Create Policy

Policies will help you to maintain strict guidelines for a deployment pipeline by allowing users to validate the application configuration while creating an application in spinnaker through a policy.

Policies are of two types:

  • Static Policy: A policy that is enforced at all times.

  • Run time Policy: A policy that can only take effect while you are running a pipeline.

Create Policy

To create a new policy follow the steps below:

  1. From the ISD application dashboard, Click "Compliance" --> Click "Policy Management" tab and then Click "+New Policy" button as shown in the image below.

2. The Policy Management screen appears and select policy type from the drop down as shown below:

Static Policies can be created/edited only by the Administrators.

Runtime Policies can be created/edited by the Developers.

Enter the following details:

  • Enter the Name of the policy in the text box.

  • Select the Policy type from the drop-down.

  • Select the Policy Engine as OPA from the drop-down.

  • Select the Policy Engine Account from the drop-down.

  • Enter the Policy Description in the text box.

  • Select and add any available Policy file.

3. Enter the Policy Details in the text box and click “Save & Finish” to create the policy as shown in the image below:

Note: The repository contains a collection of sample policies that can be used with OpsMx ISD. Refer to the below link to view the sample policies.

LogoGitHub - OpsMx/policy-as-code-examples: Collection of policy as code examplesGitHub
Collection of sample policies

Here are a couple of examples from the repository:

Static Policy to restrict image source while a pipeline is being saved

######
#IF
# application named "sampleapp"
# deploying to an account "production"
# THEN
# The image, if present MUST start with "docker.opsmx.com"
#
# Other applications/pipelines can be saved without these restrictions
package opa.spinnaker.pipelines.new
deny[msg] {
   count(input.new.stages)>0
   input.new.application == "sampleapp"
   input.new.stages[_].account == "production"

   images := input.new.stages[_].manifests[_].spec.template.spec.containers[_].image
   not startswith(images, "docker.opsmx.com/")
   msg := sprintf("[%v] being deployed to be from docker.opsmx.com", [images])
}

Dynamic policy that verifies the deployment is not happening during a blackout window

# This policy verifies the deployment is not happening during a blackout window.
# The blackout window can be configured by changing hour

package opa.pipelines.datetimeslot

 deny["Pipeline has no start time"] {
     startTime := input.startTime
     startTime == 0
 }
  weekday {
     day := time.weekday(time.now_ns())
     day != "Saturday"
     day != "Sunday"
  }

  deny["No deployments allowed between 09am - 04pm on weekdays"] {
     [hour, minute, second] := time.clock([time.now_ns(), tz])
     tz = "Africa/Lagos"

     hour >= 9
     hour < 16
     weekday
   }

To know more about policy as code, refer here.

PreviousManage PolicyNextEdit Policy

Last updated

Was this helpful?