
Generate Kasten Policy from Preset

Generates a Kasten policy for a new namespace that includes a valid "dataprotection" label, if the policy does not already exist. Use with "kasten-validate-ns-by-preset-label" policy to require "dataprotection" labeling on new namespaces.

Policy Definition

/kasten/kasten-generate-policy-by-preset-label/kasten-generate-policy-by-preset-label.yaml

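 # This example assumes that Kasten policy presets named "gold", "silver", and
 # "bronze" have been pre-created and that Kasten was deployed into the
 # `kasten-io` namespace.
 #
 # NOTE: Use of this policy requires granting the Kyverno background-controller
 # the additional privileges needed to generate Kasten resources. An example
 # ClusterRole that provides them follows.
 #
 # SECURITY: a ClusterRole applies in every namespace, so the grant below lets
 # the background-controller create, update and delete Kasten policies
 # cluster-wide, while the rule in this manifest only ever writes to
 # `kasten-io`. A Role and RoleBinding scoped to `kasten-io` would be the
 # narrower grant -- confirm that Kyverno's permission checks for generate
 # rules accept it before switching.
 #
 # apiVersion: rbac.authorization.k8s.io/v1
 # kind: ClusterRole
 # metadata:
 #   labels:
 #     app.kubernetes.io/component: background-controller
 #     app.kubernetes.io/instance: kyverno
 #     app.kubernetes.io/part-of: kyverno
 #   name: kyverno:create-kasten-policies
 # rules:
 # - apiGroups:
 #   - config.kio.kasten.io
 #   resources:
 #   - policies
 #   verbs:
 #   - create
 #   - update
 #   - delete
 #
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
   name: kasten-generate-policy-by-preset-label
   annotations:
     policies.kyverno.io/title: Generate Kasten Policy from Preset
     policies.kyverno.io/category: Veeam Kasten
     policies.kyverno.io/subject: Policy
     # Version strings are quoted so no parser can retype them.
     kyverno.io/kyverno-version: "1.12.1"
     policies.kyverno.io/minversion: "1.12.0"
     kyverno.io/kubernetes-version: "1.24-1.30"
     policies.kyverno.io/description: >-
       Generates a Kasten policy for a new namespace that includes a valid
       "dataprotection" label, if the policy does not already exist.
       Use with "kasten-validate-ns-by-preset-label" policy to require
       "dataprotection" labeling on new namespaces.
 spec:
   rules:
     - name: kasten-generate-policy-by-preset-label
       # Only namespaces whose "dataprotection" label is one of the three
       # preset names trigger this rule. Whoever may set that label on a
       # namespace therefore chooses its backup preset.
       match:
         any:
           - resources:
               kinds:
                 - Namespace
               selector:
                 matchExpressions:
                   - key: dataprotection
                     operator: In
                     values:
                       - gold
                       - silver
                       - bronze
       context:
         - name: existingPolicy
           apiCall:
             # Returns the list of Kasten policies from the kasten-io namespace.
             # Kyverno makes this call with its own service account, which
             # therefore needs read access to these objects; the example
             # ClusterRole in the header grants only create/update/delete, so
             # confirm that list access is granted elsewhere.
             urlPath: "/apis/config.kio.kasten.io/v1alpha1/namespaces/kasten-io/policies"
             # Counts existing policies that reference the preset named by the
             # dataprotection label and that select this namespace.
             # The label value and namespace name are substituted into the
             # query text inside single quotes. That is safe here because the
             # match block limits the label to gold/silver/bronze and
             # Kubernetes namespace names cannot contain a quote; keep an
             # equivalent restriction if this query is reused with other
             # fields.
             jmesPath: "items[][[@.spec.presetRef][?name=='{{ request.object.metadata.labels.dataprotection }}'] && [@.spec.selector.matchExpressions[].values[?@=='{{ request.namespace }}']]][][][][] | length(@)"
       preconditions:
         any:
           - key: "{{ existingPolicy }}"
             operator: Equals
             # Only generate the policy if it does not already exist.
             value: 0
       # `synchronize` is not set on this rule. With Kyverno's default (false)
       # the generated Policy is not reconciled afterwards: if it is later
       # paused, edited or deleted in kasten-io, this rule does not restore it.
       # Because the generated name embeds the label value, changing a
       # namespace's label to another preset appears to produce a second
       # Policy while leaving the earlier one in place -- TODO confirm and
       # clean up stale policies if that matters for your retention model.
       generate:
         apiVersion: config.kio.kasten.io/v1alpha1
         kind: Policy
         name: "{{ request.namespace }}-{{ request.object.metadata.labels.dataprotection }}-backup"
         namespace: kasten-io
         data:
           spec:
             comment: "Auto-generated by Kyverno"
             paused: false
             actions:
               - action: backup
             presetRef:
               name: "{{ request.object.metadata.labels.dataprotection }}"
               namespace: kasten-io
             selector:
               matchExpressions:
                 - key: k10.kasten.io/appNamespace
                   operator: In
                   values:
                     - "{{ request.namespace }}"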