Astra Control Now Enables Kubernetes Data Protection at Massive Scale

For the latest versions of NetApp® Astra™ Control 23.10 and Astra Trident 23.10, we are excited to announce the general availability of a rich set of features that our customers have asked for. And the most relevant new feature is the backup and restore of Kubernetes applications backed by NetApp ONTAP® qtrees, created and accessed with the ontap-nas-economy storage driver. Customers now get:

• Backup and restore of applications using qtrees for persistent storage
• Support for on-premises Kubernetes and OpenShift clusters in fully managed Astra Control Service (ACS)
• In-flight data encryption between containers and persistent volumes (PVs) based on Kerberos
• Ransomware protection by using object storage retention policies
• Red Hat OpenShift Service on AWS (ROSA) support
• NVMe over TCP (NVMe/TCP) persistent volumes (PVs) support

Astra Control is an application-aware data management solution that protects, recovers, and moves data-rich Kubernetes workloads in public clouds and on premises. By using industry-leading data management technology for NetApp Snapshot™ copies, backups, replication, and cloning, Astra Control enables data protection, disaster recovery, and migration for Kubernetes workloads.

Many NetApp customers use the ontap-nas-economy storage driver with Trident to provide tens of thousands of persistent volumes (PVs) to their Kubernetes clusters. The ontap-nas-economy storage driver is built on qtrees, a logically defined file system that can exist as a special subdirectory of the root directory within a NetApp FlexVol® volume. With the ontap-nas-economy driver, Kubernetes deployments can scale up to 300 qtrees per FlexVol volume, allowing tens of thousands of PVs per cluster. This massive scale makes ONTAP an appealing option for growing enterprise Kubernetes deployments. However, qtrees don’t support Snapshot copies and can’t be cloned individually. Consequently, apps that use qtrees can’t be protected effectively.

Until now, ONTAP customers could choose either scalable storage (qtrees) or data protection enabled storage (FlexVol) for their Kubernetes applications that require persistent storage. With the latest release of Astra Control, customers no longer have to choose between scale and data protection. They can protect, through backup and restore, Kubernetes applications using PVs that are backed by qtrees, which provide virtually unlimited scale.

In addition to managing and protecting the most popular Kubernetes platforms in the public cloud, with Astra Control Service (ACS), customers can now manage and protect a Kubernetes cluster in a private network on premises. Thanks to an enhanced component of Astra Control called Astra Connector, ACS can communicate to clusters in private networks on hyperscalers or on premises. With this feature, ACS provides a single console to manage both on-premises and public cloud clusters. This centralized management facilitates data and application portability between public cloud and on-premises Kubernetes and OpenShift clusters, enabling hybrid data protection as a service.

Many new regulations about data security and stricter controls require customers to encrypt data that is used by Kubernetes applications everywhere. With Astra Control, customers can now encrypt data in transit, also known as in-flight encryption, between the containers that are running applications and the PVs that store application data. With this new feature, customers can use Kerberos v5 to create a storage backend and storage class, providing in-flight encryption to all PVs that are created using that backend.

Some customers want to use immutable or write once, read many (WORM) buckets to store their backups in a place that’s safe from ransomware or hackers’ attacks. With the latest release, Astra Control automatically recognizes the object storage lock that’s configured, marks the bucket as immutable, and honors the retention period that’s configured in the buckets that store backups. If an attacker gains access to an administrator Astra account, they can’t delete any backups that are part of the immutable bucket until the retention period has expired.

Astra Control Service now supports Red Hat OpenShift Service on AWS (ROSA) clusters for data protection and portability on all possible architecture models:

• Public network
• Private network
• AWS PrivateLink

The supported storage backends for ROSA are FSx for NetApp ONTAP, Amazon EBS, and NetApp CVO.

Customers are demanding better performance for persistent block storage for their Kubernetes deployments at scale. NVMe/TCP is gaining in popularity, and the latest version of Astra Trident can provision block storage by using NVMe/TCP. In addition, Astra Control protects applications by using this protocol to create and to access PVs. Customers can select this new protocol by using sanType=nvme in the Trident backend definition for an ONTAP SAN type of backend. It supports the following volume access modes: RWO, RWOP, and RWX (for raw volumes: volumeMode:Block).

Astra Control now offers advanced storage management, access, and provisioning in addition to Container Storage Interface (CSI) specification–compliant functionality. For customers and partners who are building their own Kubernetes data management control plane but need foundational storage management functionality to do so, this latest release documents and supports the following set of features:

• SnapMirror CustomResourceDefinitions (CRDs). The goal of this feature is to enable continuous operations even under disaster conditions, with CRDs, with namespace scope, in a primary and recovery cluster. In this way, Astra Control can create and destroy mirror relationships between volumes (PVCs) and give the user some more options for mirrored volumes. For example, one option is breaking the relationship and promoting the secondary under disaster conditions (often called failing over). Another example option is enabling lossless transition of applications from cluster to cluster (such as planned failovers and efficient migrations).

• Read-only clones. As part of the solution to enable backup and restore for applications that are stored on ontap-nas-economy PVs, based on qtrees, Astra Control directly mounts the Snapshot directory of the qtree from the parent FlexVol Snapshot image. This feature is now also available for standalone use by Astra customers.

• Snapshot import. Astra Control now enables the import of existing Snapshot copies that were created at the ONTAP level, for example, Snapshot copies replicated by SnapMirror and not created by the CSI specification, as a new VolumeSnapshot in Kubernetes.

• Snapshot restore. In this release, Astra Control also enables an in-place reversion of a volume to a Snapshot copy. Because this capability is not provided by Kubernetes in the CSI specification, it’s available through a CRD called TridentActionSnapshotRestore (TASR).

ONTAP cluster admin credentials are no longer required for NetApp SnapMirror® disaster recovery. With this release, Astra Control no longer requires ONTAP cluster administrator credentials. Instead, it delegates the integration with SnapMirror to the storage provisioning system, which requires only storage VM (SVM) credentials.

These Astra Control and Astra Trident updates deliver exciting new app data management functionality and mitigate many of the customer pain points that are associated with Kubernetes data protection and storage management. Free trials are available for Astra Control. To get started, sign up for a free trial today.