Backup candidates

Resource Configuration

All Kubernetes object definitions (pods, deployments, services, etc.)

ETCD Cluster

The cluster’s state and configuration database

Persistent Volumes

Application data stored in persistent volumes

Resource configuration backup

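Query the kube-apiserver using kubectl to export all objects as YAML and store them as a backup copy. Note that kubectl get all returns only the resource types in the built-in "all" category (pods, services, deployments, and similar workload objects); Secrets, ConfigMaps, PersistentVolumeClaims, and RBAC objects are not included and must be exported separately.
# Export the resources in the "all" category across all namespaces
kubectl get all --all-namespaces -o yaml > backup.yaml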

# Restore from the backup
kubectl apply -f backup.yaml
Tools like Velero and Kasten can automate Kubernetes resource backups and support scheduled snapshots and cross-cluster restores.

ETCD backup

ETCD is the database of the Kubernetes cluster, storing all cluster state — nodes, pods, secrets, and more. When configuring ETCD, a data directory is specified where all ETCD data is stored. You can back up this directory directly.
# View the ETCD pod configuration to find the data directory
kubectl describe pod <etcd-pod> -n kube-system
etcd.service
ExecStart=/usr/local/bin/etcd \
  ...
  --data-dir=/var/lib/etcd

Creating an ETCD snapshot

Set ETCDCTL_API=3 before running any etcdctl backup or restore commands.
export ETCDCTL_API=3
etcdctl version
ETCDCTL_API=3 etcdctl \
  --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/server.crt \
  --key=/etc/kubernetes/pki/etcd/server.key \
  snapshot save /var/lib/etcd/snapshot.db

# View snapshot status
ETCDCTL_API=3 etcdctl \
  snapshot status /var/lib/etcd/snapshot.db
  • You can specify any path to save the snapshot.
  • Always provide the --cacert, --cert, --key, and --endpoints flags when saving a snapshot.
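
Because ETCD stores all cluster state, Secrets included, a snapshot file needs the same protection as the data directory itself. The wrapper below is an added example, not part of the original page: it runs the snapshot save and snapshot status commands shown above, writes the file owner-only, and records a checksum that can be checked before a restore. ETCDCTL, ENDPOINT, PKI and the function names are assumptions, and stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the original page. ETCDCTL, ENDPOINT, PKI and the
# function names are assumptions; the certificate file names are the page's.
ETCDCTL="${ETCDCTL:-etcdctl}"
ENDPOINT="${ENDPOINT:-https://127.0.0.1:2379}"
PKI="${PKI:-/etc/kubernetes/pki/etcd}"

# take_snapshot DIR: save, read back and checksum a snapshot under DIR.
# Prints the snapshot path on success; returns non-zero on any failure.
take_snapshot() {
  dir=$1
  snap="$dir/etcd-$(date -u +%Y%m%dT%H%M%SZ).db"
  (
    umask 077   # the snapshot holds all cluster state, Secrets included
    mkdir -p "$dir" || exit 1
    ETCDCTL_API=3 "$ETCDCTL" \
      --endpoints="$ENDPOINT" \
      --cacert="$PKI/ca.crt" \
      --cert="$PKI/server.crt" \
      --key="$PKI/server.key" \
      snapshot save "$snap" >/dev/null || exit 1
    # Do not keep a file that etcdctl itself cannot read back.
    ETCDCTL_API=3 "$ETCDCTL" snapshot status "$snap" >/dev/null \
      || { rm -f "$snap"; exit 1; }
    sha256sum "$snap" > "$snap.sha256" || exit 1
  ) || return 1
  printf '%s\n' "$snap"
}

# verify_snapshot FILE: succeed only if FILE still matches its recorded
# SHA-256 and is readable by its owner alone (stat -c needs GNU coreutils).
verify_snapshot() {
  snap=$1
  [ -f "$snap" ] && [ -f "$snap.sha256" ] || return 1
  sha256sum -c "$snap.sha256" >/dev/null 2>&1 || return 1
  mode=$(stat -c %a "$snap") || return 1
  [ "$mode" = 600 ] || return 1
}
```

Run verify_snapshot on the file before passing it to snapshot restore, so a truncated or modified backup is rejected before it replaces the data directory.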

ETCD restore

1. Stop the kube-apiserver

The kube-apiserver depends on ETCD. Stop it before restoring so that ETCD can restart cleanly.
sudo service kube-apiserver stop

2. Run the ETCD restore command

When restoring from a snapshot, ETCD initializes a new cluster configuration and treats all members as new, which prevents a restored member from accidentally joining an existing cluster.
ETCDCTL_API=3 etcdctl \
  snapshot restore /var/lib/etcd/snapshot.db \
  --data-dir /var/lib/etcd-new

3. Update the ETCD configuration

Point the ETCD service at the new data directory. Use ps aux | grep etcd or kubectl describe pod <control-plane-pod> -n kube-system (not the etcd pod) to locate the configuration.
etcd.service
ExecStart=/usr/local/bin/etcd \
  ...
  --data-dir=/var/lib/etcd-new
After updating the configuration file, reload and restart the service:
sudo systemctl daemon-reload
sudo service etcd restart

4. Start the kube-apiserver

sudo service kube-apiserver start
