Setting up automatic policy assignment
You can set up automatic assignment of policies to SaaS applications, Google Kubernetes Engine (GKE) applications, instances, or buckets by using one of the following methods:
Method 1 (labels, tags, or metadata)
| Entities | Instructions |
|---|---|
|
SaaS applicationsa |
Add labels or tags to SaaS applications, and then specify the corresponding keys and values in R‑Cloud policies. For details, see Creating custom policies. |
| GKE applications |
Add metadata labels to applications in Google Kubernetes Engine, and then specify the corresponding keys and values in R‑Cloud policies. For details, see Creating custom policies. |
| Instances |
Add the following:
When done, specify the corresponding keys and values in R‑Cloud policies. For details, see Creating custom policies. Note Keep in mind that Azure virtual machines are referred to as Azure instances in R‑Cloud. |
| Buckets |
Add the following:
When done, specify the corresponding keys and values in R‑Cloud policies. For details, see Creating custom policies. Note Keep in mind that Azure storage accounts are referred to as Azure buckets in R‑Cloud. |
aSetting up automatic policy assignment is not supported for all SaaS applications. For more information, see the dedicated topic for your SaaS application in Protecting SaaS applications.
Method 2 (the hycu-policy tag)
| Entities | Instructions |
|---|---|
|
SaaS applicationsa |
Add the Key: Value: In this case, |
| GKE applications | |
| Instances | |
| Buckets |
a Setting up automatic policy assignment is not supported for all SaaS applications. For more information, see Protecting SaaS applications.
Method 3 (the hycu-source-policy label)
| Entities | Instructions |
|---|---|
|
SaaS applicationsa |
Create a custom policy and enable the Labels option as described in Creating custom policies. Use the following label key/value pair: Key: Value: In this case, |
| GKE applications | |
| Instances | |
| Buckets |
a Setting up automatic policy assignment is not supported for all SaaS applications. For more information, see Protecting SaaS applications.
The corresponding policies are automatically assigned to the SaaS applications, GKE applications, instances, or buckets during the next entity synchronization in R‑Cloud.
Prerequisites
-
All relevant prerequisites that apply also for manual policy assignment must be fulfilled. For details, see Backing up SaaS applications, Backing up Google Kubernetes Engine applications, Backing up instances, or Backing up buckets.
-
For Google Kubernetes Engine applications: The resource objects for which you want to set up automatic policy assignment must be deployed as applications (the resource object of
kind: Applicationmust be defined in the application deployment).
Considerations
- Assigning policies automatically takes precedence over assigning policies manually or setting a default policy. This means that the label added to the custom policy, or the label, the tag, or the metadata added to the preferred SaaS application, GKE application, instance, or bucket defines which policy gets assigned, even if the same entity already has an assigned policy.
-
If you want to assign a new policy to a SaaS application, a GKE application, an instance, or a bucket for which automatic policy assignment has been set up, do one of the following:
- Define new tags, labels, or metadata as described in this topic.
- Assign the policy to the entity as described in Backing up SaaS applications, Backing up Google Kubernetes Engine applications, Backing up instances, or Backing up buckets. In this case, the manually assigned policy will not be overridden by the automatically assigned one again.