Getting Started
Concepts and Features
Backup and Restore
In Place Update
Instance Template
Trouble Shooting
References
Upgrade KubeBlocks
To ensure that the restored cluster can access the data properly, KubeBlocks encrypts the cluster's credentials during the backup process and securely stores it in the Annotation of the Backup object. Therefore, to protect your data security, it is strongly recommended to carefully assign Get/List permissions for backup objects and specify an encryption key during the installation or upgrade of KubeBlocks. These measures will help ensure the proper protection of your data.
KubeBlocks has integrated data encryption functionality for datasafed since v0.9.0. Currently, the supported encryption algorithms include AES-128-CFB, AES-192-CFB, and AES-256-CFB. This function allows backup data to be encrypted before being written to storage. The encryption key then will be used to encrypt connection passwords and also to back up data. You can reference existing keys or create different secret keys for database clusters according to actual needs.
If the secret already exists, you can choose to directly reference it without setting the dataProtection.encryptionKey. KubeBlocks provides a quick way to reference an existing key for encryption.
Assuming there is a pre-defined secret named dp-encryption-key and a key encryptionKey inside it. For example, a secret created by this command.
kubectl create secret generic dp-encryption-key \
--from-literal=encryptionKey='S!B\*d$zDsb='
And then you can reference it when installing or upgrading KubeBlocks.
kbcli kubeblocks install \
--set dataProtection.encryptionKeySecretKeyRef.name="dp-encryption-key" \
--set dataProtection.encryptionKeySecretKeyRef.key="encryptionKey"
# The above command is equivalent to:
# kbcli kubeblocks install --set dataProtection.encryptionKey='S!B\*d$zDsb='
If you do not need to enable backup encryption by default, or if you need to use a separate encryptionKey, just create a Secret and manually enable backup encryption by following the steps below.
Create a Secret to store the encryption key.
kubectl create secret generic backup-encryption \
--from-literal=secretKey='your secret key'
Enable encryption.
Remember to reference the key created before.
kubectl --type merge patch backuppolicy mysqlcluster-mysql-backup-policy \
-p '{"spec":{"encryptionConfig":{"algorithm":"AES-256-CFB","passPhraseSecretKeyRef":{"name":"backup-encryption","key":"secretKey"}}}}'
You can also use kbcli to simplify the process.
# enable encryption
kbcli cluster edit-backup-policy <backup-policy-name> --set encryption.algorithm=AES-256-CFB --set encryption.passPhrase="SECRET!"
# disable encryption
kbcli cluster edit-backup-policy <backup-policy-name> --set encryption.disabled=true
Now you can perform backups and restores as usual.
The secret created in Step 1 should not be modified or deleted; otherwise, decryption of backups may fail.
By default, the encrytpionKey is only used for encrypting the connection password, if you want to use it to encrypt backup data as well, add --set dataProtection.enableBackupEncryption=true to the above command. After that, all newly-created clusters are enabled for backup encryption by default.
Prepare a cluster for testing the backup and restore function. The following instructions use the MySQL cluster mycluster in the default namespace as an example.
# Create a MySQL cluster
kbcli cluster create mysql mycluster
# View backupPolicy
kbcli cluster list-backup-policies mycluster
>
NAME NAMESPACE DEFAULT CLUSTER COMPONENT CREATE-TIME STATUS
mycluster-mysql-backup-policy default true mycluster mysql May 26,2025 18:11 UTC+0800 Available
By default, all the backups are stored in the default global repository. You can execute the following command to view all BackupRepos. When the DEFAULT field is true, the BackupRepo is the default BackupRepo.
# View BackupRepo
kbcli backuprepo list
After creating a database cluster, a BackupPolicy is created automatically for databases that support backup. Execute the following command to view the BackupPolicy of the cluster.
kubectl get backuppolicy -l app.kubernetes.io/instance=mycluster
>
NAME BACKUP-REPO STATUS AGE
mycluster-mysql-backup-policy Available 83s
kbcli cluster list-backup-policies mycluster
>
NAME NAMESPACE DEFAULT CLUSTER COMPONENT CREATE-TIME STATUS
mycluster-mysql-backup-policy default true mycluster mysql May 26,2025 18:11 UTC+0800 Available
The backup policy includes the backup methods supported by the cluster. Execute the following command to view the backup methods.
kubectl get backuppolicy mycluster-mysql-backup-policy -o yaml
kbcli cluster describe-backup-policy mycluster
>
Summary:
Name: mycluster-mysql-backup-policy
Cluster: mycluster
Component: mysql
Namespace: default
Default: true
Backup Methods:
NAME ACTIONSET SNAPSHOT-VOLUMES
xtrabackup mysql-xtrabackup-br false
volume-snapshot mysql-volume-snapshot true
archive-binlog mysql-pitr false
For a MySQL cluster, two default backup methods are supported: xtrabackup and volume-snapshot. The former uses the backup tool xtrabackup to backup MySQL data to an object storage, while the latter utilizes the volume snapshot capability of cloud storage to backup data through snapshots. When creating a backup, you can specify which backup method to use.