Compliant Kubernetes (CK8S) includes backup functionality through Velero, a backup tool for Kubernetes Resources and Persistent Volumes. For backup of container images, Harbor is used instead.
The requirements to comply with ISO 27001 are stated in ISO 27001:2013. The annexes that are relevant to backups are:
- Annex 12, article A.12.3.1 "Information Backup".
What is Velero?
Velero is an open source, cloud native tool for backing up and migrating Kubernetes Resources and Persistent Volumes. It has been developed by VMware since 2017. It allows for both manual and scheduled backups, and also allows for subsets of Resources in a cluster to be backed up rather than necessarily backing up everything.
Velero is deployed in both the workload cluster and the service cluster. Following are instructions for backing up and restoring resources.
Velero takes a daily backup of all Kubernetes Resources with the label
velero: backup. Persistent Volumes will be backed up if they are tied to a Pod with the previously mentioned label and if that Pod is annotated with
backup.velero.io/backup-volumes=<volume1>,<volume2>,..., where the value is a comma separated list of the volume names. For user applications deployed in the workload cluster, make sure to add these labels and annotations to the resources that need to be backed up.
In the service cluster, Grafana (and its associated Persistent Volume) is configured to be backed up.
Backups are stored for 720 hours (30 days).
Restoring from a backup with Velero is meant to be a type of disaster recovery. Velero will not overwrite existing Resources when restoring. As such, if you want to restore the state of a Resource that is still running, the Resource must be deleted first.
To restore a backup on demand, contact your Compliant Kubernetes operator.