Jun 28, 2021 by Stephen Atwell
Armory Policy Engine provides support for automating policy compliance with Spinnaker. Policy Engine Plugin is the latest version of Policy Engine and adds support for both advanced role-based access control (RBAC) use-cases and open source Spinnaker. The release of Policy Engine Plugin comes with new documentation, including a library of example policies from across Armory’s customers.
Policy Engine Plugin adds details about the user invoking a task to many policy packages. This makes it possible to, for example, restrict which pipelines a user can edit or execute.
Additionally, two new packages provide role-based information that you can write policy against (spinnaker.http.authz & spinnaker.ui.entitlements.isFeatureEnabled). These new packages allow you to write policies that enable or disable additional Spinnaker functionality based on the user’s role.
The spinnaker.http.authz policy package allows you to write policies that enable or disable Spinnaker’s core APIs and restrict many actions from the UI or from custom API clients.
Use cases for this include restricting functionality or requiring fields that are normally optional in Spinnaker. For example, you can use these policies to restrict the use of the Edit and Delete operations on the Clusters tab of an application. These operations can be used to modify deployed infrastructure from outside of a pipeline. Furthermore, you can restrict these either by Spinnaker account (e.g. allow this functionality for non-production accounts or prevent it for production accounts) or by user role (e.g. allow it for admin users, but deny it for other users).
Whereas spinnaker.http.authz gives you control over API functionality, spinnaker.ui.entitlements.isFeatureEnabled allows you to conditionally hide certain UI elements altogether. Many of Armory’s customers leverage this functionality to hide UI buttons based on role (e.g. restricting which roles can create new projects, or edit the definition of existing projects).
Historically, Policy Engine was only available in Armory Enterprise for Spinnaker. With the release of Policy Engine Plugin, Policy Engine is now available for open source Spinnaker, versions 1.24 and later. This allows you to adopt Armory Policy Engine separately from other Armory features.
Previously, the first step when writing a policy was to capture the policy request that Policy Engine sends to Open Policy Agent. Now, Policy Engine provides documentation for the packages against which you can write policies. This documentation:
Policy Engine Plugin is now available to Armory customers! For more information or a demo, reach out to your Armory Representative today. If you are not an Armory customer and would like to learn more, we would be happy to give you a demo of how Armory can help you implement your policy as code. If you are using an older version of Policy Engine, Armory recommends migrating to Policy Engine Plugin.