Create Policy
Policies help you maintain strict guidelines for a deployment pipeline by letting you validate an application's configuration against a policy when the application is created in Spinnaker.
Policies are of two types:
Static Policy: A policy that is enforced at all times.
Run time Policy: A policy that can only take effect while you are running a pipeline.
Create Policy
To create a new policy follow the steps below:
1. From the ISD application dashboard, click "Compliance", click the "Policy Management" tab, and then click the "+New Policy" button as shown in the image below.

2. The Policy Management screen appears. Select the policy type from the drop-down as shown below:

Enter the following details:
Enter the Name of the policy in the text box.
Select the Policy type from the drop-down.
Select the Policy Engine as OPA from the drop-down.
Select the Policy Engine Account from the drop-down.
Enter the Policy Description in the text box.
Select and add any available Policy file.
3. Enter the Policy Details in the text box and click “Save & Finish” to create the policy as shown in the image below:

Here are a couple of examples from the repository:
Static Policy to restrict image source while a pipeline is being saved
######
# IF
#   application named "sampleapp"
#   deploying to an account "production"
# THEN
#   The image, if present, MUST start with "docker.opsmx.com/"
#
# Other applications/pipelines can be saved without these restrictions
package opa.spinnaker.pipelines.new

deny[msg] {
    count(input.new.stages) > 0
    input.new.application == "sampleapp"
    input.new.stages[_].account == "production"
    images := input.new.stages[_].manifests[_].spec.template.spec.containers[_].image
    # The trailing "/" pins the registry host, so "docker.opsmx.com.<other-domain>/..." does not match.
    not startswith(images, "docker.opsmx.com/")
    msg := sprintf("[%v] being deployed must be from docker.opsmx.com", [images])
}
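The static policy above can be unit-tested with `opa test` before it is uploaded. The tests below are an added example, not part of the OpsMx repository; the `pipeline` helper, the file names and the sample inputs are constructed for illustration, and the field layout only mirrors the paths the policy reads.

```rego
# Added example: unit tests for the static image-source policy.
# Assumes the policy is saved as policy.rego and this file as policy_test.rego:
#   opa test policy.rego policy_test.rego
# (on OPA 1.x add --v0-compatible, since the policy uses pre-1.0 rule syntax)
package opa.spinnaker.pipelines.new

# Constructed helper: minimal pipeline-save input with a single deploy stage.
pipeline(app, account, image) = {
    "new": {
        "application": app,
        "stages": [{
            "account": account,
            "manifests": [{"spec": {"template": {"spec": {"containers": [{"image": image}]}}}}]
        }]
    }
}

test_trusted_registry_allowed {
    inp := pipeline("sampleapp", "production", "docker.opsmx.com/team/app:1.0")
    count(deny) == 0 with input as inp
}

test_other_registry_denied {
    inp := pipeline("sampleapp", "production", "docker.io/library/nginx:latest")
    count(deny) == 1 with input as inp
}

# A lookalike host would pass a bare "docker.opsmx.com" prefix check;
# the "/"-terminated prefix in the policy rejects it.
test_lookalike_host_denied {
    inp := pipeline("sampleapp", "production", "docker.opsmx.com.example.net/app:1.0")
    count(deny) == 1 with input as inp
}

# The restriction is scoped to "sampleapp" deploying to "production".
test_other_application_unrestricted {
    inp := pipeline("otherapp", "production", "docker.io/library/nginx:latest")
    count(deny) == 0 with input as inp
}

test_non_production_account_unrestricted {
    inp := pipeline("sampleapp", "staging", "docker.io/library/nginx:latest")
    count(deny) == 0 with input as inp
}
```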
Dynamic policy that verifies the deployment is not happening during a blackout window
# This policy verifies the deployment is not happening during a blackout window.
# The blackout window can be configured by changing hour
package opa.pipelines.datetimeslot

deny["Pipeline has no start time"] {
    startTime := input.startTime
    startTime == 0
}

# True on Monday to Friday. time.weekday is called without a timezone,
# so the day of the week is evaluated in UTC.
weekday {
    day := time.weekday(time.now_ns())
    day != "Saturday"
    day != "Sunday"
}

deny["No deployments allowed between 09am - 04pm on weekdays"] {
    # The hour is evaluated in this timezone.
    tz = "Africa/Lagos"
    [hour, minute, second] := time.clock([time.now_ns(), tz])
    hour >= 9
    hour < 16
    weekday
}
To know more about policy as code, refer here.