Policy Management - Overview

Introduction

A Policy is an Execution Condition. Organizations usually have certain criteria that must be checked before or during the execution of CI/CD pipelines. The pipeline execution should only begin (if the criteria are checked before the pipeline starts, i.e. a Static Policy) or proceed (if the criteria are checked during the pipeline runtime, i.e. a Runtime Policy) when those criteria are met.

A Static policy lets users validate conditions before execution starts, whereas a Runtime policy enables automated decision-making during execution.

A Policy defines a set of conditions or criteria that need to be checked. As an example, a policy could define a blackout window (or moratorium period) for production deployments: a time period within which no production deployments should be performed. Any deployment to the production environment triggered during the moratorium period is automatically rejected or stopped.

OES lets users create a policy and reuse it across applications to validate the criteria it defines at runtime, during pipeline execution. A policy can define custom conditions to be validated, which enables OES users to make decisions at run time without manual intervention.

OES uses the OPA policy engine for policy definition and execution. The Open Policy Agent (OPA) is an open source, general-purpose policy engine that unifies policy enforcement across the stack. OPA provides a high-level declarative language that lets you specify policy as code, and simple APIs to offload policy decision-making from your software. OPA policies are expressed in that language, Rego, which is purpose-built for expressing policies over complex hierarchical data structures.

Overview

The policy management feature allows you to automatically create policies (in a declarative language) that set stringent guidelines for safe and fine-grained control of the Spinnaker deployment pipeline. This feature gives you the freedom to set or declare specific policy rules or guidelines. For example, "automated testing must be completed before deployment" is a rule that must be satisfied when creating Spinnaker pipelines and policies.
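The two rules discussed above, the moratorium window from the Introduction and the "tests before deployment" guideline, written as one OPA/Rego policy. This is an added example, not OES or OPA project code: the shape of `input` (environment, trigger time, pipeline stages) and the `data.blackout_windows` layout are assumptions made for illustration, and the real document OES hands to OPA may differ.

```rego
package opsmx.deployment.gate

import rego.v1

# Added example; not OES or OPA project code.
# Assumed input (constructed):
#   {"environment": "production",
#    "trigger_time": "2024-12-24T10:30:00Z",
#    "stages": [{"name": "Automated Tests", "type": "test", "status": "SUCCEEDED"}]}
# Assumed data (constructed):
#   {"blackout_windows": [{"name": "year-end freeze",
#                          "start": "2024-12-20T00:00:00Z",
#                          "end":   "2025-01-05T00:00:00Z"}]}

# Deny by default: the pipeline may proceed only when no deny reason exists.
default allow := false

allow if count(deny) == 0

# Static-style check: a production deployment triggered inside a
# moratorium window is rejected, with the window named in the reason.
deny contains msg if {
	input.environment == "production"
	some window in data.blackout_windows
	now := time.parse_rfc3339_ns(input.trigger_time)
	now >= time.parse_rfc3339_ns(window.start)
	now < time.parse_rfc3339_ns(window.end)
	msg := sprintf("production deployment blocked by moratorium %q (%s to %s)", [window.name, window.start, window.end])
}

# Fail closed: without a trigger time the window check above would simply
# be undefined and the deployment would slip through, so deny explicitly.
deny contains "input.trigger_time is missing; moratorium cannot be evaluated" if {
	input.environment == "production"
	not input.trigger_time
}

# Runtime-style check: at least one test stage must have succeeded
# before the deployment stage is allowed to proceed.
deny contains "no successful automated test stage preceded this deployment" if {
	not tests_passed
}

tests_passed if {
	some stage in input.stages
	stage.type == "test"
	stage.status == "SUCCEEDED"
}
```

With the constructed input and data above, `opa eval -d policy.rego -d data.json -i input.json 'data.opsmx.deployment.gate'` yields `allow: false` and a single deny reason naming the "year-end freeze" window; moving `trigger_time` outside the window, or changing the environment to "staging", yields `allow: true`. The policy is written deny-by-default and fails closed on missing input, so a malformed request from the pipeline cannot bypass the moratorium by omission.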

Policy management also allows you to validate policies at runtime through third-party policy engines (such as Open Policy Agent) using a REST API. Moreover, security managers can quickly add, modify and delete policies in step with business policy changes. OES Policy Management allows you to quickly declare policies and integrate with third-party policy managers for validation.

Now that we have a fair idea of what Policy Management does and what its benefits are, let's take a quick look at how the policy management page looks. Refer to the image below:
