Restoring SUSE® Security Configuration

Restoring SUSE® Security Configuration

A backup of the SUSE® Security configuration can be applied to restore a previous configuration of SUSE® Security. The backup file can be generated manually as well as imported from the console in Settings → Configuration, choosing all configuration (e.g. registry configurations, integrations, other settings plus policy) or Policy only (e.g. rules/security policy). The rest API can also be used to automatically backup the configuration, as seen in this example.

Cluster events where all controllers stop running, thereby losing real-time configuration state, can be automatically restored when persistent storage has been properly configured.

SUSE® Security does not support partial restoration of objects (e.g. network rules only) nor timestamped restoration (e.g. restore from date/time snapshots). Please use automation scripts to regularly backup configuration files and manage timestamps.

The backup configuration files should not be edited in any way. Any changes to these from their exported state could result in restoration errors and an unpredictable result.

Backup configuration files should be used to restore a SUSE® Security state on the same cluster from which they were exported. Applying a backup configuration file from a different cluster could result in unpredictable results.

Recommended High Availability Settings

Manual backup and restore of configuration should be planned only as a last resort. The following steps are recommended for high availability.

  1. Use Helm with a ConfigMap for initial deployment and configuration.

  2. Use CRDs for defining policy such as network/process, admission control, and other rules.

  3. Run multiple controllers (minimum 3) to auto-sync configuration between running pods, and ensure they run on different hosts.

  4. Configure persistent storage (as part of step 1) to recover from any cluster wide failures where all controllers stop running.

  5. Regularly backup configuration to timestamped backup files.

  6. Restore a cluster’s SUSE® Security configuration from a backup file as a last resort, applying any CRDs after restoration that were new or changed since the previous backup.