Create Policy
Policies help you maintain strict guidelines for a deployment pipeline by validating the application configuration when users create an application in Spinnaker.
Policies are of two types:
  • Static Policy: A policy that is enforced at all times.
  • Runtime Policy: A policy that can only take effect while you are running a pipeline.

To create a new policy, follow the steps below:
1. From the ISD application dashboard, click "Compliance", then click the "Policy Management" tab, and then click the "+New Policy" button as shown in the image below.
2. The Policy Management screen appears. Select the policy type from the drop-down as shown below:
Static Policies can be created/edited only by the Administrators.
Runtime Policies can be created/edited by the Developers.
Enter the following details:
  • Enter the Name of the policy in the text box.
  • Select the Policy type from the drop-down.
  • Select the Policy Engine as OPA from the drop-down.
  • Select the Policy Engine Account from the drop-down.
  • Enter the Policy Description in the text box.
  • Select and add any available Policy file.
3. Enter the Policy Details in the text box and click “Save & Finish” to create the policy as shown in the image below:
Note: The repository contains a collection of sample policies that can be used with OpsMx ISD. Refer to the below link to view the sample policies.
GitHub - OpsMx/policy-as-code-examples: Collection of policy as code examples

Here are a couple of examples from the repository:

Static Policy to restrict image source while a pipeline is being saved

######
#IF
# application named "sampleapp"
# deploying to an account "production"
# THEN
# The image, if present MUST start with "docker.opsmx.com"
#
# Other applications/pipelines can be saved without these restrictions
package opa.spinnaker.pipelines.new
deny[msg] {
    count(input.new.stages)>0
    input.new.application == "sampleapp"
    input.new.stages[_].account == "production"

    images := input.new.stages[_].manifests[_].spec.template.spec.containers[_].image
    not startswith(images, "docker.opsmx.com/")
    msg := sprintf("[%v] being deployed to be from docker.opsmx.com", [images])
}

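A policy like the static one above can be checked with OPA's test runner before it is saved in ISD. The tests below are an added example, not part of the OpsMx repository: the `pipeline` helper, the `new_test` package name and every input value are constructed. They assume the policy file sits in the same directory and use the same pre-1.0 rule syntax as the policy, so on OPA 1.0 or later run them with `opa test --v0-compatible .`.

```rego
# Added example: unit tests for the static image-source policy above.
# Every input document here is constructed for illustration.
package opa.spinnaker.pipelines.new_test

import data.opa.spinnaker.pipelines.new.deny

# Hypothetical helper: a minimal pipeline with one deploy stage and one container.
pipeline(app, account, image) = {"new": {
    "application": app,
    "stages": [{
        "account": account,
        "manifests": [{"spec": {"template": {"spec": {"containers": [{"image": image}]}}}}]
    }]
}}

test_allowed_registry_is_not_denied {
    inp := pipeline("sampleapp", "production", "docker.opsmx.com/team/api:1.4.2")
    count(deny) == 0 with input as inp
}

test_other_registry_is_denied {
    inp := pipeline("sampleapp", "production", "docker.io/library/nginx:latest")
    count(deny) == 1 with input as inp
}

# The trailing "/" in the policy's prefix is what rejects a look-alike host
# whose name merely begins with "docker.opsmx.com".
test_lookalike_host_is_denied {
    inp := pipeline("sampleapp", "production", "docker.opsmx.com.example.net/api:1")
    count(deny) == 1 with input as inp
}

# Scope checks: the restriction applies only to "sampleapp" in "production".
test_other_application_is_unrestricted {
    inp := pipeline("otherapp", "production", "docker.io/library/nginx:latest")
    count(deny) == 0 with input as inp
}

test_non_production_account_is_unrestricted {
    inp := pipeline("sampleapp", "staging", "docker.io/library/nginx:latest")
    count(deny) == 0 with input as inp
}
```
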
Dynamic policy that verifies the deployment is not happening during a blackout window

# This policy verifies the deployment is not happening during a blackout window.
# The blackout window can be configured by changing hour

package opa.pipelines.datetimeslot

deny["Pipeline has no start time"] {
    startTime := input.startTime
    startTime == 0
}
weekday {
    day := time.weekday(time.now_ns())
    day != "Saturday"
    day != "Sunday"
}

deny["No deployments allowed between 09am - 04pm on weekdays"] {
    [hour, minute, second] := time.clock([time.now_ns(), tz])
    tz = "Africa/Lagos"

    hour >= 9
    hour < 16
    weekday
}

To know more about policy as code, refer here.