Plugins: Example Policies

Mon, 01 Jan 0001 00:00:00 +0000

Requires a reason to be provided for any rollback. (spinnaker.execution.stages.before.undoRolloutManifest )
This policy will prevent scaleManifest stages from running in a pipeline unless it is triggered by a webhook with a source of ‘prometheus’ (spinnaker.execution.stages.before.scaleManifest )
This example policy will prevent execution of any manual judgement stage that can be approved by multiple roles, or for which the approving role is not on a whitelist of approving roles. (spinnaker.execution.stages.before.manualJudgment )
This policy will prevent a pipeline from starting execution of other pipelines unless it waits for them to complete before continuing. (spinnaker.execution.stages.before.pipeline )
This example policy requires delete manifest stages to provide a minimum 2 minute grace period when run in production. (spinnaker.execution.stages.before.deleteManifest )
Requires that baked images are of type hvm. (spinnaker.execution.stages.before.bake )
This policy requires that a set of annotations have been applied to any manifests that are being deployed. Specifically the annotations ‘app’ and ‘owner’ must have been applied. (spinnaker.execution.stages.before.deployManifest )
This policy prevents exposing a set of ports that are unencrypted buy have encrypted alternatives. Specifically this policy prevents exposing HTTP, FTP, TELNET, POP3, NNTP, IMAP, LDAP, and SMTP from a pod, deployment, or replicaset. (spinnaker.execution.stages.before.deployManifest )
This policy checks whether or not the image being approved is on a list of imaged that are approved for deployment. The list of what images are approved must seperately be uploaded to the OPA data document (spinnaker.execution.stages.before.deployManifest )
This policy prevents applications from deploying to namespaces that they are not whitelisted for. (spinnaker.execution.stages.before.deployManifest )
This example disables the use of concourse stages. (spinnaker.execution.stages.before.concourse )
Prevent server groups from being created in production with fewer than 1 instance. (spinnaker.execution.stages.before.createServerGroup )
This example checks the manifest being applied and ensures that it contains a set of required annotations. (spinnaker.execution.stages.before.patchManifest )
This example prevents patchManifest stages from running unless they require recording the patch annotation. (spinnaker.execution.stages.before.patchManifest )
Disables the Configure Application, Create Application, and Create Project buttons in the UI for non-admin users unless they have a particular role. (spinnaker.ui.entitlements.isFeatureEnabled )
Requires a manual approval by the qa role, and a manual approval by the infosec role happen earlier in a pipeline than any deployment to a production account. Production accounts must have been loaded into the OPA data document in an array named production_accounts. ( opa.pipelines )
Only allows applications to deploy to namespaces that are on an allow list. ( opa.pipelines )
Prevents users from saving pipelines that deploy to production unless the pipeline includes a deployment window. Executions outside of that window are not allowed. ( opa.pipelines )
This policy prevents scaling a deployment or replicaset in a production account to have <2 replicas. (spinnaker.deployment.tasks.before.scaleManifest )
This example policy will prevent deleteManifest tasks from running unless they provide a grace period of 30 seconds or more. (spinnaker.deployment.tasks.before.deleteManifest )
Prevents cleanupArtifacts tasks from running on any account in a predefined list. (spinnaker.deployment.tasks.before.cleanupArtifacts )
This example prevents deploying of pods, pod templates (deployments/jobs/replicasets) and services that use the following services: HTTP, FTP, TELNET, POP3, NNTP, IMAP, LDAP, SMTP (spinnaker.deployment.tasks.before.deployManifest )
This policy simply grants all users access to all APIs. It is a good policy to enable on spinnaker.http.authz if you do not need a more complicated policy. (spinnaker.http.authz )
This policy disables the ability to create new applications for non-admin users unless their role is ‘applicationCreators’ (Task Type: createApplication )
This policy disables the ability to create new applications, or update existing applications unless the applications have specified at least 1 role with ‘write’ permissions. (Task Type: createApplication )
This example will prevent users from deleting deployed manifests from production accounts on the ‘Clusters’ tab of the spinnaker UI. (Task Type: deleteManifest )
This policy prevents requires users to enter a reason when performing a scale from outside or a pipeline. (Task Type: scaleManifest )
This policy prevents non-admin users from initiating a scaleManifest from the ‘clusters’ tab of an application. (Task Type: scaleManifest )
This policy disables the ability to create new applications, or update existing applications unless the applications have specified at least 1 role with ‘write’ permissions. (Task Type: updateApplication )
Prevents editing manifests from outside of a pipeline on production accounts. (Task Type: deployManifest )
Restrict which named users can edit which pipelines for which applications. Any pipeline not explicitly specified in the policy is editable as usual. ( spinnaker.execution.stages.before.savePipeline )

Plugins: Policy Engine Packages

Mon, 01 Jan 0001 00:00:00 +0000

Packages

The following is an index of key / value pairs for each of the packages Spinnaker provides to OPA. Use these as reference to create your own policies.

Armory Docs – How to Use the Policy Engine

Plugins: Example Policies

Plugins: Policy Engine Packages

Packages