In the landscape of modern application development and deployment, Kubernetes has transcended its adoption phase to become a cornerstone technology for organizations worldwide.

According to the Cloud Native Computing Foundation (CNCF), a staggering 96% of organizations are actively using or evaluating Kubernetes, with over 5.6 million developers worldwide embracing its capabilities. In addition, Datadog’s Container Report highlights that nearly 90% of Kubernetes users rely on cloud-managed services, which shows how widely the platform is integrated into cloud infrastructure alongside on-premises infrastructure.

New Paradigm: More Stateful Applications

Traditionally, Kubernetes was used to manage stateless applications, where data doesn’t need to persist after the application is shut down. However, as businesses demand more complex operations and storage solutions, there has been a significant shift toward stateful applications within Kubernetes environments. This transition brings about a new set of challenges, particularly in the realm of data protection. With more persistent data being stored, the stakes for ensuring data integrity and security are higher than ever.

Protecting Kubernetes data in a stateful environment is no small feat. As applications become increasingly reliant on persistent storage, the complexity of managing and safeguarding this data grows exponentially. Unlike stateless applications where data can be easily replicated and does not require persistent storage, stateful applications involve managing databases, user sessions, and intricate transaction data that must be preserved across sessions and pod restarts. 

This persistence necessitates robust backup strategies, efficient disaster recovery plans, and stringent access controls to protect against data loss and unauthorized access. Furthermore, the dynamic nature of containerized environments, with pods being created and destroyed frequently, adds another layer of complexity to data protection efforts.

This blog will dive into the intricacies of navigating these challenges, providing insights and strategies to bolster the security posture of Kubernetes deployments in the evolving landscape of mainstream adoption.

Rubrik for Kubernetes Protection

Rubrik Security Cloud (RSC) is a software-as-a-service (SaaS) platform that enables you to keep your data secure, monitor data risk, and quickly recover data wherever it lives: across the enterprise, in the cloud, and in SaaS applications. 

More specifically, RSC enables the backup and recovery of persistent volumes and Kubernetes objects associated with applications, ensuring protection and the ability to restore from a specific point in time. The underlying technology is designed to provide the following benefits:

Unified platform

  • Centralized view of Kubernetes environments across cloud and on-premises

  • Data protection through a global SLA policy engine

  • Support for namespace recovery using in-place or export options

  • Support for granular app-level recovery

Secure backups

  • In-flight and at-rest database data encryption

  • Air-gapped, immutable backups

  • RBAC for controlled access

Scalable application-consistent protection

  • Protect unlimited K8s clusters and nodes 

  • Protect app state, data, and metadata

  • Protect any CSI-compatible storage

Comprehensive support

  • 24x7, global support

  • Dedicated support team to deliver the best customer experience

What’s protected?

Your Kubernetes application state and persistent data need protection. But why now?

Persistent Volumes

Developers now leverage persistent volumes within the Kubernetes cluster to facilitate application mobility. Previously, these applications relied on storing data externally, often to a data service or NAS. Protected persistent volumes allow for faster recovery and minimize downtime in case of system failures, disasters, or cyberattacks.

Application State: Configuration and Metadata

As the risks and threats to your organization's build and deployment pipelines rise, safeguarding the application state becomes of utmost importance. This safeguarding ensures a pristine backup copy is available should redeployment from code not be feasible.

Rubrik protects the persistent volumes and application state across cloud and on-premises Kubernetes deployments.

Rubrik for Kubernetes Protection Architecture

The following diagram gives a high-level overview of how Rubrik integrates with Kubernetes to provide backup and recovery functions.

[Diagram: Kubernetes protection]

There are three main components associated with the Rubrik protection architecture:

    • Rubrik Security Cloud

    • A Rubrik cluster connected to Rubrik Security Cloud

    • The Kubernetes cluster to be protected

Rubrik Security Cloud serves as the centralized management plane for Kubernetes protection and provides the user interface for backup, recovery, and reporting of Kubernetes cluster data. The connected Rubrik cluster serves as the immutable storage target to store the Persistent Volume (PV) data backups and app namespace metadata backups of the Kubernetes cluster.

In addition, a Kubernetes protection agent is auto-deployed on the Kubernetes clusters and leverages the load balancer to communicate with the Rubrik clusters for any backup or recovery operations. Rubrik uses the control path flow to retrieve the metadata, which it then uses to add the Kubernetes cluster and namespaces. 

An agent pod is deployed during the backup and recovery operation. After the operations are completed, the agent pod is automatically deleted from the namespace. The agent pod uses the data path flow to ingest the data to Rubrik’s immutable file system and retrieve the backups for restores. The same architecture and functionalities are used across on-premises and supported public clouds.

Protection Set

Using the new protection set filtering feature, you can use Rubrik Security Cloud to secure your on-premises or public cloud Kubernetes clusters by protecting either entire Kubernetes namespaces or specific subsets within a namespace. 

A protection set is a protectable Kubernetes workload that you define in RSC. The subset can comprise Kubernetes resources or objects, such as deployments, services, or pods, along with the associated persistent volumes.

Recovery with Rubrik

Rubrik offers multiple options to recover your Kubernetes application as well. Let's discuss some of the current capabilities:

Restore Protection Set

Rubrik provides multiple ways to recover your protection set.

  • In-place recovery: Restore missing objects or corrupted data

  • Export to same namespace or cluster: Restore all resources under the protection set or tagged with a label 

  • Export to another namespace or cluster: Restore all resources under the protection set or tagged with a label 

Restore PVC

Rubrik provides multiple ways to recover your PVCs.

  • In-place recovery: Restore missing objects or corrupted data

  • Export to same namespace or cluster: Restore all selected PVCs or PVCs tagged with a label

  • Export to another namespace or cluster: Restore all selected PVCs or PVCs tagged with a label

Get started with Rubrik for Kubernetes

It’s simple to get started. If you haven’t tried the Rubrik solution for Kubernetes or haven't seen a demo, try our hands-on lab for Kubernetes.