Generate Kasten Backup Policy Based on Resource Label
Generates a Kasten policy for a namespace that includes any Deployment or StatefulSet with a "dataprotection=kasten-example" label, if the policy does not already exist. This Kyverno policy can be used in combination with the "kasten-data-protection-by-label" policy to require "dataprotection" labeling on workloads.
Policy Definition
/kasten/kasten-generate-example-backup-policy/kasten-generate-example-backup-policy.yaml
# This is an example rule intended to be cloned & modified to meet organizational requirements.
# The `dataprotection` label value can be changed to correspond with specific policy templates.
#
# NOTE: Use of this policy will require granting the Kyverno background-controller additional privileges required to generate Kasten resources. An example ClusterRole to provide required privileges is provided within the comments of the policy manifest.
#
# apiVersion: rbac.authorization.k8s.io/v1
# kind: ClusterRole
# metadata:
#   labels:
#     app.kubernetes.io/component: background-controller
#     app.kubernetes.io/instance: kyverno
#     app.kubernetes.io/part-of: kyverno
#   name: kyverno:create-kasten-policies
# rules:
# - apiGroups:
#   - config.kio.kasten.io
#   resources:
#   - policies
#   verbs:
#   - create
#   - update
#   - delete
#
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: kasten-generate-example-backup-policy
  annotations:
    policies.kyverno.io/title: Generate Kasten Backup Policy Based on Resource Label
    policies.kyverno.io/category: Veeam Kasten
    kyverno.io/kyverno-version: 1.12.1
    policies.kyverno.io/minversion: 1.12.0
    kyverno.io/kubernetes-version: "1.24-1.30"
    policies.kyverno.io/subject: Policy
    policies.kyverno.io/description: >-
      Generates a Kasten policy for a namespace that includes any Deployment or StatefulSet with a "dataprotection=kasten-example" label, if the policy does not already exist. This Kyverno policy can be used in combination with the "kasten-data-protection-by-label" policy to require "dataprotection" labeling on workloads.
spec:
  rules:
  - name: kasten-generate-example-backup-policy
    match:
      any:
      - resources:
          kinds:
          - Deployment
          - StatefulSet
          selector:
            matchLabels:
              dataprotection: kasten-example
    context:
    - name: dataprotectionLabelValue
      variable:
        value: "kasten-example"
    - name: kyvernoPolicyName
      variable:
        value: "kasten-generate-example-backup-policy"
    - name: existingPolicy
      apiCall:
        urlPath: "/apis/config.kio.kasten.io/v1alpha1/namespaces/kasten-io/policies" # returns list of Kasten policies from kasten-io namespace
        jmesPath: "items[][[@.metadata.labels.\"generate.kyverno.io/policy-name\"=='{{ kyvernoPolicyName }}'] && [@.spec.selector.matchExpressions[].values[?@=='{{ request.namespace }}']]][][][][] | length(@)" # queries if a Kasten policy protecting the namespace generated by this Kyverno policy already exists
    preconditions:
      any:
      - key: "{{ existingPolicy }}"
        operator: Equals
        value: 0 # Only generate the policy if it does not already exist
    generate:
      apiVersion: config.kio.kasten.io/v1alpha1
      kind: Policy
      name: "{{ request.namespace }}-{{ dataprotectionLabelValue }}-policy"
      namespace: kasten-io
      data:
        metadata:
          name: "{{ request.namespace }}-{{ dataprotectionLabelValue }}-policy"
          namespace: kasten-io
        spec:
          comment: "Auto-generated by Kyverno"
          frequency: '@daily'
          retention:
            daily: 7
            weekly: 4
            monthly: 12
            yearly: 7
          actions:
          - action: backup
          - action: export
            exportParameters:
              frequency: '@daily'
              profile:
                name: test
                namespace: kasten-io
              exportData:
                enabled: true
          selector:
            matchExpressions:
            - key: k10.kasten.io/appNamespace
              operator: In
              values:
              - "{{ request.namespace }}"
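To audit which namespaces this rule would act on, the following added example (not part of the Kyverno policy library) models the rule's match, existence check and generated name as the manifest's comments describe them. It assumes workload and Kasten policy objects in the JSON shape the Kubernetes API returns; the function names are hypothetical and all sample objects are constructed.

```python
LABEL_KEY, LABEL_VALUE = "dataprotection", "kasten-example"
KYVERNO_POLICY = "kasten-generate-example-backup-policy"
MATCHED_KINDS = {"Deployment", "StatefulSet"}
GEN_LABEL = "generate.kyverno.io/policy-name"  # label queried by the rule's jmesPath

def covered(namespace, kasten_policies):
    """True if a Kasten policy generated by KYVERNO_POLICY already selects namespace."""
    for pol in kasten_policies:
        labels = pol.get("metadata", {}).get("labels") or {}
        if labels.get(GEN_LABEL) != KYVERNO_POLICY:
            continue  # hand-made or foreign policies do not count as "existing"
        exprs = pol.get("spec", {}).get("selector", {}).get("matchExpressions") or []
        if any(namespace in (e.get("values") or []) for e in exprs):
            return True
    return False

def policies_to_generate(workloads, kasten_policies):
    """Names of the Kasten policies the rule would create, one per uncovered namespace."""
    names = set()
    for w in workloads:
        meta = w.get("metadata", {})
        if w.get("kind") not in MATCHED_KINDS:
            continue
        if (meta.get("labels") or {}).get(LABEL_KEY) != LABEL_VALUE:
            continue
        ns = meta.get("namespace")
        if ns and not covered(ns, kasten_policies):
            names.add(f"{ns}-{LABEL_VALUE}-policy")
    return sorted(names)

def _workload(kind, namespace, label_value):  # constructed sample object
    return {"kind": kind, "metadata": {"namespace": namespace, "labels": {LABEL_KEY: label_value}}}

def _kasten_policy(name, namespace, labels):  # constructed sample object
    expr = {"key": "k10.kasten.io/appNamespace", "operator": "In", "values": [namespace]}
    return {"metadata": {"name": name, "namespace": "kasten-io", "labels": labels},
            "spec": {"selector": {"matchExpressions": [expr]}}}

WORKLOADS = [
    _workload("Deployment", "shop", "kasten-example"),
    _workload("StatefulSet", "shop", "kasten-example"),
    _workload("Deployment", "billing", "kasten-example"),
    _workload("Deployment", "dev", "none"),              # label value does not match
    _workload("DaemonSet", "infra", "kasten-example"),   # kind is not matched by the rule
]
KASTEN_POLICIES = [
    _kasten_policy("shop-kasten-example-policy", "shop", {GEN_LABEL: KYVERNO_POLICY}),
    _kasten_policy("billing-manual", "billing", {}),     # no Kyverno generate label
]

if __name__ == "__main__":
    print(policies_to_generate(WORKLOADS, KASTEN_POLICIES))
```
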