Help with cluster migration issues


Patrick Beard

Jun 20, 2024, 5:33:40 AM
to Project Velero
Hi,

First time poster so I hope this message is appropriate here.

I am just getting started with Velero. The primary reason that brought me to Velero was to create a sort of 'blue/green' deployment when upgrading Kubernetes.
I have a cluster running on AWS; it is a pure EKS Fargate cluster with no EC2 nodes.

I can successfully back up my cluster. I exclude the Velero namespace and the coredns deployment.

When it comes to restoring the backup into a new cluster, I manually create the cluster from the same (edited) YAML and then create the restore.

After the restore I am faced with two issues.

The first is that although the aws-loadbalancer-controllers are restored, they can't trigger the creation of the ALB. The logs from the pods show:

"error":"WebIdentityErr: failed to retrieve credentials\ncaused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity\n\tstatus code: 403, request id: 2fd60bad-61c0-4038-8cac-202250f1a1fa"}

The second issue is with the metrics-server. It is restored and running but does not return any data. I dumped to file as many objects as I could, such as service accounts, rolebindings etc., from both the source cluster and restored cluster and performed a diff against them.
The only difference was aws-loadbalancer-controller-leader-election-rolebinding was missing from the restored cluster. Everything else was identical.

The source cluster and the restored cluster are both in the same VPC with access to the same IAM policies and roles.

Removing both the loadbalancer-controller and metrics-server deployments and then redeploying them resolves the issue.

Could someone please shed some light on why these two deployments don't function correctly on a restore and need to be removed and redeployed?

I am using Velero 1.14 and Kubernetes 1.29.

Many thanks in advance for any assistance.
Patrick

Tiger Kaovilai

Jun 25, 2024, 3:57:34 AM
to Patrick Beard, Project Velero
Just guessing here from the deployment guide, but maybe you need to redo step 4 to replace the serviceaccount with the correct IAM attached.
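
One check for the sts:AssumeRoleWithWebIdentity AccessDenied error in this thread, as an added example that is not from either poster and is not Velero or AWS code: each EKS cluster has its own OIDC issuer, so a role trust policy written for the source cluster's provider refuses service account tokens issued by the restored cluster. The function below evaluates a trust policy against a cluster's issuer; the issuer ids, account id, policy and the kube-system/aws-load-balancer-controller service account name are constructed assumptions.

```python
import re

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(op, value, pattern):
    if op == "StringLike":  # IAM wildcards: * = any run of characters, ? = one character
        rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        return re.fullmatch(rx, value) is not None
    return value == pattern  # StringEquals

def irsa_trust_findings(trust_policy, issuer_url, namespace, service_account):
    """Reasons the role refuses this cluster's service account token; [] if a statement admits it."""
    issuer = issuer_url.split("://", 1)[-1].rstrip("/")  # IAM names the provider without https://
    subject = f"system:serviceaccount:{namespace}:{service_account}"
    findings = []
    for i, stmt in enumerate(_as_list(trust_policy.get("Statement", []))):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        problems = []
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if not any(arn.endswith(":oidc-provider/" + issuer) for arn in federated):
            problems.append(f"statement {i}: Federated principal is not provider {issuer}")
        for op in ("StringEquals", "StringLike"):  # other condition operators are not evaluated
            for key, allowed in stmt.get("Condition", {}).get(op, {}).items():
                host, _, claim = key.rpartition(":")
                want = {"sub": subject, "aud": "sts.amazonaws.com"}.get(claim)
                if want and host != issuer:
                    problems.append(f"statement {i}: condition key {key} names another issuer")
                elif want and not any(_matches(op, want, a) for a in _as_list(allowed)):
                    problems.append(f"statement {i}: {claim} must match {allowed}, token has {want}")
        if not problems:
            return []
        findings += problems
    return findings or ["no Allow statement for sts:AssumeRoleWithWebIdentity"]

# Constructed sample: issuer ids, account id and role trust policy are placeholders.
SRC = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLESOURCE0000000000000000001"
TGT = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLETARGET0000000000000000002"
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/" + SRC},
    "Condition": {"StringEquals": {
        SRC + ":aud": "sts.amazonaws.com",
        SRC + ":sub": "system:serviceaccount:kube-system:aws-load-balancer-controller"}}}]}
if __name__ == "__main__":
    print(irsa_trust_findings(POLICY, "https://" + TGT, "kube-system", "aws-load-balancer-controller"))
```

Real inputs can be taken from `aws iam get-role --role-name <role> --query Role.AssumeRolePolicyDocument` and `aws eks describe-cluster --name <cluster> --query cluster.identity.oidc.issuer`. An empty result for the source cluster together with findings for the restored cluster points at the role's trust policy rather than at the restored Kubernetes objects.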
