Policy - Overview

Introduction

A policy is an execution condition. Organizations usually have specific criteria that must be checked before or during the execution of CI/CD pipelines. The pipeline execution should only begin (if the criteria are checked before the pipeline starts, a Static Policy) or proceed (if the criteria are checked while the pipeline is running, a Runtime Policy) when those criteria are met.

Static policy lets users validate conditions before the start of execution, whereas Runtime policy enables users to automate decision-making during execution.

A policy defines a set of conditions or criteria that need to be checked. For example, a policy could define a blackout window (or moratorium period) for production deployments: a time period within which no production deployments should be performed. Any deployment to the production environment triggered during this period is automatically rejected or stopped.

OES lets users create a policy and reuse it across different applications to validate the criteria it defines at runtime, during pipeline execution. A policy can define custom conditions that must be validated, which lets OES users make decisions at run time without manual intervention.

OES uses the OPA policy engine for policy definition & execution. The Open Policy Agent (OPA) is an open-source, general-purpose policy engine that unifies policy enforcement across the stack. OPA provides a high-level declarative language that lets you specify policy as code and simple APIs to offload policy decision-making from your software. OPA policies are expressed in a high-level declarative language called Rego. It is purpose-built for expressing policies over complex hierarchical data structures.
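As an added example that is not part of the original page or OES's own policy library, the moratorium (blackout window) policy described above written in Rego. The window list and the `input.environment` / `input.deploy_time` field names are constructed assumptions, not the OES input schema; `deploy_time` is taken from the input rather than `time.now_ns()` so the decision is reproducible when testing with `opa eval`.

```rego
package opsmx.policy.moratorium

import future.keywords

# Constructed moratorium windows (assumed layout, not OES's schema).
# Each window is a half-open interval [start, end) in RFC 3339 UTC.
moratorium_windows := [
	{
		"name": "Year-end freeze",
		"start": "2024-12-20T00:00:00Z",
		"end": "2025-01-05T00:00:00Z",
	},
]

# Fail closed: a deployment is allowed only when no deny reason exists.
default allow := false

allow if {
	count(deny) == 0
}

# Deny production deployments whose trigger time falls inside any window.
deny contains msg if {
	input.environment == "production"
	some w in moratorium_windows
	in_window(input.deploy_time, w)
	msg := sprintf(
		"production deployment blocked: inside moratorium window %s (%s to %s)",
		[w.name, w.start, w.end],
	)
}

# True when timestamp t lies within [w.start, w.end).
in_window(t, w) if {
	ts := time.parse_rfc3339_ns(t)
	ts >= time.parse_rfc3339_ns(w.start)
	ts < time.parse_rfc3339_ns(w.end)
}
```

With an input of `{"environment": "production", "deploy_time": "2024-12-24T10:00:00Z"}`, `data.opsmx.policy.moratorium.allow` evaluates to `false` and `deny` holds the reason; the same input for `"staging"` evaluates to `true`.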

Overview

The Policies feature allows you to automatically create policies (in a declarative language) that set stringent guidelines for safe and fine-grained control over the Spinnaker deployment pipeline. It gives you the freedom to set or declare specific policy rules or guidelines, for example, that automated testing must be completed before deployment, a rule that must be satisfied when creating a Spinnaker pipeline.

The Policies feature also allows you to validate policies at runtime through third-party policy engines (such as Open Policy Agent) using a REST API. Security managers can quickly add, modify, and delete policies as business policies change. The OES Policies feature lets you quickly declare policies and integrate with third-party policy managers for validation.

Now that we have a fair idea of what the Policies feature does and what its benefits are, let's take a quick look at how the Policies page looks. Refer to the image below:

To know more about creating, editing, and sample policies, refer here.
