OpsMx
HomeContact UsBlog
Search
⌃K
Links

Create Policy

Policies will help you to maintain strict guidelines for a deployment pipeline by allowing users to validate the application configuration while creating an application in spinnaker through a policy.
Policies are of two types:
  1. 1.
    Static Policy: A policy that is enforced at all times.
  2. 2.
    Run time Policy: A policy that can only take effect while running a pipeline.

Create Policy

To create a new policy follow the steps below:
  1. 1.
    From the ISD application dashboard, click "Setup" and then click "Policies" to access the policies page, where you can create, edit and delete the policies.
  2. 2.
    From the "Policies" page, click "New Policy" button to create a policy as shown in the image below.
  3. 3.
    New Policy creation screen appears and selects policy type from the drop-down as shown below:
    Static Policies can be created/edited only by the Administrators.
    Runtime Policies can be created/edited by the Developers.
    Enter the following details:
    • Name: Enter the Name of the policy in the text box.
    • Policy Type: Select the Policy type from the drop-down.
    • Policy Engine: Select the Policy Engine as OPA from the drop-down.
    • Policy Engine Account: Select the Policy Engine Account from the drop-down.
    • Policy Description: Enter the Policy Description in the text box.
    • Policy File: Select and add any available Policy file.
  4. 4.
    Enter the Policy Details in the text box and click “Save & Finish” to create the policy. Users can restrict the group permission to access this policy by enabling the “Policy permissions” as shown in the image below.
Note: The repository contains a collection of sample policies that can be used with OpsMx ISD. Refer to the below link to view the sample policies.

Examples from the repository

Here are a couple of examples from the repository:
  • Static Policy to restrict image source while a pipeline is being saved
    ######
    #IF
    # application named "sampleapp"
    # deploying to an account "production"
    # THEN
    # The image, if present MUST start with "docker.opsmx.com"
    #
    # Other applications/pipelines can be saved without these restrictions
    package opa.spinnaker.pipelines.new
    deny[msg] {
    count(input.new.stages)>0
    input.new.application == "sampleapp"
    input.new.stages[_].account == "production"
    images := input.new.stages[_].manifests[_].spec.template.spec.containers[_].image
    not startswith(images, "docker.opsmx.com/")
    msg := sprintf("[%v] being deployed to be from docker.opsmx.com", [images])
    }
  • Dynamic policy that verifies the deployment is not happening during a blackout window
    # This policy verifies the deployment is not happening during a blackout window.
    # The blackout window can be configured by changing hour
    package opa.pipelines.datetimeslot
    deny["Pipeline has no start time"] {
    startTime := input.startTime
    startTime == 0
    }
    weekday {
    day := time.weekday(time.now_ns())
    day != "Saturday"
    day != "Sunday"
    }
    deny["No deployments allowed between 09am - 04pm on weekdays"] {
    [hour, minute, second] := time.clock([time.now_ns(), tz])
    tz = "Africa/Lagos"
    hour >= 9
    hour < 16
    weekday
    }
To know more about policy as code, refer here.
Previous
Manage Policy
Next
Edit Policy
Last modified 6mo ago