
Prerequisites

Currently, automated backups depend on Velero, with Amazon S3 as the offsite storage. The backup scripts handle the installation and setup of Velero, but an S3 bucket with AWS credentials must be set up before running the backup or restore scripts.


Storage Setup For Multi-Node Production Clusters


CSI-enabled storage provides several modern features for Kubernetes storage and enables volume resizing, storage snapshots, and automated backups. Storage drivers depend on your Kubernetes provider. See a full list of vendor-maintained drivers here.

EKS

If NetFoundry On-Prem is being installed on an existing EKS cluster, the following script can be run to initialize the ebs.csi.aws.com driver with the desired settings:

./installers/setup_eks_storage.sh

S3 / IAM Setup


Velero requires an object storage bucket to store backups in, preferably one dedicated to a single Kubernetes cluster. It also requires a set of IAM credentials that are persisted to the credentials file ./velero/s3-credentials-velero. These credentials must be long-lived in order for scheduled backups to run regularly; temporary credentials should not be used.

Below is an example for setting up an S3 bucket with the appropriate IAM credentials to access it. Note that the instructions below require admin permissions to an AWS account.

Create an S3 Bucket

BUCKET=<YOUR_BUCKET>
REGION=<YOUR_REGION>
aws s3api create-bucket \
--bucket $BUCKET \
--region $REGION \
--create-bucket-configuration LocationConstraint=$REGION

Create a velero user

aws iam create-user --user-name velero

Create an IAM policy document ./velero-policy.json (with ${BUCKET} replaced by your bucket name; the placeholder is not expanded inside the file):

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts"
],
"Resource": [
"arn:aws:s3:::${BUCKET}/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::${BUCKET}"
]
}
]
}

Attach the policy document:

aws iam put-user-policy \
--user-name velero \
--policy-name velero \
--policy-document file://velero-policy.json

Create an access key for the service account:

aws iam create-access-key --user-name velero

The result should look like:

{
"AccessKey": {
"UserName": "velero",
"Status": "Active",
"CreateDate": "2025-07-31T21:21:41.556Z",
"SecretAccessKey": "<AWS_SECRET_ACCESS_KEY>",
"AccessKeyId": "<AWS_ACCESS_KEY_ID>"
}
}

Update the ./velero/s3-credentials-velero file, or add these credentials to the environment prior to running the backup or restore scripts.

[default]
aws_access_key_id=<AWS_ACCESS_KEY_ID>
aws_secret_access_key=<AWS_SECRET_ACCESS_KEY>
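As an added example, not part of the NetFoundry scripts or the Velero project, the policy step and the credentials step above in Python: the policy document is rendered for exactly one bucket and then checked for actions outside the set granted above, resources not scoped to that bucket, or an unexpanded ${BUCKET} placeholder, and the credentials file is written owner-only (mode 0600) because it holds long-lived keys. The bucket name and key values are constructed placeholders.

```python
import os
import stat
import tempfile

# Actions the velero-policy.json above grants; anything beyond these is flagged.
OBJECT_ACTIONS = {"s3:GetObject", "s3:DeleteObject", "s3:PutObject",
                  "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"}
BUCKET_ACTIONS = {"s3:ListBucket"}

def render_policy(bucket: str) -> dict:
    """Build the policy document for exactly one bucket (same two statements as above)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(OBJECT_ACTIONS),
             "Resource": [f"arn:aws:s3:::{bucket}/*"]},
            {"Effect": "Allow", "Action": sorted(BUCKET_ACTIONS),
             "Resource": [f"arn:aws:s3:::{bucket}"]},
        ],
    }

def policy_problems(policy: dict, bucket: str) -> list:
    """Return findings where the policy is broader than single-bucket Velero access."""
    problems = []
    expected = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for i, st in enumerate(policy.get("Statement", [])):
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for a in actions:
            if a not in OBJECT_ACTIONS | BUCKET_ACTIONS:
                problems.append(f"statement {i}: unexpected action {a}")
        for r in resources:
            if "${BUCKET}" in r:  # placeholder copied into the file without substitution
                problems.append(f"statement {i}: unexpanded ${{BUCKET}} placeholder in {r}")
            elif r not in expected:
                problems.append(f"statement {i}: resource {r} is not scoped to bucket {bucket}")
    return problems

def write_credentials(path: str, access_key_id: str, secret_key: str) -> int:
    """Write the [default] profile Velero reads, readable by the owner only; returns the mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"[default]\naws_access_key_id={access_key_id}\naws_secret_access_key={secret_key}\n")
    os.chmod(path, 0o600)  # tighten an existing file that was created with a looser mode
    return stat.S_IMODE(os.stat(path).st_mode)

def scratch_path(name: str) -> str:
    """Path in a fresh temporary directory, for trying this out without touching ./velero."""
    return os.path.join(tempfile.mkdtemp(), name)
```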