Setting up automatic policy assignment
You can set up automatic assignment of policies to SaaS applications, Google Kubernetes Engine (GKE) applications, instances, or buckets by using one of the following methods:
Entities | Instructions |
---|---|
SaaS applications ᵃ | Add labels or tags to SaaS applications, and then specify the corresponding keys and values in R‑Cloud policies. For details, see Creating custom policies. |
GKE applications | Add metadata labels to applications in Google Kubernetes Engine, and then specify the corresponding keys and values in R‑Cloud policies. For details, see Creating custom policies. |
Instances | Add tags to instances in Amazon EC2, or labels (preferred) or custom metadata to instances in Google Compute Engine, and then specify the corresponding keys and values in R‑Cloud policies. For details, see Creating custom policies. |
Buckets | Add labels to buckets in Google Cloud Storage, or tags to buckets in Amazon S3, and then specify the corresponding keys and values in R‑Cloud policies. For details, see Creating custom policies. |
a Setting up automatic policy assignment is not supported for all SaaS applications. For more information, see the
hycu-policy
tag)
Entities | Instructions |
---|---|
SaaS applicationsa |
Add the Key: Value: In this case, |
GKE applications | |
Instances | |
Buckets |
a Setting up automatic policy assignment is not supported for all SaaS applications. For more information, see the
The corresponding policies are automatically assigned to the SaaS applications, GKE applications, instances, or buckets during the next entity synchronization in R‑Cloud.
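A pre-check you could run before the next synchronization, added here as an example (not HYCU code): it reports which entities carry a key/value pair that a policy specifies and which carry none, so unprotected resources are caught before a backup is missed. The policy names, the `backup-tier` key, the inventory, and exact, case-sensitive matching are assumptions.

```python
import re

# Google Cloud label rules (ASCII subset, stricter than the full rule): lowercase
# letters, digits, "_" and "-", at most 63 characters; keys start with a letter.
# AWS tag keys are case-sensitive, so "Backup-Tier" and "backup-tier" differ.
GCP_KEY = re.compile(r"^[a-z][a-z0-9_-]{0,62}$")
GCP_VALUE = re.compile(r"^[a-z0-9_-]{0,63}$")

# Assumed policies: policy name -> (key, value) specified in that policy.
POLICIES = {"gold": ("backup-tier", "gold"), "silver": ("backup-tier", "silver")}

# Constructed inventory, shaped like an export of tags/labels from each provider.
INVENTORY = [
    {"name": "db-1", "cloud": "aws", "kind": "instance", "labels": {"backup-tier": "gold"}},
    {"name": "web-1", "cloud": "gcp", "kind": "instance", "labels": {"backup-tier": "silver"}},
    {"name": "logs", "cloud": "aws", "kind": "bucket", "labels": {"Backup-Tier": "gold"}},
    {"name": "scratch", "cloud": "gcp", "kind": "bucket", "labels": {"team": "data"}},
]

def usable_on_gcp(key, value):
    """True if the pair can be set as a Google Cloud label at all."""
    return bool(GCP_KEY.match(key) and GCP_VALUE.match(value))

def matching_policies(entity, policies):
    """Names of policies whose key/value pair is present on the entity (exact match)."""
    return sorted(n for n, (k, v) in policies.items() if entity["labels"].get(k) == v)

def audit(inventory, policies):
    """Split entities into assigned, unprotected (no match) and ambiguous (several)."""
    report = {"assigned": {}, "unprotected": [], "ambiguous": []}
    for entity in inventory:
        hits = matching_policies(entity, policies)
        if len(hits) == 1:
            report["assigned"][entity["name"]] = hits[0]
        elif not hits:
            report["unprotected"].append(entity["name"])
        else:
            report["ambiguous"].append(entity["name"])
    return report

if __name__ == "__main__":
    for name, (key, value) in POLICIES.items():
        if not usable_on_gcp(key, value):
            print(f"policy {name}: {key}={value} cannot be a Google Cloud label")
    print(audit(INVENTORY, POLICIES))
```

The `logs` bucket lands in `unprotected` only because of the casing of its tag key, which is the kind of drift this check is meant to surface.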
Prerequisites
- All relevant prerequisites that also apply to manual policy assignment must be fulfilled. For details, see Backing up SaaS applications, Backing up Google Kubernetes Engine applications, Backing up instances, or Backing up buckets.
- For Google Kubernetes Engine applications: The resource objects for which you want to set up automatic policy assignment must be deployed as applications (the resource object of kind: Application must be defined in the application deployment).
Considerations
- Assigning policies automatically takes precedence over assigning policies manually or setting a default policy. This means that the label, the tag, or the metadata added to the preferred SaaS application, GKE application, instance, or bucket defines which policy is assigned to it, even if the same entity already has an assigned policy.
- If you want to assign a new policy to a SaaS application, a GKE application, an instance, or a bucket for which automatic policy assignment has been set up, do one of the following:
  - Define new tags, labels, or metadata as described in this section.
  - Assign the policy to the entity as described in Backing up SaaS applications, Backing up Google Kubernetes Engine applications, Backing up instances, or Backing up buckets. In this case, the manually assigned policy will not be overridden by the automatically assigned one again.