Enforce and Automate Policies for Kubernetes Data Protection with Kyverno

Enforce and Automate Policies for Kubernetes Data Protection with Kyverno

*** This blog was originally posted on Kasten; for more information, click here***

Achieving data protection for developers is easy, right? Let’s “whip up” a daily cron job backup script and call it “production-ready.” 

However, battle-hardened IT experts will know that it’s much more challenging than that.

  • The CIO wants to reduce the RPO (acceptable data loss) to minutes.
  • The General Manager (GM) wants to limit financial impact due to downtime of a revenue-generating app by reducing RTO (acceptable recovery time) to 1 hour.
  • The CISO demands immutable backups (backups that cannot be deleted or modified), a necessary defense against ransomware.

Data protection policies exist to mitigate these risks, but organizations struggle to enforce them, relying on tightly coordinated runbooks, after-the-fact reporting, or specialized operations teams whose sole job is to ensure backup compliance.  

The reality is that the cloud-native organization is deploying applications to multiple clouds using CI/CD pipelines or infrastructure as code at a rapid pace – faster than IT can provision data protection policies. By the time the data protection team is done provisioning one policy, the developer team is already getting ready to deploy its next release.

Enter Data Protection Cloud-Native Posture Management. Cloud-native policies enforce good security hygiene that a developer would not necessarily be expected to know. Think of security policies that reject weak RBAC, identify container images with known CVEs, recommend network policies that aren’t too open, or deny authorization for requests that are not least privileged. 

The same strategy can apply for enforcing data protection objectives.  

In a world in which deployments are happening frequently, a small misconfiguration such as not having immutable backups can have disastrous real-world results, such as backups being susceptible to data destruction, exposing a vulnerability to ransomware. This, in turn, could put pressure on, forcing organizations to consider paying multi-million dollar ransoms.

Here at Kasten by Veeam, we’ve authored Kubernetes-native policies that can be integrated into Infrastructure as Code to provide “guardrails” for these types of problems. These policies are enforced by essentially preventing misconfigured apps from going to production.

The approach works by leveraging Kubernetes Admission Controllers that prevent pods, deployments, or StatefulSets from being scheduled onto a Kubernetes node, should a policy be violated.  

Our implementation was developed using Kyverno (a Cloud Native Computing Foundation Sandbox project), which implements a custom Kubernetes admission controller.

How It Works

Like Kasten K10, Kyverno is Kubernetes-native. It’s a cloud-native policy engine donated to the CNCF by Nirmata, and was designed with Kubernetes professionals in mind. Kyverno is simple to author policies with and only requires an understanding of Kubernetes APIs (by means of declarative YAMLs).

If you’re familiar with Kubernetes YAML, see below. For everyone else, here’s a synopsis:

  • Enforce this policy on deployments and StatefulSets that are being deployed.
  • Look in the metadata header for a label called “purpose” with value “production.”
  • If that matches, look for a “dataprotection” label that starts with the value “k10” (regexp wildcards are supported).
  • Also, look for the existence of an immutable backup target.

If a developer attempts to deploy a StatefulSet or deployment without these labels, they will get immediate feedback with a customizable message:

Kyverno also has an ability to “generate” custom resources, which can automate scheduling of this application into a Kasten K10 App-Scoped Policy –  a policy visible only by a sysadmin or admin of the app’s namespace.

In this example, the Generate policy is assigning the highest level of data protection (the “Gold” backup policy) for any apps matching the label “k10-goldpolicy.” It also looks for the assignment of an immutable Location Profile (a Kasten K10 backup target).


Combining enforcement and automation is very powerful. You can ensure compliance according to your organization’s data protection policies and schedule the operational jobs, completing both Day 1 and Day 2 operations, just like that. Best of all, you can combine other standard benchmarks or community policies to harden your security posture across the network –  and your data management processes, as well.

This approach can be scaled in DevOps platforms such as Nirmata’s DevSecOps platform. Furthermore, CISOs can achieve visibility on the violations of this policy using Nirmata’s Policy Manager to have governance over all developer activity. You can learn even more about Kyverno by visiting this page. Please contact Nirmata if you have specific questions you wish addressed.


Getting started with Kubernetes Policy Management with Kyverno on Red Hat OpenShift Container Platform
Runtime Security for Kubernetes
No Comments

Sorry, the comment form is closed at this time.