Check Immutable Location Profile
K10 Object Storage Location Profiles store K10 RestorePoints (App Backups) for import and export operations. AWS S3 or S3-compatible object storage that supports object lock can store immutable backups. Immutability is typically not enabled by default because of the increased cost of retaining storage. This policy checks that the Profile contains a 'protectionPeriod', which is the main configuration for immutability.
Policy Definition
/kasten/k10-immutable-location-profile/k10-immutable-location-profile.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: k10-immutable-location-profile
  annotations:
    policies.kyverno.io/title: Check Immutable Location Profile
    policies.kyverno.io/category: Kasten K10 by Veeam
    kyverno.io/kyverno-version: 1.6.2
    policies.kyverno.io/minversion: 1.6.2
    kyverno.io/kubernetes-version: "1.21-1.22"
    policies.kyverno.io/subject: Profile
    policies.kyverno.io/description: >-
      K10 Object Storage Location Profiles store K10 RestorePoints (App Backups) for import and export operations.
      AWS S3 or S3 compatible object storage that supports object lock can store immutable backups.
      Immutability is typically not enabled by default due to the increased costs of retaining storage.
      This policy checks that the Profile contains a 'protectionPeriod' which is the main configuration for immutability.
spec:
  validationFailureAction: audit
  rules:
    - name: k10-immutable-location-profile
      match:
        any:
          - resources:
              kinds:
                - config.kio.kasten.io/v1alpha1/Profile
      validate:
        message: "Location Profile is not immutable (err: did not configure 'protectionPeriod')"
        pattern:
          spec:
            type: Location
            locationSpec:
              location:
                locationType: ObjectStore
                objectStore:
                  protectionPeriod: "?*" # any non-empty value means immutability is enabled
```
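
To see which Profiles this pattern accepts, the added example below (not part of the Kyverno policy library or Kasten's code) models the pattern match in Python over four constructed Profiles. The matcher is a simplified stand-in for Kyverno's own, and the sample names and values are assumptions. Because `type` and `locationType` are plain pattern fields, a Profile of any other type also fails the rule and, with `validationFailureAction: audit`, is reported rather than blocked.

```python
"""Simplified model of Kyverno validate.pattern matching (added example, not Kyverno code)."""
from fnmatch import fnmatchcase

# The pattern from the policy on this page, as a Python dict.
PATTERN = {"spec": {
    "type": "Location",
    "locationSpec": {"location": {
        "locationType": "ObjectStore",
        "objectStore": {"protectionPeriod": "?*"},
    }},
}}

def matches(pattern, resource):
    """Every key in the pattern must exist in the resource and match it.

    Covers only what this policy uses: nested maps, literal scalars, and the
    '*' / '?' wildcards. Anchors, lists and operators are not modelled.
    """
    if isinstance(pattern, dict):
        return isinstance(resource, dict) and all(
            key in resource and matches(sub, resource[key])
            for key, sub in pattern.items())
    return resource is not None and fnmatchcase(str(resource), str(pattern))

def profile(name, spec):
    """Build a constructed Profile object (sample data, not from a real cluster)."""
    return {"apiVersion": "config.kio.kasten.io/v1alpha1", "kind": "Profile",
            "metadata": {"name": name}, "spec": spec}

def object_store_spec(object_store):
    """Wrap objectStore settings in the field layout the pattern expects."""
    return {"type": "Location", "locationSpec": {"location": {
        "locationType": "ObjectStore", "objectStore": object_store}}}

SAMPLES = [  # all values below are constructed for illustration
    profile("locked", object_store_spec({"name": "backups", "protectionPeriod": "168h0m0s"})),
    profile("unlocked", object_store_spec({"name": "backups"})),
    profile("blank", object_store_spec({"name": "backups", "protectionPeriod": ""})),
    profile("infra", {"type": "Infra"}),
]

def audit(profiles):
    """Return {profile name: 'pass' | 'fail'}, as an audit-mode report would list them."""
    return {p["metadata"]["name"]: "pass" if matches(PATTERN, p) else "fail"
            for p in profiles}

if __name__ == "__main__":
    for name, result in audit(SAMPLES).items():
        print(f"{name}: {result}")
```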