T4K Best Practices
Introduction
This guide presents best practices for deploying T4K in single or multi-cluster Kubernetes environments. T4K delivers a reliable, scalable, and enterprise-grade backup and recovery solution tailored for modern Kubernetes workloads.
Installation Approach
Run the pre-flight checks to validate that all prerequisites for installing Trilio for Kubernetes are met. For additional information on the Pre-Flight Checks, refer to the Trilio for Kubernetes documentation.
Do not rely on kubectl port-forward to reach the Trilio UI in day-to-day use; expose it through an Ingress that terminates TLS so the UI is only reachable over HTTPS. For the steps to expose the Trilio UI, refer to the Trilio for Kubernetes documentation.
Managing Backup Operations Efficiently
It is recommended to use PriorityClass to control scheduling preferences and ensure application workloads run smoothly without disruption. You can prevent backup operations from impacting application performance by setting a default high-priority class for all pods and assigning a lower priority to Trilio workloads.
Create a high-value PriorityClass with globalDefault set to true. The scheduler assigns this class to every new pod that does not explicitly specify a priorityClassName, ensuring application workloads are given the higher priority. Only one PriorityClass in the cluster may be the global default, and pods that already exist keep the priority they were created with.
Create a second PriorityClass with a lower value for Trilio. Assigning a lower priority ensures that Trilio workloads do not preempt application pods: when a node is full, application pods are scheduled first and the backup pods wait for capacity.
After creating the PriorityClasses, configure T4K to use the lower-priority class through the TrilioVaultManager (TVM) resource, inside helmValues.
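The two PriorityClass objects described above, followed by the TVM fragment that points Trilio at the lower one, as an added example (this is not YAML from the Trilio documentation). The class names and priority values are arbitrary choices; the helmValues.priorityClassName key is an assumption about the chart values exposed through TVM and must be checked against the T4K reference for your release before use.

```yaml
# Added example, not from the Trilio docs. Class names and values are
# arbitrary; adjust them to the PriorityClasses already in your cluster.
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: app-default-high
value: 100000
# globalDefault: the scheduler gives this class to every *new* pod that sets
# no priorityClassName. Only one PriorityClass may set this, and pods that
# already exist keep the priority they were created with.
globalDefault: true
preemptionPolicy: PreemptLowerPriority
description: "Default for application workloads; wins over backup jobs."
---
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: trilio-low
value: 1000
globalDefault: false
# Never: Trilio pods wait for free capacity instead of evicting anything,
# even pods that are lower than 1000.
preemptionPolicy: Never
description: "Low priority for Trilio backup and restore workloads."
---
# Fragment to merge into your existing TrilioVaultManager (TVM) resource.
# ASSUMPTION: the helmValues key name and the TVM name/namespace shown here;
# verify the key against the T4K documentation for your version.
apiVersion: triliovault.trilio.io/v1
kind: TrilioVaultManager
metadata:
  name: triliovault-manager
  namespace: trilio-system
spec:
  helmValues:
    priorityClassName: trilio-low
```

Apply the two PriorityClasses before updating the TVM, otherwise the Trilio pods reference a class that does not exist yet and fail to schedule. Confirm the result with `kubectl get pods -n trilio-system -o custom-columns=NAME:.metadata.name,PRIO:.spec.priorityClassName` after the Trilio pods have rolled.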
To ensure efficient and reliable cluster backups, avoid backing up the entire cluster in a single backup plan. Instead, create multiple backup plans based on namespaces or individual applications and schedule them at different times. Staggering the schedules prevents many backup jobs from running at the same time and reduces the strain on cluster resources. If your cluster has limited resources, prefer backup plans at the application level rather than at the namespace level: a smaller plan consumes fewer resources per run while maintaining effective backup coverage.
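Two application-scoped backup plans in different namespaces whose full backups run two hours apart, as an added example (not YAML from the Trilio documentation). The field layout follows the T4K BackupPlan and Policy CRDs as I recall them, so confirm it against the CRDs installed in your cluster; the namespace, label, policy and Target names are assumptions.

```yaml
# Added example, not from the Trilio docs. Verify the field layout with:
#   kubectl explain backupplan.spec --api-version=triliovault.trilio.io/v1
#   kubectl explain policy.spec     --api-version=triliovault.trilio.io/v1
# One Schedule policy per plan so the two plans never fire together.
apiVersion: triliovault.trilio.io/v1
kind: Policy
metadata:
  name: full-0200
  namespace: shop
spec:
  type: Schedule
  scheduleConfig:
    schedule:
      - "0 2 * * *"          # 02:00 daily
---
apiVersion: triliovault.trilio.io/v1
kind: Policy
metadata:
  name: full-0400
  namespace: billing
spec:
  type: Schedule
  scheduleConfig:
    schedule:
      - "0 4 * * *"          # 04:00 daily, after the shop plan has finished
---
apiVersion: triliovault.trilio.io/v1
kind: BackupPlan
metadata:
  name: shop-frontend
  namespace: shop
spec:
  backupConfig:
    target:
      name: s3-target        # an existing Target resource (assumed name)
      namespace: trilio-system
    schedulePolicy:
      fullBackupPolicy:
        name: full-0200
        namespace: shop
  backupPlanComponents:
    custom:
      - matchLabels:
          app: frontend      # only this application, not the whole namespace
---
apiVersion: triliovault.trilio.io/v1
kind: BackupPlan
metadata:
  name: billing-api
  namespace: billing
spec:
  backupConfig:
    target:
      name: s3-target
      namespace: trilio-system
    schedulePolicy:
      fullBackupPolicy:
        name: full-0400
        namespace: billing
  backupPlanComponents:
    custom:
      - matchLabels:
          app: api
```

Pick the gap between schedules from the observed duration of the first plan (the Backup resource's status carries start and completion times), not from a guess; if the 02:00 run regularly overruns 04:00 the two plans still overlap.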
Authorization and Authentication
Choose an appropriate authentication provider to enable secure and permanent external access to the TrilioVault UI. To fully leverage RBAC (role-based access control) capabilities, it is recommended to use a multi-user authentication solution such as OpenID Connect, Active Directory/LDAPS, OpenShift OAuth, or a credentials file (in the case of GKE and AWS). Integrating Trilio with an existing Identity and Access Management (IAM) system ensures centralized and secure access control.
Access Control Considerations:
Exercise caution when granting the built-in triliovault-admin ClusterRole to users or groups. This role allows unrestricted access, including modifying or deleting backup policies and restoring or removing backup data.
Define custom Kubernetes ClusterRoles with RoleBindings/ClusterRoleBindings to grant users or groups only the permissions required for specific namespaces or operations.
When an alternate authentication method is used for Kubernetes API access, confirm that the RBAC bindings actually match the user and group names that provider issues (for example, the OIDC claim mapped to groups); a binding that names a group no identity carries restricts nothing.
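A custom ClusterRole that lets a team create and inspect backups and restores in one namespace, without the delete rights or Target access that triliovault-admin carries, as an added example (not YAML from the Trilio documentation). Binding it with a namespaced RoleBinding rather than a ClusterRoleBinding is what confines it to that namespace. The resource plurals are the Trilio CRD names as I know them, and the group name is an assumption about what your identity provider issues.

```yaml
# Added example, not from the Trilio docs. Check the resource names with:
#   kubectl api-resources --api-group=triliovault.trilio.io
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: trilio-backup-operator
rules:
  - apiGroups: ["triliovault.trilio.io"]
    resources: ["backupplans", "backups", "restores"]
    verbs: ["get", "list", "watch", "create"]   # no delete: backups cannot be removed
  - apiGroups: ["triliovault.trilio.io"]
    resources: ["policies", "targets"]
    verbs: ["get", "list", "watch"]             # read-only: no retargeting of backup data
---
# A RoleBinding (not a ClusterRoleBinding) limits the ClusterRole to 'shop'.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: shop-backup-operators
  namespace: shop
subjects:
  - kind: Group
    name: shop-sre          # ASSUMPTION: group name as issued by your OIDC/LDAP provider
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: trilio-backup-operator
  apiGroup: rbac.authorization.k8s.io
```

Verify the boundary from the API server's point of view rather than from the UI: `kubectl auth can-i create backups -n shop --as=alice --as-group=shop-sre` should answer yes, while the same command with `delete backups`, with `create targets`, or with `-n billing` should answer no. Note that create on restores is still a powerful right, since a restore overwrites live objects in the namespace; grant it only to groups that are meant to perform recovery.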
Following these best practices, you can secure TrilioVault while maintaining fine-grained access control over backup and restore operations.