Application-Scoped Policies

Users who are not administrators can create Veeam Kasten policies in an application's namespace for protecting only that specific application. The image below shows the dashboard as viewed by a non-admin user who has access to policies.

For information about setting up RBAC for users of application-scoped policies, refer to this page.

Creating the Policy

A user who does not have administrator privileges will see a different policy creation form compared to an admin user. The main difference is in the ability to select the applications that can be protected by such a policy. The image below shows that the user is allowed to only select a single application.

A Veeam Kasten Policy resource is created in the application's namespace.

kind: Policy
apiVersion: config.kio.kasten.io/v1alpha1
metadata:
  name: k10-basic-user-ns-1-pol1
  namespace: k10-basic-user-ns-1
spec:
  frequency: "@hourly"
  subFrequency:
    minutes:
      - 0
      - 30
      - 55
    hours:
      - 0
    weekdays:
      - 0
    days:
      - 1
    months:
      - 1
  retention:
    hourly: 24
    daily: 7
    weekly: 4
    monthly: 12
    yearly: 7
  selector:
    matchExpressions:
    - key: k10.kasten.io/appNamespace
        operator: In
        values:
        - k10-basic-user-ns-1
  actions:
    - action: backup
    - action: export
    exportParameters:
      frequency: "@hourly"
      receiveString: exampleReceiveString
      profile:
        name: profile1
        namespace: kasten-io
      migrationToken:
        name: k10-basic-user-ns-1-pol1-migration-token-n74p8
        namespace: kasten-io
      exportData:
        enabled: true
    retention: {}

Profiles

The users of application-scoped policies require read-only access to location profiles. They depend on the administrator for creation of profiles. The image below shows the profiles page as seen by such a user. The user can list/view the profiles that they have been given access to. But they cannot create, edit or delete them. Refer to this page for setting up RBAC to provide access to profiles in Veeam Kasten's namespace for non-admin users.

Backups

When the policy runs, the BackupActions and Restore Points will be created in the application's namespace. The image below shows a BackupAction. The originating policy indicates that the policy named k10-basic-user-ns-1-pol1 in the namespace named k10-basic-user-ns-1 created this BackupAction.

Exports

If the policy is configured to export Restore Points to object storage, the ExportAction will be created in the application's namespace. The image below shows an ExportAction. The originating policy indicates that the policy named tl-pol in the namespace named timelogger created this ExportAction.

It is possible to monitor the number of processed volumes and the data processed while the export is running via the Action Details view.

• Processed - How much data was checked for changes since the last backup. Data known to be unchanged since the last backup will not be read from disk but will still count as being processed.
• Read - How much data was read from the PVCs of the application.
• Transferred - How much data has been exported after deduplication and compression have been applied.

Restores

The non-admin user can restore the application using one of the Restore Points created by the application-scoped policy. This image below shows an exported Restore Point whose originating policy is an application-scoped policy.

In the Optional Restore Settings section of the restore form, the user can select Kanister blueprint actions that will run after a successful restore. The users of application-scoped policies require read-only access to such blueprints. They depend on the administrator for creation of blueprints. Refer to this page for setting up RBAC to provide access to blueprints in Veeam Kasten's namespace for non-admin users.

Imports

warning

To ensure Imports function correctly for non-admin users, the Kubernetes ValidatingAdmissionPolicy must be enabled in the cluster. For more information, visit the Kasten Policy Permissions VAP documentation.

A non-admin user can create a policy using the 'Import and Restore' policy form, which automatically restores after import and does not allow restoring cluster-scoped resources. The policy must include both an Import action to bring in RestorePointContents (RPCs) of an application and a Restore action to immediately restore from them, as RPCs are cluster-wide resources that non-admin users cannot restore directly.

The image below shows how the 'Create Policy' form will appear for a non-admin user, with the 'Import and Restore' option expanded.

The user does not have the ability to specify in-line transforms, but can reference existing transform sets to which they have access, as shown in the image below.

On creating the policy, its validation occurs in the application namespace and can be viewed in the Policies page. In the image below, the Import and Restore policy named test-import succeeded validation.

When the policy runs, the Import and Restore Actions will be created in the application's namespace and they can be viewed both in the Actions dashboard as well as in the Action Details page on expanding on the action. In the following image, the status of the completed Import and Restore policy can be seen in the non-admin user's view of the Kasten dashboard.

The image below shows how the 'Create Policy' form will appear for a non-admin user if the VAP Helm Value has been disabled. The 'Import' option will not be expanded to display a form and a tooltip showing 'Insufficient permissions to perform imports' will be displayed on hovering over the option.