{"id":1529,"date":"2023-07-24T14:42:37","date_gmt":"2023-07-24T14:42:37","guid":{"rendered":"http:\/\/patriciocerda.com\/?p=1529"},"modified":"2023-07-24T15:09:44","modified_gmt":"2023-07-24T15:09:44","slug":"automate-kasten-policy-creation-with-kyverno","status":"publish","type":"post","link":"https:\/\/patriciocerda.com\/?p=1529","title":{"rendered":"Automate Kasten policy creation with Kyverno"},"content":{"rendered":"<p>Hello and welcome back! In this new post I&#8217;ll be talking about <strong>Kyverno<\/strong> and how to use it to automate policy creation in Kasten so that new applications are protected.<\/p>\n<h2 id=\"Why_do_we_need_to_automate_the_policy_creation\">Why do we need to automate the policy creation?<\/h2>\n<p>In a cloud-native organization it is very common to have DevOps teams deploying new applications very frequently through CI\/CD pipelines or IaC, which usually leaves the IT team struggling to provision the required data protection policies in a timely manner. So, how can we be sure that every new application deployed in Kubernetes is properly protected with a backup policy? How can we automate the backup policy creation and enforce that policy in an efficient way?<\/p>\n<p>Kasten can integrate with Kyverno (a Cloud Native Computing Foundation Sandbox project) to provide \u201cguardrails\u201d for these types of scenarios. Kyverno implements a custom Kubernetes admission controller which, for instance, can prevent Deployments, Pods or
StatefulSets from being admitted to the cluster when a Kyverno policy is violated. In addition, Kyverno can automate the creation of new Kubernetes resources, including, of course, Kasten policies.<\/p>\n<h2 id=\"Installing_Kyverno\">Installing Kyverno<\/h2>\n<p>Installing Kyverno is extremely easy, as you can see in the official documentation: basically, you use Helm. If you want to install Kyverno in a high-availability configuration, all you need to do is run the following command:<\/p>\n<pre><code class=\"language-bash\">helm install kyverno kyverno\/kyverno -n kyverno --create-namespace \\\n--set admissionController.replicas=3 \\\n--set backgroundController.replicas=2 \\\n--set cleanupController.replicas=2 \\\n--set reportsController.replicas=2<\/code><\/pre>\n<p>Once Kyverno is installed, you can also install an optional chart containing the full set of Kyverno policies that implement the Kubernetes Pod Security Standards:<\/p>\n<pre><code class=\"language-bash\">helm install kyverno-policies kyverno\/kyverno-policies -n kyverno<\/code><\/pre>\n<h2 id=\"How_Kyverno_works\">How does Kyverno work?<\/h2>\n<p>Kyverno basically works using Cluster Policies. In a ClusterPolicy you define the following in YAML format:<\/p>\n<ul>\n<li>One or more rules, each of which defines a specific action, such as enforcing specific configurations or creating\/generating new resources in the Kubernetes cluster: <a
href=\"https:\/\/kyverno.io\/docs\/writing-policies\/policy-settings\/\" target=\"_blank\" rel=\"noopener\">https:\/\/kyverno.io\/docs\/writing-policies\/policy-settings\/<\/a><\/li>\n<li>For every rule you must select the resources the rule applies to, for instance a Deployment or a StatefulSet: <a href=\"https:\/\/kyverno.io\/docs\/writing-policies\/match-exclude\/\" target=\"_blank\" rel=\"noopener\">https:\/\/kyverno.io\/docs\/writing-policies\/match-exclude\/<\/a><\/li>\n<\/ul>\n<p>So, for instance, we can have a ClusterPolicy to enforce that any Kubernetes application running in a production environment includes the proper settings to be protected by a Kasten Policy:<\/p>\n<ul>\n<li>In the &#8220;rules&#8221; section, first you select the resources where this policy will be applied. In this case it will be applied to any resource of type &#8220;<strong>Deployment<\/strong>&#8221; that carries the label &#8220;purpose: production&#8221;.<\/li>\n<li>Then you define the rule type, in this case &#8220;<strong>validate<\/strong>&#8221;. In a validation rule, you define the mandatory properties with which a given resource must be created.\n<ul>\n<li>When a new resource is created, in this case a new Deployment, Kyverno checks the properties of that resource against the validate rule.<\/li>\n<li>If those properties match the pattern, the resource is allowed to be created.<\/li>\n<li>If they differ, the creation is blocked.<\/li>\n<li>In this example, the rule will &#8220;validate&#8221; that the Deployment includes the following labels: &#8220;dataprotection: k10-?*&#8221; and &#8220;immutable: enabled&#8221;.<\/li>\n<\/ul>\n<\/li>\n<li>So, if a new Deployment is created but doesn&#8217;t include the labels &#8220;dataprotection: k10-?*&#8221; and &#8220;immutable: enabled&#8221;, Kyverno will reject it and prevent it from being created in the Kubernetes cluster.<\/li>\n<\/ul>\n<pre><code class=\"language-yaml\">apiVersion: kyverno.io\/v1\nkind: ClusterPolicy\nmetadata:\n  name: enforce-deployment-label\nspec:\n  validationFailureAction: Enforce\n  rules:\n  - name: production-apps-enforcement\n    match:\n      resources:\n        kinds:\n        - Deployment\n        selector:\n          matchLabels:\n            purpose: production\n    validate:\n      message: \"Production Deployments must have Data Protection Policies with Immutability Enabled (use labels: dataprotection: k10-&lt;policy-preset-name&gt; and immutable: enabled)\"\n      pattern:\n        metadata:\n          labels:\n            dataprotection: k10-?*\n            immutable: enabled<\/code><\/pre>\n<p>So, what if I now try to deploy a new application (Deployment) without including the required labels &#8220;dataprotection: k10-?*&#8221; and &#8220;immutable:
enabled&#8221;? Well, we should see an error like this:<\/p>\n<p><a href=\"https:\/\/patriciocerda.com\/wp-content\/uploads\/2023\/07\/Captura-de-pantalla-2023-07-24-a-las-17.05.07.png\"><img src=\"https:\/\/patriciocerda.com\/wp-content\/uploads\/2023\/07\/Captura-de-pantalla-2023-07-24-a-las-17.05.07.png\" alt=\"\" \/><\/a><\/p>\n<p>So, in order to allow this application to run properly, we must add the required labels, as shown in the picture below:<\/p>\n<p><a href=\"https:\/\/patriciocerda.com\/wp-content\/uploads\/2023\/07\/Captura-de-pantalla-2023-07-17-a-las-17.42.00.png\"><img src=\"https:\/\/patriciocerda.com\/wp-content\/uploads\/2023\/07\/Captura-de-pantalla-2023-07-17-a-las-17.42.00.png\" alt=\"\" \/><\/a><\/p>\n<p>After this change, we will be able to create the Deployment and run the application in the Kubernetes cluster. At this point, however, the application is still not protected by Kasten, unless you already have a Kasten policy that uses the labels defined in the application as its selector. In the next section we will describe how to use Kyverno to automate the creation of Kasten policies when a new application is created.<\/p>\n<p><a href=\"https:\/\/patriciocerda.com\/wp-content\/uploads\/2023\/07\/Captura-de-pantalla-2023-07-24-a-las-16.15.05.png\"><img src=\"https:\/\/patriciocerda.com\/wp-content\/uploads\/2023\/07\/Captura-de-pantalla-2023-07-24-a-las-16.15.05.png\" alt=\"\" \/><\/a><\/p>\n<h2 id=\"Automate_the_Kasten_Policy_Creation_with_Kyverno\">Automate the Kasten Policy Creation with Kyverno<\/h2>\n<p>So far, we have seen how to use Kyverno to enforce that applications deployed in Kubernetes include certain specifications. But Kyverno can do much more: when talking about Kasten, Kyverno also allows you (among other options) to <strong>automatically create a backup policy<\/strong> as soon as a new application is deployed in the Kubernetes cluster.<\/p>\n<p>For the following example, I&#8217;ve created some <a href=\"https:\/\/docs.kasten.io\/latest\/usage\/protect.html#using-policy-presets\" target=\"_blank\" rel=\"noopener\">Policy Presets in Kasten<\/a>, which help to simplify the Policy creation process. These presets are like templates from which new Policies can be created. Some samples can be found in my GitHub repository: <a href=\"https:\/\/github.com\/prcerda\/K10-Ansible-Install-Configure\/tree\/main\/Ansible_K10TKG\/policypresets\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/prcerda\/K10-Ansible-Install-Configure\/tree\/main\/Ansible_K10TKG\/policypresets<\/a><\/p>\n<p><a href=\"https:\/\/patriciocerda.com\/wp-content\/uploads\/2023\/07\/Captura-de-pantalla-2023-07-17-a-las-13.34.32.png\"><img src=\"https:\/\/patriciocerda.com\/wp-content\/uploads\/2023\/07\/Captura-de-pantalla-2023-07-17-a-las-13.34.32.png\" alt=\"\" \/><\/a><\/p>\n<p>So, what will we be doing next? In the previous example we made sure the application included some labels in order to be allowed into the Kubernetes cluster using an &#8220;enforce&#8221; policy, but nothing more has been done so far, so the application is still not protected by Kasten:<\/p>\n<p><a href=\"https:\/\/patriciocerda.com\/wp-content\/uploads\/2023\/07\/Captura-de-pantalla-2023-07-17-a-las-18.01.06.png\"><img src=\"https:\/\/patriciocerda.com\/wp-content\/uploads\/2023\/07\/Captura-de-pantalla-2023-07-17-a-las-18.01.06.png\" alt=\"\" \/><\/a><\/p>\n<p>Now, we will create an additional Kyverno ClusterPolicy to automatically create a new Kasten Policy, based on one of the policy presets I&#8217;ve already created. The ClusterPolicy should look like this:<\/p>\n<ul>\n<li>In the &#8220;rules&#8221; section, first you select the resources where this policy will be applied. In this case it will be applied to any resource of type &#8220;<strong>Deployment<\/strong>&#8221; that also includes all the required labels (&#8220;purpose: production&#8221;, &#8220;dataprotection: k10-gold&#8221; and &#8220;immutable: enabled&#8221;).<\/li>\n<li>Then, we set &#8220;generate&#8221; as the rule type, which allows Kyverno to create a new resource.<\/li>\n<li>Finally, we define the Kasten policy settings, in this case using the Policy Preset called &#8220;golden-policy-preset&#8221; and selecting the application by its namespace, taken from the {{request.namespace}} variable, i.e. the namespace of the Deployment that triggered the rule. The generated Policy is created in the kasten-io namespace.<\/li>\n<\/ul>\n<pre><code class=\"language-yaml\">apiVersion: kyverno.io\/v1\nkind: ClusterPolicy\nmetadata:\n  name: k10-gold-prod\nspec:\n  background: true\n  rules:\n  - name: generate-policy\n    match:\n      any:\n      - resources:\n          kinds:\n            - Deployment\n          selector:\n            matchLabels:\n              purpose: production\n              dataprotection: k10-gold\n              immutable: enabled\n    generate:\n      apiVersion: config.kio.kasten.io\/v1alpha1\n      kind: Policy\n      name: k10-{{request.namespace}}-gold-policy\n      namespace: kasten-io\n      data:\n        metadata:\n          name: k10-{{request.namespace}}-gold-policy\n          namespace: kasten-io\n        spec:\n          comment: K10 \"gold\" immutable production backup policy\n          presetRef:\n            name: golden-policy-preset\n            namespace: kasten-io\n          actions:\n          - action: backup\n          selector:\n            matchExpressions:\n            - key: k10.kasten.io\/appNamespace\n              operator: In\n              values:\n              - \"{{request.namespace}}\"<\/code><\/pre>\n<p>So, if we now deploy the application, in our case the pacman app, using the proper labels, Kyverno will create the Kasten policy for us, following the settings specified in the ClusterPolicy described above.<\/p>\n<p><a href=\"https:\/\/patriciocerda.com\/wp-content\/uploads\/2023\/07\/Captura-de-pantalla-2023-07-24-a-las-16.23.26.png\"><img src=\"https:\/\/patriciocerda.com\/wp-content\/uploads\/2023\/07\/Captura-de-pantalla-2023-07-24-a-las-16.23.26.png\" alt=\"\" \/><\/a><\/p>\n<p>As you can see, using Kyverno can be a very good option to make sure every new application is protected by Kasten as soon as it is deployed in the Kubernetes cluster. If you want some additional examples of how to use Kyverno with Kasten, you can check the following link: <a href=\"https:\/\/kyverno.io\/policies\/?policytypes=Kasten%2520K10%2520by%2520Veeam\" target=\"_blank\" rel=\"noopener\">https:\/\/kyverno.io\/policies\/?policytypes=Kasten%2520K10%2520by%2520Veeam<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hello and welcome back!\u00a0 In this new post I&#8217;ll
be<\/p>\n","protected":false},"author":1,"featured_media":1542,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[25,27],"tags":[85,37,33,32,29,31,84],"aioseo_notices":[],"yoast_head_json":{"title":"Automate Kasten policy creation with Kyverno - vLatam","canonical":"https:\/\/patriciocerda.com\/?p=1529","og_locale":"en_US","og_type":"article","og_title":"Automate Kasten policy creation with Kyverno - vLatam","og_description":"Hello and welcome back!\u00a0 In this new post I&#8217;ll be","og_url":"https:\/\/patriciocerda.com\/?p=1529","og_site_name":"vLatam","article_published_time":"2023-07-24T14:42:37+00:00","article_modified_time":"2023-07-24T15:09:44+00:00","og_image":[{"width":1920,"height":1080,"url":"https:\/\/patriciocerda.com\/wp-content\/uploads\/2023\/07\/IntroBlog1529.png","type":"image\/png"}],"author":"pcerda","twitter_misc":{"Written by":"pcerda","Est. reading time":"6 minutes"}},"jetpack_featured_media_url":"https:\/\/patriciocerda.com\/wp-content\/uploads\/2023\/07\/IntroBlog1529.png"}
le":true,"href":"https:\/\/patriciocerda.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1529"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/patriciocerda.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1529"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}