
etcd Backup and Restore

Backup etcd

bash
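# Find etcd cert paths (grep reads the manifest directly; no cat needed)
grep -E "cert|key|ca" /etc/kubernetes/manifests/etcd.yaml

# The snapshot is a full copy of the cluster state, including every Secret
# (stored in plaintext unless encryption at rest is configured). Treat it like
# a credential store: keep the backup directory readable by root only, and
# encrypt the file before copying it off the node.
mkdir -p /backup
chmod 700 /backup

# Backup
ETCDCTL_API=3 etcdctl snapshot save /backup/etcd-snapshot.db \
  --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/server.crt \
  --key=/etc/kubernetes/pki/etcd/server.key

# Verify backup
# NOTE: on etcd 3.5 and later this subcommand is deprecated in etcdctl;
# `etcdutl snapshot status` is the replacement.
ETCDCTL_API=3 etcdctl snapshot status /backup/etcd-snapshot.db --write-out=table

# Record a checksum so corruption can be detected before a restore. Keep a copy
# of the checksum somewhere other than next to the snapshot.
sha256sum /backup/etcd-snapshot.db > /backup/etcd-snapshot.db.sha256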

Restore etcd

bash
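# Stop kubelet
systemctl stop kubelet

# Stopping kubelet does not by itself stop containers that are already running.
# Confirm the etcd and kube-apiserver containers have exited before touching the
# data directory (for example, `crictl ps --name etcd` should list nothing);
# moving the directory under a live etcd risks an inconsistent restore.

# Move current etcd data. The old directory is kept for rollback; it holds the
# same secrets as the live database, so remove it once the restore is verified.
# If /var/lib/etcd.bak already exists, mv would nest the directory inside it;
# rename or remove the earlier copy first.
mv /var/lib/etcd /var/lib/etcd.bak

# Restore from snapshot. Replace <node-name> and <node-ip> with real values.
# Only restore a snapshot whose origin you trust: it replaces the entire cluster
# state, including RBAC objects and Secrets.
# NOTE: on etcd 3.5 and later this subcommand is deprecated in etcdctl;
# `etcdutl snapshot restore` is the replacement.
ETCDCTL_API=3 etcdctl snapshot restore /backup/etcd-snapshot.db \
  --data-dir=/var/lib/etcd \
  --name=<node-name> \
  --initial-cluster=<node-name>=https://<node-ip>:2380 \
  --initial-cluster-token=etcd-cluster-1 \
  --initial-advertise-peer-urls=https://<node-ip>:2380

# Fix ownership: copy owner and group from the previous data directory rather
# than assuming an "etcd" account exists (etcd run as a static pod commonly
# runs as root, and chown to a missing user fails). Keep the directory private.
chown -R --reference=/var/lib/etcd.bak /var/lib/etcd
chmod 700 /var/lib/etcd

# Start kubelet
systemctl start kubelet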

etcd Key-Value Operations

bash
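# Connection settings, set once for this shell session. etcdctl reads the
# ETCDCTL_* variables in place of the matching command-line flags, so the TLS
# options do not have to be repeated on every command.
export ETCDCTL_API=3
export ETCDCTL_ENDPOINTS=https://127.0.0.1:2379
export ETCDCTL_CACERT=/etc/kubernetes/pki/etcd/ca.crt
export ETCDCTL_CERT=/etc/kubernetes/pki/etcd/server.crt
export ETCDCTL_KEY=/etc/kubernetes/pki/etcd/server.key

# Get all keys (--keys-only lists key names without printing stored values)
etcdctl get / --prefix --keys-only

# Get specific key
# Reads made directly against etcd are not subject to Kubernetes API
# authorization or audit logging. Values under /registry/secrets are readable
# in plaintext unless encryption at rest is configured, so avoid dumping them
# to a terminal or a log.
etcdctl get /registry/pods/default/nginx

# Check etcd health
etcdctl endpoint health
etcdctl endpoint status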

Released under the MIT License.