In the landscape of modern application development and deployment, Kubernetes has transcended its adoption phase to become a cornerstone technology for organizations worldwide.
According to the Cloud Native Computing Foundation (CNCF), a staggering 96% of organizations are actively using or evaluating Kubernetes, with over 5.6 million developers worldwide embracing its capabilities. In addition, Datadog’s Container Report highlights that nearly 90% of Kubernetes users rely on cloud-managed services, showcasing the platform's widespread integration into cloud infrastructures along with on-premises infrastructure.
New Paradigm: More Stateful Applications
Traditionally, Kubernetes was used to manage stateless applications, where data doesn’t need to persist after the application is shut down. However, as businesses demand more complex operations and storage solutions, there has been a significant shift toward stateful applications within Kubernetes environments. This transition brings about a new set of challenges, particularly in the realm of data protection. With more persistent data being stored, the stakes for ensuring data integrity and security are higher than ever.
Protecting Kubernetes data in a stateful environment is no small feat. As applications become increasingly reliant on persistent storage, the complexity of managing and safeguarding this data grows exponentially. Unlike stateless applications, where data can be easily replicated and does not require persistent storage, stateful applications involve managing databases, user sessions, and intricate transaction data that must be preserved across sessions and pod restarts.
This persistence necessitates robust backup strategies, efficient disaster recovery plans, and stringent access controls to protect against data loss and unauthorized access. Furthermore, the dynamic nature of containerized environments, with pods being created and destroyed frequently, adds another layer of complexity to data protection efforts.
This blog will dive into the intricacies of navigating these challenges, providing insights and strategies to bolster the security posture of Kubernetes deployments in the evolving landscape of mainstream adoption.
Rubrik for Kubernetes Protection
Rubrik Security Cloud (RSC) is a software-as-a-service (SaaS) platform that enables you to keep your data secure, monitor data risk, and quickly recover data wherever it lives: across the enterprise, in the cloud, and in SaaS applications.
More specifically, RSC enables the backup and recovery of persistent volumes and Kubernetes objects associated with applications, ensuring protection and the ability to restore from a specific point in time. The underlying technology is designed to provide the following benefits:
Unified platform:
- Centralized view of Kubernetes environments across cloud and on-premises
- Data protection through a global SLA policy engine
- Support for namespace recovery using in-place or export options
- Support for granular app-level recovery
Secure backups:
- In-flight and at-rest database data encryption
- Air-gapped, immutable backups
- RBAC for controlled access
Scalable application-consistent protection:
- Protect unlimited K8s clusters and nodes
- Protect app state, data, and metadata
- Protect any CSI-compatible storage
Comprehensive support:
- 24x7, global support
- Dedicated support team to deliver the best customer experience
What’s protected?
Your Kubernetes application state and persistent data need protection. But why now?
Persistent Volumes
Developers now leverage persistent volumes within the Kubernetes cluster to facilitate application mobility. Previously, these applications relied on storing data externally, often to a data service or NAS. Protected persistent volumes allow for faster recovery and minimize downtime in case of system failures, disasters, or cyberattacks.
Application State: Configuration and Metadata
As the risks and threats to your organization's build and deployment pipelines rise, safeguarding the application state becomes of utmost importance. This safeguarding ensures a pristine backup copy is available should redeployment from code not be feasible.
Rubrik protects the persistent volumes and application state across cloud and on-premises Kubernetes deployments.
Rubrik for Kubernetes Protection Architecture
The following diagram gives a high-level overview of how Rubrik integrates with Kubernetes to provide backup and recovery functions.
There are three main components associated with the Rubrik protection architecture:
Rubrik Security Cloud
A Rubrik cluster connected to Rubrik Security Cloud
The Kubernetes cluster to be protected
Rubrik Security Cloud serves as the centralized management plane for Kubernetes protection and provides the user interface for backup, recovery, and reporting of Kubernetes cluster data. The connected Rubrik cluster serves as the immutable storage target to store the Persistent Volume (PV) data backups and app namespace metadata backups of the Kubernetes cluster.
In addition, a Kubernetes protection agent is auto-deployed on the Kubernetes clusters and leverages the load balancer to communicate with the Rubrik clusters for any backup or recovery operations. Rubrik uses the control path flow to retrieve the metadata, which it then uses to add the Kubernetes cluster and namespaces.
An agent pod is deployed during the backup and recovery operation. After the operations are completed, the agent pod is automatically deleted from the namespace. The agent pod uses the data path flow to ingest the data to Rubrik’s immutable file system and retrieve the backups for restores. The same architecture and functionalities are used across on-premises and supported public clouds.
Protection Set
With the new protection set filtering feature, you can use Rubrik Security Cloud to secure your on-premises or public cloud Kubernetes clusters by protecting either entire Kubernetes namespaces or specific subsets within a namespace.
A protection set is a protectable Kubernetes workload that you define in RSC. The subset can comprise Kubernetes resources or objects, such as deployments, services, or pods, along with the associated persistent volumes.
Recovery with Rubrik
Rubrik also offers multiple options to recover your Kubernetes application. Let's discuss some of the current capabilities:
Restore Protection Set
Rubrik provides multiple ways to recover your protection set.
In-place recovery: Restore missing objects or corrupted data
Export to same namespace or cluster: Restore all resources under the protection set or tagged with a label
Export to another namespace or cluster: Restore all resources under the protection set or tagged with a label
Restore PVC
Rubrik provides multiple ways to recover your PVCs.
In-place recovery: Restore missing objects or corrupted data
Export to same namespace or cluster: Restore all selected PVCs or PVCs tagged with a label
Export to another namespace or cluster: Restore all selected PVCs or PVCs tagged with a label
Get started with Rubrik for Kubernetes
It’s simple to get started. If you haven’t tried the Rubrik solution for Kubernetes or haven't seen a demo, try our hands-on lab for Kubernetes.