Application-Scoped Policies

Users who are not administrators can create K10 policies in an application's namespace for protecting only that specific application. The image below shows the dashboard as viewed by a non-admin user who has access to policies.

For information about setting up RBAC for users of application-scoped policies, refer to this page.

Creating the Policy

A user who does not have administrator privileges sees a different policy creation form than an admin user. The main difference is in the ability to select the applications that can be protected by such a policy. The image below shows that the user can select only a single application.

A K10 Policy resource is created in the application's namespace.

kind: Policy
apiVersion: config.kio.kasten.io/v1alpha1
metadata:
  name: k10-basic-user-ns-1-pol1
  namespace: k10-basic-user-ns-1
spec:
  frequency: "@hourly"
  subFrequency:
    minutes:
      - 0
      - 30
      - 55
    hours:
      - 0
    weekdays:
      - 0
    days:
      - 1
    months:
      - 1
  retention:
    hourly: 24
    daily: 7
    weekly: 4
    monthly: 12
    yearly: 7
  selector:
    matchExpressions:
    - key: k10.kasten.io/appNamespace
      operator: In
      values:
      - k10-basic-user-ns-1
  actions:
    - action: backup
    - action: export
      exportParameters:
        frequency: "@hourly"
        receiveString: exampleReceiveString
        profile:
          name: profile1
          namespace: kasten-io
        migrationToken:
          name: k10-basic-user-ns-1-pol1-migration-token-n74p8
          namespace: kasten-io
        exportData:
          enabled: true
      retention: {}
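
An added example, not part of K10 or its documentation: an audit check that a Policy living in an application namespace selects only that namespace and that its export profile sits in K10's namespace. The function name, the `other-app` namespace and the assumption that K10 is installed in `kasten-io` are illustrative; the input is the Policy as JSON.

```python
import json

APP_NS_KEY = "k10.kasten.io/appNamespace"  # selector key from the policy above

def scope_findings(policy, k10_namespace="kasten-io"):
    """List the reasons a Policy is not confined to its own application namespace."""
    own_ns = policy.get("metadata", {}).get("namespace")
    if not own_ns or own_ns == k10_namespace:
        return [f"namespace {own_ns!r} is not an application namespace"]
    findings = []
    spec = policy.get("spec", {})
    exprs = (spec.get("selector") or {}).get("matchExpressions") or []
    if len(exprs) != 1:
        findings.append(f"expected one selector term, found {len(exprs)}")
    for term in exprs:
        if term.get("key") != APP_NS_KEY or term.get("operator") != "In":
            findings.append(f"unexpected selector term {term.get('key')!r} {term.get('operator')!r}")
        elif term.get("values") != [own_ns]:
            findings.append(f"selector targets {term.get('values')}, expected only {own_ns!r}")
    for action in spec.get("actions") or []:
        profile = (action.get("exportParameters") or {}).get("profile")
        if profile and profile.get("namespace") != k10_namespace:
            findings.append(f"export profile {profile.get('name')!r} is outside {k10_namespace}")
    return findings

# Constructed sample: the policy from this page, reduced to the fields the check reads.
PAGE_POLICY = json.loads("""
{
  "kind": "Policy",
  "metadata": {"name": "k10-basic-user-ns-1-pol1", "namespace": "k10-basic-user-ns-1"},
  "spec": {
    "selector": {"matchExpressions": [
      {"key": "k10.kasten.io/appNamespace", "operator": "In", "values": ["k10-basic-user-ns-1"]}
    ]},
    "actions": [
      {"action": "backup"},
      {"action": "export",
       "exportParameters": {"profile": {"name": "profile1", "namespace": "kasten-io"}}}
    ]
  }
}
""")

# Constructed counter-example: same policy, but the selector also names another namespace.
DRIFTED = json.loads(json.dumps(PAGE_POLICY))
DRIFTED["spec"]["selector"]["matchExpressions"][0]["values"].append("other-app")

if __name__ == "__main__":
    for name, pol in (("page policy", PAGE_POLICY), ("drifted copy", DRIFTED)):
        print(name, "->", scope_findings(pol) or "scoped to its own namespace")
```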

Profiles

The users of application-scoped policies require read-only access to location profiles. They depend on the administrator for creation of profiles. The image below shows the profiles page as seen by such a user. The user can list and view the profiles that they have been given access to, but cannot create, edit or delete them. Refer to this page for setting up RBAC to provide access to profiles in K10's namespace for non-admin users.

Backups

When the policy runs, the BackupActions and Restore Points will be created in the application's namespace. The image below shows a BackupAction. The originating policy indicates that the policy named k10-basic-user-ns-1-pol1 in the namespace named k10-basic-user-ns-1 created this BackupAction.

Exports

If the policy is configured to export Restore Points to object storage, the ExportAction will be created in the application's namespace. The image below shows an ExportAction. The originating policy indicates that the policy named tl-pol in the namespace named timelogger created this ExportAction.

It is possible to monitor the number of processed volumes and the data processed while the export is running via the Action Details view.

  • Processed - How much data was checked for changes since the last backup. Data known to be unchanged since the last backup will not be read from disk but will still count as being processed.

  • Read - How much data was read from the PVCs of the application.

  • Transferred - How much data has been exported after deduplication and compression have been applied.

Restores

The non-admin user can restore the application using one of the Restore Points created by the application-scoped policy. The image below shows an exported Restore Point whose originating policy is an application-scoped policy.

In the Optional Restore Settings section of the restore form, the user can select Kanister blueprint actions that will run after a successful restore. The users of application-scoped policies require read-only access to such blueprints. They depend on the administrator for creation of blueprints. Refer to this page for setting up RBAC to provide access to blueprints in K10's namespace for non-admin users.