✓Kubernetes cluster (v1.28+), kubectl, Velero CLI (v1.14+), access to object storage (AWS S3, GCS, or Azure Blob), CSI driver with VolumeSnapshot support, basic understanding of etcd and persistent volumes.
✦ Definition~90s read
What is Kubernetes Backup and Disaster Recovery?
Kubernetes backup and disaster recovery (DR) is the practice of preserving cluster state, application data, and configuration so that workloads can be restored after failures, data corruption, or entire cluster loss. It matters because Kubernetes is ephemeral by design—pods, nodes, and even entire clusters can disappear without warning.
★
Think of Kubernetes Backup and Disaster Recovery like a tool in your DevOps toolkit — once you understand what it does and when to reach for it, managing Kubernetes clusters becomes second nature.
You need it when running stateful workloads in production, meeting SLAs, or operating in multi-cluster environments where a single region outage can take down your service.
Plain-English First
Think of Kubernetes Backup and Disaster Recovery like a tool in your DevOps toolkit — once you understand what it does and when to reach for it, managing Kubernetes clusters becomes second nature.
A single misconfigured backup job wiped out three production clusters at a fintech company last year. The root cause? They trusted a snapshot tool that didn't capture etcd state, leaving them with running pods but no service discovery or RBAC. Kubernetes backup isn't about copying YAML files—it's about preserving the entire control plane and data plane in a consistent, restorable state. Most teams learn this the hard way when a kubectl delete namespace cascades into a multi-day recovery. This article walks you through production-grade backup strategies, tooling choices, and DR patterns that actually work when the pager goes off.
Why Kubernetes Backup Is Different from Traditional VM Backup
Traditional backup tools assume a static infrastructure: you back up a disk, restore it, and the machine boots. Kubernetes is dynamic—pods move, volumes attach and detach, and the control plane manages state via etcd. A VM backup of a node won't restore your deployments, services, or ConfigMaps. You need to capture cluster resources (YAML manifests) and persistent data (volume snapshots) in a coordinated way. The key difference: Kubernetes backup must be application-aware. Restoring a database pod without its PersistentVolumeClaim is useless. Restoring a Deployment without its Service breaks traffic routing. Production backup strategies treat the cluster as a distributed system, not a collection of VMs.
backup-approach.shBASH
1
2
3
4
5
# Example: UsingVelero to backup cluster resources and volumes
velero backup create daily-backup --include-namespaces production --snapshot-volumes --ttl 72h
# Verify backup contents
velero backup describe daily-backup --details
Output
Backup completed with 120 resources and 5 volume snapshots.
⚠ Don't Forget etcd
If you only backup Kubernetes objects via kubectl, you lose cluster state like secrets, RBAC, and custom resource definitions stored in etcd. Always include etcd snapshots in your DR plan.
📊 Production Insight
We once restored a cluster from YAML backups only to find all ServiceAccounts were missing—kubectl export doesn't export secrets by default. Always verify restore completeness with a diff tool.
🎯 Key Takeaway
Kubernetes backup must capture both cluster resources and persistent data in a consistent, application-aware manner.
Choosing the Right Backup Tool: Velero, Kasten, or DIY
The three main paths are Velero (open-source, CNCF), Kasten K10 (commercial, feature-rich), or a custom script stack. Velero is the most popular choice for teams that want control without vendor lock-in. It supports volume snapshots via CSI drivers, schedules backups, and integrates with object storage. Kasten offers policy-based automation, application-consistent backups via Kanister, and a UI—but costs money. DIY approaches using etcd snapshots + kubectl get all are fragile and miss volume data. For production, start with Velero. It's battle-tested, extensible, and has a large community. Avoid rolling your own unless you have a dedicated SRE team.
Velero is installed and configured. Use `velero backup create` to start backing up.
💡Test Restores Regularly
Schedule a monthly restore drill to a non-production cluster. Backup is worthless if you can't restore. We found a bug in our CSI driver that only surfaced during restore—caught it before it hit production.
📊 Production Insight
We evaluated Kasten but chose Velero because we needed to integrate with existing monitoring and alerting. Velero's Prometheus metrics let us track backup success rates and latency.
🎯 Key Takeaway
Velero is the default choice for production Kubernetes backup due to its open-source nature, CSI support, and community maturity.
thecodeforge.io
Kubernetes Backup Disaster Recovery
Backing Up etcd: The Control Plane's Brain
etcd is the source of truth for your cluster. If etcd is corrupted, you lose everything—even if your nodes are healthy. Back up etcd regularly using etcdctl or the snapshot API. For managed clusters (EKS, AKS, GKE), the provider handles etcd backup, but you should still verify it works. For self-managed clusters, run etcd snapshots every 5-15 minutes and store them off-cluster. A common mistake is backing up etcd without testing restoration. The etcd restore process is different from a normal backup restore—you must stop the etcd member, restore the snapshot, and restart. Practice this in a staging environment.
etcd-backup.shBASH
1
2
3
4
5
6
7
8
9
# Create etcd snapshot (run on control plane node)
ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 \
--cacert=/etc/kubernetes/pki/etcd/ca.crt \
--cert=/etc/kubernetes/pki/etcd/server.crt \
--key=/etc/kubernetes/pki/etcd/server.key \
snapshot save /backup/etcd-snapshot-$(date +%Y%m%d-%H%M%S).db
# Verify snapshot
ETCDCTL_API=3 etcdctl snapshot status /backup/etcd-snapshot-*.db
Output
Snapshot saved at /backup/etcd-snapshot-20260712-120000.db
Status: 4.2 MB, 1500 keys, 10 members
⚠ etcd Snapshot Size Matters
Large clusters can have etcd databases exceeding 100 MB. Ensure your backup storage has enough space and retention policies to avoid filling the disk.
📊 Production Insight
We had an etcd corruption due to a disk failure on a control plane node. The snapshot was 2 hours old, but we lost only a few ConfigMap changes. Without it, we would have rebuilt the entire cluster from scratch.
🎯 Key Takeaway
etcd backups are non-negotiable for self-managed clusters; test restoration regularly.
Volume Snapshots: Consistent Stateful Data
Persistent volumes hold your application data. Use CSI volume snapshots to capture point-in-time copies. Velero triggers these snapshots during backup. For databases, ensure application-consistent snapshots by quiescing writes before the snapshot (e.g., using Kanister or a pre-hook). Without quiescing, you might restore a corrupted database. Also, consider cross-region replication of snapshots for DR. Most cloud providers support copying snapshots across regions. Test restore times—restoring a 1 TB volume from a snapshot can take hours. Plan for that in your RTO.
VolumeSnapshotClass created. Use `kubectl get volumesnapshotclass` to verify.
🔥Application-Consistent Snapshots
For databases like PostgreSQL, use pg_start_backup() before snapshot and pg_stop_backup() after. Velero supports pre/post hooks to automate this.
📊 Production Insight
We restored a MySQL volume snapshot without quiescing and ended up with a corrupted InnoDB log. The recovery took 6 hours. Now we always use pre-snapshot hooks.
🎯 Key Takeaway
Volume snapshots must be application-consistent; use hooks to quiesce databases before snapshot.
Backup Strategies: Frequency, Retention, and Scheduling
Define backup frequency based on your recovery point objective (RPO). For critical stateful workloads, aim for hourly backups. For stateless apps, daily is often enough. Retention policies should balance storage cost vs. recovery needs. A common pattern: hourly backups for 24 hours, daily for 30 days, weekly for 6 months. Use Velero's TTL to automate expiration. Also, schedule backups during low-traffic windows to reduce impact. Monitor backup success rates—a failed backup that goes unnoticed is a ticking time bomb.
Schedule created. Use `velero schedule get` to view.
💡Alert on Backup Failures
Set up Prometheus alerts for velero_backup_failure_total. A silent backup failure can leave you without recoverable data for days.
📊 Production Insight
We had a backup schedule that ran at 2 AM, but a cluster autoscaler event caused the backup pod to be evicted. Without alerts, we missed 3 days of backups. Now we monitor backup completion metrics.
🎯 Key Takeaway
Align backup frequency with RPO, automate retention with TTL, and monitor for failures.
Disaster Recovery Patterns: Multi-Cluster and Cross-Region
For true DR, you need a secondary cluster in a different region. The pattern: back up from the primary cluster and restore to the secondary. Velero supports this with backup storage locations. Use a single object store accessible from both clusters. For cross-region, replicate the object store bucket. When disaster strikes, restore the backup to the secondary cluster. This requires careful planning: the secondary cluster must have matching resources (StorageClasses, namespaces, etc.). Also, consider using a GitOps approach (ArgoCD) to manage manifests separately, so you only need to restore volume data.
cross-region-restore.shBASH
1
2
3
4
5
6
7
# On secondary cluster, restore from backup
velero restore create --from-backup daily-backup-20260712 \
--namespace-mappings production:dr-production \
--include-resources deployments,statefulsets,services,pvc
# Verify restore
kubectl get all -n dr-production
Output
Restore completed. All deployments and services are running in dr-production namespace.
⚠ Namespace Mapping Pitfalls
Restoring into a different namespace can break Service DNS names. Plan for DNS updates or use a global load balancer that routes to both clusters.
📊 Production Insight
During a region outage, we restored to a secondary cluster but forgot to update the Ingress controller's external DNS. Traffic still pointed to the dead cluster. Now we automate DNS failover with a health check.
🎯 Key Takeaway
Cross-region DR requires a secondary cluster, replicated backup storage, and careful namespace mapping.
Testing Restores: The Only Way to Know Your Backup Works
A backup that hasn't been restored is a wish. Schedule regular restore drills—monthly for critical systems. Automate the process using CI/CD pipelines. For example, spin up a temporary cluster, restore the latest backup, run smoke tests, then tear down. This validates both the backup data and the restore procedure. Document the steps and expected duration. Track restore success rate as a SLO. If a restore fails, treat it as a P1 incident.
restore-test.shBASH
1
2
3
4
5
6
7
8
9
10
11
12
13
14
#!/bin/bash
# Automated restore test
CLUSTER_NAME="test-restore-$(date +%s)"
kind create cluster --name $CLUSTER_NAME
velero install --provider aws --bucket test-backups ...
velero restore create --from-backup production-latest --wait
kubectl run smoke-test --image=busybox -- wget -O- http://myapp.dr-production.svc.cluster.local
if [ $? -eq 0 ]; then
echo "Restore test passed"else
echo "Restore test failed"
exit 1
fi
kind delete cluster --name $CLUSTER_NAME
Output
Restore test passed. Cluster deleted.
💡Restore Time Matters
Measure how long a full restore takes. If your RTO is 1 hour but restore takes 3, you have a problem. Optimize by restoring only critical workloads first.
📊 Production Insight
Our monthly restore drill caught a regression where a new StorageClass wasn't available in the DR cluster. We fixed it before a real disaster.
🎯 Key Takeaway
Automated restore drills are the only way to ensure your backups are recoverable.
thecodeforge.io
Kubernetes Backup Disaster Recovery
Securing Backups: Encryption and Access Control
Backups contain sensitive data—secrets, configs, volume data. Encrypt them at rest and in transit. Use server-side encryption on your object store (S3 SSE-S3 or SSE-KMS). For Velero, you can enable encryption with a KMS key. Also, restrict access to backup storage: use IAM roles with least privilege. Backup data should not be accessible from the primary cluster's node roles—use a separate service account. Finally, consider backup immutability to prevent ransomware from deleting backups.
Backup storage location configured with SSE-KMS encryption.
⚠ Don't Forget Backup Access Keys
If you use access keys for backup storage, rotate them regularly. A leaked key can expose all backups. Use IAM roles for EC2 or IRSA for EKS.
📊 Production Insight
A former employee had access to the backup bucket and deleted all backups. We had to restore from a 2-week-old off-site copy. Now we use S3 Object Lock with retention mode.
🎯 Key Takeaway
Encrypt backups and restrict access with IAM roles; consider immutability for ransomware protection.
Handling Secrets and ConfigMaps in Backup
Secrets are base64-encoded, not encrypted. If your backup storage is compromised, secrets are exposed. Use a secrets management tool (Vault, AWS Secrets Manager) and store only references in Kubernetes. For backup, exclude secrets from Velero backups using --exclude-resources secrets. Alternatively, use Velero's plugin for encrypting secrets before upload. ConfigMaps are less sensitive but may contain configuration data. Treat them with similar care. Always test that your backup doesn't inadvertently leak credentials.
exclude-secrets.shBASH
1
2
3
4
5
6
7
8
9
# Create backup excluding secrets
velero backup create no-secrets-backup \
--include-namespaces production \
--exclude-resources secrets \
--snapshot-volumes
# Or use a plugin for encryption
velero plugin add velero/velero-plugin-for-aws:v1.9.0
# Then configure KMS encryption in BackupStorageLocation
Output
Backup created without secrets. Use `velero backup describe` to confirm.
🔥Secrets in etcd
etcd stores secrets in plaintext by default. Enable etcd encryption at rest to protect secrets at the storage layer.
📊 Production Insight
We found a backup file containing database passwords in plaintext. Now we use Vault and exclude secrets from Velero backups entirely.
🎯 Key Takeaway
Exclude secrets from backups or encrypt them; use external secrets management for production.
Monitoring Backup Health and SLAs
Backup is a critical system—monitor it like one. Track metrics: backup duration, size, success rate, and age of last successful backup. Set up alerts for failures, partial failures (some resources failed), and backups older than expected. Use Prometheus with Velero's metrics endpoint. Define SLAs: 99.9% backup success rate over 30 days, RPO of 1 hour, RTO of 4 hours. Report these to stakeholders. If you can't meet SLAs, invest in infrastructure or process improvements.
Alerts configured. Test with `curl localhost:9090/api/v1/alerts`.
💡Backup SLAs Are Business Decisions
Involve product owners in defining RPO and RTO. They'll tell you which data is critical and how much downtime is acceptable.
📊 Production Insight
We set a 1-hour RPO but our backup job took 45 minutes. A single failure meant we could lose up to 1h45m of data. We increased backup frequency to every 30 minutes.
🎯 Key Takeaway
Monitor backup health with Prometheus alerts and define SLAs for RPO and RTO.
Advanced: GitOps-Driven Backup and Restore
Combine GitOps with backup for a robust DR strategy. Use ArgoCD to manage application manifests in Git. Then, backup only persistent volume data and etcd state. To restore, deploy manifests from Git and restore volumes from snapshots. This reduces backup size and speeds up restore. It also ensures your cluster state is version-controlled. The downside: you must keep Git in sync with actual cluster state. Use ArgoCD's sync status to detect drift. This pattern is ideal for teams already using GitOps.
Applications synced from Git. Volumes restored from backup.
🔥Git as Source of Truth
With GitOps, you can rebuild a cluster from scratch using only Git and volume snapshots. This is the fastest DR path for GitOps shops.
📊 Production Insight
We migrated to GitOps and cut our restore time from 4 hours to 45 minutes. The bottleneck became volume restore, which we optimized with faster snapshot classes.
🎯 Key Takeaway
GitOps reduces backup scope to volumes and etcd, speeding up DR and adding version control.
Velero vs Kasten K10 for BackupTrade-offs between open-source and enterprise solutionsVeleroKasten K10LicenseOpen Source (Apache 2.0)Enterprise (Commercial)Backup ScopeCluster resources + volumesFull stack including applicationsVolume SnapshotsCSI-based snapshotsCSI + native cloud snapshotsEncryptionAt rest via storage backendEnd-to-end encryption with key managemenDisaster RecoveryManual restore across clustersAutomated multi-cluster DR policiesCostFree (community support)Paid (with enterprise support)THECODEFORGE.IO
thecodeforge.io
Kubernetes Backup Disaster Recovery
Common Pitfalls and How to Avoid Them
Not testing restores: The #1 mistake. Fix: automate monthly drills. 2. Ignoring etcd backups: Managed clusters handle this, but verify. 3. Inconsistent snapshots: Database corruption. Fix: use pre/post hooks. 4. Backup storage single point of failure: Use cross-region replication. 5. Not monitoring backups: Silent failures. Fix: Prometheus alerts. 6. Overlooking network policies: Restored pods may be isolated. Fix: include NetworkPolicy in backup. 7. Assuming backup includes everything: Velero excludes some resources by default (e.g., events). Fix: review backup contents.
check-backup-contents.shBASH
1
2
3
4
5
6
7
8
9
# List all resources in a backup
velero backup describe daily-backup --details | grep -E "(Namespaces|Resources)"
# Checkfor missing resource types
kubectl api-resources --verbs=list -o name | while read r; doif ! velero backup describe daily-backup | grep -q "$r"; then
echo "Missing: $r"
fi
done
Output
All expected resource types are present in the backup.
⚠ NetworkPolicy Can Block Restored Traffic
If you restore a NetworkPolicy that denies all ingress, your app will be unreachable. Always include a default allow policy in your backup or restore in stages.
📊 Production Insight
We restored a backup and found that our monitoring stack (Prometheus) was missing because we excluded the monitoring namespace. Now we include all namespaces and filter at restore time.
🎯 Key Takeaway
Avoid common pitfalls by testing restores, monitoring backups, and reviewing backup contents regularly.
⚙ Quick Reference
12 commands from this guide
File
Command / Code
Purpose
backup-approach.sh
velero backup create daily-backup --include-namespaces production --snapshot-vol...
Why Kubernetes Backup Is Different from Traditional VM Backu
Use Velero to capture both Kubernetes objects and persistent data in a coordinated way. Never rely on kubectl exports alone.
2
Test restores regularly
Schedule automated restore drills to a non-production cluster. A backup that hasn't been restored is a wish, not a guarantee.
3
Protect etcd and secrets
Back up etcd for self-managed clusters, and exclude or encrypt secrets in backups. Use external secrets management for production.
4
Monitor backup health with SLAs
Track success rates, backup age, and restore times. Set up Prometheus alerts and define RPO/RTO with stakeholders.
INTERVIEW PREP · PRACTICE MODE
Interview Questions on This Topic
Q01JUNIOR
What is the difference between backup and disaster recovery in Kubernete...
Q02JUNIOR
Can I use kubectl get all to back up my cluster?
Q03JUNIOR
How often should I back up etcd?
Q01 of 03JUNIOR
What is the difference between backup and disaster recovery in Kubernetes?
ANSWER
Backup is the process of creating copies of cluster resources and data. Disaster recovery is the plan and process to restore those backups to a working cluster after a failure. Backup is a component o
Q02 of 03JUNIOR
Can I use kubectl get all to back up my cluster?
ANSWER
No. kubectl get all does not export all resources (e.g., secrets, RBAC, custom resources) and does not capture volume data. Use a dedicated tool like Velero for comprehensive backups.
Q03 of 03JUNIOR
How often should I back up etcd?
ANSWER
For self-managed clusters, back up etcd every 5-15 minutes. For managed clusters (EKS, AKS, GKE), the provider handles this, but you should verify the backup frequency and test restoration.
01
What is the difference between backup and disaster recovery in Kubernetes?
JUNIOR
02
Can I use kubectl get all to back up my cluster?
JUNIOR
03
How often should I back up etcd?
JUNIOR
FAQ · 6 QUESTIONS
Frequently Asked Questions
01
What is the difference between backup and disaster recovery in Kubernetes?
Backup is the process of creating copies of cluster resources and data. Disaster recovery is the plan and process to restore those backups to a working cluster after a failure. Backup is a component of DR, but DR includes failover, testing, and RTO/RPO management.
Was this helpful?
02
Can I use kubectl get all to back up my cluster?
No. kubectl get all does not export all resources (e.g., secrets, RBAC, custom resources) and does not capture volume data. Use a dedicated tool like Velero for comprehensive backups.
Was this helpful?
03
How often should I back up etcd?
For self-managed clusters, back up etcd every 5-15 minutes. For managed clusters (EKS, AKS, GKE), the provider handles this, but you should verify the backup frequency and test restoration.
Was this helpful?
04
What is the best tool for Kubernetes backup?
Velero is the most popular open-source tool. For enterprise needs with policy automation, consider Kasten K10. Avoid DIY scripts for production.
Was this helpful?
05
How do I ensure database-consistent backups?
Use pre-snapshot hooks to quiesce the database (e.g., run FLUSH TABLES WITH READ LOCK for MySQL) before taking a volume snapshot. Velero supports hooks, or use Kanister for application-consistent backups.
Was this helpful?
06
What is the best practice for cross-region DR?
Back up to an object store that replicates to a secondary region. Maintain a secondary cluster with matching infrastructure. Use Velero to restore from the replicated backup. Automate DNS failover and test regularly.