
Enable Cluster Backups

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Enable and configure backups for your Google Kubernetes Engine (GKE) clusters to ensure you can back up and restore your GKE workloads when needed. Backups are valuable for disaster recovery, CI/CD pipelines, workload cloning, and managing upgrades.

Security

Enabling backups for Google Kubernetes Engine (GKE) clusters provides a robust solution for disaster recovery, workload migration, and seamless CI/CD workflows. It captures both configuration and volume data, allowing selective or comprehensive restoration of workloads. This flexibility supports scenarios like rolling back single workloads, migrating between clusters, and adjusting storage parameters. Integrated with GKE's UI and APIs, the service simplifies backup management while helping organizations meet critical recovery point objectives and ensure operational continuity. Once enabled, GKE backups can protect your business from potential disruptions and data loss.

Backups for GKE are supported for clusters running Kubernetes version 1.24.2-gke.1900 or newer.


Audit

To determine if backups are enabled for your Google Kubernetes Engine (GKE) clusters, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters provisioned for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to examine.

06 Select the DETAILS tab to view the configuration information available for the selected cluster.

07 In the Features section, check the Backup for GKE attribute value to determine if backups are enabled for your GKE cluster. If Backup for GKE is set to Disabled, GKE backups are not enabled for the selected Google Kubernetes Engine (GKE) cluster.

08 Repeat steps no. 5 – 7 for each GKE cluster provisioned within the selected GCP project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each GCP project available in your Google Cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-project-123123
cc-dev-project-112233

03 Run container clusters list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the name and the region of each GKE cluster provisioned for the selected project:

gcloud container clusters list \
	--project cc-web-project-123123 \
	--format="table(name,zone)"

04 The command output should return the requested cluster names and their regions:

NAME: cc-gke-backend-cluster
ZONE: us-central1

NAME: cc-gke-frontend-cluster
ZONE: us-central1

05 Run container clusters describe command (Windows/macOS/Linux) with the name of the Google Kubernetes Engine (GKE) cluster that you want to examine as the identifier parameter and custom output filters to determine if GKE backups are enabled for the selected cluster:

gcloud container clusters describe cc-gke-backend-cluster \
	--region=us-central1 \
	--format="json(addonsConfig.gkeBackupAgentConfig.enabled)"

06 The command output should return the configuration status of the GKE backup agent responsible for managing cluster backups:

null

If the container clusters describe command output returns "null", the GKE backup agent is not active. Therefore, GKE backups are not enabled for the selected Google Kubernetes Engine (GKE) cluster.

07 Repeat steps no. 5 and 6 for each GKE cluster provisioned for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To enable and configure backups for your Google Kubernetes Engine (GKE) clusters, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters deployed for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to configure.

06 Select the DETAILS tab to view the configuration information available for the selected cluster.

07 In the Features section, click on the Edit Backup for GKE button (i.e., pencil icon) available next to Backup for GKE to modify the backup feature settings.

08 Inside the Edit Backup for GKE configuration box, check the Enable Backup for GKE setting checkbox, and choose SAVE CHANGES to apply the changes. This will install the GKE backup agent and enable backups for the selected cluster. The backup agent is responsible for running the backup and restore activities for your cluster.

09 In the left navigation panel, under Resource Management, select Backup for GKE, choose CREATE A BACKUP PLAN, and perform the following actions to create a backup plan for your GKE cluster:

  1. For Enter plan details, provide a unique name for the new backup plan, and choose the GKE cluster that you want to back up.
  2. For Choose where to store your backups, select a location where the backups will be stored.
  3. (Optional) For Backup schedule, check the Enable backup schedule setting checkbox and configure your own backup schedule.
  4. For Retention policy, you can configure a policy to enforce retention and automatic deletion of your backups.
  5. (Optional) Choose SHOW ADVANCED OPTIONS and configure advanced settings such as backup scope and encryption.
  6. Choose CREATE PLAN to create your GKE backup plan.

10 Repeat steps no. 5 – 9 for each GKE cluster that you want to configure, created for the selected GCP project.

11 Repeat steps no. 2 – 10 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run container clusters update command (Windows/macOS/Linux) with the name of the Google Kubernetes Engine (GKE) cluster that you want to configure as the identifier parameter, to enable backups for your GKE cluster. This command will install the GKE backup agent and enable backups for the selected cluster. The backup agent is responsible for running the backup and restore activities for your cluster:

gcloud container clusters update cc-gke-backend-cluster \
	--region=us-central1 \
	--update-addons=BackupRestore=ENABLED

02 The command output should return the full URL of the modified GKE cluster:

Updating cc-gke-backend-cluster... done.
Updated [https://container.googleapis.com/v1/projects/cc-web-project-123123/zones/us-central1/clusters/cc-gke-backend-cluster].

03 Run container backup-restore backup-plans create command (Windows/macOS/Linux) to create a backup plan for your Google Kubernetes Engine (GKE) cluster. As an example, the following command creates a GKE backup plan that schedules daily backups for all Kubernetes namespaces at 5:30 AM and retains the backups for seven days:

gcloud beta container backup-restore backup-plans create cc-gke-cluster-backup-plan \
	--project=cc-web-project-123123 \
	--location=us-central1 \
	--cluster=projects/cc-web-project-123123/locations/us-central1/clusters/cc-gke-backend-cluster \
	--cron-schedule="30 5 * * *" \
	--backup-retain-days=7 \
	--all-namespaces

04 The command output should return the name of the new GKE backup plan:

Create request issued for: [cc-gke-cluster-backup-plan]
Waiting for operation [projects/cc-web-project-123123/locations/us-central1/operations/operation-abcd] to complete...done.
Created backup plan [cc-gke-cluster-backup-plan].

05 Repeat steps no. 1 – 4 for each GKE cluster that you want to configure, available within the selected GCP project.

06 Repeat steps no. 1 – 5 for each GCP project deployed in your Google Cloud account.
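The CLI audit loop (steps 1 – 8 of the Audit section) and the two remediation commands above, combined into a single script. This is an added example, not Conformity's or Google's own tooling. It assumes that gcloud prints "True" under --format="value(addonsConfig.gkeBackupAgentConfig.enabled)" when the agent is enabled and nothing when the addon block is absent, that every cluster is regional (so the backup plan location equals the cluster location), and it derives the plan name from the cluster name. By default it runs in dry-run mode and only prints the remediation commands it would execute.

```shell
#!/bin/sh
# Added example, not Conformity's own tooling: audit every GKE cluster in every
# project for the Backup for GKE agent and (with REMEDIATE=1 DRY_RUN=0) fix the
# disabled ones using the same two gcloud commands as the remediation steps.
# Assumptions: gcloud prints "True" for an enabled boolean under
# --format=value(...) and nothing when the addon block is absent; clusters are
# regional, so the backup plan location equals the cluster location.

# Run a command, or just print it when DRY_RUN=1 (the default, so the script
# never changes anything unless explicitly asked to).
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Decide from one cluster's describe output whether Backup for GKE is enabled.
backup_enabled() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]')" in
    true) return 0 ;;
    *)    return 1 ;;
  esac
}

# Map the raw flag to the word used in the report lines.
backup_status() {
  if backup_enabled "$1"; then echo ENABLED; else echo DISABLED; fi
}

# Enable the addon, then create a daily 05:30 plan retained for seven days.
# Arguments: project cluster location plan_name
remediate_cluster() {
  run gcloud container clusters update "$2" --project="$1" --location="$3" \
    --update-addons=BackupRestore=ENABLED
  run gcloud beta container backup-restore backup-plans create "$4" \
    --project="$1" --location="$3" \
    --cluster="projects/$1/locations/$3/clusters/$2" \
    --cron-schedule="30 5 * * *" --backup-retain-days=7 --all-namespaces
}

# One report line per cluster: PROJECT CLUSTER LOCATION STATUS; remediate
# disabled clusters when REMEDIATE=1 (still subject to DRY_RUN).
audit_all_projects() {
  for project in $(gcloud projects list --format="value(projectId)"); do
    gcloud container clusters list --project="$project" \
      --format="value(name,location)" | while read -r name location; do
      [ -n "$name" ] || continue
      flag=$(gcloud container clusters describe "$name" --project="$project" \
        --location="$location" \
        --format="value(addonsConfig.gkeBackupAgentConfig.enabled)" 2>/dev/null)
      status=$(backup_status "$flag")
      printf '%s %s %s %s\n' "$project" "$name" "$location" "$status"
      if [ "$status" = DISABLED ] && [ "${REMEDIATE:-0}" = 1 ]; then
        remediate_cluster "$project" "$name" "$location" "$name-backup-plan"
      fi
    done
  done
}

# Only touch the cloud when invoked with --run and gcloud is installed.
if [ "${1:-}" = "--run" ] && command -v gcloud >/dev/null 2>&1; then
  audit_all_projects
fi
```

Run it as `sh gke-backup-audit.sh --run` to get one status line per cluster; add `REMEDIATE=1` to print the remediation commands for every DISABLED cluster, and `REMEDIATE=1 DRY_RUN=0` to execute them. Creating a backup plan with --all-namespaces backs up every namespace including kube-system, so narrow the scope if only selected workloads need protection.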


Publication date Dec 2, 2024