Step 3.1 Installing Veeam Kasten for Kubernetes on Microsoft Azure Kubernetes Service (AKS)

This guide helps you install Veeam Kasten for Kubernetes. Veeam Kasten for Kubernetes helps backup, restore, and disaster recovery for your Kubernetes applications. Two of the most common install methods are Helm installations and Operator-based installations. The steps in this section will show examples of a Helm installation using Azure AKS. For Operator-based installations, see the demo in Step 3.4 for an example using Red Hat OpenShift. Other environment-specific examples can be found in our official Veeam Kasten for Kubernetes documentation.

• Installing Veeam Kasten for Kubernetes on AWS 
• Installing Veeam Kasten for Kubernetes on AWS Marketplace for Containers Anywhere 
• Installing Veeam Kasten for Kubernetes on AWS EKS using EKS Add-on 
• Installing Veeam Kasten for Kubernetes on Azure 
• Installing Veeam Kasten for Kubernetes on Red Hat OpenShift 
• Installing Veeam Kasten for Kubernetes on Google Cloud 
• Installing Veeam Kasten for Kubernetes on DigitalOcean 
• Installing Veeam Kasten for Kubernetes on VMware vSphere 
• SUSE Rancher Apps & Marketplace Based Installation 
• Installing Veeam Kasten for Kubernetes on K3S 
• Installing Veeam Kasten for Kubernetes on Other Kubernetes Distributions 

Before you begin

• Ensure your K8 cluster meets the installation prerequisites: install prerequisites

Installation Steps 

The helm command mentioned below can be used to install Veeam Kasten for Kubernetes in a namespace called kasten-io with token-based authentication and a loadBalancer type of service to expose Veeam Kasten for Kubernetes UI.  

Veeam Kasten for Kubernetes assumes that SSDs or similar fast storage media support the default storage class. If the default storage class doesn't meet the performance requirements, use the following option global.persistence.storageClass to specify a custom storageClass to the Veeam Kasten for Kubernetes Helm installation command.

helm install k10 kasten/k10 --namespace=kasten-io --create-namespace \ 

    --set auth.tokenAuth.enabled=true \ 

    --set externalGateway.create=true \ 

    --set global.persistence.storageClass=<StorageClassName> 

There are other supported mechanisms to expose Veeam Kasten for Kubernetes UI and to integrate with existing/external authentication providers. Please look at the Authentication and Dashboard Access part of the documentation for further customization of Veeam Kasten for Kubernetes configurations. 

Validating the Installation 

To validate that Veeam Kasten for Kubernetes has been installed properly, the following command can be run in Veeam Kasten for Kubernetes namespace (the install default is kasten-io) to watch for the status of all Veeam Kasten for Kubernetes pods:

Watch kubectl get pods --namespace kasten-io 

It may take a couple of minutes for all pods to come up but all pods should ultimately display the status of Running.

kubectl get pods --namespace kasten-io 

NAMESPACE     NAME                                    READY   STATUS    RESTARTS   AGE 

kasten-io     aggregatedapis-svc-b45d98bb5-w54pr      1/1     Running   0          1m26s 

kasten-io     auth-svc-8549fc9c59-9c9fb               1/1     Running   0          1m26s 

kasten-io     catalog-svc-f64666fdf-5t5tv             2/2     Running   0          1m26s 

Accessing Veeam Kasten for Kubernetes Dashboard (Optional) 

The Veeam Kasten for Kubernetes dashboard will be available at the http://<external-ip-or-path>/k10/ URL path of the DNS or External IP address of the loadbalancer. You can find the External IP by running the command:

kubectl get svc -n kasten-io gateway-ext 

NAME          	TYPE           	   CLUSTER-IP          EXTERNAL-IP       PORT(S)       	    AGE 

gateway-ext   LoadBalancer   10.245.209.113   198.51.100.15	80:31652/TCP   2m49s

If you installed Veeam Kasten for Kubernetes with a different release name than Veeam Kasten for Kubernetes (specified via the --name option in the install command), the dashboard will be available at the /<release-name>/ URL path.

You can also use kubectl port-forward to access it locally if you have not enabled external loadbalancer.

This will make the dashboard available at http://127.0.0.1:8080/k10/#/

Step 3.2 Preparing for an Air-Gapped Installation of Veeam Kasten for Kubernetes (Optional)

If an air-gapped installation is required, it is possible to use your own private container registry to install Veeam Kasten for Kubernetes. While this can always be done manually, the ``k10offline`` tool makes it easier to automate the process.  

Fetching the Helm Chart for Local Use  

To fetch the most recent Veeam Kasten for Kubernetes Helm chart for local use, run the following command to pull the latest Veeam Kasten for Kubernetes chart as a compressed tarball (.tgz) file into the working directory.  

helm repo update && \

	helm repo update && \

If you need to fetch a specific version, please run the following command:  

 helm repo update && \  

	 helm fetch kasten/k10 --version=<k10-version>  

Preparing Veeam Kasten for Kubernetes Container Images for Air-Gapped Use

There are multiple ways to use a private repository including setting up a caching or proxy image registry that points to the Veeam Kasten for Kubernetes image repositories using tools such as JFrog Artifactory. However, if images need to be manually uploaded or an automated upload pipeline is required to add Veeam Kasten for Kubernetes images into your private repository, the following documentation should help.  

The following command will list all images used by the current Veeam Kasten for Kubernetes version, this can be helpful if there is a requirement to tag and push Veeam Kasten for Kubernetes images into your private repository manually instead of using the Kasten provided tool documented below.

docker run --rm -it gcr.io/kasten-images/k10offline:6.5.12 list-images

Finally, to completely automate the download and re-upload of Veeam Kasten for Kubernetes container images, the following command will pull all Veeam Kasten for Kubernetes images into your local repository, re-tag them for a repository located at repo.example.com and push them to this specified registry.

docker run --rm -ti -v /var/run/docker.sock:/var/run/docker.sock \

    -v ${HOME}/.docker:/root/.docker \

    gcr.io/kasten-images/k10offline:6.5.12 pull images --newrepo repo.example.com

Note that k10offline tool will use your local docker config if the private registry requires authentication. To access the private registry, you may need to log in manually within the k10offline container shell if your local docker config does not have the credentials stored. You can execute below commands to access k10offline container shell.

#Attach to the k10offline container

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \

    -it --entrypoint /bin/sh gcr.io/kasten-images/k10offline:6.5.12

#Manually do a docker login

docker login repo.example.com



#Once logged in, push the image to the external repository.

/k10offline pull images --newrepo repo.example.com

Providing Credentials if Local Container Repository is Private

If the external registry that you are using is private, credentials for that repository can be provided using secrets.dockerConfig and global.imagePullSecret flags, as below, with the helm install command.

--set secrets.dockerConfig=$(base64 -w 0 < ${HOME}/.docker/config.json) \

--set global.imagePullSecret="k10-ecr"

If you already have a custom secret with the docker config to connect to your private registry, global.imagePullSecret flag can be used to refer the name of the secret

--set global.imagePullSecret="<custom-docker-config-secret-name>"

Providing Installing Veeam Kasten for Kubernetes with Local Helm Chart and Container Images

If the Veeam Kasten for Kubernetes container images were uploaded to a registry at repo.example.com, an air-gapped installation can be performed by setting `global.airgapped.repository=repo.example.com` as shown in the below command:  

helm install k10 k10-6.5.12.tgz --namespace kasten-io --create-namespace \

    --set global.airgapped.repository=repo.example.com \

    --set secrets.dockerConfig=$(base64 -w 0 < ${HOME}/.docker/config.json) \

    --set global.imagePullSecret="k10-ecr" --set metering.mode=airgap

Step 3.3 Veeam Kasten for Kubernetes License management

This guide explains Veeam Kasten for Kubernetes licensing options and how to manage them for your Kubernetes cluster.

Free vs. Enterprise Edition

Veeam Kasten for Kubernetes offers two main license types:

• Veeam Kasten for Kubernetes comes with a default free edition license.  
• The free edition allows usage on a cluster with a maximum of 50 worker nodes for the first 30 days, then limited to 5 nodes after.  
• Regular updates are required to maintain the free license within the 6-month support window.  
• Enterprise Edition: This paid version removes the node restriction and offers additional features. You'll need a license from the Kasten team to use it.  

Applying a License During Installation

To install a license (Enterprise license) that removes the node restriction, please add the following to any of the helm install commands:

--set license=<license-text>

or, to install a license from a file:

--set-file license=<path-to-license-file>

Changing Licenses After Installation

You can change or add a new license anytime after installation. Here's how: 

1. Create a Kubernetes Secret : 

To add a new license to Veeam Kasten for Kubernetes, a secret needs to be created in the Veeam Kasten for Kubernetes namespace (default is kasten-io) with the requirement that the license text be set in a field named license. To do this from the command line, run:  

$ kubectl create secret generic <license-secret-name> \

    --namespace kasten-io \

    --from-literal=license="<license-text>"

or, to add a license from a file:

$ kubectl create secret generic <license-secret-name> \

    --namespace kasten-io \

    --from-file=license="<path-to-license-file>"

Add Licenses via Dashboard:

• Licenses can also be added via the Licenses page in the Settings menu of the navigation sidebar, either by pasting the license text or loading it from a file.

Step 3.4 Veeam Kasten for Kubernetes RBAC (Authorization)

This guide explains Veeam Kasten for Kubernetes Role-Based Access Control (RBAC) roles and how they are used to manage user permissions.

Understanding Veeam Kasten for Kubernetes Roles

Veeam Kasten for Kubernetes comes with three default ClusterRoles:

• k10-admin: Provides full access to all Veeam Kasten for Kubernetes features for administrators.
• k10-basic: Grants users permission to backup, restore, and view applications in namespaces they have access to.
• k10-config-view: Allows users to view Veeam Kasten for Kubernetes configuration details (profiles, policies, etc.) on the dashboard.

How Roles are Assigned

• ClusterRoles: Apply across the entire cluster.
• Roles: Apply within a specific namespace.
• ClusterRoleBindings: Bind ClusterRoles to users or groups (cluster-wide access).
• RoleBindings: Bind Roles to users or groups within a namespace.

Pre-defined Veeam Kasten for Kubernetes Roles

• k10-admin:
• This role grants full access to everything Veeam Kasten for Kubernetes can do.
• It's assigned to the k10:admins group by default.
• You can add users to this group for admin access.
• k10-ns-admin:
• Provides access to secrets and config maps within the Veeam Kasten for Kubernetes namespace.
• Assigned to the k10:admins group within the Veeam Kasten for Kubernetes namespace by default
• k10-basic:
• Allows users to backup, restore, and view applications in assigned namespaces.
• Assigned to a RoleBinding within the relevant namespace(s).
• k10-basic-config:
• Grants access to specific profiles or blueprints in the Veeam Kasten for Kubernetes namespace.
• Assigned to a RoleBinding within the Veeam Kasten for Kubernetes namespace.
• k10-config-view:
• Allows users to view Veeam Kasten for Kubernetes configuration details on the dashboard.
• Assigned to a ClusterRoleBinding by default (cluster-wide access).

Additional Notes

• You can modify these roles or create new ones for granular access control.
• To view Kubernetes RBAC objects on the Veeam Kasten for Kubernetes dashboard, additional RBAC permissions are required. An example ClusterRole and ClusterRoleBinding are provided for this purpose. 

Step 3.5 Operator based Installation

Veeam Kasten for Kubernetes Operator Editions

• Veeam Kasten for Kubernetes (Free): Free edition for clusters up to 5 nodes.
• Veeam Kasten for Kubernetes (Enterprise - PAYGO): Enterprise edition billed per node-hour usage.
• Veeam Kasten for Kubernetes (Enterprise - Term): Enterprise edition with a term license.  

This step is optional but recommended. It checks if your cluster meets Veeam Kasten for Kubernetes requirements and validates CSI (Container Storage Interface) functionality (if applicable).

Run the following command to deploy the pre-check tool:

$ curl https://docs.kasten.io/tools/k10_primer.sh | bash

Prerequisites

• A functional Red Hat OpenShift environment.
• (Optional) A namespace (project) for Veeam Kasten for Kubernetes. By default, this guide uses kasten-io.

oc new-project kasten-io \

  --description="Kubernetes data management platform" \

  --display-name="Kasten K10"

Step 3.6 OpenShift Authentication Setup for Veeam Kasten for Kubernetes

• Before installing or upgrading Veeam Kasten for Kubernetes, a Service Account must be created in the namespace where Veeam Kasten for Kubernetes will be installed or upgraded.
• The Service Account represents an OAuth client that interacts with OpenShift's OAuth server.
• If the Veeam Kasten for Kubernetes namespace doesn't exist, it must be created.
• A Service Account named k10-dex-sa annotated with serviceaccounts.openshift.io/oauth-redirecturi.dex needs to be created in the Veeam Kasten for Kubernetes namespace.
• After Service Account creation, Veeam Kasten for Kubernetes automatically generates the corresponding client secret required for connection to the OpenShift OAuth server.

$ cat > oauth-sa.yaml <<EOF

apiVersion: v1

kind: ServiceAccount

metadata:

  name: k10-dex-sa

  namespace: kasten-io

  annotations:

    serviceaccounts.openshift.io/oauth-redirecturi.dex: <https://example.com/k10/dex/callback>

EOF

$ kubectl create -f oauth-sa.yaml

Install Root CA in K10's Namespace

• Depending on OpenShift cluster configuration, obtain a certificate.
• Two methods are provided: Method 1 (Obtain certificates from OpenShift Ingress and External Load Balancer) and Method 2 (Obtain certificate from OpenShift cluster-wide proxy).
• After obtaining the certificate, create a ConfigMap in the Veeam Kasten for Kubernetes namespace containing the certificate.

Install or Update K10 with OpenShift Authentication

There are two options depending on your installation method:  

A. Red Hat OpenShift Operator

B. Helm Chart:

Use these Helm options during installation/upgrade:  

$ helm upgrade k10 kasten/k10 --namespace kasten-io --reuse-values \

  --set auth.openshift.enabled=true \

  --set auth.openshift.serviceAccount="service account" \

  --set auth.openshift.dashboardURL="<K10's dashboard URL>" \

  --set auth.openshift.openshiftURL="<OpenShift API server's URL>" \

  --set auth.openshift.insecureCA=false \

  --set cacertconfigmap.name=<name-of-the-configmap>

Replace the placeholders with your actual values.  

Get ready for Step 4 of your onboarding journey. At the next step, we will learn essential policy configurations, explore Veeam Kasten Console, and create your first backup Policy.

If you need more help getting started, you can post your question in the comments section below or contact us at veeam.university@veeam.com any time and someone from the Customer Success team will be there to assist you. 

Continue to Step 4: Operating K10

Return to Course Outline