Just-in

Kagent Tutorial: Build Cloud-Native AI Agents on Kubernetes

Running Ollama LLM on Kubernetes: A Complete Guide

From Docker to Kubernetes: The Orchestration Journey You Didn’t Know You Needed

What is Kubeflow and how can it be used?

Getting Started with Kubeflow: A Complete Beginner’s Guide

Orchestration

Secure Your Kubernetes: ETCD Backup & Restore

Introduction

In the dynamic world of Kubernetes, your cluster’s state is its most valuable asset. This state, encompassing all configurations, desired states, and metadata, is meticulously stored and managed by etcd, a highly available key-value store. Without a healthy etcd, your Kubernetes cluster is essentially a collection of inert machines. Imagine a sudden data corruption, a catastrophic hardware failure, or an accidental deletion; without a robust backup and restoration strategy for etcd, your entire cluster could be irrecoverably lost, leading to significant downtime and potential data loss for your applications.

This guide will demystify the critical process of backing up and restoring etcd for your Kubernetes cluster. We’ll explore the essential tools and techniques, focusing on both manual snapshots and automated solutions, ensuring you have the knowledge to safeguard your cluster’s brain. Whether you’re running a production workload or a development environment, understanding these procedures is paramount for maintaining the resilience and reliability of your Kubernetes infrastructure. Let’s dive in and fortify your cluster against unforeseen disasters.

TL;DR: etcd Backup & Restoration

etcd is the brain of your Kubernetes cluster. Backing it up is critical. Here’s the gist:

  • Backup: Use etcdctl snapshot save from an etcd pod or host.
  • Restore: Stop kube-apiserver, use etcdctl snapshot restore, replace etcd data directory, restart services.
  • Key Commands:

# Backup from an etcd pod
ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/server.crt \
  --key=/etc/kubernetes/pki/etcd/server.key \
  snapshot save /tmp/etcd-snapshot.db

# Restore (example, actual paths may vary)
# 1. Stop kube-apiserver/etcd on control plane nodes
# 2. etcdctl snapshot restore /tmp/etcd-snapshot.db \
#      --data-dir=/var/lib/etcd-restored \
#      --initial-cluster-token=etcd-cluster-1 \
#      --initial-advertise-peer-urls=https://:2380 \
#      --name= \
#      --initial-cluster==https://:2380
# 3. Replace /var/lib/etcd with /var/lib/etcd-restored
# 4. Restart services

Always test your backup and restore process in a non-production environment!

Prerequisites

Before embarking on your etcd backup and restoration journey, ensure you have the following:

  • A running Kubernetes cluster: This guide assumes you have a functional Kubernetes cluster, ideally one provisioned with kubeadm, as it provides a consistent setup for etcd.
  • Root or sudo access: You’ll need elevated privileges on your Kubernetes control plane nodes to access etcd configuration files and data directories.
  • Basic understanding of Kubernetes: Familiarity with Kubernetes concepts like Pods, Deployments, and Control Plane components is beneficial.
  • Basic understanding of etcd: While we’ll cover the essentials, knowing etcd’s role in Kubernetes helps.
  • etcdctl utility: This command-line client is essential for interacting with etcd. It’s usually available within the etcd container or can be installed separately.
  • Secure Copy Protocol (SCP) or similar: For transferring snapshot files securely between nodes or to external storage.
  • Sufficient storage: Ensure you have enough disk space on your control plane nodes or external storage for etcd snapshots.
  • Network connectivity: Critical for multi-node etcd clusters and for accessing remote storage. For securing pod-to-pod traffic, you might want to look into solutions like Cilium WireGuard Encryption.

Step-by-Step Guide: etcd Backup and Restoration

Step 1: Identify etcd Configuration and Endpoints

The first step is to locate the etcd configuration on your control plane nodes. In a kubeadm-managed cluster, etcd typically runs as a static Pod. You’ll need to find its endpoint, certificate authority (CA), client certificate, and client key files. These are crucial for authenticating with etcd.

The etcd static Pod manifest is usually located at /etc/kubernetes/manifests/etcd.yaml. Inspecting this file will reveal the necessary paths and arguments.


# SSH into your control plane node
ssh user@your-control-plane-ip

# View the etcd static Pod manifest
cat /etc/kubernetes/manifests/etcd.yaml

Expected Output (snippet):


apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/etcd.advertise-client-urls: https://192.168.1.10:2379
  creationTimestamp: null
  labels:
    component: etcd
    tier: control-plane
  name: etcd
  namespace: kube-system
spec:
  containers:
  - command:
    - etcd
    - --advertise-client-urls=https://192.168.1.10:2379
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    - --client-cert-auth=true
    - --data-dir=/var/lib/etcd
    - --initial-advertise-peer-urls=https://192.168.1.10:2380
    - --initial-cluster=your-node-name=https://192.168.1.10:2380
    - --key-file=/etc/kubernetes/pki/etcd/server.key
    - --listen-client-urls=https://127.0.0.1:2379,https://192.168.1.10:2379
    - --listen-peer-urls=https://192.168.1.10:2380
    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
    - --peer-client-cert-auth=true
    - --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
    - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    - --snapshot-count=10000
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    image: registry.k8s.io/etcd:3.5.9-0
    name: etcd
    resources: {}
    volumeMounts:
    - mountPath: /var/lib/etcd
      name: etcd-data
    - mountPath: /etc/kubernetes/pki/etcd
      name: etcd-certs
  hostNetwork: true
  priorityClassName: system-cluster-critical
  volumes:
  - hostPath:
      path: /var/lib/etcd
      type: DirectoryOrCreate
    name: etcd-data
  - hostPath:
      path: /etc/kubernetes/pki/etcd
      type: DirectoryOrCreate
    name: etcd-certs
status: {}

From this output, note down:

  • --advertise-client-urls: This is your etcd endpoint (e.g., https://192.168.1.10:2379).
  • --trusted-ca-file: Path to the CA certificate (e.g., /etc/kubernetes/pki/etcd/ca.crt).
  • --cert-file: Path to the client certificate (e.g., /etc/kubernetes/pki/etcd/server.crt).
  • --key-file: Path to the client key (e.g., /etc/kubernetes/pki/etcd/server.key).
  • --data-dir: The etcd data directory (e.g., /var/lib/etcd).

Step 2: Perform an etcd Snapshot Backup

Now that you have the necessary information, you can perform a snapshot backup. The etcdctl utility is used for this. It’s often easiest to run etcdctl from within the etcd static Pod itself, as it already has the correct environment and certificates mounted. Alternatively, you can run it from the host, ensuring you provide all the necessary certificate paths.

For robustness, it’s recommended to back up etcd from the leader node in a multi-node cluster, though any member can take a consistent snapshot. The snapshot is a consistent point-in-time backup of the etcd data directory.


# Option A: Run etcdctl from within the etcd static Pod (recommended)
# Find the etcd pod name
ETCD_POD=$(kubectl get pod -n kube-system -l component=etcd -o jsonpath='{.items[0].metadata.name}')

# Execute snapshot command within the etcd pod
kubectl exec -it $ETCD_POD -n kube-system -- sh -c "ETCDCTL_API=3 etcdctl \
  --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/server.crt \
  --key=/etc/kubernetes/pki/etcd/server.key \
  snapshot save /var/lib/etcd/snapshot.db"

# Copy the snapshot from the pod to the host
kubectl cp -n kube-system $ETCD_POD:/var/lib/etcd/snapshot.db ./etcd-snapshot-$(date +%F_%H-%M-%S).db

# Option B: Run etcdctl directly on the control plane host (ensure etcdctl is installed)
# Replace with your actual values
export ETCDCTL_API=3
export ETCD_ENDPOINTS="https://127.0.0.1:2379" # Or your node's IP if listening externally
export ETCD_CACERT="/etc/kubernetes/pki/etcd/ca.crt"
export ETCD_CERT="/etc/kubernetes/pki/etcd/server.crt"
export ETCD_KEY="/etc/kubernetes/pki/etcd/server.key"

etcdctl snapshot save ./etcd-snapshot-$(date +%F_%H-%M-%S).db \
  --endpoints=$ETCD_ENDPOINTS \
  --cacert=$ETCD_CACERT \
  --cert=$ETCD_CERT \
  --key=$ETCD_KEY

Verify:


# Verify the snapshot file exists and check its size
ls -lh ./etcd-snapshot-*.db

# Check the snapshot status (optional, but good practice)
etcdctl snapshot status ./etcd-snapshot-*.db

Expected Output:


-rw-r--r-- 1 root root 23M Sep 26 10:30 ./etcd-snapshot-2023-09-26_10-30-00.db

# Output for snapshot status
23 MB, 30000 keys, 50000 revisions

Once the snapshot is created, immediately move it to a secure, off-cluster location (e.g., object storage like S3, Azure Blob Storage, or a dedicated backup server). This prevents data loss if your control plane node becomes completely inaccessible.

Step 3: Simulate a Cluster Failure (Optional, but Recommended for Testing)

Before restoring in a real-world scenario, it’s highly recommended to practice the restoration process in a non-production environment. This helps you understand the steps, identify potential issues, and refine your process. For instance, you could spin up a new cluster or use a dedicated staging environment. In a test environment, you might simulate data corruption by deleting the etcd data directory.


# !!! DANGER: DO NOT RUN ON A PRODUCTION CLUSTER !!!
# This will effectively destroy your etcd data and bring down your cluster.

# On your control plane node, stop the kube-apiserver static pod
mv /etc/kubernetes/manifests/kube-apiserver.yaml /tmp/

# Stop the etcd static pod (this will happen automatically if data-dir is gone, but explicit is better)
mv /etc/kubernetes/manifests/etcd.yaml /tmp/

# Wait for pods to terminate
kubectl get pods -n kube-system

# Delete the etcd data directory
rm -rf /var/lib/etcd/*

Verify:


# Your cluster should now be in a non-functional state.
# kubectl commands will likely fail.
kubectl get nodes

Expected Output:


The connection to the server localhost:8080 was refused - did you specify the right host or port?

Step 4: Stop Kubernetes Control Plane Components

To safely restore etcd, you must ensure no other components are writing to it. This means stopping the kube-apiserver and potentially the kube-controller-manager and kube-scheduler on all control plane nodes. Since etcd runs as a static Pod, the easiest way to stop it is to move its manifest file out of /etc/kubernetes/manifests/. The Kubernetes control plane will automatically terminate the Pod.


# SSH into ALL your control plane nodes
# On each control plane node:
sudo mv /etc/kubernetes/manifests/etcd.yaml /tmp/etcd.yaml.bak
sudo mv /etc/kubernetes/manifests/kube-apiserver.yaml /tmp/kube-apiserver.yaml.bak
sudo mv /etc/kubernetes/manifests/kube-controller-manager.yaml /tmp/kube-controller-manager.yaml.bak
sudo mv /etc/kubernetes/manifests/kube-scheduler.yaml /tmp/kube-scheduler.yaml.bak

# Wait for the pods to terminate (can take a minute)
# You can check with `crictl ps | grep etcd` or `docker ps | grep etcd`

Verify:


# From a node that still has access to the kubelet, or on the control plane node after moving manifests
sudo crictl ps | grep etcd # or docker ps | grep etcd

Expected Output: (No etcd container should be running)


# No output, or the etcd container should not be listed.

Step 5: Restore the etcd Snapshot

This is the core of the restoration process. You’ll use etcdctl snapshot restore to create a new etcd data directory from your backup file. This command requires several parameters specific to your cluster’s initial configuration. It’s crucial to get these right, especially in a multi-node etcd cluster.

  • --data-dir: The new directory where etcd will store its data. This should be different from the original /var/lib/etcd initially.
  • --initial-cluster-token: The unique token for the etcd cluster. This is typically found in your kubeadm-config ConfigMap or the original etcd static pod manifest.
  • --initial-advertise-peer-urls: The URL for peer communication for this specific node.
  • --name: The name of this etcd member (usually the hostname of the control plane node).
  • --initial-cluster: A comma-separated list of all etcd members in the cluster, in the format <name>=<peer-url>. For a single-node cluster, this will just be itself.

Before restoring, ensure you’ve copied your snapshot.db file back to the control plane node, for example, to /tmp/snapshot.db.


# SSH into your control plane node
# Ensure you have the snapshot file available, e.g., in /tmp/snapshot.db
# Clean up any old etcd data (if not already done in Step 3)
sudo rm -rf /var/lib/etcd/*

# Define your cluster-specific variables (replace with your actual values!)
NODE_NAME=$(hostname -s) # e.g., master-node-1
NODE_IP=$(hostname -I | awk '{print $1}') # e.g., 192.168.1.10

# For a multi-node cluster, you'd list all members here.
# Example: initial-cluster=master-node-1=https://192.168.1.10:2380,master-node-2=https://192.168.1.11:2380
INITIAL_CLUSTER="${NODE_NAME}=https://${NODE_IP}:2380"
INITIAL_CLUSTER_TOKEN="etcd-cluster-1" # This is often 'etcd-cluster-1' for kubeadm, check your etcd.yaml or kubeadm config

# Restore the snapshot
sudo ETCDCTL_API=3 etcdctl snapshot restore /tmp/etcd-snapshot-*.db \
  --data-dir=/var/lib/etcd-restored \
  --initial-cluster-token=$INITIAL_CLUSTER_TOKEN \
  --initial-advertise-peer-urls=https://${NODE_IP}:2380 \
  --name=$NODE_NAME \
  --initial-cluster=$INITIAL_CLUSTER

Verify:


# Check if the new data directory was created
ls -l /var/lib/etcd-restored

Expected Output:


total 8
drwx------ 2 root root 4096 Sep 26 10:45 member
-rw-r--r-- 1 root root    6 Sep 26 10:45 version.txt

Now, replace the original etcd data directory with the restored one.


sudo mv /var/lib/etcd-restored/* /var/lib/etcd/
sudo rm -rf /var/lib/etcd-restored # Clean up the temporary directory

Step 6: Restart Kubernetes Control Plane Components

With etcd restored, you can now bring your control plane back online by moving the static Pod manifests back to their original location. The kubelet will detect these files and recreate the Pods.


# SSH into ALL your control plane nodes
# On each control plane node:
sudo mv /tmp/etcd.yaml.bak /etc/kubernetes/manifests/etcd.yaml
sudo mv /tmp/kube-apiserver.yaml.bak /etc/kubernetes/manifests/kube-apiserver.yaml
sudo mv /tmp/kube-controller-manager.yaml.bak /etc/kubernetes/manifests/kube-controller-manager.yaml
sudo mv /tmp/kube-scheduler.yaml.bak /etc/kubernetes/manifests/kube-scheduler.yaml

Verify:


# Wait a few minutes for the pods to start and the cluster to stabilize.
# Then, check the status of control plane pods.
kubectl get pods -n kube-system -o wide

Expected Output: (All pods should be running)


NAME                                        READY   STATUS    RESTARTS   AGE     IP               NODE
coredns-774846f89b-756z6                    1/1     Running   0          5m      10.244.0.3       master-node-1
coredns-774846f89b-z9k9b                    1/1     Running   0          5m      10.244.0.2       master-node-1
etcd-master-node-1                          1/1     Running   0          1m      192.168.1.10     master-node-1
kube-apiserver-master-node-1                1/1     Running   0          1m      192.168.1.10     master-node-1
kube-controller-manager-master-node-1       1/1     Running   0          1m      192.168.1.10     master-node-1
kube-proxy-8x7vc                            1/1     Running   0          5m      192.168.1.10     master-node-1
kube-scheduler-master-node-1                1/1     Running   0          1m      192.168.1.10     master-node-1

Finally, check if your Kubernetes resources are back as expected:


kubectl get deployments --all-namespaces
kubectl get services --all-namespaces

Your cluster should now be fully functional with the state from your etcd snapshot. If you’re interested in further securing your cluster, consider implementing Kubernetes Network Policies.

Production Considerations

While the manual steps are crucial for understanding, production environments demand a more robust and automated approach:

  1. Automation: Manual backups are prone to human error and can be easily forgotten. Implement automated cron jobs or dedicated backup operators (like etcd-operator or Velero with an etcd plugin) to regularly take snapshots.
  2. Remote Storage: Never store backups on the same node as the etcd instance. Use highly durable and available remote storage such as AWS S3, Google Cloud Storage, Azure Blob Storage, or an NFS share. Ensure this storage is geographically redundant.
  3. Encryption: Encrypt your etcd snapshots at rest and in transit. This is critical for data security, especially if sensitive information is stored in Kubernetes secrets.
  4. Monitoring: Monitor your backup jobs. Ensure they are completing successfully and within expected timeframes. Alert on failures.
  5. Regular Testing: Implement a routine for periodically restoring backups to a test cluster. This validates your backup integrity and your restoration process. Don’t wait for a disaster to test your recovery plan!
  6. Retention Policy: Define and enforce a clear retention policy for your backups (e.g., daily for 7 days, weekly for 4 weeks, monthly for 6 months).
  7. Multi-node etcd Clusters: In a highly available etcd cluster, you typically only need to take a snapshot from one healthy member. However, the restore process requires careful coordination across all control plane nodes, ensuring they all point to the same restored data.
  8. Version Compatibility: Ensure your etcdctl version matches your etcd server version for compatibility, especially during restoration. Refer to the etcd documentation for specific version guidelines.
  9. Admission Controllers: Be aware that during a restore, your admission controllers might not be active, potentially allowing non-compliant resources to be created if not careful.
  10. Resource Management: Consider tools like Karpenter for cost optimization in your node autoscaling strategy, especially if you’re running large clusters where backup operations might temporarily consume more resources.

Troubleshooting

1. etcdctl command not found or permission denied

Issue: When trying to run etcdctl, you get “command not found” or “permission denied”.

Solution:

  • Command Not Found: If running on the host, etcdctl might not be installed or in your PATH. You can download the etcd release binaries and place etcdctl in /usr/local/bin. If running inside the etcd pod, ensure you’re using the correct kubectl exec command.
  • Permission Denied: Ensure you are running with sudo or as the root user, especially when accessing certificate files or writing to /var/lib/etcd.

# Install etcdctl (example for Linux)
ETCD_VERSION=v3.5.9 # Use your etcd version
wget https://github.com/etcd-io/etcd/releases/download/${ETCD_VERSION}/etcd-${ETCD_VERSION}-linux-amd64.tar.gz
tar -xvf etcd-${ETCD_VERSION}-linux-amd64.tar.gz
sudo mv etcd-${ETCD_VERSION}-linux-amd64/etcdctl /usr/local/bin/
rm -rf etcd-${ETCD_VERSION}-linux-amd64*

# Verify
etcdctl version

2. Failed to connect to etcd (x509: certificate signed by unknown authority)

Issue: During backup or status check, you receive certificate errors.

Solution:
This indicates an issue with your certificate paths or permissions. Double-check that:

  • --cacert, --cert, and --key paths are correct and point to the right files.
  • The files exist and are readable by the user executing etcdctl.
  • The etcd endpoint (--endpoints) is correct and etcd is listening on it.

# Example of common certificate paths for kubeadm
ls -l /etc/kubernetes/pki/etcd/ca.crt
ls -l /etc/kubernetes/pki/etcd/server.crt
ls -l /etc/kubernetes/pki/etcd/server.key

# If permissions are incorrect (e.g., owner is not root or group is not etcd)
sudo chmod 644 /etc/kubernetes/pki/etcd/server.crt
sudo chmod 600 /etc/kubernetes/pki/etcd/server.key

3. Cluster not coming up after restore

Issue: After moving manifests back, kube-apiserver or other control plane components fail to start, or kubectl get nodes doesn’t work.

Solution:

  • Check Pod logs: Use crictl logs <container-id> or docker logs <container-id> for kube-apiserver and etcd containers. The logs will often reveal the root cause.
  • Verify etcd health: Even if the etcd pod is running, check its health. 
    
# Replace with your etcd specific certs and endpoint
sudo ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/server.crt \
  --key=/etc/kubernetes/pki/etcd/server.key \
  endpoint health

    If not healthy, re-examine your restore parameters, especially --initial-cluster, --name, and --initial-advertise-peer-urls. These must precisely match the node’s configuration at the time of the snapshot.

  • Check for file corruption: Ensure the snapshot file was not corrupted during transfer.

4. Data mismatch or old state after restore

Issue: The cluster comes back online, but some resources are missing or are in an older state than expected.

Solution:

  • Incorrect Snapshot: You might have restored an older snapshot. Verify the timestamp of the snapshot file you used.
  • Snapshot Corruption: The snapshot file itself might be corrupted. Try restoring from a different, known-good snapshot if available.
  • Partial Restore: Ensure all necessary etcd data was overwritten. The etcdctl snapshot restore command creates a new directory; you must copy its contents to the active etcd data directory (e.g., /var/lib/etcd).

5. Multi-node etcd cluster restore issues

Issue: In a multi-node etcd setup, only one node comes back, or the cluster fails to form a quorum.

Solution:

  • Restore on all nodes: When restoring a multi-node etcd cluster, you must perform the etcdctl snapshot restore operation on all etcd members. Each member needs to be restored with the same snapshot data.
  • Consistent parameters: Ensure --initial-cluster-token, --initial-cluster, --name, and --initial-advertise-peer-urls are consistent and correctly configured for each specific node during its restore. The --initial-cluster should list all members of the etcd cluster.
  • Sequential restart: After restoring on all nodes, restart them sequentially, starting with the leader (if known) or one by one, giving them time to form a quorum.
  • Clean data directories: Ensure /var/lib/etcd (or your etcd data directory) is completely empty on all nodes before moving the restored data into place.

For complex networking scenarios in multi-node clusters, services like Istio Ambient Mesh can provide advanced traffic management and observability, but their setup is separate from etcd’s core backup/restore.

FAQ Section

Q1: How often should I back up etcd?

A: The frequency depends on your recovery point objective (RPO). For production clusters, daily backups are a minimum. For highly dynamic clusters with frequent changes, hourly or even more frequent backups might be necessary. Automated solutions are key here.

Q2: Can I restore an etcd snapshot to a different Kubernetes version?

A: Generally, it’s recommended to restore to the same Kubernetes version and etcd version from which the snapshot was taken. Restoring to a newer Kubernetes/etcd version might work if the versions are close (e.g., patch upgrades), but major version upgrades are generally not supported by direct etcd restore and could lead to API incompatibilities. Always consult the Kubernetes version skew policy and etcd release notes.

Q3: What’s the difference between etcd snapshots and backing up the entire data directory?

A: An etcdctl snapshot save creates a single, consistent file that represents the etcd database at a point in time. It’s the recommended method as it ensures data consistency. Backing up the entire /var/lib/etcd directory directly without stopping etcd can lead to an inconsistent or corrupted backup, as files might be in an incomplete state during the copy operation. Always use etcdctl snapshot save.

Q4: Do I need to back up anything else besides etcd?

A: Yes! While etcd holds the cluster state, other critical components include:

  • TLS Certificates: The PKI certificates in /etc/kubernetes/pki are crucial for cluster communication.
  • Kubeconfig Files: User and admin kubeconfig files.
  • Application Data: Persistent volumes (PVs) used by

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *