Control Plane Backup
This guide explains how to back up the core data of your Kubernetes cluster — etcd snapshots and PKI certificates — as a single bundle to object storage.
A control plane backup provides cluster-level disaster recovery (DR) that Velero does not cover. etcd is the "brain" of the cluster, holding all resource information, while PKI certificates (/etc/kubernetes/pki) protect cluster communication. Both must be backed up together to fully recover a cluster.
Data Stored in a Control Plane Backup
- etcd snapshot: Includes the definitions of all K8s resources such as Pods, Deployments, Services, ConfigMaps, and Secrets.
- PKI certificates (
/etc/kubernetes/pki): Includes the full certificate bundle used for cluster communication — CA certificates, API server certificates, etcd certificates, and more.
A control plane backup stores K8s resource definitions and certificates. Actual application data stored in PersistentVolumes must be protected separately using Velero backups.
Backup Creation Procedure
Step 1: Navigate to Backup Management
- Click [Backup Management] in the left menu.
- In the Backup List tab, switch the K8s backup Segmented control to Control Plane. (Choose between Velero / Control Plane.)
- Click the Create Backup button.
Step 2: Enter Infrastructure and Backup Information
Configure the following in the backup creation modal (ControlplaneBackupModal).
- Select infrastructure: Choose the Kubernetes cluster to back up. Master node information is loaded automatically upon selection.
- Backup name: Enter an identifier. The default is auto-generated in the format
cp-YYYYMMDD-HHmmss.
Verify that the Kubernetes cluster is properly registered on the [Runtime Environment] page.
Step 3: Enter Master Node SSH Credentials
The backup is performed by connecting directly to the master node via SSH.
- SSH username: SSH account for the master node
- SSH password: SSH password for the master node
- sudo password: sudo password required to run
etcdctl snapshot save
The SSH credentials you enter are not saved on the server. You will need to re-enter them at restore time, so keep the credentials in a secure location.
Step 4: Run the Backup and Verify
- Click the Create Backup button.
- The backend automatically performs the following steps:
- Connect to the master node via SSH
- Run
etcdctl snapshot save - Compress the
/etc/kubernetes/pkidirectory to tar.gz - Upload to object storage (path:
controlplane/<backup-name>/) - Clean up temporary files
- The backup is complete when the status in the control plane backup list changes to completed.
Control Plane Backup List Columns
| Column | Description |
|---|---|
| Backup name | Identifier for the created backup |
| Size | File size of the backup bundle |
| Created at | Creation timestamp |
| Actions | Provides Restore and Delete icons |
Differences from Velero Backup
| Item | Control Plane Backup | Velero Backup |
|---|---|---|
| Protected scope | Cluster structure (etcd + PKI) | Application workloads + PV data |
| Access method | Direct SSH to master node | Velero Agent (inside cluster) |
| Restore scope | Full cluster reconstruction | Namespace/resource-level selective restore |
| Recommended use | Cluster-level DR | Per-service backup and migration |
In production, run Control Plane Backup + Velero Backup together. The control plane backup provides the foundation for cluster recovery, while Velero protects application data.
Restore Flow Preview
Clicking the Restore icon in the control plane backup list opens the ControlplaneRestoreModal.
- Select backup: Choose the control plane backup to restore from.
- Enter confirmation text: You must type the backup name exactly for the restore button to become enabled.
- Re-enter master node SSH credentials: The SSH username and password are required again at restore time.
- Enter sudo password: Enter the sudo password required to stop/restore etcd and apply the PKI.
See the Recovery guide for detailed restore steps.
Troubleshooting
Backup Failure: "etcdctl snapshot save failed"
Why does this happen? A problem occurred while connecting to the etcd cluster or saving the snapshot.
How to resolve
- Check SSH credentials: Verify that the master node SSH connection details are correct.
- Check sudo privileges: Confirm that the account has sudo privileges.
- Check etcd status: Verify that all etcd members are healthy.
- Check disk space: Confirm that sufficient temporary storage is available on the master node.
Backup Failure: Object Storage Upload Error
How to resolve
- Verify storage registration: In [Backup Management] > Storage Management tab, confirm that object storage is properly registered.
- Re-validate credentials: Check that the Access Key, Secret Key, and bucket name are correct.
- Check network connectivity: Verify that the KIOPS server can reach the object storage endpoint.
Create control plane backups regularly to maintain multiple recovery points. Always create a manual backup before performing significant cluster changes.