Reference Guide: Optimizing Backup Strategies for Red Hat OpenShift Virtualization

Data protection is one of the most important parts of running your Kubernetes cluster. Data protection is about backing up and restoring data, but it goes beyond that: a complete data protection plan also keeps your data secure at multiple levels. Good data protection provides a safety net if you need to restore data after a loss, and you can use the same software to set up testing environments and disaster recovery sites.

Many companies have established themselves in the data protection space, each with their own way of accomplishing this goal. Velero is a widely adopted open-source solution for Kubernetes data protection, typically popular among organizations just starting their data protection journey. However, it is important to realize that Velero’s simplicity and open-source nature may not be suitable for enterprises with complex data protection requirements or those requiring advanced features, such as application-consistent snapshots, granular restore options, and integration with existing backup infrastructure. 

In this article, we focus on the essential and advanced features that organizations need to keep their data safe and recoverable. We also discuss where Velero can and cannot help, and present a powerful alternative that addresses those limitations.

Summary of key Kubernetes data protection software features to consider when assessing Velero alternatives

Because of its distributed nature, Kubernetes requires features that are different from traditional backup software. Let’s begin by briefly discussing the key features that every data protection software should have when working with Kubernetes. We will use these features to look at Velero and each alternative.

Feature

Description

Application-consistent backups and restores

At the core of any data protection software is the ability to back up and then restore data. You want to have features that support data-consistent backups, such as hooks or a way to run custom scripts as part of the backup process.

Ease of use

The software must be easy to install and use. Any administrator with any level of experience should quickly understand how to restore data even when under pressure during a data loss event. Having an integrated web interface and a command-line interface is key to this capability.

Data security and integrity

Data protection software should ensure that data is encrypted, immutable, and accessible only by those who need it. Encryption should be done both at rest and in transit, and role-based access controls should be used.

Integrations

The Kubernetes ecosystem is wide and varied. It is important that your data protection software be able to fit and work with the various cloud and storage providers.

Advanced capabilities

Advanced functions like disaster recovery, application migration, and multi-cloud support extend the features of a data protection system beyond basic backup and restore. These advanced features provide additional protections and flexibility.

Support options

Most companies offer support in several ways: tickets, technical forums, and technical documentation. Some companies charge a premium to access direct vendor support. You must ensure that you have access to vendor support when needed, which will be determined by your organization’s overall skill set. 

Cost

You need to understand the platform’s total cost of ownership (TCO) and balance that against its benefits and how they fit your needs. For example, if the software is free but lacks support, you might need to pay consultant fees; if it requires additional cloud computing resources to run, that cost must be taken into consideration.

Velero features

Let’s look at Velero from the perspective of the seven key features mentioned above. This will help you understand how it compares to the alternatives discussed below. 

As mentioned earlier, Velero is an open-source tool for backing up Kubernetes clusters. Initially released in 2017, it continues to have an active community of developers behind it. Note that the breakdown that follows does not cover all of Velero’s features.

Application-consistent backups and restores

The first feature any data protection software should have is the ability to perform backups and restore that data. When we look at Kubernetes clusters, we must address the concept of application-consistent backups, which means that any operations that need to happen before backing up the data, such as flushing databases or caches, can be triggered pre-backup.

Velero follows the standard practice of Kubernetes controllers by providing custom resource definitions (CRDs) for backup and restore processes and the corresponding Kubernetes controllers to process those resources. You can create on-demand and scheduled backup resources and restore resources to fit your needs. You can control what resources you back up by filtering by namespace, label, or object type. 

You can create on-demand backups and schedule backups via a cron-like system. When Velero creates a backup, it first uploads a tarball of the Kubernetes objects and then creates a disk snapshot of any persistent volumes. This two-step process is important to highlight because it means a Velero backup depends on two different kinds of storage: object storage for the backup itself and a storage provider’s snapshot capability for persistent data.

If you are running a database application, running any required pre-backup scripts is always recommended to ensure that data is properly flushed and that the backup is not taken in the middle of a write. With Velero, there are backup hooks to run any pre/post-backup commands.


Restores with Velero are straightforward: Using namespaces and labels for filtering, you can restore all or a subset of your backed-up files. You can also remap namespaces when restoring the files so that you don’t always have to restore them to the same namespace. This is good for testing your restore or setting up a second instance of your application. Like the backup hooks, you can run commands pre/post-restore through restore hooks.

Ease of use

This consideration encompasses both how easy the software is to install and how easy it is to use to manage day-to-day operations. With that in mind, Velero may be more difficult for some users because it does not provide a graphical interface. Velero has a command-line utility that can be installed on macOS and Windows or built from source. Once the command-line utility is installed, you can install the Velero cluster components via either the Velero install CLI or a provided Helm chart.

As noted earlier, Velero uses object storage for backups and block storage via a storage provider for persistent volumes. This means you could have two providers (object and block) to configure upon installation. 

Since Velero does not have a graphical interface, other options have been created to fill this gap. For example, CloudCasa offers a dedicated UI for managing Velero backups, while Trilio provides a UI for its own Kubernetes data protection platform.

Post-install, Velero’s CLI allows you to perform all of your day-to-day operations, such as creating or scheduling backups and performing restores via the command line. 

Data security and integrity

By default, Velero runs with cluster-admin permissions. Although these permissions can be restricted, tightening them is left entirely to the administrator. Ideally, you want data protection software that makes securing access to your operations easier.

Data should be encrypted both in transit and at rest. Velero communicates with storage locations via HTTPS but has no native option for encrypting data at rest. Instead, it relies on storage providers’ options for that capability.
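Because at-rest encryption is delegated to the storage provider, it has to be configured on the BackupStorageLocation rather than in Velero itself. The following added example (not from the article) shows two locations for the AWS object-storage plugin: the first relies on whatever the bucket’s default is, the second asks S3 to encrypt every object Velero writes with a KMS key. The bucket, prefix, region, secret and key ARN are placeholders.

```yaml
# Added example: only spec.config differs, because Velero passes these
# settings straight through to the AWS plugin and does no encryption itself.
apiVersion: velero.io/v1
kind: BackupStorageLocation
metadata:
  name: weak-default           # encryption depends on the bucket's default policy
  namespace: velero
spec:
  provider: aws
  objectStorage:
    bucket: example-velero-backups
    prefix: cluster-a
  config:
    region: us-east-1
---
apiVersion: velero.io/v1
kind: BackupStorageLocation
metadata:
  name: default
  namespace: velero
spec:
  provider: aws
  objectStorage:
    bucket: example-velero-backups
    prefix: cluster-a
  credential:
    name: cloud-credentials    # Secret holding the AWS credentials file
    key: cloud
  config:
    region: us-east-1
    # With kmsKeyId set, the plugin requests SSE-KMS for every object it
    # uploads; the IAM identity Velero runs as needs kms:GenerateDataKey and
    # kms:Decrypt on this key, otherwise backups and restores fail.
    # Use serverSideEncryption: AES256 instead for S3-managed keys (SSE-S3).
    kmsKeyId: arn:aws:kms:us-east-1:000000000000:key/PLACEHOLDER-KEY-ID
```

Verify the result outside Velero as well: inspecting an uploaded object’s metadata in the bucket should show the expected server-side encryption type, since Velero reports success regardless of how the provider stored it.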

Creating immutable backups is a best practice for data security and integrity. An immutable backup cannot be changed after it has been created, which is helpful in recovering from data tampering or ransomware attacks. Unfortunately, Velero cannot ensure backup data immutability due to how it performs its backups.

Integrations

Velero supports multiple Kubernetes distributions and storage providers and has a version compatibility matrix to align a version of Kubernetes with a version of Velero. Velero does not explicitly claim support for specific distributions such as OpenShift or Rancher, or for managed cloud offerings such as AKS or EKS. Testing would be needed to verify that it works on any specific platform.

Velero maintains and develops a few plugins for integrations with storage providers, and the community develops a few additional ones. The software also supports a plugin framework that allows anybody to develop a provider without modifying the base code.

Velero maintains storage plugins for both object and block storage for the three major clouds: AWS, GCP, and Azure. This is not the case for VMware vSphere, which does not support object storage. Velero’s AWS object-storage plugin uses the AWS S3 API, so it can also connect to any S3-compatible storage.

Advanced capabilities

For data protection software, the primary role is to back up and restore data. Beyond that, software platforms are often differentiated by their advanced features.

Velero offers some features that help it compete with other established and enterprise offerings. Of note is the ability to migrate data between clusters, modify resources while restoring them, and run application hooks pre- and post-backup.

For data migration, Velero considers the data in object storage to be the source of truth. In this scenario, you point your cluster to the object storage, and it syncs the cluster to what is in the object storage. This makes it easy to migrate data between clusters within the same cloud provider (AWS, for example). If you are migrating data between clusters in different cloud providers, you would have to take a few extra steps outlined in the Velero documentation.

When restoring data, you can modify resources as you restore them, such as renaming resources. This is a good way to populate a test environment with production data. Here are a few ways you can modify resources.

version: v1
resourceModifierRules:
- conditions:
    # Only PVCs in the web-app namespace whose name starts with "mysql"
    # and that carry the env=prod label are modified.
    groupResource: persistentvolumeclaims
    resourceNameRegex: "^mysql.*$"
    namespaces:
    - web-app
    labelSelector:
      matchLabels:
        env: prod
  patches:
  # JSON-patch style operations applied to each matching resource
  - operation: replace
    path: "/spec/storageClassName"
    value: "standard"
  - operation: remove
    path: "/metadata/labels/production"

In this example, PVCs that match the resourceNameRegex in the web-app namespace and have the env: prod label applied will be subject to the updates in the patches section. In this case, the value in /spec/storageClassName would be replaced with “standard,” and the label “production” would be removed.
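As an added example (not from the article), here is how the rule above is wired into an actual restore: Velero reads the rules from a ConfigMap in its own namespace, and the Restore references that ConfigMap while also remapping web-app to a test namespace so production is never overwritten. This assumes Velero 1.12 or later, where resource modifiers were introduced; the ConfigMap and backup names are placeholders.

```yaml
# Added example: ConfigMap carrying the rules document, plus the Restore
# that applies it. The data key name is arbitrary; Velero reads the document.
apiVersion: v1
kind: ConfigMap
metadata:
  name: prod-to-test-modifiers
  namespace: velero               # must be the namespace Velero runs in
data:
  rules.yaml: |
    version: v1
    resourceModifierRules:
    - conditions:
        groupResource: persistentvolumeclaims
        resourceNameRegex: "^mysql.*$"
        namespaces:
        - web-app
        labelSelector:
          matchLabels:
            env: prod
      patches:
      - operation: replace
        path: "/spec/storageClassName"
        value: "standard"
      - operation: remove
        path: "/metadata/labels/production"
---
apiVersion: velero.io/v1
kind: Restore
metadata:
  name: web-app-to-test
  namespace: velero
spec:
  backupName: web-app-nightly-PLACEHOLDER   # name of an existing Backup
  includedNamespaces:
  - web-app
  # Restore into a separate namespace rather than on top of production.
  namespaceMapping:
    web-app: web-app-test
  # Apply the rules above to every object as it is restored.
  resourceModifier:
    kind: ConfigMap
    name: prod-to-test-modifiers
  restorePVs: true                # recreate PVs from the snapshots
```

The same ConfigMap can be passed from the CLI with velero restore create --from-backup <name> --resource-modifier-configmap prod-to-test-modifiers.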

Lastly, the pre/post backup hooks are important to ensure that you are collecting application-consistent backups. These are often used for backing up databases or distributed filesystems, scenarios where flushing all writes to disk before taking a backup is essential.

For example, before a backup, you may run a script to flush database caches to disk, pause writes, and afterward run a script that resumes writes to the database.
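The following added example (not from the article) puts the scheduling, filtering and hook features described in the Velero backup sections together in one Schedule: a nightly backup of the web-app namespace whose pre hook freezes the MySQL data filesystem so that dirty pages are flushed and writes are paused before the volume snapshot, and whose post hook thaws it afterwards. The namespace, labels, container name and mount path are assumed for illustration.

```yaml
# Added example: nightly Schedule with filesystem freeze/thaw hooks.
apiVersion: velero.io/v1
kind: Schedule
metadata:
  name: web-app-nightly
  namespace: velero
spec:
  schedule: "0 2 * * *"          # cron syntax: 02:00 every day
  template:                      # same fields as a Backup spec
    includedNamespaces:
    - web-app
    labelSelector:
      matchLabels:
        tier: data               # back up only the labelled workloads
    snapshotVolumes: true        # snapshot PVs via the volume snapshot location
    ttl: 720h0m0s                # keep each backup for 30 days
    hooks:
      resources:
      - name: mysql-freeze
        includedNamespaces:
        - web-app
        labelSelector:
          matchLabels:
            app: mysql           # hooks run in pods matching this selector
        pre:
        - exec:
            container: mysql
            # fsfreeze flushes dirty pages to disk and blocks new writes
            # until the filesystem is thawed; the container needs
            # CAP_SYS_ADMIN for this call to succeed. A database-specific
            # flush command can be substituted here.
            command: ["/sbin/fsfreeze", "--freeze", "/var/lib/mysql"]
            onError: Fail        # never snapshot a volume that is still being written
            timeout: 30s
        post:
        - exec:
            container: mysql
            command: ["/sbin/fsfreeze", "--unfreeze", "/var/lib/mysql"]
            onError: Continue    # always attempt the thaw so the app resumes writes
            timeout: 30s
```

Because a failed thaw leaves the application blocked, the post hook is the one to alert on: watch the Velero backup logs for hook errors rather than only the overall backup phase.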

Support options

Velero does not offer traditional vendor support; instead, support is offered on a best-effort basis for the current and immediately previous version. If your installation is older, you may be required to upgrade before receiving best-effort support.

Velero has a specific support process, appointing a new person weekly to monitor public Slack channels. There is no response time SLA, which may be needed in larger organizations. The full support process can be reviewed here.

Cost

Velero is a free and open-source backup solution, which is one of its most attractive features for getting started. If your team is technically inclined, you may be able to work with Velero’s default level of support, providing benefits in terms of total cost of ownership.

Velero alternatives

When exploring alternatives to Velero for data protection, it’s essential to approach the evaluation process objectively. Among the several alternatives available, Trilio stands out as a powerful alternative to Velero due to its extensive feature set, ease of use, and ability to seamlessly integrate with diverse Kubernetes distributions and cloud providers. 

Trilio for Kubernetes

Trilio for Kubernetes’ architecture is fundamentally designed to handle the complexities of Kubernetes environments. Unlike the other alternatives, Trilio’s sole focus as a company is on data protection for cloud-native platforms such as Kubernetes, OpenShift, and OpenStack.

Trilio performs application-centric backups, meaning that it can back up entire applications and virtual machines based on namespaces or labels, as well as operators and Helm deployments. It executes application-specific hooks during the backup process to ensure that all data and writes are flushed to disk before backing up. The platform also supports the backing up of container images, so you know you have the exact image your application was running on, a unique feature that is missing from other alternatives. Trilio saves all resource metadata and application data in the QCOW2 format as part of the backup process. This format is disk-space-friendly and flexible in that each subsequent backup after the full backup can be an overlay to the base image.

The feature that sets Trilio apart is the Continuous Restore process that pre-stages backup data to target clusters and reduces the time it takes to restore service in the event of a major failure. It is essential for disaster recovery but can also be used for other applications, such as blue/green deployments and easy application migrations.

Aligned with data security and integrity best practices, Trilio uses role-based access control to ensure that only specific users can perform certain actions. RBAC, along with namespace isolation, supports multi-tenancy, so data is protected across multiple teams and departments. Data is encrypted both in transit and at rest using industry standards such as TLS and AES-256. The platform can also store immutable backups on storage providers that support object locking, making it more secure against ransomware attacks. 

For enterprise customers, Trilio supports its product through extensive documentation, multiple product videos, and a customer support portal. The company responds within 24 hours, so you know your request will be addressed by their technical experts quickly. If you have a trial license, you can submit issues to Trilio’s issue tracker, which is handled on a best-effort basis. Trilio also offers best-effort support through a Slack workspace, a nice feature not seen in other alternatives.

It is easy to get started with Trilio. For many of the major cloud providers, it is available from the cloud marketplaces, and you have the option to install the software on any Kubernetes distro. The platform provides a “pre-flight checklist” to ensure that your system meets all of the system requirements, and you can install the software via a Helm chart. Its user interface is intuitive, helping you easily set up backups, perform restores, and carry out migrations.

Trilio has a trial license that lets you try out all of the features and an enterprise license that can be tailored to your enterprise needs. 

Conclusion

As your Kubernetes environment grows and evolves, the software you use for data protection must be able to meet your changing needs. It is also important to consider the total cost of ownership, the level of support available, and how well each solution integrates with your existing infrastructure.

Velero is an easy entry point into Kubernetes backups. It is open source, free to use, and easy to install. However, it may not be able to meet the needs of your organization as it grows. Alternatives like Kasten, Portworx Backup, and Trilio for Kubernetes offer more advanced features, more flexibility, and the stronger security integrations needed for enterprise and multi-tenant environments. 

Trilio for Kubernetes is a strong choice for environments that can benefit from continuous data protection and fast recovery. Its Continuous Restore feature can significantly bring down the time it takes to restore operations from a disaster. It focuses on multi-tenancy, strong RBAC controls, and immutable backups. Trilio offers a high level of security and flexibility, making it the choice for enterprises needing fine-grained control over their backup and restore processes.
