Helm based Installation

Prerequisites

Before installing Veeam Kasten on Red Hat OpenShift, please ensure that the install prerequisites are met.

Veeam Kasten Installation

Depending on your OpenShift infrastructure provider, you might need to provide access credentials as specified elsewhere for public cloud providers.

You will also need to add the following argument to create the SecurityContextConstraints for Veeam Kasten ServiceAccounts.

$ helm install k10 kasten/k10 --namespace=kasten-io \
    --set scc.create=true

OpenShift on AWS

When deploying OpenShift on AWS without using the EBS CSI driver for persistent storage, make sure that you configure these policies before executing the installation command provided below:

$ helm install k10 kasten/k10 --namespace=kasten-io \
    --set scc.create=true \
    --set secrets.awsAccessKeyId="${AWS_ACCESS_KEY_ID}" \
    --set secrets.awsSecretAccessKey="${AWS_SECRET_ACCESS_KEY}"

OpenShift on Azure

When running OpenShift on Azure, you need to specify a credential if you want to snapshot your volumes using in-tree (non-CSI) storage.

Veeam Kasten supports the following credentials types described below.

Service Principal

If using service principal, the principal needs a contributor role on the resource group. You also need to specify the resource group of the openshift nodes and the subscription id.

$ helm install k10 kasten/k10 --namespace=kasten-io \
    --set scc.create=true \
    --set secrets.azureTenantId=<tenantID> \
    --set secrets.azureClientId=<azureclient_id> \
    --set secrets.azureClientSecret=<azureclientsecret> \
    --set secrets.azureResourceGroup=<resource_group_name> \
    --set secrets.azureSubscriptionID=<subscription_id>

Federated Identity

If using federated identity, the user-assigned managed identity needs a contributor role on the resource group. The federated identity needs to be created and setup for the Veeam Kasten Service Account.

While installing Veeam Kasten, specify the azureClientId of the user-assigned managed identity along with the resource group of the openshift nodes and the subscription id. You also need to set the useFederatedIdentity flag.

$ helm install k10 kasten/k10 --namespace=kasten-io \
    --set azure.useFederatedIdentity=true \
    --set secrets.azureClientId=<azureclient_id> \
    --set secrets.azureResourceGroup=<resource_group_name> \
    --set secrets.azureSubscriptionID=<subscription_id>

Accessing Dashboard via Route

As documented here, the Veeam Kasten dashboard can also be accessed via an OpenShift Route.

Authentication

OpenShift OAuth server

As documented here, the OpenShift OAuth server can be used to authenticate access to Veeam Kasten.

Using an OAuth Proxy

As documented here, the OpenShift OAuth proxy can be used for authenticating access to Veeam Kasten.

Securing Veeam Kasten with SecurityContextConstraints

Veeam Kasten installs customized SecurityContextConstraints (SCC) to ensure that all workloads associated with Veeam Kasten have just enough privileges to perform their respective tasks.

For additional information about SCCs, please refer to the official OpenShift documentation

Note

Starting with OpenShift 4.14, a new openshift.io/required-scc annotation was introduced. Veeam Kasten applies this annotation to its own pods to ensure that the correct SecurityContextConstraints (SCC) have been applied.

Please note that pods created for Kanister Execution Hooks execution will not receive the openshift.io/required-scc annotation. For more information, visit the Managing security context constraints.

SecurityContextConstraints customization

The value of the Priority field in SecurityContextConstraints (SCC) can be adjusted to align the priority with the existing cluster configuration.

To set the desired Priority value in an Operator-managed installation, modify the YAML of the Veeam Kasten Operand configuration with the parameters below:

scc:
  priority: <priority_value>

This customization can be achieved in a Helm-based installation by adding the following parameter to the Helm command:

--set scc.priority=<priority_value>

SecurityContextConstraints Leakage

OpenShift assigns SCC to workloads automatically. By default, the most restrictive SCC matching a workload security requirement will be selected and assigned to that workload. One of the criteria for SCC selection is the availability of the SCC to a User or ServiceAccount. SCC leakage means that some workloads might get an SCC applied to them, which was not the intended one.

Veeam Kasten protects its SCC from leaking onto other workloads by limiting access only to its dedicated ServiceAccount:

users:
  - system:serviceaccount:kasten-io:k10-k10

Note

In this example, and in the rest of this page, Veeam Kasten is installed into the namespace kasten-io (default), the ServiceAccount name is the default one - k10-k10, and the SCC name is also the default one - k10-scc. If the cluster being considered has a different configuration, those values need to be adapted to match the values used during Veeam Kasten's installation in this cluster.

Despite the usage restrictions, it is still possible to get Veeam Kasten's SCC assigned to other workloads. This could happen when a workload is started by a cluster admin or any other user with an allowed use action on all SCCs (*) or on Veeam Kasten's specific SCC (k10-scc). This is because users with the ClusterRole cluster-admin bound to them have unlimited access to all available SCCs, without any restrictions.

Veeam Kasten's SCC may be unexpectedly applied to workloads it was not intended for under the following conditions:

  • The workload is initiated by a user with cluster admin privileges

  • The user initiating the workload has a role that grants access to all SCCs

How to verify if access to a specific SecurityContextConstraints is granted

OpenShift's command line (CLI) client, oc, has a can-i command that can be used with impersonation to check if a user can perform a specific action on a specific resource. Alternatively, the standard kubectl CLI client also has the same command built-in and can be used to perform the same check. Simply replace oc with kubectl in the command below.

To check if a user can use/access Veeam Kasten's SCC, the following command can be used:

oc auth can-i use securitycontextconstraints/k10-scc --as=<your_username>

The output will contain yes if the specified user is able to use Veeam Kasten's SCC or no if it is not. For example, the output for the following check, "Can Veeam Kasten's ServiceAccount use Veeam Kasten's SCC", should be yes:

oc auth can-i use securitycontextconstraints/k10-scc --as=system:serviceaccount:kasten-io:k10-k10

Detailed information about can-i and impersonation can be found in the official Kubernetes documentation.

Validating the Install

To validate that Veeam Kasten has been installed properly, the following command can be run in Veeam Kasten's namespace (the install default is kasten-io) to watch for the status of all Veeam Kasten pods:

$ kubectl get pods --namespace kasten-io --watch

It may take a couple of minutes for all pods to come up but all pods should ultimately display the status of Running.

$ kubectl get pods --namespace kasten-io
NAMESPACE     NAME                                    READY   STATUS    RESTARTS   AGE
kasten-io     aggregatedapis-svc-b45d98bb5-w54pr      1/1     Running   0          1m26s
kasten-io     auth-svc-8549fc9c59-9c9fb               1/1     Running   0          1m26s
kasten-io     catalog-svc-f64666fdf-5t5tv             2/2     Running   0          1m26s
...

In the unlikely scenario that pods that are stuck in any other state, please follow the support documentation to debug further.

Validate Dashboard Access

By default, the Veeam Kasten dashboard will not be exposed externally. To establish a connection to it, use the following kubectl command to forward a local port to the Veeam Kasten ingress port:

$ kubectl --namespace kasten-io port-forward service/gateway 8080:80

The Veeam Kasten dashboard will be available at http://127.0.0.1:8080/k10/#/.

For a complete list of options for accessing the Kasten Veeam Kasten dashboard through a LoadBalancer, Ingress or OpenShift Route you can use the instructions here.

Using Veeam Kasten Console Plugin

The Veeam Kasten operator includes the OpenShift Console Plugin, providing faster and more convenient access to the essential data about the Veeam Kasten application state.

Enable Veeam Kasten Console Plugin

The Veeam Kasten Console Plugin can be enabled during the installation of the Veeam Kasten operator. For more details, see Veeam Kasten Installation

To enable the plugin for existing K10 deployments, navigate to the Operator Details page for Veeam Kasten operator in the OpenShift Console. In the Console Plugin section on the right-hand side, select the Enabled checkbox.

If Veeam Kasten was installed using Helm based Installation, enabling the plugin from the Console Details page will be the only available option. Navigate to the Console Plugins tab of the Console Details page in the OpenShift Console. Find the Veeam Kasten Plugin from OpenShift Console and select the Enabled checkbox.

Veeam Kasten Console Plugin UI Overview

The Veeam Kasten Console Plugin adds a new Veeam Kasten tab to the OpenShift Web Console panel on the left. Click on the tab to open the plugin. The plugin UI contains all the essential data from the Veeam Kasten Dashboard, including the system overview and the recent activity.