Create Policy

Policies will help you to maintain strict guidelines for a deployment pipeline by allowing users to validate the application configuration while creating an application in spinnaker through a policy.

Policies are of two types:

Static Policy: A policy that is enforced at all times.
Run time Policy: A policy that can only take effect while you are running a pipeline.

Create Policy

To create a new policy follow the steps below:

From the ISD application dashboard, Click "Compliance" --> Click "Policy Management" tab and then Click "+New Policy" button as shown in the image below.

2. The Policy Management screen appears and select policy type from the drop down as shown below:

Static Policies can be created/edited only by the Administrators.

Runtime Policies can be created/edited by the Developers.

Enter the following details:

Enter the Name of the policy in the text box.
Select the Policy type from the drop-down.
Select the Policy Engine as OPA from the drop-down.
Select the Policy Engine Account from the drop-down.
Enter the Policy Description in the text box.
Select and add any available Policy file.

3. Enter the Policy Details in the text box and click “Save & Finish” to create the policy as shown in the image below:

Note: The repository contains a collection of sample policies that can be used with OpsMx ISD. Refer to the below link to view the sample policies.

Here are a couple of examples from the repository:

Static Policy to restrict image source while a pipeline is being saved

######
#IF
# application named "sampleapp"
# deploying to an account "production"
# THEN
# The image, if present MUST start with "docker.opsmx.com"
#
# Other applications/pipelines can be saved without these restrictions
package opa.spinnaker.pipelines.new
deny[msg] {
   count(input.new.stages)>0
   input.new.application == "sampleapp"
   input.new.stages[_].account == "production"

   images := input.new.stages[_].manifests[_].spec.template.spec.containers[_].image
   not startswith(images, "docker.opsmx.com/")
   msg := sprintf("[%v] being deployed to be from docker.opsmx.com", [images])
}

Dynamic policy that verifies the deployment is not happening during a blackout window

# This policy verifies the deployment is not happening during a blackout window.
# The blackout window can be configured by changing hour

package opa.pipelines.datetimeslot

 deny["Pipeline has no start time"] {
     startTime := input.startTime
     startTime == 0
 }
  weekday {
     day := time.weekday(time.now_ns())
     day != "Saturday"
     day != "Sunday"
  }

  deny["No deployments allowed between 09am - 04pm on weekdays"] {
     [hour, minute, second] := time.clock([time.now_ns(), tz])
     tz = "Africa/Lagos"

     hour >= 9
     hour < 16
     weekday
   }

To know more about policy as code, refer here.

PreviousManage Policy NextEdit Policy

Last updated 2 years ago

###### #IF # application named "sampleapp" # deploying to an account "production" # THEN # The image, if present MUST start with "docker.opsmx.com" # # Other applications/pipelines can be saved without these restrictions package opa.spinnaker.pipelines.new deny[msg] { count(input.new.stages)>0 input.new.application == "sampleapp" input.new.stages[_].account == "production" images := input.new.stages[_].manifests[_].spec.template.spec.containers[_].image not startswith(images, "docker.opsmx.com/") msg := sprintf("[%v] being deployed to be from docker.opsmx.com", [images]) }

# This policy verifies the deployment is not happening during a blackout window. # The blackout window can be configured by changing hour package opa.pipelines.datetimeslot deny["Pipeline has no start time"] { startTime := input.startTime startTime == 0 } weekday { day := time.weekday(time.now_ns()) day != "Saturday" day != "Sunday" } deny["No deployments allowed between 09am - 04pm on weekdays"] { [hour, minute, second] := time.clock([time.now_ns(), tz]) tz = "Africa/Lagos" hour >= 9 hour < 16 weekday }