Multi-Region Operations Solutions
This page contains reference solutions for the exercises in the Multi-Region Operations Guide. Try to complete the exercises on your own first, then refer here if you get stuck.
Add a New Region
Add a "Middle East" region with clusters in Dubai and Tel Aviv.
1. Create cluster labels
Create a new file multi-region-labels-me-dubai-prod.yaml:
| YAML |
|---|
| discovery:
labels:
region: "me-dubai"
environment: "production"
role: "authoritative"
tier: "critical"
|
2. Add Middle East dashboard
Add to your dashboard configuration:
| YAML |
|---|
| middle-east-region:
title: "Middle East Region"
url: /regions/middle-east
icon: pi-globe
requires:
- "dashboard_middle_east_region"
graphs:
- widget: "cc-state-tree-table"
args:
filter: 'region in ("me-dubai", "me-telaviv")'
title: "Middle East Clusters"
- widget: "cc-readiness-heatmap"
args:
filter: 'region in ("me-dubai", "me-telaviv")'
|
Add to the Regional Views menu, after the APAC section:
| YAML |
|---|
| - name: "Middle East"
items:
- name: "Middle East Overview"
url: "/regions/middle-east"
description: "All Middle East clusters"
- name: "ME Dubai"
url: "/regions/me-dubai"
description: "Dubai clusters"
- name: "ME Tel Aviv"
url: "/regions/me-telaviv"
description: "Tel Aviv clusters"
|
4. Add REGO policies
Add regional mapping to user.rego:
| Rego |
|---|
| has_matching_region if {
some region_label in input.cluster.labels.region
region_label in ["me-dubai", "me-telaviv"]
"middle-east" in roles
}
|
Add dashboard permission to pdns_global_flags.rego:
| Rego |
|---|
| dashboard_middle_east_region if "admin" in input.user.roles
dashboard_middle_east_region if "global" in input.user.roles
dashboard_middle_east_region if "middle-east" in input.user.roles
|
5. Add Middle East operator user
Add to static users configuration:
| YAML |
|---|
| policy:
staticUsers:
- username: "me-operator"
password: "middleeast123"
roles:
- "middle-east"
- "authoritative"
- "recursor"
- "production"
- "staging"
- "operator"
- "observer"
|
Change Dashboard Filters
Examples of different filter expressions:
Show only critical tier clusters globally
| YAML |
|---|
| filter: 'tier = "critical"'
|
Show production recursors across all regions
| YAML |
|---|
| filter: 'environment = "production" and role = "recursor"'
|
Exclude experimental tier from a regional view
| YAML |
|---|
| filter: 'region in ("us-east", "us-west") and tier != "experimental"'
|
Show clusters matching multiple criteria
| YAML |
|---|
| filter: 'region = "eu-west" and environment = "production" and tier = "critical"'
|
Add a Cross-Region Dashboard
Create a dashboard showing critical infrastructure across all regions.
Dashboard configuration
| YAML |
|---|
| global-critical-infrastructure:
title: "Global Critical Infrastructure"
url: /global/critical
icon: pi-exclamation-triangle
requires:
- "dashboard_global_critical"
graphs:
- widget: "cc-state-tree-table"
args:
filter: 'tier = "critical"'
title: "All Critical Tier Clusters"
- widget: "cc-readiness-heatmap"
args:
filter: 'tier = "critical" and environment = "production"'
title: "Critical Production Health"
|
REGO policy for cross-region access
| Rego |
|---|
| # Allow regional directors to see global critical view
dashboard_global_critical if "admin" in input.user.roles
dashboard_global_critical if "global" in input.user.roles
dashboard_global_critical if "americas" in input.user.roles
dashboard_global_critical if "europe" in input.user.roles
dashboard_global_critical if "apac" in input.user.roles
|
Implement Time-Based Access Control
Restrict production access to business hours only.
Conceptual Example
This is a conceptual example. Implementing actual time-based access requires external time input to the policy engine.
Updated can_manage_instances rules
| Rego |
|---|
| # Non-production: standard operator access
can_manage_instances if {
can_see_cluster
"operator" in roles
input.cluster.labels.environment != "production"
}
# Production: requires additional "after-hours-operator" role outside business hours
can_manage_instances if {
can_see_cluster
"operator" in roles
input.cluster.labels.environment == "production"
"after-hours-operator" in roles
}
|
This approach:
- Allows operators to manage non-production clusters anytime
- Requires the additional
after-hours-operator role for production changes
- In practice, you would grant/revoke the
after-hours-operator role based on time or on-call schedules
Add a Read-Only Global User
Create a user that can view all regions but cannot perform any operations.
Static user configuration
| YAML |
|---|
| # Add to staticUsers
- username: "global-readonly"
password: "readonly123"
roles:
- "global" # Access all regions
- "authoritative"
- "recursor"
- "production"
- "staging"
- "development"
- "observer" # Read-only access
# Note: no "operator" or "content-manager" roles
|
This user can:
- View all regional dashboards (has
global role)
- Read logs from any cluster (has
observer role)
- Perform DNS checks
- Access all environments and cluster types
But cannot:
- Restart instances (no
operator role)
- Clear cache (no
content-manager role)
- Delete pods (no
operator role)
Create Environment-Specific Regional Views
Add dashboards that combine region and environment filters.
Americas Production dashboard
| YAML |
|---|
| americas-production:
title: "Americas Production"
url: /regions/americas/production
icon: pi-shield
requires:
- "dashboard_americas_production"
graphs:
- widget: "cc-state-tree-table"
args:
filter: 'region in ("us-east", "us-west", "us-central") and environment = "production"'
title: "Americas Production Clusters"
|
Americas Non-Production dashboard
| YAML |
|---|
| americas-non-prod:
title: "Americas Non-Production"
url: /regions/americas/non-prod
icon: pi-code
requires:
- "dashboard_americas_non_prod"
graphs:
- widget: "cc-state-tree-table"
args:
filter: 'region in ("us-east", "us-west", "us-central") and environment != "production"'
title: "Americas Staging & Development"
|
You can apply this pattern to other regions (Europe, APAC) by adjusting the region filter values accordingly.