A comprehensive backup tool for Kubernetes Persistent Volume Claims (PVCs) backed by CEPH CSI. This tool automates the process of backing up CEPH RBD images by:
- Listing PVCs in a specified namespace
- Extracting CEPH pool and image information from attached Persistent Volumes
- Exporting RBD images using the `rbd` command
- Compressing the exports with gzip
- Encrypting with GPG
- Uploading to MinIO/S3 storage
- Go 1.21 or later
- Access to a Kubernetes cluster with CEPH CSI
- `rbd` command-line tool installed and configured
- `gpg` command-line tool installed with encryption keys
- MinIO server or S3-compatible storage
```bash
# Clone the repository
git clone <repository-url>
cd k8s-ceph-backup-tool

# Build the binary
go build -o k8s-ceph-backup

# Or install directly
go install
```
Copy the example configuration and customize it:
```bash
cp config.yaml.example ~/.k8s-ceph-backup.yaml
```
Edit the configuration file with your specific settings:
```yaml
# CEPH settings
ceph:
  rbd_path: "rbd"
  config_path: "/etc/ceph/ceph.conf"
  keyring_path: "/etc/ceph/keyring"

# GPG settings
gpg:
  recipient: "backup@example.com"

# MinIO settings
minio:
  endpoint: "minio.example.com:9000"
  access_key: "your-access-key"
  secret_key: "your-secret-key"
  bucket_name: "k8s-ceph-backups"
```
Back up all CEPH-backed PVCs in the default namespace:
```bash
./k8s-ceph-backup
```
Back up PVCs in a specific namespace:
```bash
./k8s-ceph-backup --namespace production
```
- `--namespace, -n`: Kubernetes namespace to back up (default: "default")
- `--config`: Path to configuration file (default: ~/.k8s-ceph-backup.yaml)
- `--verbose, -v`: Enable verbose logging
- `--help, -h`: Show help
```bash
# Back up the production namespace with verbose output
./k8s-ceph-backup -n production -v

# Use a custom config file
./k8s-ceph-backup --config /path/to/config.yaml

# Back up a specific namespace
./k8s-ceph-backup --namespace database-cluster
```
- PVC Discovery: The tool connects to Kubernetes and lists all PVCs in the specified namespace
- CEPH Detection: For each bound PVC, it examines the associated PV to identify CEPH CSI volumes
- Metadata Extraction: Extracts the CEPH pool name and RBD image name from the PV's CSI volume attributes
- RBD Export: Uses the `rbd export` command to create a backup of the RBD image
- Compression: Compresses the exported image using gzip to save space
- Encryption: Encrypts the compressed file using GPG for security
- Upload: Uploads the encrypted backup to MinIO/S3 storage
Backup files are named using the following pattern:
`{pvc-name}-{pool-name}-{image-name}.rbd.gz.gpg`

Example: `app-data-rbd-pool-csi-vol-12345.rbd.gz.gpg`
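The discovery, naming and export steps above, written out as an added example in Go (it is not the project's own source): `RBDVolumeFromPV` reads the pool and image from a PV's CSI attributes, `BackupObjectName` applies the naming pattern, and `ExportEncrypted` pipes `rbd export` through gzip directly into `gpg` so no unencrypted copy of the image is written to disk. The driver-name suffix `rbd.csi.ceph.com`, the attribute keys `pool` and `imageName`, and the exact `rbd`/`gpg` flags are assumptions about ceph-csi and the CLIs; confirm them against `kubectl get pv <pv> -o yaml` and your tool versions.

```go
package main

import (
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"os/exec"
	"strings"
)

// RBDVolume is one CEPH RBD image found behind a bound PVC.
type RBDVolume struct{ PVCName, Pool, Image string }

// RBDVolumeFromPV reads pool and image from a PV's spec.csi block. The driver
// suffix and the keys "pool"/"imageName" are assumed ceph-csi RBD conventions.
func RBDVolumeFromPV(pvcName, driver string, attrs map[string]string) (RBDVolume, error) {
	pool, image := attrs["pool"], attrs["imageName"]
	if !strings.HasSuffix(driver, "rbd.csi.ceph.com") || pool == "" || image == "" {
		return RBDVolume{}, fmt.Errorf("pvc %s: not a ceph-csi RBD volume", pvcName)
	}
	return RBDVolume{PVCName: pvcName, Pool: pool, Image: image}, nil
}

// BackupObjectName applies {pvc}-{pool}-{image}.rbd.gz.gpg; parts may contain '-', so never parse it back.
func (v RBDVolume) BackupObjectName() string {
	return fmt.Sprintf("%s-%s-%s.rbd.gz.gpg", v.PVCName, v.Pool, v.Image)
}

// ExportEncrypted pipes `rbd export <pool>/<image> -` through gzip into `gpg --encrypt`: no plaintext hits disk.
func ExportEncrypted(v RBDVolume, rbdPath, recipient, dst string) error {
	export := exec.Command(rbdPath, "export", v.Pool+"/"+v.Image, "-")
	encrypt := exec.Command("gpg", "--batch", "--yes", "--encrypt",
		"--recipient", recipient, "--output", dst)
	rbdOut, errOut := export.StdoutPipe()
	gpgIn, errIn := encrypt.StdinPipe()
	if err := errors.Join(errOut, errIn, encrypt.Start()); err != nil {
		return err
	}
	if err := export.Start(); err != nil {
		encrypt.Process.Kill() // do not leave gpg blocked on stdin
		encrypt.Wait()
		return err
	}
	gz := gzip.NewWriter(gpgIn)
	_, copyErr := io.Copy(gz, rbdOut)
	gzErr := gz.Close()
	gpgIn.Close() // EOF on stdin lets gpg finish writing dst
	return errors.Join(copyErr, gzErr, export.Wait(), encrypt.Wait())
}
```

The resulting `dst` file is what gets uploaded to the bucket; because a `-` in any of the three name parts makes the pattern ambiguous, keep the PVC/PV/pool/image mapping in object metadata rather than recovering it from the file name.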
- GPG Encryption: All backups are encrypted using GPG before upload
- Access Control: Ensure proper RBAC permissions for the Kubernetes service account
- Credentials: Store MinIO credentials securely (consider using Kubernetes secrets)
- Network Security: Use TLS for MinIO connections in production
The tool provides comprehensive logging with different levels:
- `DEBUG`: Detailed operation information
- `INFO`: General operation status
- `WARN`: Non-critical issues
- `ERROR`: Critical errors

Enable verbose logging with the `-v` flag for troubleshooting.
The tool requires the following Kubernetes RBAC permissions:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: k8s-ceph-backup
rules:
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get"]
```
- "rbd command not found": Install ceph-common package
- "GPG recipient not found": Ensure GPG keys are properly imported
- "Access denied to MinIO": Verify MinIO credentials and bucket permissions
- "No CEPH volumes found": Check that PVCs are using CEPH CSI driver
Enable debug logging for detailed troubleshooting:
```bash
./k8s-ceph-backup -v
```
- Fork the repository
- Create a feature branch
- Make your changes
- Add tests if applicable
- Submit a pull request
This project is licensed under the MIT License - see the LICENSE file for details.