etcd Backup — CKA Reference

Why it's needed

etcd is the brain of the cluster — all state lives there. If the cluster dies, restoring etcd brings everything back. The CKA tests that you can back it up and know where the pieces are.


Step 1 — Get the cert paths

From the manifest (fastest)

cat /etc/kubernetes/manifests/etcd.yaml

Look for these flags in the command section:

--trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
--cert-file=/etc/kubernetes/pki/etcd/server.crt
--key-file=/etc/kubernetes/pki/etcd/server.key
--listen-client-urls=https://127.0.0.1:2379

From the running pod

k get pod etcd-controlplane -n kube-system -o yaml | grep -A 40 command

Same flags, same paths — just a different way to read them.


Step 2 — Run the backup

Standard command

ETCDCTL_API=3 etcdctl snapshot save /opt/cluster_backup.db \
  --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/server.crt \
  --key=/etc/kubernetes/pki/etcd/server.key

With console output saved to file

ETCDCTL_API=3 etcdctl snapshot save /opt/cluster_backup.db \
  --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/server.crt \
  --key=/etc/kubernetes/pki/etcd/server.key \
  &> backup.txt

&> captures both stdout and stderr — use this when the task asks you to store the output.

Verify the backup

ETCDCTL_API=3 etcdctl snapshot status /opt/cluster_backup.db --write-out=table

Why ETCDCTL_API=3 is always required

etcdctl defaults to API v2. Kubernetes uses v3. Without this env var the command either fails or hits the wrong API. Always prefix it.


Bash script version (reads paths from manifest automatically)

#!/bin/bash
set -euo pipefail   # stop on the first failure instead of reporting a bad backup

ETCD_MANIFEST="/etc/kubernetes/manifests/etcd.yaml"
BACKUP_FILE="/opt/cluster_backup.db"
OUTPUT_FILE="backup.txt"

# Match "- --<flag>=" exactly: a bare 'cert-file' also matches --peer-cert-file
CACERT=$(grep -m1 -- '- --trusted-ca-file=' "$ETCD_MANIFEST" | cut -d= -f2-)
CERT=$(grep -m1 -- '- --cert-file=' "$ETCD_MANIFEST" | cut -d= -f2-)
KEY=$(grep -m1 -- '- --key-file=' "$ETCD_MANIFEST" | cut -d= -f2-)

# Save the snapshot; stdout and stderr both go to $OUTPUT_FILE
ETCDCTL_API=3 etcdctl snapshot save "$BACKUP_FILE" \
  --endpoints=https://127.0.0.1:2379 \
  --cacert="$CACERT" \
  --cert="$CERT" \
  --key="$KEY" \
  &> "$OUTPUT_FILE"

echo "Backup done. Output stored in $OUTPUT_FILE"
# Verify the snapshot
ETCDCTL_API=3 etcdctl snapshot status "$BACKUP_FILE" --write-out=table

In production this would live in a cron job for automated scheduled backups.
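
A cron-ready variant of the script, as an added example that is not part of the original page: it writes timestamped snapshots under a restrictive umask (the file holds every Secret in the cluster), verifies each one, and prunes old copies. BACKUP_DIR, KEEP, the --run switch and the script path in the cron line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. BACKUP_DIR, KEEP and the --run
# switch are assumptions; the endpoint and manifest path are the page's defaults.
ETCD_MANIFEST="${ETCD_MANIFEST:-/etc/kubernetes/manifests/etcd.yaml}"
BACKUP_DIR="${BACKUP_DIR:-/opt/etcd-backups}"
KEEP="${KEEP:-7}"

# Print one client-facing etcd flag value from the static pod manifest.
# Anchoring on "- --<flag>=" stops --peer-cert-file and friends from matching.
etcd_flag() {
  grep -m1 -- "- --$1=" "$ETCD_MANIFEST" | cut -d= -f2-
}

# Take a timestamped snapshot, verify it, and print its path on stdout.
take_snapshot() {
  cacert=$(etcd_flag trusted-ca-file)
  cert=$(etcd_flag cert-file)
  key=$(etcd_flag key-file)
  if [ -z "$cacert" ] || [ -z "$cert" ] || [ -z "$key" ]; then
    echo "missing cert flag in $ETCD_MANIFEST" >&2
    return 1
  fi
  umask 077   # the snapshot contains every Secret stored in the cluster
  mkdir -p "$BACKUP_DIR" || return 1
  snap="$BACKUP_DIR/etcd-$(date +%Y%m%d-%H%M%S).db"
  ETCDCTL_API=3 etcdctl snapshot save "$snap" \
    --endpoints=https://127.0.0.1:2379 \
    --cacert="$cacert" --cert="$cert" --key="$key" >&2 || return 1
  ETCDCTL_API=3 etcdctl snapshot status "$snap" --write-out=table >&2 || return 1
  echo "$snap"
}

# Keep the newest $KEEP snapshots. Names embed the timestamp, so reverse
# lexical order is newest first.
prune_snapshots() {
  printf '%s\n' "$BACKUP_DIR"/etcd-*.db | sort -r | tail -n +"$((KEEP + 1))" |
    while IFS= read -r old; do
      if [ -f "$old" ]; then rm -f -- "$old"; fi
    done
}

# Entry point for cron, e.g. "0 2 * * * /usr/local/sbin/etcd-backup.sh --run"
# (hypothetical install path).
if [ "${1:-}" = "--run" ]; then
  take_snapshot >/dev/null && prune_snapshots
fi
```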


CKA exam pattern

  1. cat /etc/kubernetes/manifests/etcd.yaml — grab the 3 cert paths and endpoint
  2. Run etcdctl snapshot save with those paths
  3. If task asks for output → use &> backup.txt
  4. Verify with snapshot status if time allows

Default cert paths are almost always:

/etc/kubernetes/pki/etcd/ca.crt
/etc/kubernetes/pki/etcd/server.crt
/etc/kubernetes/pki/etcd/server.key

Endpoint is almost always https://127.0.0.1:2379

Don't memorise the full command — read the manifest, plug in the paths.