Table of Contents

3 WHY KUBERNETES?
Kubernetes Data Protection Complexity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

5 DATA PROTECTION FOR KUBERNETES

Kubernetes Environments are Complex and Dynamic. . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

What to Protect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Focus on Restores. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

8 BEST PRACTICES FOR KUBERNETES DATA PROTECTION

Data Protection Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Security Best Practices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Rubrik Zero Trust Data Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Rubrik Protection for Kubernetes Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

How Rubrik Protection for Kubernetes Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Rubrik Protection for Kubernetes: Protection Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Rubrik Protection for Kubernetes: Benefits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Getting Started with Rubrik Protection for Kubernetes. . . . . . . . . . . . . . . . . . . . . . . . . . 15

Rubrik is on a mission to secure the world’s data. With Zero Trust Data Security™, we help organizations achieve business resilience against cyberattacks,
malicious insiders, and operational disruptions. Rubrik Security Cloud, powered by machine learning, secures data across enterprise, cloud, and SaaS
applications. We help organizations uphold data integrity, deliver data availability that withstands adverse conditions, continuously monitor data risks and
threats, and restore businesses with their data when infrastructure is attacked.
For more information please visit www.rubrik.com and follow @rubrikInc on X (formerly Twitter) and Rubrik on LinkedIn.
Rubrik is a registered trademark of Rubrik, Inc. All company names, product names, and other such names in this document are registered trademarks or
trademarks of the relevant company.

ebk-data-protection-for-kubernetes / 20240619
WHY KUBERNETES?
To keep up with the competition, companies need the ability to deliver applications rapidly,
update them frequently, and run them reliably. Given the increasing importance of digital
services in all areas of your business, how do you manage application delivery at scale? And,
how do you ensure applications run the same on-premises, in the cloud, and at the edge?

Many companies are turning to cloud-native architectures and modern application development
methods to deliver new software and services more quickly. New applications are increasingly
packaged in containers, providing lightweight executables designed to run consistently across
on-premises and cloud infrastructures. Using Agile and DevOps methods, teams can deliver
new code quicker, scale operations more easily to meet demand, and move applications across
different environments.

Containerized applications are different from applications running in VMs. Modern applications
typically use a microservices design—with each application service running in its own
container(s). Containers proliferate quickly and require a different management approach.

Kubernetes has become the de-facto standard for container management, often called
orchestration. According to the Cloud Native Computing Foundation (CNCF), a staggering 96%
of organizations are actively using or evaluating Kubernetes, with over 5.6 million developers
worldwide embracing its capabilities.

DATA PROTECTION FOR KUBERNETES 3

DevOps teams rely on Kubernetes to scale services and manage container deployment better
and faster than ever before. Because Kubernetes runs more-or-less identically on premises
and in the cloud, it lends itself well to the multi-cloud strategies that most enterprises are
pursuing, enabling you to move services closer to the consumer without painful re-platforming
or re-factoring. However, containers and Kubernetes create new challenges when it comes to
managing data, reining in data sprawl, and ensuring data protection and security.

Kubernetes Data Protection Complexity

Perhaps the biggest difference—and biggest challenge—with Kubernetes is the way Perhaps
the biggest difference—and biggest challenge—with Kubernetes is the way data is handled.
In a VM environment, an application’s data is often stored within the VM itself. Virtualization
administrators have long experience with protecting the integrity and availability of virtual
environments and recovering when cyberattacks or failures occur.

With Kubernetes, on the other hand, containers come and go quickly and you may have many
instances of the same container, so it doesn’t make sense for a container to store data. Instead,
long-lived data is stored in persistent volumes or PVs. A PV represents a storage volume
accessible to the cluster that can be provisioned upfront by an administrator or dynamically
provisioned via API.

Kubernetes supports the wide variety of storage available in most data centers (and in public
clouds) via the Container Storage Interface (CSI). Storage vendors create CSI plugins to enable
access to the underlying capabilities of their storage. Depending on your Kubernetes cluster
configuration, you may have access to object, file, or block storage—or a combination.

Traditionally, Kubernetes was used to manage stateless applications, where data doesn’t need
to persist after the application is shut down. However, as businesses demand more complex
operations and storage solutions, there has been a significant shift toward stateful applications
within Kubernetes environments.

These differences change the nature of data management and data protection in Kubernetes
environments. There are specific elements that must be backed up so that your application
and your environment can be recovered in the event of a failure. This includes the Kubernetes
application state, which describes each component configuration, metadata describing its
resources, Kubernetes objects representing the state of the cluster, and PVs, as just described.

Because data protection in a dynamic Kubernetes environment is a lot different from what you
may be used to, this eBook examines the operational and data protection challenges created
by Kubernetes and takes a deep dive into protecting and securing data in dynamic, distributed
Kubernetes environments.

DATA PROTECTION FOR KUBERNETES 4

DATA PROTECTION FOR KUBERNETES
Good backups are a must for any computing environment. However, it seems like every time
a new computing paradigm comes along, the industry has to learn the same lessons all over
again. As Kubernetes becomes a critical part of production in enterprise IT, it is essential to have
robust tools for Kubernetes data protection. The Kubernetes community is only now coming to
terms with these requirements.

The Ransomware Threat

Ransomware attacks are growing at an alarming rate. You can’t turn on the news without
hearing about yet another organization that has been affected. These attacks pose a severe
threat to today’s businesses.

ttle against ransomware, traditional approaches to security and data protection are failing,
and traditional backups are vulnerable. Many ransomware attacks target backups to prevent
recovery and force payment. Traditional backup methods are great for recovering from natural
disasters and operational failures, but they were not built to withstand cyber threats and are
therefore vulnerable.

As you plan your data protection strategy for Kubernetes, the ability to protect against
ransomware should be front and center in your thinking.

To learn more about ransomware and ransomware protection for Kubernetes and your entire IT
environment, check out How to Build Your Cyber Recovery Playbook.

DATA PROTECTION FOR KUBERNETES 5

Kubernetes Environments are Complex and Dynamic
The distributed Kubernetes environment is complex and dynamic, changing from one moment
to the next. As a practical limit, a single Kubernetes cluster can have up to 500 nodes. Each
node can run hundreds of containers, and a single Kubernetes cluster generally runs multiple
applications (with varying service level requirements) simultaneously. Most organizations end
up with dozens of clusters for development, testing, and production, with clusters running in
data centers, public clouds, and other locations to deliver services close to where they are
consumed.

Your data protection strategy has to be able to accommodate an environment that is distributed
and dynamic. A data protection approach that worked well when you had one or two clusters
and a handful of nodes may not meet your needs as your fleet of Kubernetes clusters grows.

What to Protect
In addition to coping with the distributed and dynamic nature of Kubernetes, your data
protection strategy needs to encompass the diverse elements that make up a Kubernetes
environment, ensure backup and recovery for both stateless and stateful applications, and
protect against ransomware threats.

Persistent Volumes
Developers now leverage persistent volumes within Kubernetes clusters to
facilitate application mobility. Previously, these applications relied on storing data
externally, often to a data service or NAS. Protected persistent volumes allow for
faster recovery and minimize downtime in case of system failures, disasters, or
cyberattacks.

Application State: Configuration and Metadata

As the risks and threats to your organization’s build and deployment pipelines
rise, safeguarding the application state becomes of utmost importance. This
safeguarding ensures a pristine backup copy is available should redeployment from
code not be feasible.

DATA PROTECTION FOR KUBERNETES 6

Focus on Restores
When a cyberattack, failure, or natural disaster occurs, you need to be sure you can get your IT
operations back online as quickly as possible to ensure business continuity and avoid revenue
loss. This means that fast and flexible restores are a critical consideration.

Because of the complexity of Kubernetes environments—and the number of discrete

elements—restores can be slow and require tedious manual effort. Don’t overlook restore
capabilities when deciding on Kubernetes data protection. Important considerations are:

• Speed. Can you restore fast enough to meet the SLAs of your most important
applications?

• Visibility. If a cluster or application fails, how easy is it to determine what has been
affected? Can you see restore point options in one place?

• Flexibility. Can you restore missing objects from a namespace? An entire application
and all its resources? An entire cluster? Can you restore to a different cluster? (This
can be useful for migration and disaster recovery.) Can you restore to a sandbox
environment? (This can be essential when recovering from ransomware or other
malware attacks.)

With Kubernetes, your goal should be to back up the entire application, including front-end
services, supporting microservices, PVs, and all associated Kubernetes object data, so you can
recover the application state to any point in time.

DATA PROTECTION FOR KUBERNETES 7

BEST PRACTICES FOR KUBERNETES
DATA PROTECTION
If you’re reading this book, it’s a sign that you’ve already recognized the importance of
Kubernetes data protection and security. Here are some best practices that will help ensure
your environment is well protected.

Data Protection Best Practices

There are a few basic—and a few not-so-basic—considerations that will help ensure the
success of whatever data protection method you choose.

Follow resiliency and availability best practices

Follow the best practices for Kubernetes Master node and /etcd resilience for
whatever flavor(s) of Kubernetes you use. Typically, you’ll want multiple Master
nodes and redundant copies of /etcd plus regular /etcd backups.

Implement good storage practices

• One namespace per application. Kubernetes namespaces can be used to
subdivide clusters, providing isolation, resource control, and other benefits. If
two apps share the same namespace, a restore may affect both apps.

• Each namespace should have unique PVs. As above, if PVs are shared
between namespaces (and applications) any failure will have a bigger blast
radius.

• Each PV should have a single function. If you use a PV to store persistent

data for multiple services, then a failure or data corruption event may affect
all those services—as will a restore. For example, if your product catalog is
important to the function of your application, don’t store other data in the
same PV.

Choose the right protection scheme for your organization

• Business needs. What are your business needs in terms of backup and
restore? Backups can’t have too great an impact on production but must
enable you to meet your recovery time objective (RTO) and recovery point
objective (RPO) for each application.

DATA PROTECTION FOR KUBERNETES 8

 • Frequency. How often you back up should be based on how critical the
application is, what happens if it fails, and how much data you can afford to
lose. Snapshot-based backups help increase frequency while minimizing the
impact on running applications.

• Ad hoc backups. Given the dynamic nature of Kubernetes and the high
rate of change of modern applications, you will likely need the ability to
perform ad hoc application backups in response to events like updates and
new application deployments, enabling you to quickly roll back if something
goes wrong.

• Custom SLAs. You may want the ability to implement custom SLAs on a per-
application, per-PV, or per-object basis.

Do regular dry runs

An effective way to ensure that you can restore an application and meet the
required SLAs is to do occasional dry runs.

Seek a policy-driven approach

Since a Kubernetes cluster is dynamic, your backup strategy needs to be
application-centric rather than job-centric. With a policy-driven approach, as
the application environment changes, your backups should also adapt to ensure
everything is protected. The same policy should be able to manage both cloud and
on-prem. The right method should interface with the Kubernetes control plane in
order to keep track of individual applications in their entirety, capturing both state
and data.

DATA PROTECTION FOR KUBERNETES 9

Security Best Practices
Kubernetes environments are as vulnerable to threats as other environments. Ransomware
attacks, malicious actors, and human mistakes can all compromise data and infrastructure. The
results can be detrimental, potentially even disabling Kubernetes systems.

There can be a lot to get your head around, as evidenced by the number of high-profile security
incidents due to mistakes. Given cybersecurity is top of mind for every IT leader, there are
additional best practices that can help ensure the security of your Kubernetes environment
including backup data:

Embrace DevSecOps
Given the increase in security concerns and cyber threats, many organizations are
turning to DevSecOps—combining DevOps and security functions—to ensure that
new software is created using security best practices. This practice also ensures
that when new vulnerabilities are found (and the vulnerability list keeps growing),
the affected software can be easily identified and quickly patched.

Isolate Each Application

If you follow the storage practices described above, each application has its
own namespace, and each namespace has its own PVs, keeping application data
isolated so that a breach of one application doesn’t immediately become a breach
of multiple applications.

Secure Cluster Access

Kubernetes includes all the hooks necessary to enable a zero-trust access
environment for each Kubernetes cluster including multi-factor authentication (MFA)
and role-based access control (RBAC). Using RBAC, you can restrict the capabilities
of different users and service accounts. In particular, you should limit the set of
admins that can access backups or change backup settings.

Choose Immutability
Backups are the last line of defense against ransomware, and hackers have learned
to go after them. If they gain access to your backup software, they may turn
backups off or alter schedules, and hope you don’t notice. Careful access control
is the first line of defense for your backups. Immutability—the ability to prevent any
changes to a backup once it is written—is the second line of defense. Immutability
ensures that backup files can’t be altered or encrypted once they are written—even
if hackers gain full access to them.

DATA PROTECTION FOR KUBERNETES 10

 Encrypt Backups
Encryption is the third line of defense against cyber attacks. If hackers are
somehow able to exfiltrate your backup data, encryption ensures that sensitive data
remains unreadable.

Enable Logging and Auditing

Enabling logging and auditing on each Kubernetes cluster and your backups—with
centralized log aggregation—is another important security measure that will help
you detect unauthorized changes and intrusions more quickly.

The ideal Kubernetes data protection strategy includes automated backup and recovery,
scheduling and retirement policies, the ability to meet your recovery SLAs, and protection
against ransomware encryption across cloud and on-prem clusters. All of this has to be
accomplished at scale, with fewer manual tasks, for every application in every production
Kubernetes cluster. And it all needs to be as secure as possible.

Rubrik Zero Trust Data Security

Rubrik takes a zero-trust approach to protect your data and applications from ransomware,
natural disasters, and operational failures. Many ransomware attacks often target backups, so
it’s vital to ensure your backups are 100% protected and resilient. With Zero Trust Data Security,
no one is trustworthy. No user. No application. No device.

By taking a zero-trust approach, Rubrik ensures all your data remains readily available. Services
are architected with a logical air gap, secure protocols, native immutability, encryption, and
access controls.

In particular, Role-Based Access Control (RBAC) allows admins to maintain control over their
environment. They can add databases and workloads, manage what SLAs are assigned to the
environment, and handle backup and recovery operations without having access to objects they
do not need.

DATA PROTECTION FOR KUBERNETES 11

Zero Trust By Design
Rubrik Security Cloud was architected
using Zero Trust principles to prevent
threats at the data layer. Our use of
native immutability, secure protocols,
logical air gap, encryption, role-
based access controls, multi-factor
authentication, and native services,
uphold data integrity and availability.

Rubrik Protection for Kubernetes Environments

Rubrik Security Cloud (RSC) is a software-as-a-service (SaaS) platform that enables you to
keep your data secure, monitor data risk, and quickly recover data wherever it lives: across the
enterprise, in the cloud, and in SaaS applications.

More specifically, RSC enables the backup and recovery of persistent volumes and Kubernetes
objects associated with applications, ensuring protection and the ability to restore from a
specific point in time.

The underlying technology is designed to provide the following benefits:

UNIFIED MANAGEMENT GLOBAL SECURITY ENTERPRISE SCALE & SUPPORT

Protect Kubernetes clusters across Automated security policies Support for unlimited number
on-prem and cloud through a single ensure Kubernetes clusters of Kubernetes clusters, cluster
management plane with automated are protected with immutable, nodes, applications, and data
security policies access controlled backups backed by 24/7 global support

Rubrik’s immutable backups can’t be changed. Your Kubernetes and other backups are -
unchanged once written to Rubrik and can be deployed immediately to production servers or
sandbox environments. In addition to protecting against malicious data corruption, having an
immutable backup helps you manage your compliance requirements—ensuring that accurate
copies of data are retained.

DATA PROTECTION FOR KUBERNETES 12

When you protect your Kubernetes environment with Rubrik, backup data is stored on Rubrik’s
immutable storage platform, so you always have a good point in time to recover from, ensuring
the availability of your applications—and your business.

How Rubrik Protection for Kubernetes Works

Here’s how Rubrik integrates with Kubernetes to provide backup and recovery functions.

KUBERNETES
CLUSTER 1

Rubrik Security Cloud

Load Balancer
Rubrik Cluster

RS

Controller Rubrik Protection Agent Pod RS

PV PVC

STS PVC

App namespace metadata

Data Plane
PV

Control Panel PV

K8s Persistent Volume Backups

There are three main components associated with the Rubrik protection architecture:

1. Rubrik Security Cloud

2. A Rubrik cluster connected to Rubrik Security Cloud

3. The Kubernetes cluster to be protected

Rubrik Security Cloud serves as the centralized management plane for Kubernetes protection
and provides the user interface for backup, recovery, and reporting of Kubernetes cluster data.
The connected Rubrik cluster serves as the immutable storage target to store the Persistent
Volume (PV) data backups and app namespace metadata backups of the Kubernetes cluster.

DATA PROTECTION FOR KUBERNETES 13

In addition, a Kubernetes protection agent is automatically deployed on the Kubernetes clusters
and leverages a service of type LoadBalancer to communicate with the Rubrik clusters for
backup or recovery operations. Rubrik uses the control path flow to retrieve the metadata,
which it then uses to add the Kubernetes cluster and discover namespaces.

An ephemeral agent pod is deployed during the backup and recovery operation. After the
operations are completed, the agent pod is automatically deleted from the namespace. The
data path flow is used to ingest backup data into Rubrik’s immutable file system and retrieve the
backups for restores. The same architecture and functionalities are used across on-premises
and supported public clouds.

Rubrik Protection for Kubernetes: Protection Set

With the new Protection Set filtering feature, you can use Rubrik Security Cloud to secure
your on-premises or public cloud Kubernetes clusters by protecting either entire Kubernetes
namespaces or specific resources within a namespace.

A Protection Set is a protectable Kubernetes workload that you define in RSC. The subset can
comprise Kubernetes resources or objects, such as deployments, services, or pods, along with
associated persistent volumes, so you can explicitly choose what to protect and recover.

KUBERNETES
CLUSTER 1

App Team 1 is scoped App Team 2 is scoped

to Namespace 1 (NS) to Namespace 2 (NS)
(full privileges) (full privileges)

NS1 Protection Sets NS2 Protection Sets

PV PV PV

Persistent Persistent Persistent Pod

Volume Volume Volume

Stateful Stateful Deployment

Set PV Set PVC PVC

Persistent Persistent Persistent Pod

Volume Volume Claim Volume Claim

PV

Stateful Persistent
Set Volume

DATA PROTECTION FOR KUBERNETES 14

Rubrik Protection for Kubernetes: Benefits
Rubrik Protection for Kubernetes offers the following benefits:

• Immutable, air-gapped backups ensure application data and dependencies are

resilient MFA, with granular role-based access control preventing unauthorized change,
encryption, or deletion.

• Reusable Global SLAs can be assigned to clusters or protection sets to improve your
efficiency.

• Flexibility to set the frequency and retention of snapshots enables you to cater to
different applications’ SLA needs.

• Protection for Kubernetes workloads across your private and public clouds gives you
coverage across multi-cloud environments.

• Rubrik enables the creation of a Protection Set, which is an advanced filter capability
to group resources for an application within a namespace to be protected.

• Extend Rubrik’s data protection as Rubrik APIs or Kubernetes CRDs to run commands
against Kubernetes clusters for backup and recovery operations.

• Supported Kubernetes Distributions: Conforming Kubernetes clusters such as Red Hat

OpenShift, VMware Tanzu, SuSE Rancher, AmazonEKS, and Azure AKS.

Getting Started with Rubrik Protection for Kubernetes

To find out how Rubrik can help you enhance data protection, deliver superior protection
against ransomware and other cyber threats, and increase the productivity of your entire
team—for your Kubernetes environment and your entire IT operation—visit our Kubernetes
Protection page.

DATA PROTECTION FOR KUBERNETES 15

DATA PROTECTION FOR KUBERNETES 16