Auto Snapshots
Enterprise-Only Feature

This feature is an Enterprise feature. See our pricing plans or contact our sales team for more information.

Snapshots

vCluster Platform lets you configure snapshots of the vCluster to be taken at specific intervals.

Manual snapshots with the vCluster CLI

For on-demand snapshot creation and restore operations, see the vCluster Snapshot and Restore documentation.

This allows administrators to capture and store the vCluster state at scheduled intervals to help protect against infrastructure failures, data corruption, and configuration errors. By maintaining consistent recovery points, administrators can quickly restore the vCluster to a known good state without relying on manual backup processes. For more details on how snapshots work, refer to the documentation in the Snapshot and Restore section.

In the vcluster.yaml, auto snapshots are configured under snapshots. In the UI, you can manage snapshots in the config options of a virtual cluster under Snapshots. Although snapshots are configured on the virtual cluster itself, the capability and logic for scheduling them is in vCluster Platform.

note

Auto Snapshot is supported from platform version 4.4.0 onward and is currently in Beta.

note

Volume Snapshot is currently in beta. Support is available from vCluster version 0.30 and beyond, and Platform version 4.5 and beyond.

Configure​

Enable auto snapshots​

To enable auto snapshots, add the following configuration to your vcluster.yaml:

Auto Snapshots configuration
snapshots:
  auto:
    # Take a snapshot every 12 hours
    schedule: 0 */12 * * *
    # Default is UTC
    # Options are at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
    timezone: America/New_York
    retention:
      period: 30
      maxSnapshots: 14
    storage:
      type: s3
      s3:
        url: s3://my-bucket/path
    # Enables snapshots for PVCs that are provisioned by CSI drivers
    volumes:
      enabled: true

warning

To create volume snapshots, several installation and configuration steps have to be completed in your host or virtual cluster. Check the Volume Snapshot documentation page to learn more about getting your cluster ready for snapshotting volumes.

AWS S3 bucket example​

Snapshots can be stored in an AWS S3 bucket.

Configure snapshots with AWS S3

S3 configuration options​

| Option | Description |
| --- | --- |
| auto.storage.type.s3.url | URL of the AWS S3 bucket. Must be prefixed with s3://. |
| auto.storage.type.s3.credential | References the AWS credentials as a Kubernetes secret. |
| auto.storage.type.s3.credential.name | Name of the Kubernetes secret. |
| auto.storage.type.s3.credential.namespace | Namespace of the Kubernetes secret. The secret must be deployed on the host cluster where the vCluster control plane pod is deployed. |

Authenticate with AWS Pod identity​

When using AWS S3 buckets, it is recommended to authenticate using AWS pod identity.

info

The EKS Pod Identity association must be created for the vCluster control plane pod. The vCluster control plane pod is the one that runs inside the host cluster namespace automatically created by vCluster Platform for each vCluster, typically named: loft-<project-name>-<vcluster-name>. By default, this pod uses the service account: vc-<vcluster-name>. This is the service account that must be associated with your EKS Pod Identity role so that the vCluster control plane can authenticate to AWS when performing scheduled snapshot creation to S3.

Example vcluster.yaml configuring snapshots into s3 with a pod identity
snapshots:
  auto:
    # Take a snapshot every 12 hours
    schedule: 0 */12 * * *
    storage:
      type: s3
      s3:
        # URL of location of S3-compatible bucket
        # Must be prefixed with `s3://`
        url: s3://<bucket-name>/snapshots

Authenticate with AWS Credentials as a secret​

Alternatively, you can create a Kubernetes secret with your AWS credentials.

  1. Create a Kubernetes secret of your AWS credentials.

    Create this secret on the host cluster where the vCluster control plane is deployed. It can be deployed in the namespace of the vCluster or in a different namespace. If the vCluster is externally deployed, ensure the vCluster ClusterRole has permission to read the secret. The vCluster ClusterRole follows the naming pattern vc-<vClusterName>-v-<vClusterNamespace>.

    The secret must contain all three of these keys:

    • AWS_ACCESS_KEY_ID
    • AWS_SECRET_ACCESS_KEY
    • AWS_SESSION_TOKEN
    Create AWS credentials secret
    kubectl create -f - <<EOF
    apiVersion: v1
    kind: Secret
    type: Opaque
    metadata:
      name: aws-cred
      namespace: p-default
    data:
      # Values under data must be base64-encoded; "id", "key" and "token" are placeholders
      AWS_ACCESS_KEY_ID: "id"
      AWS_SECRET_ACCESS_KEY: "key"
      AWS_SESSION_TOKEN: "token"
    EOF

  2. Create a vCluster referencing those credentials.

    Example vcluster.yaml referencing the Kubernetes secret
    snapshots:
      auto:
        # Take a snapshot every 12 hours
        schedule: 0 */12 * * *
        storage:
          type: s3
          s3:
            # URL of location of S3-compatible bucket
            # Must be prefixed with `s3://`
            url: s3://<bucket-name>/<path>
            # Secret must be located on the host cluster that the vCluster is deployed on
            credential:
              secretName: aws-cred
              secretNamespace: p-default

OCI image registries​

Configure snapshots with OCI

OCI configuration options​

| Option | Description |
| --- | --- |
| auto.storage.type.oci.repository | OCI registry address. Must be prefixed with oci://. |
| auto.storage.type.oci.credential | References the OCI credentials as a Kubernetes secret. |
| auto.storage.type.oci.credential.name | Name of the Kubernetes secret. |
| auto.storage.type.oci.credential.namespace | Namespace of the Kubernetes secret. The secret must be deployed on the host cluster where the vCluster control plane pod is deployed. |
| auto.storage.type.oci.username | Username of the credentials to access the OCI registry. |
| auto.storage.type.oci.password | Password of the credentials to access the OCI registry. |

Authenticate with credentials in a Kubernetes secret​

It's recommended to store the credentials for your OCI registry in a secret and reference the secret in the vcluster.yaml of your virtual cluster configuration. This protects the details of your credentials.

  1. Create a Kubernetes secret of your credentials to your OCI registry.

    Create this secret on the host cluster where the vCluster control plane is deployed. It can be deployed in the namespace of the vCluster or in a different namespace. If the vCluster is externally deployed, ensure the vCluster ClusterRole has permission to read the secret. The vCluster ClusterRole follows the naming pattern vc-<vClusterName>-v-<vClusterNamespace>.

    The secret needs to contain:

    • username
    • password
    Create OCI credentials secret
    kubectl create -f - <<EOF
    apiVersion: v1
    kind: Secret
    type: Opaque
    metadata:
      name: oci-cred
      namespace: p-default
    data:
      # Values under data must be base64-encoded; "id" and "key" are placeholders
      username: "id" # base64-encoded username to authenticate with the OCI registry
      password: "key" # base64-encoded password to authenticate with the OCI registry
    EOF

  2. Create a vCluster referencing those credentials.

    Example vcluster.yaml referencing the Kubernetes secret
    snapshots:
      auto:
        # Take a snapshot every 12 hours
        schedule: 0 */12 * * *
        storage:
          type: oci
          oci:
            # Location of OCI registry
            # Must be prefixed with `oci://`
            repository: oci://my-registry/snapshots
            credential:
              secretName: oci-cred
              secretNamespace: p-default

Authenticate without a Kubernetes secret​

If you do not want to use a secret, you can set the username and password directly in the vcluster.yaml, where they are stored in plain text.

Example vcluster.yaml setting OCI credentials without a secret
snapshots:
  auto:
    # Take a snapshot every 12 hours
    schedule: 0 */12 * * *
    storage:
      type: oci
      oci:
        # Location of OCI registry
        # Must be prefixed with `oci://`
        repository: oci://my-registry/snapshots
        # Per the OCI configuration options table, username and password
        # are set directly under oci
        username: "my-username"
        password: "my-password"
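
A pre-flight check for the two credential secrets and the storage settings described above, as an added example that is not vCluster code. `lint_secret`, `lint_storage` and `SAMPLE` are hypothetical names, and both functions assume the Secret manifest and the vcluster.yaml have already been parsed into dicts.

```python
import base64
import binascii

# Keys each credential secret must contain, per the procedures above.
REQUIRED_KEYS = {
    "s3": ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"),
    "oci": ("username", "password"),
}
# Location field and mandatory prefix per storage type, per the option tables.
LOCATION = {"s3": ("url", "s3://"), "oci": ("repository", "oci://")}


def lint_secret(secret, storage_type):
    """Findings for a Secret manifest (parsed into a dict) used for snapshots."""
    findings = []
    data = secret.get("data") or {}
    string_data = secret.get("stringData") or {}
    for key in REQUIRED_KEYS[storage_type]:
        if key in string_data:
            continue  # stringData is plain text; the API server encodes it
        try:
            base64.b64decode(data[key], validate=True)
        except KeyError:
            findings.append(f"missing key {key}")
        except (binascii.Error, ValueError, TypeError):
            findings.append(f"data.{key} is not valid base64")
    return findings


def lint_storage(cfg):
    """Findings for snapshots.auto.storage in a parsed vcluster.yaml (dict)."""
    auto = (cfg.get("snapshots") or {}).get("auto") or {}
    storage = auto.get("storage") or {}
    stype = storage.get("type")
    if stype not in LOCATION:
        return []  # e.g. container storage: no URL prefix or registry login
    field, prefix = LOCATION[stype]
    section = storage.get(stype) or {}
    cred = section.get("credential") or {}
    findings = []
    if not str(section.get(field, "")).startswith(prefix):
        findings.append(f"{stype}.{field} must start with {prefix}")
    if any(k in section or k in cred for k in ("username", "password")):
        findings.append("inline credentials: reference a secret instead")
    return findings

# Constructed sample: placeholder values that are not base64, so all three fail.
SAMPLE = {"data": {"AWS_ACCESS_KEY_ID": "id", "AWS_SECRET_ACCESS_KEY": "key",
                   "AWS_SESSION_TOKEN": "token"}}
```

Values under `data` in a Secret must be base64-encoded, which is why the placeholder strings in `SAMPLE` are reported; plain-text values belong under `stringData` instead.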

Config reference​

snapshots required object ​

Snapshots holds configuration for automatic vCluster snapshots.

auto required object ​

Auto holds automatic snapshot configuration

schedule required string ​

Schedule specifies, in Cron format (see https://en.wikipedia.org/wiki/Cron), when a virtual cluster snapshot is taken.

timezone required string ​

Timezone specifies time zone used for scheduled snapshot operations. Defaults to UTC. Accepts the same format as time.LoadLocation() in Go (https://pkg.go.dev/time#LoadLocation). The value should be a location name corresponding to a file in the IANA Time Zone database, such as "America/New_York".

retention required object ​

Retention specifies how long snapshots will be kept

period required integer ​

Period defines the number of days a snapshot will be kept

maxSnapshots required integer ​

MaxSnapshots defines the number of snapshots that can be taken

storage required object ​

Storage specifies where the snapshot will be stored

type required string ​

Type specifies the storage service used for a snapshot: S3, OCI, or Container. See https://www.vcluster.com/docs/vcluster/manage/backup-restore#store-snapshots-in-s3-buckets

s3 required object ​

S3 holds configuration for storing snapshots in S3-compatible bucket

url required string ​

Url specifies url to the storage service

credential required object ​

Credential references the secret with the S3 credentials. The secret should contain AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN.

secretName required string ​

SecretName is the secret name with credential

secretNamespace required string ​

SecretNamespace is the secret namespace with credential

oci required object ​

OCI holds configuration for storing snapshots in OCI image registries

repository required string ​

Repository is the OCI repository in which to store the snapshot

credential required object ​

Credential references the secret with the OCI credentials

secretName required string ​

SecretName is the secret name with credential

secretNamespace required string ​

SecretNamespace is the secret namespace with credential

username required string ​

Username to authenticate with the OCI registry

password required string ​

Password to authenticate with the OCI registry

container required object ​

Container holds configuration for storing snapshots as local files inside a vCluster container

path required string ​

Path specifies directory to store the snapshot

volume required object ​

Volume specifies which volume needs to be mounted into the container to store the snapshot

name required string ​

Name to be used to mount the volume

path required string ​

Path to the volume mount

volumes required object ​

Volumes specifies configuration for volume snapshots

enabled required boolean ​

Enabled specifies whether a snapshot should also include volumes in the snapshot