Kubernetes Migration

Migrating a Kubernetes cluster from one cloud provider to another usually breaks into three separate problems: moving Kubernetes resources, moving the data attached to workloads, and moving the container images those workloads depend on.

1. Kubernetes resource migration
2. Persistent volume migration
3. Container image migration

Kubernetes resources and persistent volumes can be handled with Velero. Image registry migration is simpler in most cases. Common open source options include Alibaba Cloud's image-syncer and Tencent Cloud's image-transfer.

Velero is an open source backup and restore system built for Kubernetes. A common cross-cloud migration pattern is to back up the source cluster and restore that backup into the target cluster.

Velero consists of two parts:

1. Server-side components running inside the Kubernetes clusters being backed up or restored
2. A CLI client

The server side is a collection of controllers that watch Velero custom resources for backup and restore operations. The CLI mostly saves you from writing those custom resources by hand.

Compared with the version we reviewed in the earlier note on Kubernetes failure detection and self-healing, Velero has added several capabilities that matter in real migrations:

1. ReadWriteMany volumes are no longer backed up repeatedly.
2. Cloud provider plugins have been split out from the core Velero repository.
3. Restic-based persistent volume backups are always incremental, even when Pods move.
4. Namespace cloning can automatically clone the related persistent volumes.
5. CSI-backed persistent volumes are supported, including the mainstream AWS, Azure, and GCP cases.
6. Backup and restore progress reporting is supported.
7. Velero can back up all API versions of a resource.
8. Volume backup through Restic can be enabled by default with --default-volumes-to-restic.
9. restoreStatus can be used to control which resource status fields are restored.
10. --existing-resource-policy can change restore behavior when a resource already exists. The default is to skip existing resources, except for ServiceAccounts. Setting it to update makes Velero update existing resources instead.
11. Since 1.10, Velero supports Kopia as an alternative to Restic. Kopia often performs better on large backup sets or very large file counts.

Velero supports both on-demand and scheduled backups. In both cases it collects Kubernetes resources, applies filters if requested, packages the result, and uploads it to an object storage backend.

A typical backup flow looks like this:

1. The user runs velero backup create, which creates a Backup resource.
2. BackupController sees the new Backup resource and validates it.
3. If validation succeeds, the controller runs the backup. By default, Velero creates snapshots for all persistent volumes. Use --snapshot-volumes=false to change that behavior.
4. The controller uploads the backup data to object storage.

When Velero backs up resources, it stores them using the preferred API version. If the source API server exposes two versions of a group, for example teleport/v1alpha1 and teleport/v1, and v1 is the preferred version, the backup stores the resource in v1 form. The target cluster does not have to prefer that version, but it must support it. That is one reason restore can fail across clusters with different Kubernetes or CRD versions.

Backups can have a retention period through --ttl. When that retention window expires, Velero deletes the Kubernetes backup records, the backup files, the snapshots, and the related Restore objects. If garbage collection fails, Velero adds a velero.io/gc-failure=REASON label to the Backup object.

There is one important caveat for cross-cloud migration: snapshot-based volume backup is not enough. A snapshot created on cloud A is not something you can usually restore directly on cloud B.

Restore takes a previous backup, including Kubernetes resources and volume data, and replays it into the target cluster. The target cluster can be the source cluster itself, and the restore can be filtered so only part of the backup is restored.

Restored Kubernetes resources receive the label velero.io/restore-name=RESTORE_NAME. By default, the restore name is BACKUP_NAME-TIMESTAMP, where the timestamp format is YYYYMMDDhhmmss.

A typical restore flow looks like this:

1. The user runs velero restore create, which creates a Restore resource.
2. RestoreController sees the Restore object and validates it.
3. If validation succeeds, the controller reads the backup metadata from object storage and performs prechecks, including API version checks, to see whether the resources can run on the new cluster.
4. The controller restores resources one by one.

By default, Velero does not delete or overwrite existing objects in the target cluster. If a resource already exists, Velero skips it. Setting --existing-resource-policy=update tells Velero to try to update matching existing resources instead.

The object storage backend is Velero's single source of truth. That has two practical consequences:

1. If object storage contains backup data but the Kubernetes API does not contain the matching Backup resource, Velero recreates the Backup object.
2. If Kubernetes contains a Backup resource but object storage does not contain the matching backup data, Velero deletes the Backup object.

This is also why cross-cloud migration works at all. The source and target clusters do not need to talk directly to each other. Object storage becomes the only shared medium.

The CRD that defines where backup metadata is stored is BackupStorageLocation. It points to a bucket or a prefix inside a bucket. Velero stores backup metadata there, and file-system-based volume backups through Restic or Kopia also live there. Snapshot-based volume backups do not live in that bucket, because the snapshot implementation is controlled by the cloud provider.

Each Backup can use one BackupStorageLocation.

Snapshot-related information is stored in VolumeSnapshotLocation. The actual fields depend on the cloud plugin, because snapshot implementation is provider-specific.

Each Backup can use one VolumeSnapshotLocation per volume snapshot provider.

Velero uses a plugin model that keeps storage and cloud provider integrations outside the core project.

Velero also exposes hooks around the standard backup and restore flow.

Backup hooks run during backup. One standard use is telling a database to flush in-memory buffers before a snapshot or file backup starts.

Restore hooks run during restore. They are often used for initialization steps that need to happen before the application starts normally.

Install the Velero CLI binary, extract it, and place velero on $PATH. To enable shell completion:

Client-side configuration can be adjusted like this:

The CLI can also install the server components:

Several flags in that example matter in migration scenarios:

• --use-node-agent enables file-system-based backup support.
• --default-volumes-to-fs-backup makes file-system backup the default for Pod volumes. Without it, volumes normally have to be selected through annotations.
• --features=EnableCSI,EnableAPIGroupVersions turns on feature gates that matter in newer storage and API-version scenarios.
• Resource request and limit flags often need adjustment when file-system backup is used heavily.

After installation, you can configure default backup and snapshot locations:

You can also add extra snapshot providers after the initial install:

One practical test setup is to create one Kubernetes cluster on Alibaba Cloud as the source cluster and another on Tencent Cloud as the target cluster, then use Velero to move workloads across them.

Create the clusters through the two cloud consoles. The exact steps depend on the providers and are not the point here.

The most common Kubernetes use case is still stateless workloads. Stateful infrastructure such as databases is often delegated to cloud PaaS products instead of being hosted inside the cluster. That reality makes Kubernetes migration much easier, because volume migration often drops out of scope.

A simple test case is an Nginx Deployment plus a Service. Start by creating the resources on the source cluster:

For this kind of workload, the migration path is fairly direct: back up the namespace or selected resources from the source cluster, restore them into the target cluster, and then verify that the restored Deployment, Service, and related objects match expectations. The harder cases show up later, when CRDs, API version skew, storage classes, and cloud-specific integrations enter the picture.