# Using appsec class for assigning separate custom resources to specific deployments

{% hint style="warning" %}
The advanced configuration options explained on this page require an existing helm-based deployment on K8s with CRD version v1beta2. See here for instructions: [Install Using Helm - new flow (beta)](/getting-started/start-with-kubernetes/install-using-helm-new-flow-beta.md)
{% endhint %}

In deployment scenarios with **multiple parallel open-appsec deployments** on the same Kubernetes cluster (each with the same or a different Proxy/API Gateway integration type), **separate, distinct sets of custom resources** are often required for the open-appsec configuration of the different deployments.

Starting with open-appsec CRD version [v1beta2](/getting-started/start-with-kubernetes/configuration-using-crds-v1beta2.md) you can now define multiple, distinct sets of custom resources for the configuration of different, parallel open-appsec deployments on the same Kubernetes cluster by specifying an appsec class.

## Using appsec class

When you [deploy open-appsec using helm](/getting-started/start-with-kubernetes/install-using-helm-new-flow-beta.md), you can optionally specify an `appsec.className`, as shown in the example below, to associate that specific appsec class (`myCustomClass1` in the example) with your deployment.

```bash
helm install ... --set appsec.className=myCustomClass1 ...
```

As a result, this specific open-appsec deployment (more specifically, the open-appsec agent) will only look at those custom resources that also have the key `appsecClassName` set to that exact same value.

{% hint style="warning" %}
When you do not specify `appsec.className` for a deployment of open-appsec, that open-appsec agent will **ignore** the `appsecClassName` property in custom resources and apply both of the following kinds of custom resources: those with no `appsecClassName` set as well as those with an `appsecClassName` specified with the helm install command.
{% endhint %}

Here's an example of a policy custom resource with the added property `appsecClassName` (see line 6) set to `myCustomClass1`, so that a deployment that was also configured with `appsec.className` set to `myCustomClass1` (see above) would consider and implement it:

```yaml
apiVersion: openappsec.io/v1beta2
kind: Policy
metadata:
    name: policy-example
spec:
    appsecClassName: myCustomClass1
    default:
        mode: detect-learn
        accessControlPractices: [access-control-practice-example]
        threatPreventionPractices: [threat-prevention-practice-example]
        triggers: [log-trigger-example]
        customResponse: custom-response-code-example
        sourceIdentifiers: ""
        trustedSources: ""
        exceptions:
        - exception-example
    specificRules:
        - host: "example.com"
          mode: prevent-learn
          threatPreventionPractices: [threat-prevention-practice-example]
          accessControlPractices: [access-control-practice-example]
          triggers: [log-trigger-example]
          customResponse: custom-response-code-example
          sourceIdentifiers: ""
          trustedSources: ""
          exceptions:
          - exception-example
```

{% hint style="danger" %}
Make sure to set the `appsecClassName` property in all custom resources relevant for the specific open-appsec deployment that is configured to use it, including all relevant dependencies (e.g. the custom resources for `customResponse`, `triggers`, `accessControlPractices`, `threatPreventionPractices` and `exceptions` as referenced in the example policy custom resource above).
{% endhint %}
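
The dependency rule above can be checked before applying manifests. The following is an added example, not open-appsec's own code: it flags resources referenced by a Policy that are missing or carry a different `appsecClassName`. It assumes manifests are already loaded as dicts, that every kind stores the value at `spec.appsecClassName`, and that the sample kind names match the v1beta2 CRDs; all sample resources are constructed.

```python
LIST_REFS = ("accessControlPractices", "threatPreventionPractices", "triggers", "exceptions")
SINGLE_REFS = ("customResponse", "sourceIdentifiers", "trustedSources")

def class_of(resource):
    """spec.appsecClassName, or None when the key is absent (assumed location)."""
    return resource.get("spec", {}).get("appsecClassName")

def referenced_names(rule):
    """Names of every custom resource one policy rule points at."""
    names = [n for f in LIST_REFS for n in (rule.get(f) or [])]
    names += [rule[f] for f in SINGLE_REFS if rule.get(f)]  # "" means unset
    return names

def find_class_mismatches(resources):
    """Return (policy, dependency, found, wanted) for each referenced resource
    that is missing or whose appsecClassName differs from the policy's."""
    # Simplification: dependencies are indexed by name only, across all kinds.
    by_name = {r["metadata"]["name"]: r for r in resources if r["kind"] != "Policy"}
    problems = []
    for policy in (r for r in resources if r["kind"] == "Policy"):
        want, spec = class_of(policy), policy["spec"]
        rules = [spec.get("default", {})] + list(spec.get("specificRules", []))
        for name in sorted({n for rule in rules for n in referenced_names(rule)}):
            dep = by_name.get(name)
            if dep is None or class_of(dep) != want:
                found = "not found" if dep is None else f"class {class_of(dep)!r}"
                problems.append((policy["metadata"]["name"], name, found, want))
    return problems

def res(kind, name, cls=None, **spec):
    if cls is not None:
        spec["appsecClassName"] = cls
    return {"kind": kind, "metadata": {"name": name}, "spec": spec}

SAMPLE = [  # constructed manifests, not taken from a real cluster
    res("Policy", "policy-example", "myCustomClass1", default={
        "threatPreventionPractices": ["threat-prevention-practice-example"],
        "triggers": ["log-trigger-example"], "exceptions": ["exception-example"],
        "customResponse": "custom-response-code-example", "trustedSources": ""}),
    res("ThreatPreventionPractice", "threat-prevention-practice-example", "myCustomClass1"),
    res("LogTrigger", "log-trigger-example"),  # appsecClassName forgotten
    res("CustomResponse", "custom-response-code-example", "myCustomClass2"),
    res("Exception", "exception-example", "myCustomClass1"),
]

if __name__ == "__main__":
    for problem in find_class_mismatches(SAMPLE):
        print(*problem, sep=" | ")
```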

This approach is similar to how you can, for example, set different `ingressClassName` values to determine which Ingress API resources should be satisfied by which Ingress Controllers.

{% hint style="warning" %}
open-appsec deployments without an `appsec.className` explicitly set will only apply the configuration from those custom resources that do not have any `appsecClassName` explicitly defined.

open-appsec deployments with an `appsec.className` explicitly set will only apply the configuration from those custom resources that also have the exact same `appsecClassName` explicitly defined.
{% endhint %}

