Create Policy

Policies help you maintain strict guidelines for a deployment pipeline by letting users validate the application configuration against a policy when creating an application in Spinnaker.

Policies are of two types:

  1. Static Policy: A policy that is enforced at all times.

  2. Runtime Policy: A policy that can only take effect while running a pipeline.

Create Policy

To create a new policy follow the steps below:

  1. From the ISD application dashboard, click Setup and then click Policies to access the policies page, where you can create, edit and delete the policies.

  2. On the Policies page, click the New Policy button to create a policy, as shown in the image below.

  3. The New Policy creation screen appears. Select the policy type from the drop-down as shown below:

    Static Policies can be created/edited only by the Administrators.

    Runtime Policies can be created/edited by the Developers.

    Enter the following details:

    • Name: Enter the Name of the policy in the text box.

    • Policy Type: Select the Policy type from the drop-down.

    • Policy Engine: Select the Policy Engine as OPA from the drop-down.

    • Policy Engine Account: Select the Policy Engine Account from the drop-down.

    • Policy Description: Enter the Policy Description in the text box.

    • Policy File: Select and add any available Policy file.

  4. Enter the Policy Details in the text box and click Save & Finish to create the policy. Users can restrict the group permission to access this policy by enabling the Policy permissions as shown in the image below.

Note: The repository contains a collection of sample policies that can be used with OpsMx ISD. Refer to the below link to view the sample policies.

Examples from the repository

Here are a couple of examples from the repository:

  • Static Policy to restrict image source while a pipeline is being saved

    ######
    # IF
    #   application named "sampleapp"
    #   deploying to an account "production"
    # THEN
    #   The image, if present, MUST start with "docker.opsmx.com/"
    #
    # Other applications/pipelines can be saved without these restrictions
    package opa.spinnaker.pipelines.new

    deny[msg] {
       # Only evaluate pipelines that have at least one stage
       count(input.new.stages)>0
       input.new.application == "sampleapp"
       # At least one stage deploys to the "production" account
       input.new.stages[_].account == "production"

       # Each container image found in any stage manifest is checked in turn
       images := input.new.stages[_].manifests[_].spec.template.spec.containers[_].image
       # The trailing "/" makes the registry host match exactly
       not startswith(images, "docker.opsmx.com/")
       msg := sprintf("[%v] being deployed to be from docker.opsmx.com", [images])
    }

  • Dynamic policy that verifies the deployment is not happening during a blackout window

    # This policy verifies the deployment is not happening during a blackout window.
    # The blackout window can be configured by changing hour

    package opa.pipelines.datetimeslot

    deny["Pipeline has no start time"] {
        startTime := input.startTime
        startTime == 0
    }

    weekday {
        day := time.weekday(time.now_ns())
        day != "Saturday"
        day != "Sunday"
    }

    deny["No deployments allowed between 09am - 04pm on weekdays"] {
        tz = "Africa/Lagos"
        [hour, minute, second] := time.clock([time.now_ns(), tz])

        hour >= 9
        hour < 16
        weekday
    }
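
Before uploading a policy file, it helps to pin down exactly which pipelines it denies. The following is an added example, not part of the OpsMx sample repository: a Rego unit test file for the static image-source policy above. The helper functions `stage` and `pipeline`, the image names and the account names other than "production" are constructed for illustration.

```rego
# Added example: unit tests for the static image-source policy shown above.
# Not from the OpsMx sample repository; every input document is constructed.
package opa.spinnaker.pipelines.new

# Hypothetical helpers that build the minimal input shape the policy reads.
stage(account, image) = {
    "account": account,
    "manifests": [{"spec": {"template": {"spec": {"containers": [{"image": image}]}}}}]
}

pipeline(app, stages) = {"new": {"application": app, "stages": stages}}

test_trusted_registry_allowed {
    inp := pipeline("sampleapp", [stage("production", "docker.opsmx.com/team/api:1.4")])
    count(deny) == 0 with input as inp
}

test_untrusted_registry_denied {
    inp := pipeline("sampleapp", [stage("production", "docker.io/library/nginx:latest")])
    count(deny) == 1 with input as inp
}

# A lookalike host shares the "docker.opsmx.com" prefix; the trailing "/" in the
# policy's startswith() check is what rejects it.
test_lookalike_registry_denied {
    inp := pipeline("sampleapp", [stage("production", "docker.opsmx.com.example.net/api:1")])
    count(deny) == 1 with input as inp
}

# The two `stages[_]` references iterate independently: one production stage
# brings the images of every stage in the pipeline into scope.
test_any_production_stage_scopes_all_images {
    inp := pipeline("sampleapp", [
        stage("staging", "docker.io/library/nginx:latest"),
        stage("production", "docker.opsmx.com/team/api:1.4")
    ])
    count(deny) == 1 with input as inp
}

test_other_application_not_restricted {
    inp := pipeline("otherapp", [stage("production", "docker.io/library/nginx:latest")])
    count(deny) == 0 with input as inp
}
```

Run it with `opa test` against the policy file and this test file together; on OPA 1.0 or later add `--v0-compatible`, because the sample policies use the pre-1.0 rule syntax.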

To know more about policy as code, refer here.
