certificate configuration for non-rancher k8s clusters using custom CA certs

• Prepare a yaml file based on the format shown below.

• Note:- Ensure the proper indentations are followed exactly like the template below.

• Enter the value which was extracted in the previous step into the k8scacert field & ensure the indentation is properly followed for the entire value.

apiVersion: v1
kind: Secret
metadata:
name: <kops-namespace>-nb-config-deploy-secret
namespace: <kops-namespace>
type: Opaque
stringData:
apikey: <Netbackup API Key>
k8scacert: |
-----BEGIN CERTIFICATE-----
MIIDDDCCAfSgAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtpbmdy
ZXNzLW9wZXJhdG9yQDE2ODc1MzY4NjgwHhcNMjMwNjIzMTYxNDI3WhcNMjUwNjIy
XtXqbaBGrXIuCCo90mxv4g==
-----END CERTIFICATE-----

23 Copyright © 2023 Veritas Technologies, LLC


Automated configuration : API Key creation
Check Config deployment pod and create Netbackup API Key for nb-config-deploy-secret
4. If an API key already exists, same could be used in next step without creating a new api key. The
details are hidden for already created apikey and must be collected from NetBackup admin.
To create a new API Key :
Go to the NetBackup web UI → Security → Access keys and click Add. Add Username and select
validity of 1 day to avoid misuse of API Key. You must delete the Secret after the configuration is done.

24 Copyright © 2023 Veritas Technologies, LLC


Automated configuration : API Key creation
Create secret for NetBackup configuration pod

Create a secret file as shown below containing NetBackup API key


Sample : nb-config-deploy-secret.yaml
Enter the API key value here which was extracted in the previous step.

apiVersion: v1
kind: Secret
metadata:
name: <kops-namespace>-nb-config-deploy-secret
namespace: <kops-namespace>
type: Opaque
stringData:
apikey: A_YoUkgYQwkPLUkmyj9Q6A1-6RX8RNY-PtYX0SukbqCwIK_osPz8qVm9zCL9phje

Once the file is ready with the values run :


kubectl apply -f nb-config-deploy-secret.yaml

25 Copyright © 2023 Veritas Technologies, LLC


Automated configuration : Deploy the NetBackup Kubernetes Operator
Install operator via the Helm Chart

1. Ensure the <kops-namespace>-nb-config-deploy-secret has been created before running the helm install
on the next step.
2. Run the following command to install the NetBackup Kubernetes Operator:
helm install <user defined name of the deployment> ./netbackupkops-helm-chart -n <kops-namespace>
An example:
helm install veritas-netbackupkops ./netbackupkops-helm-chart -n netbackup
3. To check the status of the deployments, run the command:
kubectl get pods -n <kops-namespace>
An example:
kubectl get pods -n netbackup
4. To verify that Kubernetes cluster is added to NetBackup, open NetBackup UI → Workloads → Kubernetes →
Kubernetes Clusters. Kubernetes cluster should be listed on this page.
If there is an issue, please check troubleshooting steps on next page.

26 Copyright © 2023 Veritas Technologies, LLC


Automated configuration
Troubleshooting the NetBackup configuration pod

Troubleshooting the configuration pod :

1. To check configuration pod logs using the following commands:


kubectl get pods -n <kops-namespace>
kubectl logs <netbackup-config-pod-name> -n <kops-namespace> > config-deploy.log

2. If you see any failures in the deployment due to incorrect input values, set the replica count to zero for
deployment <kops-namespace>-netbackup-config-deploy to remove the deploy pod.
kubectl scale deployment <kops-namespace>-netbackup-config-deploy -n <kops-namespace> --replicas=0

3. Correct the input values in deployment config.


kubectl edit deployment <kops-namespace>-netbackup-config-deploy -n <kops-namespace>

4. Again, set the replica count to 1 to restart configuration. Use below command to set the replica count:
kubectl scale deployment <kops-namespace>-netbackup-config-deploy -n <kops-namespace> --replicas=1

27 Copyright © 2023 Veritas Technologies, LLC


NetBackup Kubernetes Operator deployment
and configuration using manual steps

28 Copyright © 2023 Veritas Technologies, LLC


Label storage for backup and restore

30 Copyright © 2023 Veritas Technologies, LLC


Prepare storage
Check for the valid volume snapshot class available in your environment

1. To see what volume snapshot classes are available in the environment, run the following command:
➢ kubectl get volumesnapshotclass
➢ Following is the output example, you can see:

➢ The parameter you will use is the value in the name field from this command that is associated
with the appropriate CSI driver.
2. User must label a valid volume snapshot classes on the block and file system volume snapshot
classes to create a block and file system volume snapshots for NetBackup usage.

31 Copyright © 2023 Veritas Technologies, LLC


Prepare storage
Label a valid volume snapshot class for NetBackup usage

3. Add the following label on the block and file system volume snapshot classes to create block and file
system volume snapshots:
netbackup.veritas.com/default-csi-volume-snapshot-class=true
4. Run the following commands:
➢ kubectl label volumesnapshotclass <block-vol-snap-class-name>
netbackup.veritas.com/default-csi-volume-snapshot-class=true
➢ kubectl label volumesnapshotclass <filesystem-vol-snap-class-name>
netbackup.veritas.com/default-csi-volume-snapshot-class=true
5. If the NetBackup labeled VolumeSnapshotClass class is not found, then snapshot of a namespace
consisting of persistent volume fails with an error message: Failed to create snapshot of the
Kubernetes namespace.

32 Copyright © 2023 Veritas Technologies, LLC


Prepare storage
Check for the storage available in your environment

6. To see storage classes available in the environment, run the following command:
➢ kubectl get sc
➢ Following is the output example, you can see:

7. Look for the storage that has CSI drivers listed under provisioner which consists of CSI in the name.
8. You must label each of the CSI supported storage classes with the labels in this section.

33 Copyright © 2023 Veritas Technologies, LLC


Prepare storage
Validate the storage you use for deploying namespaces

9. The command ‘kubectl get sc’ you ran earlier takes note of the default storage listed:

10. If the default storage for the cluster is not associated with the CSI storage you labeled. Then, any
namespaces created with default storage will not be able to protect.
11. Customers either must change the default storage to CSI storage which needs to protect, or
explicitly point to the CSI storage when the namespaces are created.

34 Copyright © 2023 Veritas Technologies, LLC


Prepare storage
Label a valid storage class for NetBackup usage

12. Add the following labels on CSI supported storage class:


➢ netbackup.veritas.com/default-csi-storage-class=true is used to label where storage class
provisions volumes based on raw block.
➢ netbackup.veritas.com/default-csi-filesystem-storage-class=true is used to label where
storage class provisions volumes based on file system.
13. Run the following commands:
➢ kubectl label sc <storage class> netbackup.veritas.com/default-csi-storage-class=true
➢ Kubectl label sc <storage class> netbackup.veritas.com/default-csi-filesystem-storage-
class=true
➢ <Storage class> will be from the name section of the ‘kubectl get sc’ command for each
CSI compliant storage you will need to protect.
14. If NetBackup labeled storage class is not found, then backup from snapshot job for metadata image
and restore jobs fails with an error message No eligible storage classes found.

35 Copyright © 2023 Veritas Technologies, LLC


Prepare storage
Validate that labels were applied

1. To verify the result, run the following commands:


▪ kubectl get sc --show-labels

▪ kubectl get volumesnapshotclass --show-labels

36 Copyright © 2023 Veritas Technologies, LLC


Prerequisites for NetBackup backup
from snapshot and restore from
backup operations

38 Copyright © 2023 Veritas Technologies, LLC


Prerequisites for NetBackup BFS and RFS operations

➢ Ensure that the user label a valid storage class (Block and Filesystem) for NetBackup
usage. (Refer :Prepare Storage section)

➢ Ensure that the user label a valid snapshotvolumeclass for NetBackup usage. (Refer:
Prepare PV for Backup section)

➢ Each primary server which runs the backup from snapshot and restore from backup copy
operations, needs to create a separate ConfigMap with the primary server's name. (Refer:
Deploy the NetBackup Kubernetes Operator - Create configmap.yaml file for each Primary
Server protecting the cluster)

➢ Ensure that the user deployed certificates on the Kubernetes operator. (Refer: Deploy
certificates on the Kubernetes Operator section)

39 Copyright © 2023 Veritas Technologies, LLC


Configure
Duplication

40 Copyright © 2023 Veritas Technologies, LLC


Configure Duplication

1. Create Storage Unit to


keep duplicate image
copies.

41 Copyright © 2023 Veritas Technologies, LLC


Configure Duplication

2. Create Protection plan


with duplication.
3. Enter retention period of
each copies.

42 Copyright © 2023 Veritas Technologies, LLC


Configure Duplication

1. Enter storage for each


copies during protection
plan creation step.
2. Click Finish.

43 Copyright © 2023 Veritas Technologies, LLC


Configure Duplication

3. Start backup of
Kubernetes asset using
the protection plan.
4. Duplication jobs gets
triggered only after
backup completed.
5. Duplication happen using
the backup from snapshot
copy

44 Copyright © 2023 Veritas Technologies, LLC


Configure Client-side Deduplication

45 Copyright © 2023 Veritas Technologies, LLC


Configure Client-side Deduplication

Click Host Properties to connect


to the primary server.

46 Copyright © 2023 Veritas Technologies, LLC


Configure Client-side Deduplication
➢ Edit Primary server Client
attributes, add Kubernetes
cluster name under Clients
tab.
➢ You can retrieve the
Kubernetes cluster name
running the following
command on the cluster.
kubectl cluster-info

➢ Cluster name can also be


found on the NetBackup web
UI.
➢ Workloads > Kubernetes >
Kubernetes clusters >
Name column.

47 Copyright © 2023 Veritas Technologies, LLC


Configure Client-side Deduplication
➢ Select Always use client
side deduplication from
deduplication location
dropdown list.
➢ Click Save.
Note: Storage unit configured in
Protection Plan for Backup from
snapshot should be of MSDP
type.

48 Copyright © 2023 Veritas Technologies, LLC


Configure Auto Image Replication(AIR)

49 Copyright © 2023 Veritas Technologies, LLC


Configure Auto Image Replication

Pre-requisite for AIR:


❑ Source and target NetBackup primary servers must have MSDP storage
configured as storage unit.
❑ Source and target primary servers must be reachable to each other.

50 Copyright © 2023 Veritas Technologies, LLC


Configure Auto Image Replication

Configuration on the
source primary server.
Step 1
➢ Add target primary server
entry under trusted
servers.
➢ In the NetBackup web UI
navigate to the Host
properties
➢ Select primary server in host
entries, and connect.

51 Copyright © 2023 Veritas Technologies, LLC


Configure Auto Image Replication
Configuration on source
primary server.
Step 2

➢ Navigate to Servers in Edit


Primary server page
➢ Under Trusted primary server
tab Add entry of target primary
server.
➢ Click Validate Certificate
Authority
➢ Enter Target primary server
credentials and click Create
Trust.

52 Copyright © 2023 Veritas Technologies, LLC


Configure Auto Image Replication
Configuration on source primary
server.
Step 3

➢ Navigate to Storage > Storage


Configuration in the NetBackup
web UI
➢ Select Disk-pools tab.
➢ Select disk-pool having MSDP
category
➢ Add entry for Replication targets.
➢ Select trusted primary server
➢ Enter the primary server
credentials.
➢ Click Add.

53 Copyright © 2023 Veritas Technologies, LLC


Configure Auto Image Replication
Configuration on Target primary server.
Step 1
Follow the Configuration of source primary
server Step 1 and 2 to add trusted primary
servers.
Step 2
➢ Create Storage lifecycle policies
➢ Navigate to Storage > Storage lifecycle
policies in Target machine NetBackup
web UI.
➢ Create SLP with operation import.
➢ Select Destination storage of MSDP
type.
➢ Select Retention type.
➢ Click Create.
➢ Same SLP name is visible during
configuration of source primary server
step 5
54 Copyright © 2023 Veritas Technologies, LLC
Configure Auto Image Replication
Configuration on source
primary server.
Step 4
➢ Create protection plan for
Kubernetes workload, with
Create a replica copy (Auto
Image Replication) of the
backup from snapshot
option selected.
➢ Add Schedules of protection
plan.

55 Copyright © 2023 Veritas Technologies, LLC


Configure Auto Image Replication
Configuration on source primary server.
Step 5
➢ In Create protection plan storage
options, select storage unit for backup
from snapshot as local MSDP storage
unit.
➢ For Replica copy of the backup from
snapshot
➢ Select target primary server.
➢ Click Next.
➢ Select storage lifecycle policy, this
is created in “Configuration of
target primary server step 2”
➢ Click Next.
➢ Select Resource for Protection, and
click Next.
➢ Select the roles you want to have
access to this protection plan.
➢ Click Finish.

57 Copyright © 2023 Veritas Technologies, LLC


FIPS Enablement

58 Copyright © 2023 Veritas Technologies, LLC


Configure FIPS enablement

Starting with NetBackup 10.2.1 (Sequoia) release, NetBackup K8s workload


has started providing FIPS Support for Redhat based NetBackup deployments.
All the K8s-WL component involving in NetBackup, NetBackup Kubernetes
operator and NetBackup DataMover should be running in FIPS mode. In-order
to achieve the FIPS support, there are certain requirements that needs to be
met across all these components.

59 Copyright © 2023 Veritas Technologies, LLC


Configure FIPS enablement
System Requirement -
➢ NetBackup Primary and NetBackup Media
❑ Both Primary and Media should be deployed on NetBackup 10.2.1 with underlying RHEL-8 system which is enabled with FIPS.
❑ RHEL OS version should be greater than REHL8.
o You can check version of Redhat machine.
▪ cat /etc/Redhat-release
o You can check if underlying system has FIPS is enabled using below command
▪ fips-mode-setup --check
▪ For more information, you can check man page entry for command fips-mode-setup

➢ Kubernetes Cluster
❑ Kubernetes cluster should be deployed with FIPS enabled mode.
❑ The process to deploy K8s cluster in FIPS mode in vendor dependent.
❑ For example, deploying Openshift with FIPS Enabled.

60 Copyright © 2023 Veritas Technologies, LLC


Configure FIPS enablement
Configuration -
➢ NetBackup Primary and NetBackup Media
❑ Enabling NetBackup process to run in FIPS mode –
o Update <Netbackup-Installation-Path>/netbackup/bp.conf with below key
o NB_FIPS_MODE = ENABLE

➢ NetBackup Kubernetes Operator


❑ User can follow any one of the below steps to enable FIPS mode.
o Update the value of parameter fipsMode to ENABLE in values.yaml file from the Helm Chart.
OR
o Update the value of parameter NB_FIPS_MODE to ENABLE in backup-operator.

Note – Customer need to make sure all the system on which K8s-WL is running are FIPS compliant.

61 Copyright © 2023 Veritas Technologies, LLC


Advanced troubleshooting

62 Copyright © 2023 Veritas Technologies, LLC


Troubleshooting
Troubleshooting of some known issues

➢ If Kubernetes add cluster operation fails in NetBackup with an error message Failed to validate cluster <cluster-name>. An

unknown error occurred. Then, there may be the following reasons for failure:

❑ User might have created credentials with incomplete ca.crt value in NetBackup.

❑ The ca.crt value was properly copied but the cluster’s service account and API endpoint have a different Certifying

Authority (CA). User can check CA by extracting CA certificate from the cluster API endpoint.

❑ Verify if <kops-namespace>-nb-config-deploy-secret has proper values for k8scacert,k8stoken with the right indentation.

➢ Solution: Refer to the techNote x509 certificate signed by unknown authority error during discovery and backupservercert

configuration of NetBackup Kubernetes setup

➢ In customer environment, where access to external repositories is limited, to pull ‘kube-rbac-proxy’ image while deploying

NetBackup Kops. NBUKops pod will fail to pull ‘kube-rbac-proxy’ image from external repositories.

63 Copyright © 2023 Veritas Technologies, LLC

You might also like