Data protection is one of the most important parts of running your Kubernetes cluster. Data protection is about backing up and restoring data, but it goes beyond that: A complete data protection plan also keeps your data secure at multiple levels. Good data protection provides a safety net if you need to restore data after a loss, and you can use the same software to set up testing environments and disaster recovery sites. 

Many companies have established themselves in the data protection space, each with their own way of accomplishing this goal. This article looks at Velero and some Velero alternatives to consider once you are ready to look at enterprise-level data protection. 

Velero is a popular open-source solution for Kubernetes data protection. Its features, such as being open source and free to use, make it an easy product to begin with. However, as organizations scale and data protection needs become more complex, it is worth looking at some Velero alternatives for additional flexibility and feature sets.

In this article, we look at the top three Velero alternatives: Trilio for Kubernetes, Kasten, and Portworx Backup. We compare their capabilities and key strengths and highlight potential drawbacks. The goal is for you to be able to make informed decisions about the right data protection platform for your organization by understanding the alternatives.

Summary of key Kubernetes data protection software features to consider when assessing Velero alternatives

Because of its distributed nature, Kubernetes requires features that are different from traditional backup software. Let’s begin by briefly discussing the key features that every data protection software should have when working with Kubernetes. We will use these features to look at Velero and each alternative.

| Feature | Description |
| --- | --- |
| Application-consistent backups and restores | At the core of any data protection software is the ability to back up and then restore data. You want to have features that support data-consistent backups, such as hooks or a way to run custom scripts as part of the backup process. |
| Ease of use | The software must be easy to install and use. Any administrator with any level of experience should quickly understand how to restore data even when under pressure during a data loss event. Having an integrated web interface and a command-line interface is key to this capability. |
| Data security and integrity | Data protection software should ensure that data is encrypted, immutable, and accessible only by those who need it. Encryption should be done both at rest and in transit, and role-based access controls should be used. |
| Integrations | The Kubernetes ecosystem is wide and varied. It is important that your data protection software be able to fit and work with the various cloud and storage providers. |
| Advanced capabilities | Advanced functions like disaster recovery, application migration, and multi-cloud support extend the features of a data protection system beyond basic backup and restore. These advanced features provide additional protections and flexibility. |
| Support options | Most companies offer support in several ways: tickets, technical forums, and technical documentation. Some companies charge a premium to access direct vendor support. You must ensure that you have access to vendor support when needed, which will be determined by your organization’s overall skill set. |
| Cost | You need to understand the platform’s total cost of ownership (TCO) and balance that against its benefits and how they fit your needs. For example, if the software is free but lacks support, you might need to pay consultant fees; if it requires additional cloud computing resources to run, that cost must be taken into consideration. |

Velero features

Let’s look at Velero from the perspective of the seven key features mentioned above. This will help you understand how it compares to the alternatives discussed below. 

As mentioned earlier, Velero is an open-source tool for backing up Kubernetes clusters. Initially released in 2017, it has continued to have an active community of developers behind it. Note that the breakdown that follows is not exhaustive.

Application-consistent backups and restores

The first feature any data protection software should have is the ability to perform backups and restore that data. When we look at Kubernetes clusters, we must address the concept of application-consistent backups, which means that any operations that need to happen before backing up the data, such as flushing databases or caches, can be triggered pre-backup.

Velero follows the standard practice of Kubernetes controllers by providing custom resource definitions (CRDs) for backup and restore processes and the corresponding Kubernetes controllers to process those resources. You can create on-demand and scheduled backup resources and restore resources to fit your needs. You can control what resources you back up by filtering by namespace, label, or object type. 

You can create on-demand backups and schedule backups via a cron-like system. When Velero creates a backup, it first uploads a tarball of the Kubernetes objects and then creates a disk snapshot of any persistent volumes. This is important to highlight because that process complicates how Velero does its backups. It uses object storage for backups and integrates with storage providers for snapshots of persistent data. 

If you are running a database application, running any required pre-backup scripts is always recommended to ensure that data is properly flushed and that the backup is not taken in the middle of any changes. With Velero, there are backup hooks to run any pre/post-backup commands.

Restores with Velero are straightforward: Using namespaces and labels for filtering, you can restore all or a subset of your backed-up files. You can also remap namespaces when restoring the files so that you don’t always have to restore them to the same namespace. This is good for testing your restore or setting up a second instance of your application. Like the backup hooks, you can run commands pre/post-restore through restore hooks.

Ease of use

This consideration encompasses both how easy the software is to install and how easy it is to use to manage day-to-day operations. With that in mind, Velero may be more difficult for some users because it does not provide a graphical interface. Velero has a command-line utility that can be installed on macOS and Windows and via source code. Once the command-line utility is installed, you can install the Velero cluster components via either the Velero install CLI or a provided Helm chart.

As noted earlier, Velero uses object storage for backups and block storage via a storage provider for persistent volumes. This means you could have two providers (object and block) to configure upon installation. 

Since Velero does not have a graphical interface, other options have been created to fill this gap. For example, CloudCasa offers a dedicated UI for managing Velero backups, while Trilio provides a UI for its own Kubernetes data protection platform.

Post-install, Velero’s CLI allows you to perform all of your day-to-day operations, such as creating or scheduling backups and performing restores via the command line. 

Data security and integrity

By default, Velero runs with cluster-admin permissions. Although these permissions can be restricted, the administrator must configure security more tightly. Ideally, you want data protection software that makes securing access to your operations easier. 
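A check for the default described above, as an added example (not part of the article or of Velero): it lists every ClusterRoleBinding through which a backup service account holds cluster-admin, including the implicit service-account groups Kubernetes places it in. The `velero` service account and namespace names and the sample bindings are assumptions constructed for the example; real input would come from `kubectl get clusterrolebindings -o json`.

```python
import json

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`.
# Binding names and the "velero" service account/namespace are assumptions.
SAMPLE_BINDINGS = json.loads("""
{"items": [
  {"metadata": {"name": "velero"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount", "name": "velero", "namespace": "velero"}]},
  {"metadata": {"name": "ops-admins"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "ops"}]},
  {"metadata": {"name": "backup-ns-wide"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:serviceaccounts:velero"}]},
  {"metadata": {"name": "velero-readonly"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "ServiceAccount", "name": "velero", "namespace": "velero"}]},
  {"metadata": {"name": "orphaned"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}
]}
""")


def implicit_groups(namespace):
    """Groups every service account in `namespace` belongs to automatically."""
    return {
        "system:serviceaccounts",
        f"system:serviceaccounts:{namespace}",
        "system:authenticated",
    }


def cluster_admin_paths(bindings, sa_name, sa_namespace):
    """Return (binding, subject kind, subject name) for each ClusterRoleBinding
    that gives the service account cluster-admin, directly or via a group."""
    groups = implicit_groups(sa_namespace)
    hits = []
    for binding in bindings.get("items", []):
        ref = binding.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        # `subjects` may be absent or null on a binding with no subjects.
        for subject in binding.get("subjects") or []:
            direct = (
                subject.get("kind") == "ServiceAccount"
                and subject.get("name") == sa_name
                and subject.get("namespace") == sa_namespace
            )
            via_group = subject.get("kind") == "Group" and subject.get("name") in groups
            if direct or via_group:
                hits.append((binding["metadata"]["name"], subject["kind"], subject["name"]))
    return hits


if __name__ == "__main__":
    for name, kind, subject in cluster_admin_paths(SAMPLE_BINDINGS, "velero", "velero"):
        print(f"cluster-admin via binding {name!r} ({kind} {subject})")
```

An empty result for the backup service account means its permissions come from narrower roles; any hit is a binding to review when tightening the default.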

Data should be encrypted both in transit and at rest. Velero communicates with storage locations via HTTPS but has no native option for encrypting data at rest. Instead, it relies on storage providers’ options for that capability.

Creating immutable backups is a best practice for data security and integrity. An immutable backup cannot be changed after it has been created, which is helpful in recovering from data or ransomware attacks. Unfortunately, Velero cannot ensure backup data immutability due to how it performs its backups.

Integrations

Velero supports multiple Kubernetes distributions and storage providers and has a version compatibility matrix to align a version of Kubernetes with a version of Velero. Velero does not explicitly claim support for specific distributions such as OpenShift, Rancher, etc. or cloud offerings such as AKS, EKS, etc. Testing would be needed to verify that it works on any specific platform.

Velero maintains and develops a few plugins for integrations with storage providers, and the community develops a few additional ones. The software also supports a plugin framework that allows anybody to develop a provider without modifying the base code.

Velero maintains storage plugins for both object and block storage for the three major clouds: AWS, GCP, and Azure. This is not the case for VMware vSphere, which does not support object storage. Velero’s AWS object-storage plugin uses the AWS S3 API, so it can also connect to any S3-compatible storage.

Advanced capabilities

For data protection software, the primary role is to back up and restore data. Beyond that, software platforms are often differentiated by their advanced features.

Velero offers some features that help it compete with other established and enterprise offerings. Of note is the ability to migrate data between clusters, modify resources while restoring them, and run application hooks pre and post backups.

For data migration, Velero considers the data in object storage to be the source of truth. In this scenario, you point your cluster to the object storage, and it syncs the cluster to what is in the object storage. This makes it easy to migrate data between clusters within the same cloud provider, AWS, for example. If you are migrating data between clusters in different cloud providers, you would have to take a few extra steps outlined in their documentation.

When restoring data, you can modify resources as you restore them, such as renaming resources. This is a good way to populate a test environment with production data. Here are a few ways you can modify resources.

version: v1
resourceModifierRules:
- conditions:
    groupResource: persistentvolumeclaims
    resourceNameRegex: "^mysql.*$"
    namespaces:
    - web-app
    labelSelector:
      matchLabels:
        env: prod
  patches:
  - operation: replace
    path: "/spec/storageClassName"
    value: "standard"
  - operation: remove
    path: "/metadata/labels/production"

In this example, PVCs that match the resourceNameRegex in the web-app namespace and have the env: prod label applied will be subject to the updates in the patches section. In this case, the value in /spec/storageClassName would be replaced with “standard,” and the label “production” would be removed.
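The selection and patching described above, modelled in Python as an added example (not code from the article or from Velero). It assumes all conditions must hold together and that patches follow JSON Patch (RFC 6902) semantics, where replacing or removing a missing path is an error; the sample PVCs are constructed.

```python
import copy
import re

# The rule from the article as a Python dict (same fields as the YAML above).
RULE = {
    "conditions": {
        "groupResource": "persistentvolumeclaims",
        "resourceNameRegex": r"^mysql.*$",
        "namespaces": ["web-app"],
        "labelSelector": {"matchLabels": {"env": "prod"}},
    },
    "patches": [
        {"operation": "replace", "path": "/spec/storageClassName", "value": "standard"},
        {"operation": "remove", "path": "/metadata/labels/production"},
    ],
}


def _pvc(name, namespace, labels):
    return {"metadata": {"name": name, "namespace": namespace, "labels": labels},
            "spec": {"storageClassName": "fast-ssd"}}


# Constructed sample PVCs; names, namespaces and labels are made up.
PVCS = [
    _pvc("mysql-data-0", "web-app", {"env": "prod", "production": "true"}),
    _pvc("mysql-data-1", "staging", {"env": "prod", "production": "true"}),
    _pvc("redis-data-0", "web-app", {"env": "prod", "production": "true"}),
    _pvc("mysql-scratch", "web-app", {"env": "dev"}),
    _pvc("mysql-binlog", "web-app", {"env": "prod"}),  # matches, but lacks the label
]


def matches(rule, group_resource, obj):
    """True only if every condition in the rule holds for obj."""
    cond, meta = rule["conditions"], obj["metadata"]
    if cond["groupResource"] != group_resource:
        return False
    if not re.search(cond["resourceNameRegex"], meta["name"]):
        return False
    if cond.get("namespaces") and meta.get("namespace") not in cond["namespaces"]:
        return False
    wanted = cond.get("labelSelector", {}).get("matchLabels", {})
    labels = meta.get("labels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def _walk(doc, path):
    """Resolve a JSON Pointer (RFC 6901, dict keys only) to (parent, last key)."""
    keys = [k.replace("~1", "/").replace("~0", "~") for k in path.lstrip("/").split("/")]
    for key in keys[:-1]:
        doc = doc[key]
    return doc, keys[-1]


def apply_patches(rule, obj):
    """Apply the rule's patches to a copy of obj; missing targets raise KeyError."""
    patched = copy.deepcopy(obj)
    for patch in rule["patches"]:
        op, path = patch["operation"], patch["path"]
        try:
            parent, key = _walk(patched, path)
            present = key in parent
        except (KeyError, TypeError):
            present = False
        if not present:
            raise KeyError(f"{op} target {path} does not exist")
        if op == "replace":
            parent[key] = patch["value"]
        elif op == "remove":
            del parent[key]
        else:
            raise ValueError(f"operation {op!r} is not modelled in this example")
    return patched


def preview(rule, group_resource, objects):
    """Map each object name to 'skipped', its patched copy, or an error string."""
    result = {}
    for obj in objects:
        name = obj["metadata"]["name"]
        if not matches(rule, group_resource, obj):
            result[name] = "skipped"
            continue
        try:
            result[name] = apply_patches(rule, obj)
        except KeyError as exc:
            result[name] = f"error: {exc.args[0]}"
    return result


if __name__ == "__main__":
    for name, outcome in preview(RULE, "persistentvolumeclaims", PVCS).items():
        print(name, "->", outcome)
```

Only `mysql-data-0` is rewritten; `mysql-binlog` satisfies every condition but fails the `remove` because it has no `production` label, which is worth checking for before relying on a rule to strip production markers from restored data.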

Lastly, the pre/post backup hooks are important to ensure that you are collecting application-consistent backups. These are often used for backing up databases or distributed filesystems, scenarios where flushing all writes to disk before taking a backup is essential.

For example, before a backup, you may run a script to flush database caches to disk, pause writes, and afterward run a script that resumes writes to the database.

Support options

Velero does not offer traditional vendor support; instead, support is offered on a best-effort basis for the current and immediately previous version. If your installation is older, you may be required to upgrade before receiving best-effort support.

Velero has a specific support process, appointing a new person weekly to monitor public Slack channels. There is no response time SLA, which may be needed in larger organizations. The full support process can be reviewed here.

Cost

Velero is a free and open-source backup solution, which is one of its most attractive features for getting started. If your team is technically inclined, you may be able to work with Velero’s default level of support, providing benefits in terms of total cost of ownership.

Velero alternatives

In the rest of this article, we’ll look at some of the popular alternatives to Velero and the features they provide. Note that we are only scratching the surface of each of these alternatives due to the inherent space limitations of an article.

Feature summary of data protection solutions of Velero alternatives

| Feature | Kasten | Portworx PX-Backup | Trilio for Kubernetes |
| --- | --- | --- | --- |
| Primary features: backup/restore data protection | Backup, restore, disaster recovery, application mobility | Backup, restore, disaster recovery | Backup, restore migration, point-in-time recovery, incremental backups, continuous restore, and application mobility |
| Ease of use | Intuitive interface, easy setup | User-friendly, straightforward setup | Easily installed on multiple clouds, integrated user interface |
| Data security and integrity | Uses native RBAC controls, supports data encryption and immutable backups | Defined RBAC roles, data encrypted in transit and at rest, immutable backups | Integrated RBAC roles, data encrypted in a common QCOW2 format and immutable backups |
| Integrations | Supports various storage backends, integrates with cloud providers | Integration with Portworx Enterprise and multi-cloud | Integrates with major cloud providers, ACM/Kyverno, and Ansible |
| Advanced features | Advanced compliance and security features, application migration | Application-consistent backups, advanced disaster recovery | Advanced disaster recovery, application consistency, multi-cloud deployments, advanced compliance and security features |
| Support | Commercial support with SLAs, regular updates | Commercial support and community documentation | Commercial support with SLAs, comprehensive documentation and regular updates |
| Cost | Free to use for five nodes or less, commercial may cost too much for a small business | Free for 1 cluster up to 1 TB, flexible pricing afterward | Flexible pricing options that grow with your cluster |

Trilio for Kubernetes

Trilio for Kubernetes is designed to protect applications and data on Kubernetes clusters. Unlike the other alternatives, Trilio’s sole focus as a company is on data protection for cloud-native platforms such as Kubernetes, OpenShift, and OpenStack.

Trilio performs application-centric backups, meaning that it can back up entire applications and virtual machines based on namespaces or labels, backup operators, and Helm deployments. It executes application-specific hooks during the backup process to ensure that all data and writes are flushed to disk before backing up.

Trilio backs up container images, so you know you have the exact image your application was running on – a unique feature that is missing from other alternatives. Trilio saves all resource metadata and application data in the QCOW2 format as part of the backup process. This format is disk-space-friendly and flexible in that each subsequent backup after the full backup can be an overlay to the base image.

It is easy to get started with Trilio. For many of the major cloud providers, it is available from the cloud marketplaces, and you have the option to install the software on any Kubernetes distro. Trilio provides a “pre-flight checklist” to ensure that your system meets all of the system requirements, and you can install the software via a Helm chart.

The Trilio UI makes it easy to click through the process of setting up backups and performing restores and migrations.

Trilio has multiple features that align it with data security and integrity best practices. It uses role-based access control to ensure that only specific users can perform certain actions. RBAC, along with namespace isolation, supports multi-tenancy, so data is protected across multiple teams and departments.

Data is encrypted in transit and at rest using industry standards such as TLS and AES-256. Trilio can store immutable backups on storage providers that support object locking, making it more secure against ransomware attacks. 

One feature that sets Trilio apart is Continuous Restore. This process pre-stages backup data to target clusters and reduces the time it takes to restore service in the event of a major failure. It is essential for disaster recovery but can also be used for other applications, such as blue/green deployments and easy application migrations.

For enterprise customers, Trilio supports its product through extensive documentation, multiple product videos, and a customer support portal. Trilio responds within 24 hours, so you know your request will be addressed by their technical experts quickly. If you have a trial license, you can submit issues to Trilio’s issue tracker, which is handled on a best-effort basis. Trilio also offers best-effort support through a Slack workspace, a nice feature not seen in other alternatives.

Trilio has a trial license that lets you try out all of the features and an enterprise license that can be tailored to your enterprise needs. 

Overall, Trilio is a great Velero alternative. It has all the features needed to let you create application-consistent backups and additional features that really give you control of how you back up your data and how you restore that data. Advanced features like continuous restore make DR planning and blue/green deployments easy to implement.

Veeam Kasten

Kasten is a data protection platform designed for Kubernetes that was founded in 2019 and later acquired by Veeam. Kasten can be installed on a wide array of Kubernetes distributions, including all popular cloud providers (EKS, GKE, and AKS) and has built-in application support for popular databases. This is one distinguishing factor between Kasten and Velero: Where Velero supports specific Kubernetes versions, Kasten outlines support for vendor-specific distros such as OpenShift and Rancher. 

The image below shows various applications, K8s distros, storage providers, and security services. 

Source: https://docs.kasten.io/latest/index.html

Kasten meets all the basic requirements for data protection software. It can perform application-centric backups, meaning that Kasten can back up an application’s code and persistent data in a consistent state and restore it to the same location or a different one.

Kasten differentiates itself from Velero because you have more options for backing up the data and built-in support for popular databases such as MongoDB and MySQL. You generally also have finer-grained control over how you back up your applications, how you schedule them, and how and where you restore them. One of the nice features is a backup window, meaning that you can set a time interval for the backup. If the time window is too short for the backup to finish, the backup will be canceled. This could be good if you find that creating backups puts stress on resources and do not want them running too long.

Because Kasten is supported on so many different platforms, there are instructions for each platform, making it easy to follow. Installing Kasten using a Helm chart is easy, and there is support for individual marketplaces such as the Azure Marketplace or the OpenShift operator hub. 

Once installed, Kasten has a graphical user interface, which makes it easier to use than Velero. In addition to the GUI, it also has a CLI component that allows you to perform Kasten day-to-day operations.

When it comes to data security and integrity, Kasten implements role-based access controls native to Kubernetes. Kasten provides three predetermined RBAC roles to limit access to your backup operations, unlike Velero, where the default is a cluster-admin role. This makes Kasten more secure by default. All application data is encrypted by default, and the storage provider handles the encryption and protection of snapshots and volumes. Each provider can handle this part differently, so you must research your provider. Finally, Kasten supports immutable backups, which Velero cannot do. 

Kasten has some advanced features that separate it from Velero; we will only highlight a few of them. Kasten integrates with Kanister, allowing for application-specific data management through blueprints. For example, you can create a blueprint to back up and restore a MySQL database in a specific way. 

Here is an example of a blueprint for backing up and restoring all MySQL databases. Notice that you can run specific commands for backup and restore operations: 

apiVersion: cr.kanister.io/v1alpha1
kind: Blueprint
metadata:
  name: mysql-blueprint
actions:
  backup:
    phases:
    - func: KubeExec
      name: backup
      args:
        namespace: "{{ .StatefulSet.Namespace }}"
        pod: "{{ index .StatefulSet.Pods 0 }}"
        container: "mysql"
        command: ["sh", "-c", "mysqldump --all-databases > /mnt/backup/backup.sql"]
  restore:
    phases:
    - func: KubeExec
      name: restore
      args:
        namespace: "{{ .StatefulSet.Namespace }}"
        pod: "{{ index .StatefulSet.Pods 0 }}"
        container: "mysql"
        command: ["sh", "-c", "mysql < /mnt/backup/backup.sql"]

For more information on blueprints, take a look at their documentation.

In addition to Kanister, Kasten has more built-in controls for how and when you back up your application. You also have more options for restoring your application, including resource renaming and locations to restore to. If you are running multiple Kubernetes clusters, you can manage data protection for all your clusters through a multi-cluster management interface.

Kasten is free for five nodes, which makes it perfect for trying out in your environment. If you have more than five nodes, Kasten has a per-node subscription plan. Its website does not indicate how much each node costs, but looking at the Red Hat Marketplace, it appears to be $0.26 per server hour. For support, you have the options of documentation and their knowledge base and a customer portal where you can open cases.

Overall, Kasten checks many boxes for data protection software. It has all the basic functionality and extends on those functions with more options, making it a more complete product than Velero. If Kasten works for you, check out its Kasten Best Practices section and full documentation.

Portworx Backup (PX-Backup)

Portworx Backup, also known as PX-Backup, is just one product in a suite of offerings from Pure Storage. It might be a good solution if you are already using Portworx’s other services or intend to use them in the future. The company also provides storage and database management services.

PX-Backup is Kubernetes-focused data protection software that can back up and restore Kubernetes applications and persistent data, meeting the basic requirements for our comparisons. A nice feature that Velero does not have is that PX-Backup can back up VMs running under KubeVirt. 

Portworx allows you to use namespaces or labels to create your backups and schedule them using a schedule policy that defines when to create backups and how long they should be kept. The concept of backup rules helps create application-consistent backups, allowing pre- and post-backup actions to happen. 

Lastly, you can restore a backup over the same resources or map them to other resources or even a different cluster, which can be helpful with data migration. 

In terms of ease of use, PX-Backup can be installed on any Kubernetes cluster and is available in many cloud marketplaces. However, it does have specific lists of software requirements, which vary based on the platform and the number of backups you want to perform.

Portworx has its own central web dashboard from which you can configure backups and perform restores as well as get alerts for various events, such as failed backups or restores. This makes it easy to use and perform day-to-day operations. For those who prefer a CLI interface, there is pxctl, which can also perform all day-to-day operations.

For data security and integrity, PX-Backup has three built-in roles covering various application access levels, ranging from full infrastructure to application-specific access, which makes it good for a multi-tenant environment. PX-Backup also ensures that data is encrypted at rest and in transit whenever possible. Data stored on an S3-compliant object store can also be locked to prevent any change, following the best practice of making your backups immutable.

Looking at advanced features, PX-Backup builds upon the basic features with more options, including the ability to back up VMs. For example, with backups and restores, you can back up an application in one cluster and restore it to another entirely within the Portworx web dashboard. This makes application mobility easier to achieve. 

One nice feature is the ability to share single backups with other team members. This helps avoid duplicate data/work if multiple teams need a backup of specific resources. 

For disaster recovery, PX-Backup can keep a DR site in sync synchronously or asynchronously, depending on the latency between the clusters. For example, if you had two clusters in the same region, you might choose to keep them in sync synchronously so you always have an up-to-date DR site. If you are syncing a cloud outside of the same region, you would choose asynchronously, where the DR site is kept up to date, but this is done through incremental changes.

PX-Backup offers vendor support via a customer portal as well as a community forum and extensive documentation. Their documentation is well laid out and easy to follow for each step of the product life cycle, from high-level concepts to day-to-day operations.

Overall, Portworx Backup has a complete set of features and great documentation. They have a 30-day free trial, so you can check it out for yourself before committing. The AWS marketplace shows the per-hour cost to be $0.20, slightly less than Kasten. 

PX-Backup is a great solution if you want to utilize and integrate more of Pure Storage’s offerings.

Conclusion

As your Kubernetes environment grows and evolves, the software you use for data protection must be able to meet your changing needs. It is also important to consider the total cost of ownership, the level of support available, and how well each solution integrates with your existing infrastructure.

Velero is an easy entry point into Kubernetes backups. It is open source, free to use, and easy to install. However, it may not be able to meet the needs of your organization as it grows. Alternatives like Kasten, Portworx Backup, and Trilio for Kubernetes offer more advanced features, more flexibility, and the stronger security integrations needed for enterprise and multi-tenant environments. 

Trilio for Kubernetes is a strong choice for environments that can benefit from continuous data protection and fast recovery. Its Continuous Restore feature can significantly bring down the time it takes to restore operations from a disaster. It focuses on multi-tenancy, strong RBAC controls, and immutable backups. Trilio offers a high level of security and flexibility, making it the choice for enterprises needing fine-grained control over their backup and restore processes.
