Protecting Applications

This section demonstrates how one can define policies in K10 to protect applications, verify policy activity, and take manual snapshots when needed.

Policy-Based Protection

The easiest way to define policies for unprotected applications is to click on the Applications card on the main dashboard. This will take you to a page where you can see all applications in your Kubernetes cluster.

../_images/overview_apps.png

To protect any unmanaged application, simply click Create a policy and that will take you to the policy creation section:

../_images/policies_create.png

Give your policy a name, add Snapshot as an action, and then set the desired action frequency. Once you pick a frequency, you have the option of modifying the retention schedule by simply editing the displayed numbers.

Notice that the policy creation panel automatically selected the application and includes all objects in this namespace, as this policy creation was initiated through the Namespaces page. You can also click on Labels to apply a policy to more than one application, including creating policies that will apply to applications deployed in the future.

../_images/policies_selectors.png

Through the judicious use of labels within your application and, in turn, as selectors in policies (multiple labels are logically ORed together), you can create wildcard or forward-looking policies that will apply to any applications later added to the cluster. For example, using the heritage: Tiller selector will apply the policy you are creating to any new Helm-deployed applications, as that tool automatically adds that label to any workload it creates.

Once you are done with policy configuration, simply hit Create Policy.

Viewing Policy Activity

Once you are back on the main dashboard, if you pay careful attention you will see the applications quickly switch from unmanaged to non-compliant (i.e., a policy covers the objects but no action has been taken yet). Soon after, they will both switch to compliant as snapshots get invoked and the application enters a protected state. You can also scroll down on the page to see the activity, how long each snapshot took, and the generated artifacts. Your page will now look similar to this:

../_images/dashboard_compliant.png

More detailed job information can be obtained by clicking on the in-progress or completed jobs.

Editing Policies

It is also possible to edit created policies by clicking the edit button on the policies page.

../_images/policies_edit.png

Changes made to the policy (e.g., new labels added or resource filtering applied) will take effect during the next scheduled policy run.

Policy Exceptions

Even if a namespace is covered by a policy, it is possible to have the namespace be ignored by the policy. You can add the k10.kasten.io/ignorebackuppolicy annotation to the namespace(s) you want ignored. Namespaces that are tagged with the k10.kasten.io/ignorebackuppolicy annotation will be skipped during scheduled backup operations.
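Because label selectors are ORed and the ignore annotation silently removes a namespace from scheduled backups, it is worth auditing which namespaces are actually protected. The following is an added example, not K10's own code: it classifies namespaces from output shaped like `kubectl get namespaces -o json`. The sample namespaces, the policy names, the representation of a policy as a list of label pairs, matching against namespace labels, and treating the mere presence of the annotation as the ignore signal are all assumptions.

```python
import json

IGNORE_ANNOTATION = "k10.kasten.io/ignorebackuppolicy"  # annotation name from the page

# Constructed sample in the shape of `kubectl get namespaces -o json`.
SAMPLE_NAMESPACES = json.loads("""
{"items": [
  {"metadata": {"name": "shop", "labels": {"heritage": "Tiller"}}},
  {"metadata": {"name": "billing", "labels": {"team": "payments"},
                "annotations": {"k10.kasten.io/ignorebackuppolicy": "true"}}},
  {"metadata": {"name": "wiki", "labels": {"team": "docs"}}},
  {"metadata": {"name": "scratch"}}
]}
""")

# Hypothetical policies: name -> list of (key, value) label selectors.
SAMPLE_POLICIES = {
    "helm-apps": [("heritage", "Tiller")],
    "payments-or-docs": [("team", "payments"), ("team", "docs")],
}


def selector_matches(selectors, labels):
    """Multiple labels are ORed: one matching key/value pair is enough."""
    return any(labels.get(key) == value for key, value in selectors)


def audit_coverage(namespaces, policies):
    """Classify each namespace as protected, ignored, or unmanaged."""
    report = {"protected": {}, "ignored": {}, "unmanaged": []}
    for item in namespaces["items"]:
        meta = item["metadata"]
        labels = meta.get("labels") or {}
        annotations = meta.get("annotations") or {}
        matched = sorted(name for name, sel in policies.items()
                         if selector_matches(sel, labels))
        if not matched:
            report["unmanaged"].append(meta["name"])
        elif IGNORE_ANNOTATION in annotations:
            # Assumption: presence of the annotation, whatever its value,
            # means scheduled backups skip this namespace.
            report["ignored"][meta["name"]] = matched
        else:
            report["protected"][meta["name"]] = matched
    return report


if __name__ == "__main__":
    print(json.dumps(audit_coverage(SAMPLE_NAMESPACES, SAMPLE_POLICIES), indent=2))
```

The "ignored" bucket is the one to review regularly: those namespaces match a policy and may look covered, yet no scheduled restore points are being created for them.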

Manual Protection

While the previous restore point created right after policy creation will work, we can also manually create snapshots. To do so, go back to the dashboard and click on the Applications card. For the selected application, select the dropdown:

../_images/applications_protected_manual.png

and then select Manually Protect Application. This starts the creation of a manual restore point and you can check the progress on the dashboard.

Note that you can also perform manual protection actions on applications that have no policy associated with them.