Example Policies

This page collects and indexes all the example poplicies in the Policy Engine package documentation.

Requires a reason to be provided for any rollback. ( spinnaker.execution.stages.before.undoRolloutManifest )
This policy will prevent scaleManifest stages from running in a pipeline unless it is triggered by a webhook with a source of ‘prometheus’ ( spinnaker.execution.stages.before.scaleManifest )
This example policy will prevent execution of any manual judgement stage that can be approved by multiple roles, or for which the approving role is not on a whitelist of approving roles. ( spinnaker.execution.stages.before.manualJudgment )
This policy will prevent a pipeline from starting execution of other pipelines unless it waits for them to complete before continuing. ( spinnaker.execution.stages.before.pipeline )
This example policy requires delete manifest stages to provide a minimum 2 minute grace period when run in production. ( spinnaker.execution.stages.before.deleteManifest )
Requires that baked images are of type hvm. ( spinnaker.execution.stages.before.bake )
This policy requires that a set of annotations have been applied to any manifests that are being deployed. Specifically the annotations ‘app’ and ‘owner’ must have been applied. ( spinnaker.execution.stages.before.deployManifest )
This policy prevents exposing a set of ports that are unencrypted buy have encrypted alternatives. Specifically this policy prevents exposing HTTP, FTP, TELNET, POP3, NNTP, IMAP, LDAP, and SMTP from a pod, deployment, or replicaset. ( spinnaker.execution.stages.before.deployManifest )
This policy checks whether or not the image being approved is on a list of imaged that are approved for deployment. The list of what images are approved must seperately be uploaded to the OPA data document ( spinnaker.execution.stages.before.deployManifest )
This policy prevents applications from deploying to namespaces that they are not whitelisted for. ( spinnaker.execution.stages.before.deployManifest )
This example disables the use of concourse stages. ( spinnaker.execution.stages.before.concourse )
Prevent server groups from being created in production with fewer than 1 instance. ( spinnaker.execution.stages.before.createServerGroup )
This example checks the manifest being applied and ensures that it contains a set of required annotations. ( spinnaker.execution.stages.before.patchManifest )
This example prevents patchManifest stages from running unless they require recording the patch annotation. ( spinnaker.execution.stages.before.patchManifest )
Disables the Configure Application, Create Application, and Create Project buttons in the UI for non-admin users unless they have a particular role. ( spinnaker.ui.entitlements.isFeatureEnabled )
Requires a manual approval by the qa role, and a manual approval by the infosec role happen earlier in a pipeline than any deployment to a production account. Production accounts must have been loaded into the OPA data document in an array named production_accounts. ( opa.pipelines )
Only allows applications to deploy to namespaces that are on an allow list. ( opa.pipelines )
Prevents users from saving pipelines that deploy to production unless the pipeline includes a deployment window. Executions outside of that window are not allowed. ( opa.pipelines )
This policy prevents scaling a deployment or replicaset in a production account to have <2 replicas. ( spinnaker.deployment.tasks.before.scaleManifest )
This example policy will prevent deleteManifest tasks from running unless they provide a grace period of 30 seconds or more. ( spinnaker.deployment.tasks.before.deleteManifest )
Prevents cleanupArtifacts tasks from running on any account in a predefined list. ( spinnaker.deployment.tasks.before.cleanupArtifacts )
This example prevents deploying of pods, pod templates (deployments/jobs/replicasets) and services that use the following services: HTTP, FTP, TELNET, POP3, NNTP, IMAP, LDAP, SMTP ( spinnaker.deployment.tasks.before.deployManifest )
This policy simply grants all users access to all APIs. It is a good policy to enable on spinnaker.http.authz if you do not need a more complicated policy. ( spinnaker.http.authz )
This policy disables the ability to create new applications for non-admin users unless their role is ‘applicationCreators’ ( Task Type: createApplication )
This policy disables the ability to create new applications, or update existing applications unless the applications have specified at least 1 role with ‘write’ permissions. ( Task Type: createApplication )
This example will prevent users from deleting deployed manifests from production accounts on the ‘Clusters’ tab of the spinnaker UI. ( Task Type: deleteManifest )
This policy prevents requires users to enter a reason when performing a scale from outside or a pipeline. ( Task Type: scaleManifest )
This policy prevents non-admin users from initiating a scaleManifest from the ‘clusters’ tab of an application. ( Task Type: scaleManifest )
This policy disables the ability to create new applications, or update existing applications unless the applications have specified at least 1 role with ‘write’ permissions. ( Task Type: updateApplication )
Prevents editing manifests from outside of a pipeline on production accounts. ( Task Type: deployManifest )

Feedback

Was this page helpful?

Thank you for letting us know!

Sorry to hear that. Please tell us how we can improve.

Last modified August 19, 2021: (e38de5f)