Create Policy
Policies help you maintain strict guidelines for a deployment pipeline: when a user creates an application in Spinnaker, a policy validates the application configuration.
Policies are of two types:
- 1. Static Policy: A policy that is enforced at all times.
- 2. Runtime Policy: A policy that can only take effect while running a pipeline.
To create a new policy follow the steps below:
- 1. From the ISD application dashboard, click "Setup" and then click "Policies" to access the policies page, where you can create, edit and delete policies.
- 2. From the "Policies" page, click the "New Policy" button to create a policy as shown in the image below.
- 3. The New Policy creation screen appears. Select the policy type from the drop-down as shown below. Static Policies can be created/edited only by Administrators. Runtime Policies can be created/edited by Developers. Enter the following details:
- Name: Enter the Name of the policy in the text box.
- Policy Type: Select the Policy type from the drop-down.
- Policy Engine: Select the Policy Engine as OPA from the drop-down.
- Policy Engine Account: Select the Policy Engine Account from the drop-down.
- Policy Description: Enter the Policy Description in the text box.
- Policy File: Select and add any available Policy file.
- 4. Enter the Policy Details in the text box and click “Save & Finish” to create the policy. Users can restrict the group permission to access this policy by enabling the “Policy permissions” as shown in the image below.
Note: The repository contains a collection of sample policies that can be used with OpsMx ISD. Refer to the below link to view the sample policies.

GitHub - OpsMx/policy-as-code-examples: Collection of policy as code examples
Here are a couple of examples from the repository:
- Static Policy to restrict image source while a pipeline is being saved

```rego
######
# IF
#   application named "sampleapp"
#   deploying to an account "production"
# THEN
#   The image, if present MUST start with "docker.opsmx.com"
#
# Other applications/pipelines can be saved without these restrictions
package opa.spinnaker.pipelines.new

deny[msg] {
    count(input.new.stages) > 0
    input.new.application == "sampleapp"
    input.new.stages[_].account == "production"
    images := input.new.stages[_].manifests[_].spec.template.spec.containers[_].image
    not startswith(images, "docker.opsmx.com/")
    msg := sprintf("[%v] being deployed to be from docker.opsmx.com", [images])
}
```
- Dynamic policy that verifies the deployment is not happening during a blackout window

```rego
# This policy verifies the deployment is not happening during a blackout window.
# The blackout window can be configured by changing hour
package opa.pipelines.datetimeslot

deny["Pipeline has no start time"] {
    startTime := input.startTime
    startTime == 0
}

weekday {
    day := time.weekday(time.now_ns())
    day != "Saturday"
    day != "Sunday"
}

deny["No deployments allowed between 09am - 04pm on weekdays"] {
    tz = "Africa/Lagos"
    [hour, minute, second] := time.clock([time.now_ns(), tz])
    hour >= 9
    hour < 16
    weekday
}
```
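Before enforcing the static image-source policy above, it helps to pin down its behaviour with OPA unit tests. The following is an added example, not code from this page or from the OpsMx repository; the test package name, the `stage` and `request` helpers and all image names are constructed for illustration, and the syntax matches the pre-1.0 Rego used in the samples above.

```rego
package opa.spinnaker.pipelines.new_test

import data.opa.spinnaker.pipelines.new as policy

# Constructed stage: one manifest with a single container image.
stage(account, image) = {
    "account": account,
    "manifests": [{"spec": {"template": {"spec": {"containers": [{"image": image}]}}}}],
}

# Constructed save request in the shape the policy reads (input.new.*).
request(app, stages) = {"new": {"application": app, "stages": stages}}

test_untrusted_registry_denied {
    req := request("sampleapp", [stage("production", "registry.example.net/app:1.0")])
    count(policy.deny) == 1 with input as req
}

test_trusted_registry_allowed {
    req := request("sampleapp", [stage("production", "docker.opsmx.com/team/app:1.0")])
    count(policy.deny) == 0 with input as req
}

# The policy compares against "docker.opsmx.com/" including the trailing slash,
# so a host that merely begins with the same characters is still denied.
test_lookalike_host_denied {
    req := request("sampleapp", [stage("production", "docker.opsmx.com.example.net/app:1.0")])
    count(policy.deny) == 1 with input as req
}

# Only "sampleapp" is restricted; other applications save without the check.
test_other_application_not_restricted {
    req := request("otherapp", [stage("production", "registry.example.net/app:1.0")])
    count(policy.deny) == 0 with input as req
}

# Account and image are matched with separate `_` iterations, so once any stage
# targets "production", an untrusted image in any other stage is denied as well.
test_untrusted_image_in_other_stage_denied {
    req := request("sampleapp", [
        stage("production", "docker.opsmx.com/team/app:1.0"),
        stage("staging", "registry.example.net/app:1.0"),
    ])
    count(policy.deny) == 1 with input as req
}
```

Place the file next to the policy and run `opa test . -v`; OPA 1.0 and later need `--v0-compatible` to accept this syntax.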