ETCD备份
环境信息:
kubernetes v1.22.2
一、备份前准备
1.确认 etcd 集群状态
kubectl get nodes -o wide # 检查节点状态
kubectl get pods -n kube-system | grep etcd # 查看 etcd Pod 位置(通常在 Master 节点)
2.准备备份工具
使用官方工具 etcdctl(需与 etcd 版本匹配):
# 查看 etcd 版本(在 Master 节点执行)
kubectl describe pod -n kube-system etcd-<master-node-name> | grep "Image:"
# 下载对应版本 etcdctl(示例:v3.5.0)
wget https://github.com/etcd-io/etcd/releases/download/v3.5.0/etcd-v3.5.0-linux-amd64.tar.gz
tar -xzvf etcd-v3.5.0-linux-amd64.tar.gz
sudo mv etcd-v3.5.0-linux-amd64/etcdctl /usr/local/bin/
etcdctl version # 确认版本
3.获取 etcd 证书路径
在 Master 节点上,证书通常位于 /etc/kubernetes/pki/etcd/:
ls /etc/kubernetes/pki/etcd/
# 输出:ca.crt server.crt server.key peer.crt peer.key
二、备份方案
方案1: 使用 etcdctl 手动快照备份(推荐)
# 在 Master 节点执行(替换 <master-node-ip>)
ETCDCTL_API=3 etcdctl \--endpoints=https://192.168.12.211:2379 \--cacert=/etc/kubernetes/pki/etcd/ca.crt \--cert=/etc/kubernetes/pki/etcd/server.crt \--key=/etc/kubernetes/pki/etcd/server.key \snapshot save /backup/etcd-snapshot-$(date +%Y%m%d%H%M%S).db
参数说明:
- 仅单节点进行备份
--endpoints:etcd 服务地址(通常为 Master 节点 IP + 2379 端口)--cacert:CA 证书路径--cert和--key:etcd 服务端证书和私钥snapshot save:保存快照到指定路径
方案2: 通过静态 Pod 直接备份(无需证书)
如果 etcd 以静态 Pod 运行(Kubeadm 部署常见):
进入pod进行手动备份
# 进入 etcd Pod 容器
kubectl exec -it -n kube-system etcd-<master-node-name> -- sh# 在容器内执行备份
etcdctl --endpoints=https://127.0.0.1:2379 \--cacert=/etc/kubernetes/pki/etcd/ca.crt \--cert=/etc/kubernetes/pki/etcd/server.crt \--key=/etc/kubernetes/pki/etcd/server.key \snapshot save /var/lib/etcd/snapshot.db
将手动备份的db文件拷贝到备份文件所在目录
1、使用scp进行备份文件(测试可用)
获取etcd节点ip
kubectl get pod -A -o wide |grep etcd
[root@master-01 ~]# kubectl get pod -A -o wide |grep etcd
kube-system etcd-master-01 1/1 Running 30 (53m ago) 23d 192.168.12.211 master-01 <none> <none>
kube-system etcd-master-02 1/1 Running 17 (53m ago) 23d 192.168.12.212 master-02 <none> <none>
kube-system etcd-master-03 1/1 Running 17 (53m ago) 23d 192.168.12.213 master-03 <none> <none>scp root@192.168.12.212:/var/lib/etcd/snapshot.db /backup/
2、使用kubectl cp
kubectl cp -n kube-system etcd-<master-node-name>:/var/lib/etcd/snapshot.db /backup/snapshot.db
三、验证备份文件
# 检查快照状态
[root@master-01 backup]# etcdctl snapshot status /backup/snapshot.db --write-out=table
Deprecated: Use `etcdutl snapshot status` instead.+----------+----------+------------+------------+
| HASH | REVISION | TOTAL KEYS | TOTAL SIZE |
+----------+----------+------------+------------+
| 8e9865be | 494341 | 1956 | 13 MB |
+----------+----------+------------+------------+
四、自动化备份(CronJob)
创建定时备份任务:
# etcd-backup-cronjob.yaml
apiVersion: batch/v1
kind: CronJob
metadata:name: etcd-backupnamespace: kube-system
spec:schedule: "0 2 * * *" # 每天凌晨2点备份jobTemplate:spec:template:spec:hostNetwork: truecontainers:- name: etcd-backupimage: k8s.gcr.io/etcd:3.5.0 # 与集群 etcd 版本一致command:- /bin/sh- -c- |etcdctl --endpoints=https://<master-ip>:2379 \--cacert=/etc/kubernetes/pki/etcd/ca.crt \--cert=/etc/kubernetes/pki/etcd/server.crt \--key=/etc/kubernetes/pki/etcd/server.key \snapshot save /backup/snapshot-$(date +%Y%m%d).dbvolumeMounts:- name: etcd-certsmountPath: /etc/kubernetes/pki/etcd- name: backup-dirmountPath: /backupvolumes:- name: etcd-certshostPath:path: /etc/kubernetes/pki/etcd- name: backup-dirhostPath:path: /backuprestartPolicy: OnFailure
部署命令
kubectl apply -f etcd-backup-cronjob.yaml
五、灾难恢复(从备份还原)
还原操作会覆盖 etcd 数据,务必在测试环境验证!
# 1. 停止所有 etcd 服务(所有 Master 节点)
sudo systemctl stop etcd# 2. 还原快照(在任意 Master 节点)
etcdctl snapshot restore /backup/snapshot.db \--name etcd-0 \--initial-cluster etcd-0=https://<master-ip>:2380 \--initial-cluster-token etcd-cluster-1 \--initial-advertise-peer-urls https://<master-ip>:2380 \--data-dir /var/lib/etcd-restore# 3. 替换原数据目录
sudo mv /var/lib/etcd /var/lib/etcd-old
sudo mv /var/lib/etcd-restore /var/lib/etcd
sudo chown -R etcd:etcd /var/lib/etcd# 4. 重启 etcd 服务
sudo systemctl start etcd# 5. 验证集群状态
kubectl get nodes