# Velero — Backup, Migrate & Disaster Recovery for Kubernetes

> Velero is the standard tool for backing up and restoring Kubernetes cluster resources and persistent volumes. Migrate workloads between clusters and recover from disasters.

## Install

Save in your project root:

## Quick Use

```bash
# Install Velero CLI
brew install velero

# Install in cluster with S3 backend
velero install 
  --provider aws 
  --plugins velero/velero-plugin-for-aws:v1.9.0 
  --bucket my-backup-bucket 
  --backup-location-config region=us-west-2 
  --snapshot-location-config region=us-west-2 
  --secret-file ./credentials-velero

# Create first backup
velero backup create my-backup --include-namespaces default
```

## Intro

**Velero** is an open-source tool to safely back up, restore, perform disaster recovery, and migrate Kubernetes cluster resources and persistent volumes. Originally created by Heptio (now VMware Tanzu), Velero works with all major cloud providers and on-premises Kubernetes clusters — making it the standard solution for Kubernetes backup and disaster recovery.

With 10K+ GitHub stars and Apache-2.0 license, Velero is used by thousands of organizations to protect Kubernetes workloads, enable cluster migrations, and meet compliance requirements.

## What Velero Does

- **Backup**: Back up Kubernetes resources and persistent volumes
- **Restore**: Restore backed-up resources to the same or different cluster
- **Disaster Recovery**: Recover from cluster failures
- **Cluster Migration**: Move workloads between clusters (cloud to cloud, on-prem to cloud)
- **Scheduled Backups**: Automated periodic backups with retention policies
- **Selective Backup**: Filter by namespace, label, or resource type
- **Volume Snapshots**: Native cloud volume snapshots (EBS, GCE PD, Azure Disk)
- **File System Backup**: Restic/Kopia-based file-level backups for any volume
- **Hooks**: Pre/post backup/restore hooks for app-consistent backups
- **CSI Support**: Container Storage Interface snapshot integration
- **Multi-Cloud**: AWS, Azure, GCP, Alibaba Cloud, Digital Ocean, and more

## Architecture

```
┌─────────────────────────────────────────────┐
│          Kubernetes Cluster                  │
│                                              │
│  ┌──────────────┐  ┌──────────────────┐     │
│  │ Velero Server│  │  Your Workloads  │     │
│  │              │  │  - Deployments   │     │
│  │  Controllers │  │  - Services      │     │
│  │  - Backup    │  │  - ConfigMaps    │     │
│  │  - Restore   │  │  - Secrets       │     │
│  │  - Schedule  │  │  - PVCs          │     │
│  └──────┬───────┘  └──────────────────┘     │
└─────────┼────────────────────────────────────┘
          │
          ▼
┌──────────────────────────────────────────────┐
│  Backup Storage Location                     │
│  ┌────────────┐  ┌────────────┐             │
│  │ S3 / GCS / │  │ Volume     │             │
│  │ Azure Blob │  │ Snapshots  │             │
│  └────────────┘  └────────────┘             │
└──────────────────────────────────────────────┘
```

## Installation

### AWS S3

```bash
# Create S3 bucket
aws s3 mb s3://velero-backups-mycluster

# Create IAM user with S3 access
aws iam create-user --user-name velero

# Save credentials to file
cat > credentials-velero <<EOF
[default]
aws_access_key_id=YOUR_KEY
aws_secret_access_key=YOUR_SECRET
EOF

# Install Velero
velero install 
  --provider aws 
  --plugins velero/velero-plugin-for-aws:v1.9.0 
  --bucket velero-backups-mycluster 
  --backup-location-config region=us-west-2 
  --snapshot-location-config region=us-west-2 
  --secret-file ./credentials-velero
```

### MinIO (Self-Hosted)

```bash
# Assuming MinIO is already running
velero install 
  --provider aws 
  --plugins velero/velero-plugin-for-aws:v1.9.0 
  --bucket velero 
  --secret-file ./credentials-velero 
  --use-volume-snapshots=false 
  --backup-location-config region=minio,s3ForcePathStyle=true,s3Url=http://minio.minio.svc:9000
```

## Usage Examples

### Basic Backup

```bash
# Backup entire cluster
velero backup create cluster-backup

# Backup specific namespace
velero backup create nginx-backup --include-namespaces nginx-app

# Backup by label selector
velero backup create app-backup --selector app=frontend

# Backup with TTL (auto-delete after 30 days)
velero backup create weekly-backup --ttl 720h
```

### Scheduled Backups

```bash
# Daily backup at 1am
velero schedule create daily --schedule "0 1 * * *"

# Weekly backup on Sundays
velero schedule create weekly 
  --schedule "@weekly" 
  --ttl 720h 
  --include-namespaces production

# View schedules
velero schedule get

# Trigger schedule immediately
velero backup create --from-schedule daily
```

### Restore

```bash
# List backups
velero backup get

# Describe backup
velero backup describe cluster-backup

# Restore entire backup
velero restore create --from-backup cluster-backup

# Restore to different namespace
velero restore create --from-backup nginx-backup 
  --namespace-mappings nginx-app:nginx-test

# Restore only specific resources
velero restore create --from-backup cluster-backup 
  --include-resources deployments,configmaps

# Restore with labels filter
velero restore create --from-backup cluster-backup 
  --selector environment=production
```

### Cluster Migration

```bash
# On source cluster
velero backup create migration-backup --include-namespaces myapp

# Wait for completion
velero backup describe migration-backup

# Switch kubectl context to destination cluster
kubectl config use-context destination-cluster

# Install Velero on destination with same backup storage
velero install --provider aws ... (same config)

# Restore
velero restore create --from-backup migration-backup
```

### Backup Hooks

```yaml
# Pre-backup hook: Flush database
apiVersion: v1
kind: Pod
metadata:
  annotations:
    pre.hook.backup.velero.io/container: postgres
    pre.hook.backup.velero.io/command: '["/bin/bash", "-c", "pg_dumpall > /backup/dump.sql"]'
    post.hook.backup.velero.io/container: postgres
    post.hook.backup.velero.io/command: '["/bin/bash", "-c", "rm /backup/dump.sql"]'
spec:
  containers:
    - name: postgres
      image: postgres:16
```

### Volume Backups

```bash
# Use CSI snapshots (recommended for modern clusters)
velero backup create app-backup 
  --include-namespaces production 
  --snapshot-volumes=true 
  --features=EnableCSI

# Use Restic for file-level backup (works with any storage)
velero backup create app-backup 
  --include-namespaces production 
  --default-volumes-to-fs-backup
```

## Backup Storage Backends

| Provider | Plugin | Volume Snapshots |
|----------|--------|------------------|
| AWS | velero-plugin-for-aws | EBS |
| Azure | velero-plugin-for-microsoft-azure | Azure Disk |
| GCP | velero-plugin-for-gcp | GCE PD |
| Alibaba | velero-plugin-for-alibabacloud | Cloud Disk |
| DigitalOcean | velero-plugin-for-do | Block Storage |
| MinIO/S3-compat | AWS plugin | Via CSI |
| vSphere | velero-plugin-for-vsphere | vSphere volumes |

## Key Features

### Restic/Kopia File System Backup

For storage without native snapshots or CSI:

```bash
# Enable file system backup by default
velero install 
  --use-node-agent 
  --default-volumes-to-fs-backup 
  ...

# Backup includes all volumes automatically
velero backup create app-backup --include-namespaces production
```

### Backup Compression

```yaml
apiVersion: velero.io/v1
kind: Backup
metadata:
  name: compressed-backup
spec:
  storageLocation: default
  includedNamespaces:
    - production
  snapshotVolumes: true
  ttl: 720h0m0s
```

### Retention & Cleanup

```bash
# Delete old backups
velero backup delete old-backup

# Delete all backups older than 30 days
velero backup delete --confirm 
  --label-selector 'velero.io/backup-name!='

# Automatic cleanup via schedule TTL
```

## Velero vs Alternatives

| Feature | Velero | Kasten K10 | Portworx PX-Backup | Stash |
|---------|--------|------------|-------------------|-------|
| Open Source | Yes (Apache-2.0) | No | No | Yes (Apache-2.0) |
| Cluster backup | Yes | Yes | Yes | Yes |
| Volume snapshots | Native cloud + CSI | Yes | Native | Restic |
| App-consistent | Via hooks | Yes (Kanister) | Yes | Via hooks |
| Migration | Yes | Yes | Yes | Limited |
| Multi-cloud | Yes | Yes | Yes | Yes |
| Pricing | Free | $0.25/GB | Paid | Free |
| Complexity | Medium | Low (GUI) | Medium | Medium |

## 常见问题

**Q: Velero 能备份数据库吗？**
A: 能，但需要正确配置以保证一致性。简单方法是使用 backup hooks 在备份前 pause 数据库写入或执行 dump。对于 PostgreSQL 等数据库，建议使用数据库原生备份工具 + Velero 备份配置和持久卷。

**Q: 备份存储需要多大空间？**
A: 取决于数据量。Velero 只备份 Kubernetes 资源定义（几 MB）+ 持久卷数据（实际大小）。启用压缩可以减少 30-50% 空间。建议使用 S3 生命周期策略自动清理旧备份。

**Q: 可以跨云迁移吗？**
A: 可以。这是 Velero 的核心使用场景之一。在源集群备份到 S3，在目标集群（可以是另一个云）使用相同的备份存储配置，然后执行 restore。存储类和网络配置可能需要调整。

## 来源与致谢

- GitHub: [vmware-tanzu/velero](https://github.com/vmware-tanzu/velero) — 10K+ ⭐ | Apache-2.0
- 官网: [velero.io](https://velero.io)

---
Source: https://tokrepo.com/en/workflows/e6af2ecd-3558-11f1-9bc6-00163e2b0d79
Author: AI Open Source