# T4K Best Practices

### Introduction

This guide presents best practices for deploying T4K in single or multi-cluster Kubernetes environments. T4K delivers a reliable, scalable, and enterprise-grade backup and recovery solution tailored for modern Kubernetes workloads.

**Installation Approach**

* Run the pre-flight checks to validate that all prerequisites for installing Trilio for Kubernetes are met. For additional information on the Pre-Flight Checks, refer to the [Trilio for Kubernetes documentation.](https://docs.trilio.io/kubernetes/krew-plugins/tvk-preflight-checks)
* Do not leave the Trilio UI exposed through `kubectl port-forward`; publish it behind an ingress with HTTPS. For the steps, see [Accessing the UI over HTTPS](https://docs.trilio.io/kubernetes/advanced-configuration/management-console/accessing-the-ui#access-over-https-prerequisite).

**Managing Backup Operations Efficiently**

* It is recommended to use PriorityClass to control scheduling preferences and ensure application workloads run smoothly without disruption. You can prevent backup operations from impacting application performance by setting a default high-priority class for all pods and assigning a lower priority to Trilio workloads.

Because `globalDefault: true` is set, this priority is assigned automatically to every pod that does not specify a `priorityClassName`, so application workloads end up with the higher priority. Kubernetes accepts only one PriorityClass with `globalDefault: true`, and the default is applied at admission time: pods created before the class existed keep their previous priority until they are recreated.

```yaml
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: high-default-priority
value: 100000
globalDefault: true  # Default priority for all pods
description: "High priority for all application workloads"
```

Assigning a lower priority ensures that Trilio workloads cannot preempt application pods: the scheduler only lets a pending pod evict pods whose priority is strictly lower than its own, so with these two classes a pending Trilio pod can never evict an application pod (a pending application pod can, however, evict a running Trilio pod, so size nodes with that in mind).

```yaml
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: trilio-low-priority
value: 50000
globalDefault: false  # Trilio should not be the default priority
description: "Lower priority for Trilio backup workloads"
```

Once the PriorityClass exists, pass its name to T4K through the TrilioVaultManager (TVM) resource, under **helmValues**:

```yaml
apiVersion: triliovault.trilio.io/v1
kind: TrilioVaultManager
metadata:
  labels:
    triliovault: k8s
  name: tvk
spec:
  applicationScope: Cluster
  tvkInstanceName: tvk-instance
  componentConfiguration:
    web-backend:
      resources:
        requests:
          memory: "400Mi"
          cpu: "200m"
        limits:
          memory: "2584Mi"
          cpu: "1000m"
    ingress-controller:
      enabled: true
      service:
        type: LoadBalancer
    helmValues:
      priorityClassName: trilio-low-priority
```
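A practical follow-up to the steps above is to confirm that the cluster actually ended up in the intended state: exactly one global default, the Trilio class below it, Trilio pods running on the Trilio class, and no application pod left at a priority a Trilio pod could preempt. The script below is an added example, not Trilio's own tooling; it reads the JSON that `kubectl get priorityclass -o json` and `kubectl get pods -A -o json` produce, ships with constructed sample documents in that shape so it runs offline, and assumes Trilio is installed in a namespace called `trilio-system`.

```python
"""Audit the PriorityClass setup from the manifests above.

Added example, not Trilio's own tooling. It consumes the JSON that
`kubectl get priorityclass -o json` and `kubectl get pods -A -o json` produce;
the documents embedded below are constructed samples in that shape. The class
names come from this page; the Trilio install namespace is an assumption.
"""
import json
import subprocess
import sys

APP_DEFAULT_CLASS = "high-default-priority"
TRILIO_CLASS = "trilio-low-priority"
TRILIO_NAMESPACE = "trilio-system"  # assumed namespace the TVM was installed into


def check_priority_classes(pc_list: dict) -> list[str]:
    """Findings about the PriorityClass objects themselves; [] means they match the plan."""
    findings = []
    classes = {pc["metadata"]["name"]: pc for pc in pc_list["items"]}
    defaults = sorted(n for n, pc in classes.items() if pc.get("globalDefault"))
    # The API server admits only one globalDefault PriorityClass; if another one
    # already existed, the apply above was rejected and new pods get that one.
    if defaults != [APP_DEFAULT_CLASS]:
        findings.append(f"globalDefault classes are {defaults}, expected [{APP_DEFAULT_CLASS!r}]")
    if TRILIO_CLASS not in classes:
        findings.append(f"PriorityClass {TRILIO_CLASS!r} is missing")
    elif APP_DEFAULT_CLASS in classes and \
            classes[TRILIO_CLASS]["value"] >= classes[APP_DEFAULT_CLASS]["value"]:
        findings.append(f"{TRILIO_CLASS!r} is not lower than {APP_DEFAULT_CLASS!r}")
    return findings


def check_pods(pod_list: dict, pc_list: dict) -> list[str]:
    """Flag Trilio pods not on TRILIO_CLASS and application pods Trilio could preempt.

    The global default is applied by admission when a pod is created, so pods
    that predate the class keep priority 0 until they are recreated, and Trilio
    pods keep whatever class they had until the deployments are rolled.
    """
    findings = []
    values = {pc["metadata"]["name"]: pc["value"] for pc in pc_list["items"]}
    trilio_value = values.get(TRILIO_CLASS, 0)
    for pod in pod_list["items"]:
        meta, spec = pod["metadata"], pod["spec"]
        name = f"{meta['namespace']}/{meta['name']}"
        pc_name = spec.get("priorityClassName")
        # spec.priority is filled in by admission; fall back to the class value for
        # manifests that have not been through the API server.
        priority = spec.get("priority", values.get(pc_name, 0))
        if meta["namespace"] == TRILIO_NAMESPACE:
            if pc_name != TRILIO_CLASS:
                findings.append(f"{name}: Trilio pod has priorityClassName={pc_name!r}; "
                                "roll it after setting helmValues.priorityClassName")
        elif priority < trilio_value:
            findings.append(f"{name}: priority {priority} is below Trilio's {trilio_value}, "
                            "so a Trilio pod could preempt it; recreate it to pick up the default")
    return findings


# Constructed samples (only the fields the checks read).
SAMPLE_PRIORITY_CLASSES = json.loads("""{"items": [
  {"metadata": {"name": "system-cluster-critical"}, "value": 2000000000, "globalDefault": false},
  {"metadata": {"name": "high-default-priority"},   "value": 100000,     "globalDefault": true},
  {"metadata": {"name": "trilio-low-priority"},     "value": 50000,      "globalDefault": false}
]}""")
SAMPLE_PODS = json.loads("""{"items": [
  {"metadata": {"namespace": "kube-system",   "name": "coredns-0"},
   "spec": {"priorityClassName": "system-cluster-critical", "priority": 2000000000}},
  {"metadata": {"namespace": "trilio-system", "name": "trilio-web-backend-0"},
   "spec": {"priorityClassName": "trilio-low-priority", "priority": 50000}},
  {"metadata": {"namespace": "trilio-system", "name": "trilio-control-plane-0"},
   "spec": {"priorityClassName": "high-default-priority", "priority": 100000}},
  {"metadata": {"namespace": "payments",      "name": "payments-api-0"},
   "spec": {"priorityClassName": "high-default-priority", "priority": 100000}},
  {"metadata": {"namespace": "payments",      "name": "legacy-worker-0"},
   "spec": {"priority": 0}}
]}""")


def load_live() -> tuple[dict, dict]:
    """Read the real objects through kubectl (used with --live)."""
    def get(*args):
        return json.loads(subprocess.check_output(["kubectl", "get", *args, "-o", "json"]))
    return get("priorityclass"), get("pods", "-A")


if __name__ == "__main__":
    pcs, pods = load_live() if "--live" in sys.argv else (SAMPLE_PRIORITY_CLASSES, SAMPLE_PODS)
    problems = check_priority_classes(pcs) + check_pods(pods, pcs)
    print("\n".join(problems) or "priority setup matches the plan")
    sys.exit(1 if problems else 0)
```

Run it without arguments to see the two findings the sample is built to trigger (a Trilio pod that picked up the global default because it was created before `helmValues` was updated, and an application pod that predates the default class and still sits at priority 0); run it with `--live` against a real cluster.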

* To keep cluster backups efficient and reliable, avoid backing up the entire cluster with a single backup plan. Instead, create multiple backup plans scoped to **namespaces** or **individual applications** and schedule them at different times, so that many backup jobs do not run at once and strain cluster resources. If the cluster has **limited resources**, prefer **application-level** backup plans over namespace-level ones; they consume fewer resources while still providing full backup coverage.

#### Authorization and Authentication

Choose an appropriate authentication provider to enable secure, persistent external access to the TrilioVault UI. To fully leverage RBAC (role-based access control), use a multi-user authentication solution such as **OpenID Connect, Active Directory/LDAPS, OpenShift OAuth, or a credentials file (in the case of GKE and AWS)**. Integrating Trilio with an existing Identity and Access Management (IAM) system keeps access control centralized and consistent with the rest of the platform.

#### **Access Control Considerations:**

* **Exercise caution when granting the built-in triliovault-admin ClusterRole to users or groups. This role allows unrestricted access, including modifying or deleting backup policies and restoring or removing backup data.**
* **Define custom Kubernetes ClusterRoles** with **RoleBindings/ClusterRoleBindings** to grant users or groups only the permissions required for specific namespaces or operations.
* **When an alternate authentication method is used for Kubernetes API access, verify that the RBAC bindings refer to the user and group identities that method actually presents; otherwise the intended access restrictions do not apply to the users who log in through it.**
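The three points above come down to one recurring question: who currently holds `triliovault-admin`, and which other Trilio roles are bound cluster-wide when a RoleBinding would have scoped them to a namespace. The script below is an added example, not part of T4K. It reads the JSON from `kubectl get clusterroles,clusterrolebindings,rolebindings -A -o json` and carries a constructed sample in that shape so it runs offline. The API group `triliovault.trilio.io`, the custom role names `tvk-backup-operator` and `tvk-backup-viewer`, and the groups and service accounts in the sample are assumptions for illustration.

```python
"""Audit how Trilio ClusterRoles are bound, starting with triliovault-admin.

Added example, not part of T4K. It reads the JSON from
`kubectl get clusterroles,clusterrolebindings,rolebindings -A -o json`; the
embedded sample is constructed in that shape. The Trilio API group, the custom
role names and the subjects are assumptions for illustration.
"""
import json
import subprocess
import sys

ADMIN_ROLE = "triliovault-admin"             # built-in role this page warns about
TRILIO_API_GROUP = "triliovault.trilio.io"   # group of BackupPlan/Backup/Restore (assumed)
WRITE_VERBS = {"*", "create", "update", "patch", "delete", "deletecollection"}


def trilio_cluster_roles(items: list[dict]) -> dict[str, bool]:
    """Map each ClusterRole that touches the Trilio API group to whether it can write.

    Wildcard roles such as cluster-admin are deliberately left out; audit those separately.
    """
    roles = {}
    for obj in items:
        if obj.get("kind") != "ClusterRole":
            continue
        touches, writes = False, False
        for rule in obj.get("rules") or []:
            if TRILIO_API_GROUP in rule.get("apiGroups", []):
                touches = True
                writes = writes or bool(WRITE_VERBS & set(rule.get("verbs", [])))
        if touches:
            roles[obj["metadata"]["name"]] = writes
    return roles


def fmt_subject(s: dict) -> str:
    ns = f"{s['namespace']}/" if s.get("namespace") else ""
    return f"{s['kind']}:{ns}{s['name']}"


def audit_bindings(items: list[dict]) -> list[str]:
    """One finding per subject that gets more Trilio access than a scoped RoleBinding would give.

    - every grant of triliovault-admin is reported, cluster-wide or per namespace;
    - a ClusterRoleBinding of any other Trilio role to a User or Group is reported,
      because a RoleBinding would confine the same ClusterRole to one namespace.
      ServiceAccounts (controllers) are allowed cluster-wide bindings here.
    """
    roles = trilio_cluster_roles(items)
    findings = []
    for b in items:
        kind = b.get("kind")
        if kind not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        ref = b["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in roles:
            continue  # namespaced Roles and non-Trilio roles are outside this audit
        role, bname = ref["name"], b["metadata"]["name"]
        for s in b.get("subjects") or []:
            who = fmt_subject(s)
            if role == ADMIN_ROLE:
                scope = ("cluster-wide" if kind == "ClusterRoleBinding"
                         else f"in namespace {b['metadata']['namespace']}")
                findings.append(f"HIGH {who} holds {ADMIN_ROLE} {scope} via {kind}/{bname}")
            elif kind == "ClusterRoleBinding" and s["kind"] in ("User", "Group"):
                level = "write" if roles[role] else "read-only"
                findings.append(f"MED  {who} has {level} access to {TRILIO_API_GROUP} in every "
                                f"namespace via ClusterRoleBinding/{bname}; bind {role} with a RoleBinding")
    return findings


# Constructed sample: one admin grant to a group, one correctly scoped RoleBinding,
# one cluster-wide read-only grant to every authenticated user, one controller SA.
SAMPLE = json.loads("""{"items": [
  {"kind": "ClusterRole", "metadata": {"name": "triliovault-admin"},
   "rules": [{"apiGroups": ["triliovault.trilio.io"], "resources": ["*"], "verbs": ["*"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "tvk-backup-operator"},
   "rules": [{"apiGroups": ["triliovault.trilio.io"], "resources": ["backupplans", "backups"],
              "verbs": ["get", "list", "watch", "create"]},
             {"apiGroups": ["triliovault.trilio.io"], "resources": ["restores"], "verbs": ["get", "list", "watch"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "tvk-backup-viewer"},
   "rules": [{"apiGroups": ["triliovault.trilio.io"], "resources": ["backupplans", "backups", "restores"],
              "verbs": ["get", "list", "watch"]}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "platform-admins-tvk"},
   "roleRef": {"kind": "ClusterRole", "name": "triliovault-admin"},
   "subjects": [{"kind": "Group", "name": "platform-admins"}]},
  {"kind": "RoleBinding", "metadata": {"name": "payments-backup-operators", "namespace": "payments"},
   "roleRef": {"kind": "ClusterRole", "name": "tvk-backup-operator"},
   "subjects": [{"kind": "Group", "name": "payments-sre"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-sees-backups"},
   "roleRef": {"kind": "ClusterRole", "name": "tvk-backup-viewer"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "tvk-controller"},
   "roleRef": {"kind": "ClusterRole", "name": "tvk-backup-operator"},
   "subjects": [{"kind": "ServiceAccount", "name": "tvk-controller", "namespace": "trilio-system"}]}
]}""")


if __name__ == "__main__":
    if "--live" in sys.argv:
        out = subprocess.check_output(["kubectl", "get", "clusterroles,clusterrolebindings,rolebindings",
                                       "-A", "-o", "json"])
        items = json.loads(out)["items"]
    else:
        items = SAMPLE["items"]
    report = audit_bindings(items)
    print("\n".join(report) or "no over-broad Trilio bindings found")
    sys.exit(1 if report else 0)
```

The RoleBinding in the sample (`payments-sre` bound to the `tvk-backup-operator` ClusterRole inside the `payments` namespace) is the pattern the second bullet recommends and produces no finding; the same ClusterRole bound through a ClusterRoleBinding to a group would. Run the script with `--live` against a cluster whose identities come from OIDC or LDAP groups and compare the reported subjects with the groups your IdP actually issues.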

Following these best practices, you can secure TrilioVault while maintaining fine-grained access control over backup and restore operations.
