Backups Addon

The backups addon can be used to backup the most important parts of a cluster, including:

  • etcd
  • etcd PKI (certificates and keys used by Kubernetes to access the etcd cluster)
  • Kubernetes PKI (certificates and keys used by Kubernetes and clients)

The addon uses Restic to upload backups, encrypt them, and handle backup rotation.

By default, backups are done every 30 minutes and are kept for 48 hours. If you need retention, please adjust the restic CLI flags restic forget --prune --keep-last <NEW AMOUNT OF HOURS>.


In order to use this addon, you need an S3 bucket or Restic-compatible repository for storing backups.

Using The Addon

You can enable the addon via the KubeOneCluster manifest. Make sure to replace the placeholder values in the params stanza with the appropriate values.

kind: KubeOneCluster
  kubernetes: 1.23.3
  aws: {}
  enable: true
    - name: backups-restic
        resticPassword: "<some-secret-value-here>"
        s3Bucket: "<backup-bucket-name>"
        awsDefaultRegion: "<default-AWS-region>"

Original addon source can be found in kubeone repository.

Credentials are fetched automatically via the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables. If you want to use non-default credentials, update the s3-credentials secret (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY keys).