# REQUIRES -Version 2.0
<#
Synopsis: This PowerShell script is a partial example of backing up
and restoring an AKS cluster.
The concept behind this form of BCDR solution is described here:
https://learn.microsoft.com/en-us/azure/backup/azure-kubernetes-service-cluster-backup-concept
#>
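# Tools this script depends on (not declared by the script itself): the Az
# PowerShell modules Az.Accounts, Az.Aks and Az.DataProtection, plus the Azure
# CLI (`az`) with the k8s-extension and aks-preview extensions installed below.
param (
    # $resourceGroupName and $accountName are accepted so existing callers keep
    # working, but no step below reads them.
    [Parameter(Mandatory=$true)][string]$resourceGroupName,
    [Parameter(Mandatory=$true)][string]$accountName,
    [Parameter(Mandatory=$true)][string]$subscriptionId,
    [Parameter(Mandatory=$true)][string]$aksClusterName,
    [Parameter(Mandatory=$true)][string]$aksClusterRG,
    [string]$backupVaultRG = "testBkpVaultRG",
    [string]$backupVaultName = "TestBkpVault",
    [string]$location = "westus",
    [string]$containerName = "backupc",
    [string]$storageAccountName = "sabackup",
    [string]$storageAccountRG = "rgbackup",
    [string]$environment = "AzureCloud",
    # Previously hard-coded values; defaults are unchanged, now overridable.
    [string]$snapshotResourceGroupName = "snapshotrg",
    [string]$backupPolicyName = "aksBkpPolicy",
    [string]$roleBindingName = "randomRoleBindingName",
    # NOTE(review): the original built the selector as "env=$environment", i.e.
    # from the Azure *cloud* name ("env=AzureCloud"), which is unlikely to match
    # any Kubernetes label. Kept as the default for compatibility; override it
    # with the label your workloads actually carry.
    [string]$labelSelector = "env=$environment"
)

# Stop on the first failing Az cmdlet instead of carrying on with a
# half-configured vault/cluster. Native `az` calls are not covered by this
# preference, so their exit codes are checked explicitly with Assert-CliSucceeded.
$ErrorActionPreference = 'Stop'

# Throw if the most recent native (az) command exited non-zero.
# Arguments: $step - short description of the step, used in the error message.
function Assert-CliSucceeded([string]$step) {
    if ($LASTEXITCODE -ne 0) {
        throw "Azure CLI step failed: $step (exit code $LASTEXITCODE)"
    }
}

# --- Sign in ---------------------------------------------------------------
# Az PowerShell and the Azure CLI keep separate sessions; Connect-AzAccount does
# not authenticate `az`. Run `az login` beforehand if the CLI has no session.
Connect-AzAccount -Environment $environment
Set-AzContext -SubscriptionId $subscriptionId
az account set --subscription $subscriptionId
Assert-CliSucceeded "az account set"

# --- Backup vault ----------------------------------------------------------
$storageSetting = New-AzDataProtectionBackupVaultStorageSettingObject -Type LocallyRedundant -DataStoreType OperationalStore
New-AzDataProtectionBackupVault -ResourceGroupName $backupVaultRG -VaultName $backupVaultName -Location $location -StorageSetting $storageSetting
# Look the vault up within its own resource group so a same-named vault
# elsewhere in the subscription cannot be picked by mistake.
$TestBkpVault = Get-AzDataProtectionBackupVault -ResourceGroupName $backupVaultRG -VaultName $backupVaultName

# --- Backup policy ---------------------------------------------------------
$policyDefn = Get-AzDataProtectionPolicyTemplate -DatasourceType AzureKubernetesService
# Diagnostics only: show the template's schedule trigger. The console output
# that was previously pasted inline as (non-executable) script lines looked like:
#   ObjectType: ScheduleBasedTriggerContext
#   ScheduleRepeatingTimeInterval: {R/2023-04-05T13:00:00+00:00/PT4H}
#   TaggingCriterion: {Default}
$policyDefn.PolicyRule[0].Trigger | Format-List
# ...and the retention lifecycle:
#   DeleteAfterDuration: P7D
#   DeleteAfterObjectType: AbsoluteDeleteOption
#   SourceDataStoreObjectType : DataStoreInfoBase
#   SourceDataStoreType: OperationalStore
#   TargetDataStoreCopySetting:
$policyDefn.PolicyRule[1].Lifecycle | Format-List
New-AzDataProtectionBackupPolicy -ResourceGroupName $backupVaultRG -VaultName $TestBkpVault.Name -Name $backupPolicyName -Policy $policyDefn
$aksBkpPol = Get-AzDataProtectionBackupPolicy -ResourceGroupName $backupVaultRG -VaultName $TestBkpVault.Name -Name $backupPolicyName

# --- Backup extension on the cluster --------------------------------------
Write-Host "Installing Extension with cli"
# `az k8s-extension` lives in a CLI extension; --upgrade makes this idempotent.
az extension add --name k8s-extension --upgrade
# Settings and target are kept as arrays and splatted, so each value reaches
# `az` as exactly one argument even if it contains spaces or shell characters.
$extensionSettings = @(
    "blobContainer=$containerName",
    "storageAccount=$storageAccountName",
    "storageAccountResourceGroup=$storageAccountRG",
    "storageAccountSubscriptionId=$subscriptionId"
)
$extensionTarget = @(
    '--name', 'azure-aks-backup',
    '--cluster-type', 'managedClusters',
    '--cluster-name', $aksClusterName,
    '--resource-group', $aksClusterRG
)
az k8s-extension create @extensionTarget --extension-type microsoft.dataprotection.kubernetes --scope cluster --release-train stable --configuration-settings @extensionSettings
Assert-CliSucceeded "az k8s-extension create"
az k8s-extension show @extensionTarget
Assert-CliSucceeded "az k8s-extension show"
# Re-running update with the same settings changes nothing; it is kept as the
# place to adjust settings later (e.g. add cpuLimit=1 memoryLimit=1Gi).
az k8s-extension update @extensionTarget --release-train stable --config-settings @extensionSettings
Assert-CliSucceeded "az k8s-extension update"

# --- Let the extension identity write to the backup storage account -------
$extensionPrincipalId = az k8s-extension show @extensionTarget --query identity.principalId --output tsv
Assert-CliSucceeded "az k8s-extension show (identity.principalId)"
# An empty principal ID would otherwise surface as an opaque role-assignment
# failure; fail early with a clear message instead.
if ([string]::IsNullOrWhiteSpace($extensionPrincipalId)) {
    throw "The azure-aks-backup extension reported no identity principalId; cannot assign the storage role."
}
$storageAccountId = "/subscriptions/$subscriptionId/resourceGroups/$storageAccountRG/providers/Microsoft.Storage/storageAccounts/$storageAccountName"
# Scope is the single storage account (least privilege). --assignee-principal-type
# skips the directory lookup that can fail for a freshly created identity.
az role assignment create --assignee-object-id $extensionPrincipalId --assignee-principal-type ServicePrincipal --role 'Storage Account Contributor' --scope $storageAccountId
Assert-CliSucceeded "az role assignment create"

# --- Trusted Access role binding (vault -> cluster) -----------------------
Write-Host "This section is detailed overview of TrustedAccess"
az extension add --name aks-preview
az extension update --name aks-preview
az feature register --namespace "Microsoft.ContainerService" --name "TrustedAccessPreview"
az feature show --namespace "Microsoft.ContainerService" --name "TrustedAccessPreview"
az provider register --namespace Microsoft.ContainerService
# Create a Trusted Access RoleBinding in the AKS cluster. The original had two
# competing create calls (one using bash-style `\` continuations, an en dash
# instead of `-n`, and a misspelled $TestBkupVault; the other split across two
# lines and referencing an undefined $connectedServiceResourceId). This single
# call replaces both; the binding name is reused by the update below.
az aks trustedaccess rolebinding create --resource-group $aksClusterRG --cluster-name $aksClusterName -n $roleBindingName --source-resource-id "$($TestBkpVault.Id)" --roles Microsoft.DataProtection/backupVaults/backup-operator
Assert-CliSucceeded "az aks trustedaccess rolebinding create"
Write-Host "Update an existing Trusted Access Role Binding with new roles"
# NOTE(review): the create call uses the fully qualified role name; confirm the
# short role names below are accepted by the CLI version in use.
az aks trustedaccess rolebinding update --resource-group $aksClusterRG --cluster-name $aksClusterName -n $roleBindingName --roles backup-operator,backup-contributor
Assert-CliSucceeded "az aks trustedaccess rolebinding update"

# --- Configure the backup instance ----------------------------------------
Write-Host "Configure Backup"
# No whitespace inside the resource ID (the original had a stray space before
# "/providers", which yields an invalid ID).
$sourceClusterId = "/subscriptions/$subscriptionId/resourcegroups/$aksClusterRG/providers/Microsoft.ContainerService/managedClusters/$aksClusterName"
Write-Host "Snapshot resource group"
$snapshotRG = "/subscriptions/$subscriptionId/resourcegroups/$snapshotResourceGroupName"
# The cluster object supplies the datasource location (the original passed an
# undefined $dataSourceLocation).
$aksCluster = Get-AzAksCluster -Id $sourceClusterId
Write-Host "The configuration of backup is performed in two steps"
$backupConfig = New-AzDataProtectionBackupConfigurationClientObject -SnapshotVolume $true -IncludeClusterScopeResource $true -DatasourceType AzureKubernetesService -LabelSelector $labelSelector
$friendlyName = "Backup of AKS Cluster $aksClusterName"
$backupInstance = Initialize-AzDataProtectionBackupInstance -DatasourceType AzureKubernetesService -DatasourceLocation $aksCluster.Location -PolicyId $aksBkpPol.Id -DatasourceId $sourceClusterId -SnapshotResourceGroupId $snapshotRG -FriendlyName $friendlyName -BackupConfiguration $backupConfig

Write-Host "Assign required permissions and validate"
# Grants the vault's managed identity the roles it needs on the cluster and the
# snapshot resource group. The original passed the cluster *name* as the backup
# instance and an undefined $vaultName to the readiness test. "ResourceGroup"
# scope is wider than the single cluster; narrow it where your policy allows.
Set-AzDataProtectionMSIPermission -BackupInstance $backupInstance -VaultResourceGroup $backupVaultRG -VaultName $backupVaultName -PermissionsScope "ResourceGroup"
Test-AzDataProtectionBackupInstanceReadiness -ResourceGroupName $backupVaultRG -VaultName $backupVaultName -BackupInstance $backupInstance.Property

Write-Host "Protect the AKS cluster"
# The instance is created in the vault's resource group (the original used the
# cluster's resource group and passed the AKS cluster object as the instance).
New-AzDataProtectionBackupInstance -ResourceGroupName $backupVaultRG -VaultName $TestBkpVault.Name -BackupInstance $backupInstance

# --- On-demand backup -----------------------------------------------------
Write-Host "Run on-demand backup"
# Resolve the instance by the friendly name set above rather than assuming the
# first instance in the vault (or that the instance name equals the cluster name).
$instance = Get-AzDataProtectionBackupInstance -SubscriptionId $subscriptionId -ResourceGroupName $backupVaultRG -VaultName $TestBkpVault.Name |
    Where-Object { $_.Property.FriendlyName -eq $friendlyName } |
    Select-Object -First 1
if ($null -eq $instance) {
    throw "Backup instance '$friendlyName' was not found in vault $($TestBkpVault.Name)."
}

Write-Host "Specify Retention Rule"
# Diagnostics only: list the policy rules. The rule name passed to the ad-hoc
# backup below ("Default") is the retention rule. Previously pasted output:
#   BackupParameter: Microsoft.Azure.PowerShell.Cmdlets.DataProtection.Models.Api20210201Preview.AzureBackupParams
#   BackupParameterObjectType: AzureBackupParams
#   DataStoreObjectType: DataStoreInfoBase
#   DataStoreType: OperationalStore
#   Name: BackupHourly
#   ObjectType: AzureBackupRule
#   Trigger: Microsoft.Azure.PowerShell.Cmdlets.DataProtection.Models.Api20210201Preview.ScheduleBasedTriggerContext
#   TriggerObjectType: ScheduleBasedTriggerContext
#   IsDefault: True
#   Lifecycle: {Microsoft.Azure.PowerShell.Cmdlets.DataProtection.Models.Api20210201Preview.SourceLifeCycle}
#   Name: Default
#   ObjectType: AzureRetentionRule
$policyDefn.PolicyRule | Format-List

Write-Host "Trigger on-demand backup"
Backup-AzDataProtectionBackupInstanceAdhoc -BackupInstanceName $instance.Name -ResourceGroupName $backupVaultRG -VaultName $TestBkpVault.Name -BackupRuleOptionRuleName "Default"

Write-Host "Tracking all the backup jobs"
# The original passed an undefined $sub; the subscription ID parameter is used.
$job = Search-AzDataProtectionJobInAzGraph -Subscription $subscriptionId -ResourceGroupName $backupVaultRG -Vault $TestBkpVault.Name -DatasourceType AzureKubernetesService -Operation OnDemandBackup
$job | Format-List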