Configure a Backup Compliance Policy
If you have strict data protection requirements, you can use Atlas Kubernetes Operator to enable a Backup Compliance Policy to protect your backup data.
Important
You Can't Disable a Backup Compliance Policy
After you enable a Backup Compliance Policy, you can't disable it without MongoDB support. To disable a Backup Compliance Policy, the security or legal representative specified for the Backup Compliance Policy must request support and complete an extensive verification process. Before you enable a Backup Compliance Policy, carefully review the prohibited actions and considerations. You can re-enable a Backup Compliance Policy at any time.
Prohibited Actions
If you enable a Backup Compliance Policy, no user, regardless of role, can do certain actions. Carefully review the prohibited actions.
Important
If you set this parameter to true, Atlas upgrades all
backup policies in the project regardless of what is specified in
the AtlasBackupPolicy Custom Resource. Atlas overrides
the AtlasBackupPolicy Custom Resource and the status
of that custom resource updates to Ready: False. You must
manually update the AtlasBackupPolicy Custom Resource to
align with the Backup Compliance Policy.
If you set this parameter to false, creating the Backup Compliance Policy fails
if the existing backup policies do not satisfy the Backup Compliance Policy.
Considerations
After you enable a Backup Compliance Policy, certain behaviors apply. Carefully review the considerations.
Required Access
To configure a Backup Compliance Policy, you must have Project Owner access
to the project. Users with Organization Owner access must
add themselves as a Project Owner to the project before configuring
a Backup Compliance Policy.
Prerequisites
Only MongoDB Support can do the following actions:
Disable the Backup Compliance Policy.
Disable Continuous Cloud Backup if the Backup Compliance Policy has the Require Point in Time Restore to all clusters option set to On.
Reduce the Continuous Cloud Backup Restore Window.
Delete policy items specified in the Backup Compliance Policy.
Only the specified security or legal representative can request support.
You can apply a Backup Compliance Policy to
M10+dedicated clusters only.Note
You can't convert a dedicated cluster to an
M0free cluster, anM2orM5shared cluster, or a serverless instance.
Procedure
Create the Backup Compliance Policy.
To learn more about the parameters for a Backup Compliance Policy, see the
AtlasBackupCompliancePolicy Custom Resource.
Example:
cat <<EOF | kubectl apply -f - apiVersion: atlas.mongodb.com/v1 kind: AtlasBackupCompliancePolicy metadata: name: my-backup-compliance-policy namespace: mongdb-atlas-system spec: authorizedEmail: john.doe@example.com authorizedUserFirstName: John authorizedUserLastName: Doe copyProtectionEnabled: false encryptionAtRestEnabled: false onDemandPolicy: retentionUnit: weeks retentionValue: 3 overwriteBackupPolicies: false pointInTimeEnabled: true restoreWindowDays: 42 scheduledPolicyItems: - frequencyInterval: 2 frequencyType: daily retentionUnit: days retentionValue: 7 EOF
Note
This Backup Compliance Policy applies as the minimum backup policy to all clusters in the project. The Backup Compliance Policy protects all existing snapshots. The Backup Compliance Policy prevents any user, regardless of role, from modifying or deleting existing snapshots prior to their expiration. Changes made to this Backup Compliance Policy apply only to future snapshots. If you enable a Backup Compliance Policy, the Backup Compliance Policy limits your ability to reduce backup storage costs. You can't adjust the retention or delete a backup to reduce the backup storage costs.
Apply the Backup Compliance Policy to the project.
In the spec.backupCompliancePolicyRef parameter in the
AtlasProject Custom Resource, specify the name and
namespace of the opaque secret that references the
AtlasBackupCompliancePolicy Custom Resource.
Example:
cat <<EOF | kubectl apply -f - apiVersion: atlas.mongodb.com/v1 kind: AtlasProject metadata: name: my-project spec: backupCompliancePolicyRef: name: my-backup-compliance-policy namespace: mongodb-atlas-system EOF