May 12, 2022 at 8:03 pm #6102Bob AdairMember
Spring has arrived, the flowers are blooming and, for us Kubernetes fans, CNCF’s KubeCon Europe conference in Valencia is just around the corner! Here at Catalogic, the CloudCasa team has spent the last few months trying to top our big February release by developing another set of major new features.
Azure account support
This update marks the introduction of Microsoft Azure account integration for CloudCasa. This works similarly to the existing AWS account support. With Azure integration, CloudCasa now supports automatic discovery of AKS clusters, backups of AKS cluster metadata, and optional automatic creation of AKS clusters on restore.
To link CloudCasa to your Azure account, simply go to the Cloud Accounts page under the Configuration tab and click the “Add cloud account” button. Then select “Microsoft Azure”. You can then click on the “Deploy to Azure” button to open a Create ARM template page in the Azure Portal. Deploying the ARM template will grant CloudCasa the permissions it needs, and only the permissions it needs, to discover, back up, and restore AKS clusters.
Database service backups and cloud account security scanning are not currently supported for Azure. In the future, we expect to have feature parity with AWS.
If you are using AKS clusters, we highly recommend linking your Azure accounts!
Granular RBAC & user groups
In our February update, we introduced organizations and basic user roles. With this release, we’re introducing full role-based access control (RBAC). Roles are now definable by an administrator, and individual users can be assigned multiple roles. User groups can also be defined, and roles can be assigned to groups as well. The permissions a user has are the union of the permissions granted by the roles assigned to them and the permissions granted by the roles assigned to the groups they belong to.
To allow administration of roles and groups, new Roles and User Groups pages have been added under User Management in the Configuration tab. Built-in roles are not currently editable, but you can clone them to create new modifiable roles. We expect to remove this limitation in a future release.
In the near future, we will introduce the ability to extend access control restrictions to individual resources rather than just resource types. Our API already supports this level of control.
With the default role definitions, the system will behave the same as before. If you don’t need the access control functionality provided by these new features, you don’t need to do anything and shouldn’t notice a difference.
Note: Some administrative actions in the UI are still only enabled for the built-in Admin role. This restriction will be removed in a future update. We are still fine-tuning the behaviors of the various permissions. Some may be renamed, combined, or sub-divided in future updates.
Roles for API keys
With the addition of RBAC, API keys can now each have one or more roles assigned to them, just like a user. The roles assigned can also be modified after key creation.
Isolated user object store support for BYO Storage
Previously, CloudCasa only allowed you to define object storage endpoints under “My Storage” if they were reachable from our service provider infrastructure via the public Internet. With this update, it is now only necessary for the storage endpoint to be reachable from the cluster or clusters you wish to back up. This allows to you use storage systems that are isolated from the Internet. You must designate one cluster where the CloudCasa agent will be responsible for maintenance operations on the storage, such as expiring old recovery points. Typically, this would be one of the clusters you are backing up from.
You’ll notice that we’ve again made some significant changes to the UI. The Protection and Security tabs now have left-hand navigation bars like the Configuration tab, and some new pages have been added. In particular, we have added a summary dashboard for each cluster that is reachable from Protection/Clusters/Overview.
We’ve also changed to a new table design for most tables in the product. The new design looks similar to the previous design, but gives you more powerful options for filtering, sorting, searching, and column visibility. A line above the table now includes a search field, quick select options, and a filter button. A menu reachable from the “three dots” icon in the upper right corner of the table controls column visibility.
A final small but useful UI change: Cloud icons now indicate clusters that are linked to configured cloud accounts and backups that contain cloud metadata.
Backup and restore performance improvements
We’ve had a project running to improve the performance of backups and restores. Over the past few months, we’ve made some significant changes to our agent that in our testing increased restore throughput by up to 2.2x and backup throughput by up to 10x. The backup throughput increase is especially pronounced when backing up AWS EBS snapshots, but all PV types should benefit.
Backup throughput can sometimes be further increased by increasing the number of concurrent streams under “Advanced options” in your backup job definition. Just be aware that increasing the number of streams will increase memory utilization proportionately. The default is 2, which means that two PVs will be backed up at a time.
Additional work to improve performance even more is on-going.
Emailed reports for security scans
When defining a security scan job, you can now specify a list of email addresses that you want summary reports to be sent to. The summary report will be sent every time the scan job runs, as long as it succeeds for at least one cluster or cloud account.
Option to disable certificate check for BYO object stores
We have added an option “Disable TLS certificate validation” to disable the check for valid a server certificate when opening TLS connections to a BYOS object store. This will allow CloudCasa to use a storage endpoint with a self-signed or otherwise invalid certificate. You can enable it on a per-bucket basis when configuring storage under “My Storage”. We recommend leaving this off in most cases, which is the default.
We are pleased to announce that we have tested and certified CloudCasa to work with the SUSE Longhorn V1.3.0 release candidate (1.3.0-RC1). This version has a CSI driver that allows creation of volume snapshots. Previous versions of Longhorn would cause timeout failures for CloudCasa backup jobs when they attempted to create snapshots.
Kubernetes 1.23 support
We have tested CloudCasa with Kubernetes 1.23 and confirmed compatibility. No changes or user actions were necessary.
Azure marketplace listing
As a Microsoft Partner, CloudCasa now has a listing in the Azure marketplace! This compliments our new extended Azure support.
Kubernetes agent updates
In this release we’ve again made several changes to our Kubernetes agent to add features, improve performance, and fix bugs. However, manual updates normally shouldn’t be necessary anymore because of the automatic agent update feature introduced in February.
With some browsers you may need to restart, hit Control-F5, and/or clear the cache to make sure you have the latest version of the CloudCasa web app when first logging in after the update.
As always, we want to hear your feedback on new features! You can contact us via the user forum, using the support chat feature, or by sending email to firstname.lastname@example.org.
- You must be logged in to reply to this topic.