How to Secure Cloud‑Native Applications with Kasten K10 on QingCloud KubeSphere

Background and Validation Goals

QingCloud provides a solid cloud‑native stack—KubeSphere, QKE, QCI, and QingStor—to ensure data security and workload protection. The article demonstrates a protection solution that combines this stack with Kasten K10 to achieve fast backup, restore, and long‑term data retention.

Key Sections

Background

Verification Goals

Kasten and QingCloud KubeSphere

Kasten K10 Deployment Planning

Technical Resource Requirements

K8S Cluster Resource Needs

Deploying the QingCloud Kubernetes Environment

Configuring QingStor Object Storage

Enabling QingStor CSI and Snapshot Integration

Evaluating Storage with Kubestr

Installing Kasten K10 on QKE

Creating Backup Policies and Performing Backup/Restore

Using QingStor Bucket Replication to Avoid Logical Errors

Deploying the QingCloud Kubernetes Environment

Create a QKE cluster, download the kubeconfig, and verify node resources:

# Get cluster info
kubectl config get-contexts
kubectl get nodes -o wide
# Describe node hardware
kubectl describe nodes | grep -E 'Hostname|cpu|memory|ephemeral-storage'

Configuring QingStor Object Storage

Set up an S3‑compatible storage profile in Kasten, using the virtual‑host style endpoint bucket.s3.<zone_id>.qingstor.com or the path style endpoint.

Enabling QingStor CSI Snapshot Class

Create a VolumeSnapshotClass that K10 will use:

apiVersion: snapshot.storage.k8s.io/v1beta1
kind: VolumeSnapshotClass
metadata:
  name: qingstor-snapshotter
  annotations:
    k10.kasten.io/is-snapshot-class: "true"
spec:
  driver: csi-qingcloud
  deletionPolicy: Delete

Apply it and annotate the default storage class:

kubectl apply -f qingstor-snapshotter.yaml
kubectl annotate storageclass csi-high-capacity k10.kasten.io/volume-snapshot-class=qingstor-snapshotter

Evaluating Storage with Kubestr

Install Kubestr and run snapshot and performance tests against the QingStor CSI driver:

# Install Kubestr
wget https://github.com/kastenhq/kubestr/releases/download/v0.4.17/kubestr-v0.4.17-linux-amd64.tar.gz
tar -zxvf kubestr-v0.4.17-linux-amd64.tar.gz
# Run CSI check
./kubestr csicheck -s csi-high-capacity -v qingstor-snapshotter
# Run FIO performance test
./kubestr fio -s csi-high-capacity

Installing Kasten K10

Fetch the Helm chart, create a namespace, and install with required parameters (air‑gapped registry, storage class, persistence sizes, basic auth, external gateway):

# Add Helm repo
helm repo add kasten https://charts.kasten.io/
helm repo update
# Download chart
helm fetch kasten/k10 --version=4.5.4
# Create namespace
kubectl create namespace kasten-io
# Install K10
helm install k10 k10-4.5.4.tgz \
  --namespace kasten-io \
  --set global.airgapped.repository=dockerhub.qingcloud.com/kasten \
  --set global.persistence.metering.size=20Gi \
  --set prometheus.server.persistentVolume.size=20Gi \
  --set global.persistence.catalog.size=20Gi \
  --set auth.basicAuth.enabled=true \
  --set auth.basicAuth.htpasswd='mars:$apr1$Cgu1sGVZ$w/8aLHZkVT73OqYZ06C0v.' \
  --set externalGateway.create=true \
  --set metering.mode=airgap \
  --set global.persistence.storageClass=csi-high-capacity

Verify the pods are running:

kubectl get pods -n kasten-io

Accessing the K10 Console

Find the external LoadBalancer IP of the gateway‑ext service and open http://<IP>/k10/#/ in a browser.

kubectl get svc -n kasten-io | grep gateway

Creating Backup Policies and Running Backup/Restore

In the K10 UI, create a policy that snapshots locally and backs up to QingStor, then run the policy. Verify the backup appears in the dashboard, in QingStor snapshots (prefix k10‑csi‑snap ), and in the storage bucket.

Bucket Replication for Disaster Recovery

Configure QingStor cross‑region bucket replication with delete‑disabled rules. During restore, select the alternate location profile pointing to the replicated bucket.

Summary

By combining QingCloud’s native services—KubeSphere, QKE, QingStor CSI, and object storage—with Kasten K10, enterprises can achieve reliable backup, restore, and disaster‑recovery for cloud‑native workloads while meeting the 3‑2‑1‑1‑0 data‑protection rule.