Google Cloud Storage Backup

This guide covers configuring VolumeBackup with Google Cloud Storage (GCS) as the repository backend.

Repository URL Format

gs:bucket-name/path

Example: gs:my-backup-bucket/kubernetes/app-data

Credentials Secret

Create a Secret with your GCS service account key and Restic repository password:

apiVersion: v1
kind: Secret
metadata:
  name: gcs-backup-credentials
  namespace: default
type: Opaque
stringData:
  GOOGLE_APPLICATION_CREDENTIALS: "/tmp/gcs-credentials.json"
  GOOGLE_PROJECT_ID: "my-gcp-project"
  RESTIC_PASSWORD: "your-restic-repository-password"
  gcs-credentials.json: |
    {
      "type": "service_account",
      "project_id": "my-gcp-project",
      ...
    }

The service account needs the following IAM roles on the bucket:

  • roles/storage.objectAdmin (or equivalent storage.objects.* permissions)

Full Example

apiVersion: backups.k8s.bnerd.com/v1
kind: VolumeBackup
metadata:
  name: gcs-volume-backup
  namespace: default
spec:
  volumeClaimRef:
    name: my-data-pvc

  schedule: "0 3 * * *"

  repository:
    type: gcs
    url: gs:my-backup-bucket/kubernetes/my-data
    secretRef:
      name: gcs-backup-credentials

  retention:
    keepLast: 15
    keepDaily: 7
    keepWeekly: 4
    keepMonthly: 6

  cache:
    enabled: true
    size: "5Gi"

Workload Identity

If your cluster uses GKE Workload Identity, the service account key in the Secret can be replaced with Workload Identity federation. Ensure the Kubernetes ServiceAccount used by the backup Job is annotated with the Google service account that has access to the bucket:

kubectl annotate serviceaccount default \
  iam.gke.io/gcp-service-account=backup-sa@my-project.iam.gserviceaccount.com

In this case, you still need the Secret for RESTIC_PASSWORD, but GOOGLE_APPLICATION_CREDENTIALS can be omitted.
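The Secret keys described above and the Workload Identity variant are easy to get subtly wrong (a placeholder RESTIC_PASSWORD left in place, a key file whose project_id does not match GOOGLE_PROJECT_ID, a secretRef pointing at the wrong Secret). The following pre-apply check is an added example, not part of VolumeBackup or this guide; it assumes both manifests have already been parsed into dicts (for instance with yaml.safe_load) and uses a simplified GCS bucket-name rule.

```python
import json
import re

# Simplified form of the gs:bucket-name/path URL this page documents
# (bucket: 3-63 lowercase letters, digits, '-', '_' or '.', then an optional path).
GCS_URL_RE = re.compile(r"^gs:[a-z0-9][a-z0-9._-]{1,61}[a-z0-9](/\S*)?$")


def check_gcs_backup(backup: dict, secret: dict) -> list:
    """Return the problems found in a VolumeBackup/Secret pair (empty list = consistent)."""
    problems = []
    repo = backup.get("spec", {}).get("repository", {})
    if repo.get("type") != "gcs":
        problems.append("repository.type must be 'gcs'")
    if not GCS_URL_RE.match(repo.get("url", "")):
        problems.append("repository.url must look like gs:bucket-name/path")
    if repo.get("secretRef", {}).get("name") != secret.get("metadata", {}).get("name"):
        problems.append("secretRef.name does not match the Secret's metadata.name")
    data = secret.get("stringData", {})
    if data.get("RESTIC_PASSWORD", "") in ("", "your-restic-repository-password"):
        problems.append("RESTIC_PASSWORD is missing or still the documentation placeholder")
    cred_path = data.get("GOOGLE_APPLICATION_CREDENTIALS")
    if cred_path is None:
        return problems  # Workload Identity mode: no key in the Secret, nothing more to check here
    key_name = cred_path.rsplit("/", 1)[-1]  # the key file must be a stringData entry of that name
    if key_name not in data:
        problems.append(f"GOOGLE_APPLICATION_CREDENTIALS points at {key_name}, which is not in the Secret")
        return problems
    try:
        key = json.loads(data[key_name])
    except json.JSONDecodeError:
        problems.append(f"{key_name} is not valid JSON")
        return problems
    if key.get("type") != "service_account":
        problems.append(f"{key_name} is not a service_account key")
    if key.get("project_id") != data.get("GOOGLE_PROJECT_ID"):
        problems.append("GOOGLE_PROJECT_ID does not match the project_id inside the key file")
    return problems


# Constructed sample manifests (already parsed) mirroring this page; the key file's
# project_id deliberately differs from GOOGLE_PROJECT_ID so the mismatch is reported.
SAMPLE_BACKUP = {"metadata": {"name": "gcs-volume-backup", "namespace": "default"},
                 "spec": {"repository": {"type": "gcs", "url": "gs:my-backup-bucket/kubernetes/my-data",
                                         "secretRef": {"name": "gcs-backup-credentials"}}}}
SAMPLE_SECRET = {"metadata": {"name": "gcs-backup-credentials", "namespace": "default"},
                 "stringData": {"GOOGLE_APPLICATION_CREDENTIALS": "/tmp/gcs-credentials.json",
                                "GOOGLE_PROJECT_ID": "my-gcp-project",
                                "RESTIC_PASSWORD": "example-not-a-real-password",
                                "gcs-credentials.json": json.dumps(
                                    {"type": "service_account", "project_id": "other-project"})}}
```

Running check_gcs_backup(SAMPLE_BACKUP, SAMPLE_SECRET) reports only the project_id mismatch, the same condition the "invalid credentials" entry under Troubleshooting tells you to look for.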

Troubleshooting

"permission denied" errors

  • Verify the service account has storage.objects.create, storage.objects.get, storage.objects.list, and storage.objects.delete permissions
  • Ensure the bucket exists and is in the correct project

"invalid credentials" errors

  • Check that the service account key JSON is valid and not expired
  • Verify GOOGLE_PROJECT_ID matches the project owning the bucket