Create Policy

Policies will help you to maintain strict guidelines for a deployment pipeline by allowing users to validate the application configuration while creating an application in spinnaker through a policy.

Policies are of two types:

  • Static Policy: A policy that is enforced at all times.

  • Run time Policy: A policy that can only take effect while you are running a pipeline.

Create Policy

To create a new policy follow the steps below:

  1. From the ISD application dashboard, Click "Compliance" --> Click "Policy Management" tab and then Click "+New Policy" button as shown in the image below.

2. The Policy Management screen appears and select policy type from the drop down as shown below:

Static Policies can be created/edited only by the Administrators.

Runtime Policies can be created/edited by the Developers.

Enter the following details:

  • Enter the Name of the policy in the text box.

  • Select the Policy type from the drop-down.

  • Select the Policy Engine as OPA from the drop-down.

  • Select the Policy Engine Account from the drop-down.

  • Enter the Policy Description in the text box.

  • Select and add any available Policy file.

3. Enter the Policy Details in the text box and click “Save & Finish” to create the policy as shown in the image below:

Note: The repository contains a collection of sample policies that can be used with OpsMx ISD. Refer to the below link to view the sample policies.

Here are a couple of examples from the repository:

Static Policy to restrict image source while a pipeline is being saved

# application named "sampleapp"
# deploying to an account "production"
# The image, if present MUST start with ""
# Other applications/pipelines can be saved without these restrictions
deny[msg] {
   count(>0 == "sampleapp"[_].account == "production"

   images :=[_].manifests[_].spec.template.spec.containers[_].image
   not startswith(images, "")
   msg := sprintf("[%v] being deployed to be from", [images])

Dynamic policy that verifies the deployment is not happening during a blackout window

# This policy verifies the deployment is not happening during a blackout window.
# The blackout window can be configured by changing hour

package opa.pipelines.datetimeslot

 deny["Pipeline has no start time"] {
     startTime := input.startTime
     startTime == 0
  weekday {
     day := time.weekday(time.now_ns())
     day != "Saturday"
     day != "Sunday"

  deny["No deployments allowed between 09am - 04pm on weekdays"] {
     [hour, minute, second] := time.clock([time.now_ns(), tz])
     tz = "Africa/Lagos"

     hour >= 9
     hour < 16

To know more about policy as code, refer here.

Last updated