
Let's sail to a safer place!
What is Velero?
Velero, formerly called Ark, is an open-source project developed by Heptio to easily back up, restore, and migrate Kubernetes resources and volumes.
Velero consists of:
A server running in your cluster
A CLI to run commands on the Velero server
What does it do?
Stores Kubernetes resources in highly available object storage (S3, GCS, Blob Storage, etc.)
Backs up PVs/PVCs using disk snapshot mechanisms from cloud providers
Schedules backups using cron syntax
Rotates backups automatically with TTL (Time to Live)
Supports plugins developed by the community
Want to know more? Take a look at our Kubilab #01, where we do a demo destroying the resources of a cluster and recreating them using only Velero.
After the video, we have a step-by-step guide on how to install it from scratch in your cluster, both on AWS and GCP!
Before installing Velero, you will need:
A quick warning!
OpenShift is supported natively, like any other Kubernetes cluster that supports CRDs. Below are the supported versions for each platform:
Kubernetes ≥ 1.7
OpenShift ≥ 3.7
Installation
The installation is done in three steps:
Deploy Velero prerequisites
Configuring credentials and cloud resources
Velero configuration and deployment
1. Deploy Velero prerequisites
Download the latest version of Velero available on the GitHub Releases page. We will use version v0.11.0, which is the latest available at the time of writing:
# Configuring Velero namespace, RBAC and CRDs by applying the Kubernetes prerequisites YAML
export VELERO_FOLDER=/opt/velero
export VELERO_VERSION=v0.11.0
wget https://github.com/heptio/velero/releases/download/$VELERO_VERSION/velero-$VELERO_VERSION-linux-amd64.tar.gz
mkdir -p $VELERO_FOLDER
tar -xzvf velero-$VELERO_VERSION-linux-amd64.tar.gz -C $VELERO_FOLDER
mv $VELERO_FOLDER/velero /usr/bin
chmod +x /usr/bin/velero
kubectl apply -f $VELERO_FOLDER/config/common/00-prereqs.yaml
Now we have the Velero namespace, RBAC, and CRDs created.
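The download step above unpacks the tarball and moves its binary into /usr/bin without any integrity check. The following is an added example, not code from the original post or from the Velero project: it compares the archive's SHA-256 with a digest you obtained from a source you trust and rejects member paths that would land outside the extraction directory. The function names and the expected-digest placeholder are assumptions.

```shell
#!/usr/bin/env bash
# Added example: check a downloaded release archive before unpacking it.

# Print the SHA-256 of a file, using whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 only if the archive matches the expected digest and no member
# would be written outside the extraction directory.
# Return 1 on a failed check, 2 if the archive cannot be read.
verify_release_tarball() {
  local tarball=$1 expected=$2 actual
  [ -f "$tarball" ] || { echo "missing: $tarball" >&2; return 2; }
  actual=$(sha256_of "$tarball") || return 2
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch: got $actual" >&2
    return 1
  fi
  # Reject absolute paths and parent-directory components.
  if tar -tzf "$tarball" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
    echo "unsafe member path in $tarball" >&2
    return 1
  fi
  return 0
}

# Usage (the digest is a placeholder, not a real value):
# EXPECTED_SHA256="<sha256-from-a-trusted-source>"
# TARBALL="velero-$VELERO_VERSION-linux-amd64.tar.gz"
# verify_release_tarball "$TARBALL" "$EXPECTED_SHA256" \
#   && tar -xzf "$TARBALL" -C "$VELERO_FOLDER"
```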
The next step is to configure the credentials-velero file by creating an Object Storage and cloud provider credentials (IAM).
2. Configuring credentials and cloud resources
It's time to configure cloud credentials for communication, and Object Storage for storing metadata/resources. When running commands related to the cloud provider, you must have the credentials-velero file at $VELERO_FOLDER/credentials-velero.
# Configuring Velero for a Kubernetes cluster hosted in AWS
# For in depth details, check https://heptio.github.io/velero/master/aws-config.html
export VELERO_FOLDER=/opt/velero
export BUCKET_NAME=k8s-cluster-velero # Use a different name
export CLOUD_REGION=us-east-1
# Create an S3 bucket to store Object backups
# (outside us-east-1, also pass --create-bucket-configuration LocationConstraint=$CLOUD_REGION)
aws s3api create-bucket \
  --bucket $BUCKET_NAME \
  --region $CLOUD_REGION
# Create Velero IAM user
aws iam create-user --user-name velero
# Attach IAM policies
cat > $VELERO_FOLDER/velero-policy.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes",
        "ec2:DescribeSnapshots",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:CreateSnapshot",
        "ec2:DeleteSnapshot"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:PutObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": [
        "arn:aws:s3:::${BUCKET_NAME}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::${BUCKET_NAME}"
      ]
    }
  ]
}
EOF
aws iam put-user-policy \
  --user-name velero \
  --policy-name velero \
  --policy-document file://${VELERO_FOLDER}/velero-policy.json
# Create IAM credentials
export CREDENTIALS_OUTPUT=$(aws iam create-access-key --user-name velero)
export VELERO_AWS_ACCESS=$(echo -n "$CREDENTIALS_OUTPUT" | jq -r '.AccessKey.AccessKeyId')
export VELERO_AWS_SECRET=$(echo -n "$CREDENTIALS_OUTPUT" | jq -r '.AccessKey.SecretAccessKey')
# Create "credentials-velero" file
cat > $VELERO_FOLDER/credentials-velero <<EOF
[default]
aws_access_key_id=${VELERO_AWS_ACCESS}
aws_secret_access_key=${VELERO_AWS_SECRET}
EOF
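The AWS steps above write a long-lived access key to credentials-velero with whatever mode the current umask allows, and `jq -r` prints the literal `null` if the create-access-key call did not return a key. The following is an added example, not code from the original post or from the Velero project: it writes the same file with mode 0600 and refuses empty or `null` values. The function names are hypothetical and the sample values in the usage comment are the variables defined above.

```shell
#!/usr/bin/env bash
# Added example: write credentials-velero so only its owner can read it.

# Write an AWS-style credentials file with mode 0600.
# Fails if a value is empty or the literal "null" (what `jq -r` prints
# when the key is missing, e.g. after a failed create-access-key call).
write_velero_credentials() {
  local path=$1 access=$2 secret=$3 v
  for v in "$access" "$secret"; do
    if [ -z "$v" ] || [ "$v" = "null" ]; then
      echo "refusing to write $path: empty or null credential" >&2
      return 1
    fi
  done
  (
    umask 077        # a newly created file gets mode 0600
    rm -f "$path"    # a truncated older file would keep its old mode
    printf '[default]\naws_access_key_id=%s\naws_secret_access_key=%s\n' \
      "$access" "$secret" > "$path"
  )
}

# Return 0 if the file exists and grants nothing to group or others.
credentials_file_is_private() {
  local path=$1
  [ -f "$path" ] || return 1
  # Characters 5-10 of the mode string are the group and other bits.
  [ "$(ls -ld "$path" | cut -c5-10)" = "------" ]
}

# Usage with the variables from the steps above:
# write_velero_credentials "$VELERO_FOLDER/credentials-velero" \
#   "$VELERO_AWS_ACCESS" "$VELERO_AWS_SECRET"
# credentials_file_is_private "$VELERO_FOLDER/credentials-velero" || exit 1
# unset CREDENTIALS_OUTPUT VELERO_AWS_ACCESS VELERO_AWS_SECRET
```

Once the Kubernetes Secret in step 3 has been created from this file, the cluster reads the key from the Secret, so the plaintext copy under $VELERO_FOLDER can be deleted.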
# Configuring Velero for a Kubernetes cluster hosted in GCP
# For in depth details, check https://heptio.github.io/velero/master/gcp-config.html
export VELERO_FOLDER=/opt/velero
export BUCKET_NAME=k8s-cluster-velero # Use a different name
export PROJECT_ID=$(gcloud config get-value project)
# Create a GS bucket to store Object backups
gsutil mb gs://$BUCKET_NAME/
# Create GCP Service Account
gcloud iam service-accounts create velero \
  --display-name "Velero service account"
SERVICE_ACCOUNT_EMAIL=$(gcloud iam service-accounts list \
  --filter="displayName:Velero service account" \
  --format 'value(email)')
# Create IAM Role
ROLE_PERMISSIONS=(
  compute.disks.get
  compute.disks.create
  compute.disks.createSnapshot
  compute.snapshots.get
  compute.snapshots.create
  compute.snapshots.useReadOnly
  compute.snapshots.delete
  compute.zones.get
)
gcloud iam roles create velero.server \
  --project $PROJECT_ID \
  --title "Velero Server" \
  --permissions "$(IFS=","; echo "${ROLE_PERMISSIONS[*]}")"
# Bind IAM policy
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member serviceAccount:$SERVICE_ACCOUNT_EMAIL \
  --role projects/$PROJECT_ID/roles/velero.server
# Change IAM permissions
gsutil iam ch serviceAccount:$SERVICE_ACCOUNT_EMAIL:objectAdmin gs://$BUCKET_NAME
# Create "credentials-velero" file
gcloud iam service-accounts keys create $VELERO_FOLDER/credentials-velero \
  --iam-account $SERVICE_ACCOUNT_EMAIL
3. Velero configuration and deployment
With the credentials-velero file and Object Storage configured, we only need to create the Kubernetes Secret from the credentials-velero file and then deploy Velero.
# Deploying Velero for a Kubernetes cluster hosted in AWS
# For in depth details, check https://heptio.github.io/velero/master/aws-config.html
export VELERO_FOLDER=/opt/velero
export BUCKET_NAME=k8s-cluster-velero # Use a different name
export CLOUD_REGION=us-east-1
kubectl create secret generic cloud-credentials \
  --namespace velero \
  --from-file cloud=$VELERO_FOLDER/credentials-velero
sed -e "s/<YOUR_BUCKET>/${BUCKET_NAME}/g" \
  -e "s/<YOUR_REGION>/${CLOUD_REGION}/g" \
  -i $VELERO_FOLDER/config/aws/05-backupstoragelocation.yaml
sed -e "s/<YOUR_REGION>/${CLOUD_REGION}/g" \
  -i $VELERO_FOLDER/config/aws/06-volumesnapshotlocation.yaml
kubectl apply -f $VELERO_FOLDER/config/aws/05-backupstoragelocation.yaml
kubectl apply -f $VELERO_FOLDER/config/aws/06-volumesnapshotlocation.yaml
kubectl apply -f $VELERO_FOLDER/config/aws/10-deployment.yaml
# Deploying Velero for a Kubernetes cluster hosted in GCP
# For in depth details, check https://heptio.github.io/velero/master/gcp-config.html
export VELERO_FOLDER=/opt/velero
export BUCKET_NAME=k8s-cluster-velero # Use a different name
kubectl create secret generic cloud-credentials \
  --namespace velero \
  --from-file cloud=$VELERO_FOLDER/credentials-velero
sed -e "s/<YOUR_BUCKET>/${BUCKET_NAME}/g" \
  -i $VELERO_FOLDER/config/gcp/05-backupstoragelocation.yaml
kubectl apply -f $VELERO_FOLDER/config/gcp/05-backupstoragelocation.yaml
kubectl apply -f $VELERO_FOLDER/config/gcp/06-volumesnapshotlocation.yaml
kubectl apply -f $VELERO_FOLDER/config/gcp/10-deployment.yaml
Congratulations! Your Velero is installed and running. Now, let's understand some concepts before creating our first backup.
Velero 101
It is important to know what is happening behind the scenes before running random commands and getting into trouble. Below are some concepts you need to know about Velero:
Backup: CRD that stores metadata such as creation date, which namespaces should be included, which PVCs are attached, etc.
BackupLocation: CRD that stores configurations such as which region and object storage should be used to store backups.
SnapshotLocation: CRD that stores configurations such as which region should be used for PVC snapshots.
Restore: CRD that stores information such as which content of a backup should be restored.
BackupController: Controller inside the Velero server that manages CRDs (backups/restores/schedules) and processes Kubernetes API calls.

For more details, see the official documentation.
Creating your first backup
Velero is not an intrusive tool if you only use backup features, as it will read the resources without modifying them.
Velero uses the best-known kubectl commands (get, create, describe, logs and delete), so you will feel at home using its CLI.
It is possible to create unique, isolated backups by running
