Check Kasten Policy RPO based on Namespace Label

Kasten Policy resources can be required to adhere to common Recovery Point Objective (RPO) best practices. This example policy validates that the Policy is set to run hourly if it explicitly protects any namespaces containing the `appPriority=critical` label. This policy can be adapted to enforce any Kasten Policy requirements based on a namespace label.

Policy Definition

/kasten/kasten-hourly-rpo/kasten-hourly-rpo.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: kasten-hourly-rpo
  annotations:
    policies.kyverno.io/title: Check Kasten Policy RPO based on Namespace Label
    policies.kyverno.io/category: Veeam Kasten
    kyverno.io/kyverno-version: 1.12.1
    policies.kyverno.io/minversion: 1.12.0
    kyverno.io/kubernetes-version: "1.24-1.30"
    policies.kyverno.io/subject: Policy
    policies.kyverno.io/description: >-
      Kasten Policy resources can be required to adhere to common Recovery Point Objective (RPO) best practices.
      This example policy validates that the Policy is set to run hourly if it explicitly protects any namespaces containing the `appPriority=critical` label. This policy can be adapted to enforce any Kasten Policy requirements based on a namespace label.
spec:
  validationFailureAction: Enforce
  rules:
  - name: kasten-hourly-rpo
    match:
      any:
      - resources:
          kinds:
          - config.kio.kasten.io/v1alpha1/Policy
    context:
    - name: namespacesWithPriorityLabel # Get list of namespaces with appPriority=critical label
      apiCall:
        urlPath: "/api/v1/namespaces?labelSelector=appPriority%3Dcritical"
        jmesPath: "items[].metadata.name"
    preconditions:
      any:
      - key: "{{ length(namespacesWithPriorityLabel) }}"
        operator: GreaterThan
        value: 0 # Only proceed if namespaces with appPriority=critical label exist
    validate:
      message: "Mission Critical RPO frequency should use no shorter than @hourly frequency"
      foreach:
        - list: "request.object.spec.selector.matchExpressions[0].values"
          deny:
            conditions:
              all: # Deny admission if the policy is not hourly AND any namespaces listed in the Policy contain the appPriority=critical label
              - key: "{{ element }}"
                operator: AnyIn
                value: "{{ namespacesWithPriorityLabel }}"
              - key: "{{ request.object.spec.frequency }}"
                operator: NotEquals
                value: '@hourly'
```
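To make the rule's admission decision concrete, the following is an added Python model of its logic (not Kyverno code and not part of the original policy) replayed over constructed Kasten Policy objects; the `k10.kasten.io/appNamespace` selector key and the namespace names are assumptions. It also shows what the `matchExpressions[0]` list in the `foreach` means in practice: a critical namespace listed in a second match expression is never inspected.

```python
from typing import Any

# Constructed: names the apiCall context `namespacesWithPriorityLabel` would return
CRITICAL_NAMESPACES = ["payments", "ledger"]
MESSAGE = "Mission Critical RPO frequency should use no shorter than @hourly frequency"


def kasten_policy(frequency: str, *namespace_groups: list[str]) -> dict[str, Any]:
    """Constructed config.kio.kasten.io/v1alpha1 Policy with one matchExpression per group.
    The selector key is an assumption about the Kasten schema, not taken from the page."""
    expressions = [
        {"key": "k10.kasten.io/appNamespace", "operator": "In", "values": group}
        for group in namespace_groups
    ]
    return {
        "apiVersion": "config.kio.kasten.io/v1alpha1",
        "kind": "Policy",
        "spec": {"frequency": frequency, "selector": {"matchExpressions": expressions}},
    }


def evaluate_hourly_rpo(policy: dict[str, Any], critical_namespaces: list[str]) -> tuple[str, str]:
    """Replay the kasten-hourly-rpo rule on an admission object: ('allow'|'deny', reason)."""
    # preconditions: length(namespacesWithPriorityLabel) > 0, otherwise the rule is skipped
    if not critical_namespaces:
        return "allow", "rule skipped: no namespace carries appPriority=critical"
    spec = policy["spec"]
    # foreach list is matchExpressions[0].values: later expressions are never inspected
    protected = spec["selector"]["matchExpressions"][0]["values"]
    frequency = spec["frequency"]
    for element in protected:
        # deny when ALL hold: element AnyIn critical namespaces AND frequency NotEquals '@hourly'
        if element in critical_namespaces and frequency != "@hourly":
            return "deny", f"{MESSAGE} (namespace {element!r} runs {frequency!r})"
    return "allow", "no critical namespace is protected at a non-hourly frequency"


if __name__ == "__main__":
    cases = {
        "daily policy over critical ns": kasten_policy("@daily", ["payments", "dev"]),
        "hourly policy over critical ns": kasten_policy("@hourly", ["payments"]),
        "daily policy over non-critical ns": kasten_policy("@daily", ["dev"]),
        # blind spot: a critical ns that appears only in the second matchExpression is not checked
        "critical ns in 2nd expression": kasten_policy("@daily", ["dev"], ["ledger"]),
    }
    for name, obj in cases.items():
        print(f"{name}: {evaluate_hourly_rpo(obj, CRITICAL_NAMESPACES)}")
```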