Policies

A Policy custom resource (CR) is used to perform operations on K10 Policies. K10 Policies allow you to manage application protection and migration at scale. You can learn more about using K10 Policies in the Protecting Applications section.

Example Policy Operations

Create Backup Policy

The following example illustrates how to create a backup policy which executes hourly and retains 24 hourly and 7 daily snapshots. The policy covers an application running in the namespace sampleApp.

$ cat > sample-backup-policy.yaml <<EOF
apiVersion: config.kio.kasten.io/v1alpha1
kind: Policy
metadata:
  name: sample-backup-policy
  namespace: kasten-io
spec:
  comment: My sample backup policy
  frequency: '@hourly'
  retention:
    hourly: 24
    daily: 7
  actions:
  - action: backup
  selector:
    matchLabels:
      k10.kasten.io/appNamespace: sampleApp
EOF

$ kubectl apply -f sample-backup-policy.yaml
policy.config.kio.kasten.io/sample-backup-policy created

# make sure it initializes and validates properly
$ kubectl get policies.config.kio.kasten.io --namespace kasten-io -w
NAME                          STATUS
sample-backup-policy          Running
sample-backup-policy          Success

For complete documentation of the Policy CR, refer to Policy API Type.
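The Policy API Type specification on this page restricts which retention keys a given frequency may carry, which `subFrequency.minutes` sets are valid, and which actions may follow which. The following pre-apply check for those rules is an added example, not part of K10. It assumes the policy is available as a Python dict (for instance parsed from JSON), and `lint_policy` and the sample policy are hypothetical names constructed for illustration.

```python
import json

# Retention keys, finest to coarsest; a policy frequency is '@' + one of these.
ORDER = ["hourly", "daily", "weekly", "monthly", "yearly"]
VALID_MINUTES = [[0, 30], [0, 20, 40], [0, 15, 30, 45],
                 [0, 10, 20, 30, 40, 50], list(range(0, 60, 5))]

def lint_policy(policy):
    """Return the documented rules a Policy dict breaks (empty list = clean)."""
    spec = policy.get("spec") or {}
    raw = spec.get("frequency")
    if raw not in ["@" + f for f in ORDER]:
        return [f"frequency {raw!r} is not an allowed value"]
    freq, errors = raw[1:], []
    # Retention may name only the policy frequency or a coarser one.
    for key in spec.get("retention") or {}:
        if key not in ORDER:
            errors.append(f"retention.{key} is not a known frequency")
        elif ORDER.index(key) < ORDER.index(freq):
            errors.append(f"retention.{key} is finer than frequency @{freq}")
    minutes = (spec.get("subFrequency") or {}).get("minutes")
    if minutes is not None:
        if freq != "hourly":
            errors.append("subFrequency.minutes is valid only for @hourly")
        elif minutes not in VALID_MINUTES:
            errors.append(f"subFrequency.minutes {minutes} is not an allowed set")
    # Action rules: backup or import required; export after backup,
    # restore after import.
    actions = [a.get("action") for a in spec.get("actions") or []]
    if "backup" not in actions and "import" not in actions:
        errors.append("at least one of backup or import is required")
    for later, earlier in (("export", "backup"), ("restore", "import")):
        if later in actions and earlier not in actions[:actions.index(later)]:
            errors.append(f"{later} must be listed after {earlier}")
    return errors

# Constructed sample: a daily policy asking for hourly retention, with the
# export action listed before the backup action.
SAMPLE = json.loads("""{
  "metadata": {"name": "constructed-example", "namespace": "kasten-io"},
  "spec": {"frequency": "@daily",
           "retention": {"hourly": 24, "daily": 7},
           "actions": [{"action": "export"}, {"action": "backup"}]}
}""")

if __name__ == "__main__":
    for problem in lint_policy(SAMPLE):
        print(problem)
```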

Create Import Policy

The following example illustrates how to create a policy which executes hourly and imports an application that was previously exported to the application-imports Profile.

$ cat > sample-import-policy.yaml <<EOF
apiVersion: config.kio.kasten.io/v1alpha1
kind: Policy
metadata:
  name: sample-import-policy
  namespace: kasten-io
spec:
  comment: My sample import policy
  frequency: '@hourly'
  actions:
  - action: import
    importParameters:
      profile:
        namespace: kasten-io
        name: application-imports
      receiveString: <encoded string received on Export>
EOF

$ kubectl apply -f sample-import-policy.yaml
policy.config.kio.kasten.io/sample-import-policy created

# make sure it initializes and validates properly
$ kubectl get policies.config.kio.kasten.io --namespace kasten-io -w
NAME                          STATUS
sample-import-policy          Running
sample-import-policy          Success

For complete documentation of the Policy CR, refer to Policy API Type.

Update Policy

To update a Policy, edit the spec portion of a Policy CR using your preferred method of submitting resource changes with kubectl.

$ kubectl apply -f sample-backup-policy-changed.yaml
policy.config.kio.kasten.io/sample-backup-policy configured

Once the change is submitted, K10 will re-validate the Policy and update .status.validation accordingly.

$ kubectl get policies.config.kio.kasten.io --namespace kasten-io -w
NAME                          STATUS
sample-backup-policy          Running
sample-backup-policy          Success

K10 processes API object changes asynchronously. To avoid confusion with a previous Policy status, the recommended convention is to omit the status portion of the Policy when submitting changes.

Delete Policy

You can delete a Policy using the following command.

# delete policy "sample-backup-policy" for K10 installed in "kasten-io"
$ kubectl delete policies.config.kio.kasten.io sample-backup-policy --namespace kasten-io
policy.config.kio.kasten.io "sample-backup-policy" deleted

# delete policy "sample-import-policy" for K10 installed in "kasten-io"
$ kubectl delete policies.config.kio.kasten.io sample-import-policy --namespace kasten-io
policy.config.kio.kasten.io "sample-import-policy" deleted

Policy API Type

The following is a complete specification of the Policy CR.

# Standard Kubernetes API Version declaration. Required.
apiVersion: config.kio.kasten.io/v1alpha1
# Standard Kubernetes Kind declaration. Required.
kind: Policy
# Standard Kubernetes metadata. Required.
metadata:
  # Policy name. May be any valid Kubernetes object name. Required.
  # Policy name is not mutable once created.
  name: sample-backup-policy
  # Policy names must be unique. As an alternative to name above,
  # one can take advantage of Kubernetes auto name generation.
  generateName: backup-policy-
  # Policy namespace. Required. Must be the namespace where K10 is installed.
  namespace: kasten-io
# Policy parameters. Required.
spec:
  # User friendly comment describing the policy. Optional.
  comment:
  # Selector for the application that the backup policy applies to.
  # Required for backup policy.
  selector:
    # Standard Kubernetes set-based selector. Optional.
    # One of matchExpressions or matchLabels required.
    matchExpressions:
      # Standard Kubernetes set-based selector key.
      # 'k10.kasten.io/appNamespace' is a special label indicating that
      # the selector is targeting an application namespace
      - key: k10.kasten.io/appNamespace
        # Standard Kubernetes set-based selector operator.
        # Only In is supported
        operator: In
        # Array of values (labels on app names) to use in the selector.
        # With this construct ANY value of the label key will match
        # Use this construct if creating a policy for multiple applications.
        values:
        - myApp
    # Standard Kubernetes label selector. Optional.
    # One of matchExpressions or matchLabels required.
    #
    # NOTE: Label selector that resolves to a given Kubernetes resource
    # will have the effect of selecting the entire application that the
    # resource belongs to
    matchLabels:
      # Map of label key and value pairs to match
      # 'k10.kasten.io/appNamespace' special label described above is supported
      # With this construct ALL labels must match for an object
      myLabelKey1: myLabelValue1
      myLabelKey2: myLabelValue2
  # Execution frequency. Required.
  # Allowable values: '@hourly', '@daily', '@weekly', '@monthly', '@yearly'
  frequency: '@hourly'
  # Execution frequency modifier. Optional.
  subFrequency:
    # subFrequency specifies when to run and how many times to run within frequency.
    minutes:
      # minutes within hour. Valid only for '@hourly' frequency.
      # Valid values are [0,30], [0,20,40], [0,15,30,45], [0,10,20,30,40,50],
      # and [0,5,10,15,20,25,30,35,40,45,50,55]
  retention:
    # Number of retained artifacts for different frequencies. Required.
    # The number of retained artifacts can only be specified for frequencies
    # of the same or lower granularity than the policy frequency. For example,
    # if the policy frequency is '@daily', then retention can have values for
    # 'daily', 'weekly', 'monthly' and 'yearly', but not for 'hourly'.
    # If the policy frequency is 'hourly', then all retention values are
    # allowed.
    hourly: 24
    daily: 7
    weekly: 4
    monthly: 12
    yearly: 5
  # Actions executed by the policy. Required: at least one of backup or import.
  actions:
  # Backup policy action.
  - action: backup
    # Optional backup parameters
    backupParameters:
      # Filters describe which Kubernetes resources should be included or excluded
      # in the backup. If no filters are specified, all the API resources in a
      # namespace are captured by the BackupActions created by this Policy.
      #
      # Resource types are identified by group, version, and resource type names,
      # or GVR, e.g. networking.k8s.io/v1/networkpolicies. Core Kubernetes types
      # do not have a group name and are identified by just a version and resource
      # type name, e.g. v1/configmaps.
      #
      # Individual resources are identified by their resource type and resource
      # name, or GVRN. In a filter, an empty or omitted group, version, resource
      # type or resource name matches any value.
      #
      # Filters reduce the resources in the backup by selectively including and
      # then excluding resources.
      # - If includeResources is not specified, all the API resources in a
      #   namespace are included in the set of resources to be backed up.
      # - If includeResources is specified, resources matching any GVRN entry in
      #   includeResources are included in the set of resources to be backed up.
      # - If excludeResources is specified, resources matching any GVRN entry in
      #   excludeResources are excluded from the set of resources to be backed up.
      #
      # For RestorePoint usefulness after BackupActions, K10 automatically
      # includes associated PVCs and PVs when a statefulset, deployment, or
      # deploymentconfig is included by includeResources unless the PVC is
      # excluded by excludeResources.
      filters:
        # Include only resources that match any of the following GVRNs
        includeResources:
          # Include individual resource
        - name: <resource1 resource name>
          group: <resource1 group>
          version: <resource1 version>
          resource: <resource1 type name>
          # Include resource type
        - group: <resource2 group>
          version: <resource2 version>
          resource: <resource2 type name>
        # Exclude resources that match any of the following GVRNs
        excludeResources:
          # Exclude specific instance of resource2 type
        - name: <resource2 resource name>
          group: <resource2 group>
          version: <resource2 version>
          resource: <resource2 type name>
      # Optional: Ignore exceptions and continue if possible.
      # Snapshots with exceptions will be flagged as potentially flawed.
      # Default: false
      ignoreExceptions: false
  # Export action. Export can only be specified after a backup action.
  - action: export
    exportParameters:
      # How often a backup should be exported. This frequency has to be less
      # than or equal to the policy frequency.
      frequency: '@hourly'
      # Name of the export profile used for the operation
      profile:
        name: my-profile
        namespace: kasten-io
      # Backup portability setting.
      exportData:
        # Default setting for all storage classes.
        enabled: false
        # Overrides for individual storage classes.
        overrides:
          # Name and override setting of a storage class.
          - storageClassName: gp2
            enabled: false
          - storageClassName: gp2-eu-west-1a
            enabled: true
    retention:
      # Optional exported artifact retention. If not provided, exported
      # artifacts are retained by the policy retention table.
      # Number of retained export artifacts for different frequencies.
      # The number of retained artifacts can only be specified for frequencies
      # of the same or lower granularity than the exportParameters frequency.
      hourly: 24
      daily: 7
      weekly: 4
      monthly: 12
      yearly: 5
  # Import action.
  - action: import
    # Parameters available to import actions. Required.
    importParameters:
      # Import Profile CR to be used with this policy. Required.
      profile:
        # Profile name. Required.
        name: sample-import-profile
        # Namespace where the Profile CR resides. Required.
        namespace: kasten-io
      # Encoded string generated on Export. Required.
      receiveString: VGhpcyBpcyBhIHNhbXBsZSBleHBvcnQgc3RyaW5nLgo=
  # Restore action. Restore can only be specified after an import action.
  - action: restore
    # Optional restore parameters
    restoreParameters:
      # Optional: set to true to only restore the application data.
      # Must be false if filters are specified.
      # Default: false
      dataOnly: false
      # Optional: Filters describe which Kubernetes resources should be restored
      # from the RestorePoint.  If no filters are specified, all the artifacts
      # in the RestorePoint are restored.
      #
      # Filters reduce the resources restored by selectively including and then
      # excluding resources.
      # - If includeResources is not specified, all resources in the RestorePoint
      #   are included in the set of resources to be restored.
      # - If includeResources is specified, resources matching any GVRN entry in
      #   includeResources are included in the set of resources to be restored.
      # - If excludeResources is specified, resources matching any GVRN entry in
      #   excludeResources are excluded from the set of resources to be restored.
      # - In a filter, an empty or omitted group, version, resource type or
      #   resource name matches any value.
      #
      # For precise control of RestoreActions, K10 only restores resources that
      # are explicitly included by includeResources. For RestoreActions, when a
      # statefulset, deployment, or deploymentconfig is included by includeResources,
      # K10 does not restore associated PVCs unless the PVC is included by
      # includeResources.
      filters:
        # Include only resources that match any of the following GVRNs
        includeResources:
          # Include individual resource
        - name: <resource1 resource name>
          group: <resource1 group>
          version: <resource1 version>
          resource: <resource1 type name>
          # Include resource type
        - group: <resource2 group>
          version: <resource2 version>
          resource: <resource2 type name>
        # Exclude resources that match any of the following GVRNs
        excludeResources:
          # Exclude specific instance of resource2 type
        - name: <resource2 resource name>
          group: <resource2 group>
          version: <resource2 version>
          resource: <resource2 type name>
      # Optional: Namespace where the application is to be restored.
      # Defaults to the namespace of the application in the imported
      # RestorePoint.
      targetNamespace: mysql
      # Only used with Kanister blueprints that support point-in-time restore
      # Value is the desired timestamp. Optional.
      pointInTime: "2019-02-11T05:13:10Z"
# Status of the Policy. Users should not set any data here.
status:
  # Validation status of the Policy
  # Valid values are:
  #   Pending - policy has been created
  #   Running - undergoing initialization and validation
  #   Success - successfully initialized and validated
  #   Failed - not properly initialized or validated
  # Only policies which have status of Success will be used by the system
  validation: Success
  # Present if an export action was specified and the policy was properly validated
  exportString: 'export string to use in import comes here'
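The filter comments in the specification above describe include-then-exclude selection, wildcard matching on omitted GVRN fields, and a difference between backup and restore in how PVCs of an included workload are handled. The following is a simplified model of that documented behaviour as an added example, not K10's own code. The resource list is constructed, `pvcs` is a hypothetical field standing in for the workload-to-PVC association, and PVs are left out of the model.

```python
WORKLOADS = {"statefulsets", "deployments", "deploymentconfigs"}
FIELDS = ("group", "version", "resource", "name")

def matches(entry, res):
    """An empty or omitted field in a filter entry matches any value."""
    return all(not entry.get(f) or entry[f] == res.get(f, "") for f in FIELDS)

def select(resources, filters, action="backup"):
    """Return 'type/name' for each resource the filters leave in the set."""
    include = filters.get("includeResources") or []
    exclude = filters.get("excludeResources") or []
    kept = [r for r in resources
            if not include or any(matches(e, r) for e in include)]
    if action == "backup" and include:
        # Backup adds the PVCs of an included workload; restore does not.
        wanted = {p for r in kept if r["resource"] in WORKLOADS
                  for p in r.get("pvcs", [])}
        kept += [r for r in resources if r not in kept
                 and r["resource"] == "persistentvolumeclaims"
                 and r["name"] in wanted]
    # Exclusion runs last, so it also removes an auto-added PVC.
    return [f"{r['resource']}/{r['name']}" for r in kept
            if not any(matches(e, r) for e in exclude)]

# Constructed namespace contents; "pvcs" is a hypothetical field standing in
# for the workload-to-PVC association that K10 resolves itself.
RESOURCES = [
    {"group": "apps", "version": "v1", "resource": "deployments",
     "name": "web", "pvcs": ["web-data"]},
    {"group": "", "version": "v1", "resource": "persistentvolumeclaims",
     "name": "web-data"},
    {"group": "", "version": "v1", "resource": "secrets", "name": "db-creds"},
    {"group": "", "version": "v1", "resource": "configmaps", "name": "web-config"},
]
ONLY_WEB = {"includeResources": [{"group": "apps", "resource": "deployments"}]}

if __name__ == "__main__":
    print(select(RESOURCES, {}))                   # no filters
    print(select(RESOURCES, ONLY_WEB, "backup"))
    print(select(RESOURCES, ONLY_WEB, "restore"))
```

With no filters the Secret `db-creds` is part of the captured set, which is worth checking against how the export profile's storage is protected.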