Generate Kasten Policy from Preset
Generates a Kasten policy for a new namespace that includes a valid "dataprotection" label, if the policy does not already exist. Use with "kasten-validate-ns-by-preset-label" policy to require "dataprotection" labeling on new namespaces.
Policy Definition
/kasten/kasten-generate-policy-by-preset-label/kasten-generate-policy-by-preset-label.yaml
# This example assumes that Kasten policy presets named
# "gold", "silver", and "bronze" have been pre-created
# and Kasten was deployed into the `kasten-io` namespace.
#
# Additionally, the Kyverno background controller requires
# additional permissions to create Kasten Policy resources.
# Apply the create-kasten-policies-clusterrole.yaml manifest
# first to grant the required permissions.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: kasten-generate-policy-by-preset-label
  annotations:
    policies.kyverno.io/title: Generate Kasten Policy from Preset
    policies.kyverno.io/category: Veeam Kasten
    policies.kyverno.io/subject: Policy
    kyverno.io/kyverno-version: 1.12.1
    policies.kyverno.io/minversion: 1.12.0
    kyverno.io/kubernetes-version: "1.24-1.30"
    policies.kyverno.io/description: >-
      Generates a Kasten policy for a new namespace that includes a valid "dataprotection" label, if the policy does not already exist.

      Use with "kasten-validate-ns-by-preset-label" policy to require "dataprotection" labeling on new namespaces.
spec:
  rules:
  - name: kasten-generate-policy-by-preset-label
    match:
      any:
      - resources:
          kinds:
          - Namespace
          selector:
            matchExpressions:
            - key: dataprotection
              operator: In
              values:
              - gold
              - silver
              - bronze
    context:
    - name: existingPolicy
      apiCall:
        urlPath: "/apis/config.kio.kasten.io/v1alpha1/namespaces/kasten-io/policies" # returns list of Kasten policies from kasten-io namespace
        jmesPath: "items[][[@.spec.presetRef][?name=='{{ request.object.metadata.labels.dataprotection }}'] && [@.spec.selector.matchExpressions[].values[?@=='{{ request.namespace }}']]][][][][] | length(@)" # queries if a policy based on the dataprotection label value, covering that app namespace already exists
    preconditions:
      any:
      - key: "{{ existingPolicy }}"
        operator: Equals
        value: 0 # Only generate the policy if it does not already exist
    generate:
      apiVersion: config.kio.kasten.io/v1alpha1
      kind: Policy
      name: "{{ request.namespace }}-{{ request.object.metadata.labels.dataprotection }}-backup"
      namespace: kasten-io
      data:
        spec:
          comment: "Auto-generated by Kyverno"
          paused: false
          actions:
          - action: backup
          presetRef:
            name: "{{ request.object.metadata.labels.dataprotection }}"
            namespace: kasten-io
          selector:
            matchExpressions:
            - key: k10.kasten.io/appNamespace
              operator: In
              values:
              - "{{ request.namespace }}"
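
The existence check and generated policy name from the rule above, rendered as an offline audit that lists labelled namespaces with no matching Kasten policy (an added example, not part of the policy repository). It assumes JSON lists of namespaces and Kasten policies in the shape `kubectl get ... -o json` returns; the function names and sample data are constructed here.

```python
# Added example: offline audit mirroring the check this ClusterPolicy performs.
# Field names follow the manifest above; all sample data is constructed.
PRESETS = {"gold", "silver", "bronze"}


def existing_policy_count(policies, preset, app_ns):
    """Count selector values equal to app_ns in policies that reference preset."""
    count = 0
    for item in policies.get("items", []):
        spec = item.get("spec") or {}
        if (spec.get("presetRef") or {}).get("name") != preset:
            continue  # policy is not based on this preset
        for expr in (spec.get("selector") or {}).get("matchExpressions") or []:
            count += sum(1 for v in expr.get("values") or [] if v == app_ns)
    return count


def missing_policies(namespaces, policies):
    """Names of the policies the generate rule would create but that are absent."""
    missing = []
    for ns in namespaces.get("items", []):
        meta = ns.get("metadata") or {}
        preset = (meta.get("labels") or {}).get("dataprotection")
        if preset not in PRESETS:
            continue  # no label or unknown value: the match block does not apply
        if existing_policy_count(policies, preset, meta["name"]) == 0:
            missing.append(f"{meta['name']}-{preset}-backup")
    return missing


# Constructed sample input.
SAMPLE_NAMESPACES = {"items": [
    {"metadata": {"name": "shop", "labels": {"dataprotection": "gold"}}},
    {"metadata": {"name": "blog", "labels": {"dataprotection": "silver"}}},
    {"metadata": {"name": "tmp", "labels": {"dataprotection": "platinum"}}},
    {"metadata": {"name": "scratch"}},
]}
SAMPLE_POLICIES = {"items": [
    {"metadata": {"name": "shop-gold-backup"}, "spec": {
        "presetRef": {"name": "gold", "namespace": "kasten-io"},
        "selector": {"matchExpressions": [{"key": "k10.kasten.io/appNamespace",
                                           "operator": "In", "values": ["shop"]}]}}},
    {"metadata": {"name": "blog-custom"}, "spec": {  # no presetRef: not counted
        "selector": {"matchExpressions": [{"key": "k10.kasten.io/appNamespace",
                                           "operator": "In", "values": ["blog"]}]}}},
]}

if __name__ == "__main__":
    print(missing_policies(SAMPLE_NAMESPACES, SAMPLE_POLICIES))
```

A namespace covered only by a policy that does not reference a preset (`blog` in the sample) is still reported, because the check counts only preset-based policies.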