Spring has arrived, the flowers are blooming and, for us Kubernetes fans, CNCF’s KubeCon Europe conference has just begun in Valencia! Here at Catalogic, the CloudCasa team has spent the last few months trying to top our February release by developing another set of great new features.
This update marks the introduction of Microsoft Azure account integration for CloudCasa. This works similarly to the existing AWS account support. With Azure integration, CloudCasa now supports automatic discovery of AKS clusters, backups of AKS cluster metadata, and optional automatic creation of AKS clusters on restore.
To link CloudCasa to your Azure account, simply go to the Cloud Accounts page under the Configuration tab and click the “Add cloud account” button. Then select “Microsoft Azure.” You can then click on the “Deploy to Azure” button to open a Create ARM template page in the Azure Portal. Deploying the ARM template will grant CloudCasa the permissions it needs, and only the permissions it needs, to discover, back up, and restore AKS clusters.
Database service backups and cloud account security scanning are not currently supported for Azure. In the future, we expect to have feature parity with AWS.
If you are using AKS clusters, we highly recommend linking your Azure accounts!
In our February update, we introduced organizations and basic user roles. With this release we’ve introduced full role-based access control (RBAC). Roles are now definable by an administrator, and individual users can be assigned multiple roles. User groups can also be defined, and roles can be assigned to groups as well. The permissions a user has are the union of the permissions granted by the roles assigned to them and the permissions granted by the roles assigned to the groups they belong to.
To allow administration of roles and groups, new roles and user groups pages have been added under User Management in the Configuration tab. Built-in roles are not currently editable, but you can clone them to create new modifiable roles. We expect to remove this limitation in a future release.
In the near future, we will introduce the ability to extend access control restrictions to individual resources rather than just resource types. Our API already supports this level of control.
With the default role definitions, the system will behave the same as before. If you don’t need the access control functionality provided by these new features, you don’t need to do anything and shouldn’t notice a difference.
You’ll notice that we’ve again made some significant changes to the UI. The Protection and Security tabs now have left-hand navigation bars like the Configuration tab, and some new pages have been added. In particular, we have added a summary dashboard for each cluster that is reachable from Protection/Clusters/Overview.
We’ve also changed to a new table design for most tables in the product. The new design looks similar to the previous design, but gives you more powerful options for filtering, sorting, searching, and column visibility. A line above the table now includes a search field, quick select options, and a filter button. A menu reachable from the “three dots” icon in the upper right corner of the table controls column visibility.
A final small, but useful UI change: Cloud icons now indicate clusters that are linked to configured cloud accounts and backups that contain cloud metadata.
We are pleased to announce that we have tested and certified CloudCasa to work with the Longhorn V1.3.0 release candidate (1.3.0-RC1). This version has a CSI driver that allows creation of proper volume snapshots. Previous versions of Longhorn would cause timeout failures for CloudCasa backup jobs when they attempted to create snapshots.
Azure Account Integration
This update marks the introduction of Microsoft Azure account integration for CloudCasa. This works similarly to the existing AWS account support. With Azure integration, CloudCasa now supports automatic discovery of AKS clusters, backups of AKS cluster metadata, and optional automatic creation of AKS clusters on restore.
To link CloudCasa to your Azure account, simply go to the Cloud Accounts page under the Configuration tab and click the “Add cloud account” button. Then select “Microsoft Azure.” You can then click on the “Deploy to Azure” button to open a Create ARM template page in the Azure Portal. Deploying the ARM template will grant CloudCasa the permissions it needs, and only the permissions it needs, to discover, back up, and restore AKS clusters.
Database service backups and cloud account security scanning are not currently supported for Azure. In the future, we expect to have feature parity with AWS.
If you are using AKS clusters, we highly recommend linking your Azure accounts!
Granular RBAC & User Groups
In our February update, we introduced organizations and basic user roles. With this release we’ve introduced full role-based access control (RBAC). Roles are now definable by an administrator, and individual users can be assigned multiple roles. User groups can also be defined, and roles can be assigned to groups as well. The permissions a user has are the union of the permissions granted by the roles assigned to them and the permissions granted by the roles assigned to the groups they belong to.
To allow administration of roles and groups, new roles and user groups pages have been added under User Management in the Configuration tab. Built-in roles are not currently editable, but you can clone them to create new modifiable roles. We expect to remove this limitation in a future release.
In the near future, we will introduce the ability to extend access control restrictions to individual resources rather than just resource types. Our API already supports this level of control.
With the default role definitions, the system will behave the same as before. If you don’t need the access control functionality provided by these new features, you don’t need to do anything and shouldn’t notice a difference.
Roles for API Keys
With the addition of RBAC, API keys can now each have one or more roles assigned to them, just like a user. The roles assigned can be modified after key creation.Isolated User Object Store Support for BYO Storage
Previously, CloudCasa only allowed you to define object storage endpoints under “My Storage” if they were reachable from our service provider infrastructure via the public Internet. With this update, it is now only necessary for the storage endpoint to be reachable from the cluster or clusters you wish to back up. This allows to you use local storage systems that are isolated from the Internet. For each endpoint, you must designate one cluster where the CloudCasa agent will be responsible for maintenance operations on the storage, such as expiring old recovery points. Typically, this would be one of the clusters you are backing up from.UI Reorganization
You’ll notice that we’ve again made some significant changes to the UI. The Protection and Security tabs now have left-hand navigation bars like the Configuration tab, and some new pages have been added. In particular, we have added a summary dashboard for each cluster that is reachable from Protection/Clusters/Overview.
We’ve also changed to a new table design for most tables in the product. The new design looks similar to the previous design, but gives you more powerful options for filtering, sorting, searching, and column visibility. A line above the table now includes a search field, quick select options, and a filter button. A menu reachable from the “three dots” icon in the upper right corner of the table controls column visibility.
A final small, but useful UI change: Cloud icons now indicate clusters that are linked to configured cloud accounts and backups that contain cloud metadata.
Backup and Restore Performance Improvements
We’ve had a project running to improve the performance of backups and restores. Over the past few months, we’ve made some significant changes to our agent that, in our testing, increased restore throughput by up to 2.2x and backup throughput by up to 10x. The backup throughput increase is especially pronounced when backing up AWS EBS snapshots, but all PV types should benefit. Backup throughput can sometimes be further increased by increasing the number of concurrent streams under “Advanced options” in your backup job definition. Just be aware that increasing the number of streams will increase memory utilization proportionately. The default is 2, which means that two PVs will be backed up at a time. We think you’ll be impressed with the performance, and work to improve it even more is ongoing.Emailed Reports for Security Scans
When defining a security scan job, you can now specify a list of email addresses that you want summary reports to be sent to. The summary report will be sent every time the scan job runs, as long as it succeeds for at least one cluster or cloud account.Option to Disable Certificate Check for BYO Object Stores
We have added an option “Disable TLS certificate validation” to disable the check for valid a server certificate when opening TLS connections to a BYOS object-store. This will allow CloudCasa to use a storage endpoint with a self-signed or otherwise invalid certificate. You can enable it on a per-bucket basis when configuring storage under “My Storage.” We recommend leaving this off in most cases, which is the default.Longhorn Support
We are pleased to announce that we have tested and certified CloudCasa to work with the Longhorn V1.3.0 release candidate (1.3.0-RC1). This version has a CSI driver that allows creation of proper volume snapshots. Previous versions of Longhorn would cause timeout failures for CloudCasa backup jobs when they attempted to create snapshots.
Bob Adair
Sathya Sankaran