Announcing General Availability of Armory Policy Engine Plugin

Jun 28, 2021 by Stephen Atwell

Armory Policy Engine provides support for automating policy compliance with Spinnaker. Policy Engine Plugin is the latest version of Policy Engine and adds support for both advanced role-based access control (RBAC) use cases and open source Spinnaker. The release of Policy Engine Plugin comes with new documentation, including a library of example policies from across Armory’s customers.

Make policies apply to specific roles

Policy Engine Plugin adds details about the user invoking a task to many policy packages. This makes it possible to, for example, restrict which pipelines a user can edit or execute.

Additionally, two new packages, spinnaker.http.authz and spinnaker.ui.entitlements.isFeatureEnabled, provide role-based information that you can write policy against. These new packages allow you to write policies that enable or disable additional Spinnaker functionality based on the user’s role.

Control API endpoints

The spinnaker.http.authz policy package allows you to write policies that enable or disable Spinnaker’s core APIs and restrict many actions from the UI or from custom API clients.

Use cases for this include restricting functionality or requiring fields that are normally optional in Spinnaker. For example, you can use these policies to restrict the use of the Edit and Delete operations on the Clusters tab of an application. These operations let users modify deployed infrastructure from outside of a pipeline. Furthermore, you can restrict them either by Spinnaker account (e.g. allow this functionality for non-production accounts or prevent it for production accounts) or by user role (e.g. allow it for admin users, but deny it for other users).

Completely hide functionality from a subset of users

Whereas spinnaker.http.authz gives you control over API functionality, spinnaker.ui.entitlements.isFeatureEnabled allows you to conditionally hide certain UI elements altogether. Many of Armory’s customers leverage this functionality to hide UI buttons based on role (e.g. restricting which roles can create new projects or edit the definition of existing projects).

Available for open source Spinnaker

Historically, Policy Engine was only available in Armory Enterprise for Spinnaker. With the release of Policy Engine Plugin, Policy Engine is now available for open source Spinnaker, versions 1.24 and later. This allows you to adopt Armory Policy Engine separately from other Armory features.

Accelerate policy implementation

Previously, the first step when writing a policy was to capture the policy request that Policy Engine sends to Open Policy Agent. Now, Policy Engine provides documentation for the packages against which you can write policies. This documentation:

  • Provides descriptions of the fields available to your policy and a sample payload against which you can develop your policy.
  • Includes both the packages that are new to Policy Engine Plugin and the packages that predate the plugin version of Policy Engine.
  • Provides a collection of example policies that you can leverage as a starting point.
  • Simplifies the process of developing new policies and accelerates policy implementation.

Getting started

Policy Engine Plugin is now available to Armory customers! For more information or a demo, reach out to your Armory Representative today. If you are not an Armory customer and would like to learn more, we would be happy to give you a demo of how Armory can help you implement your policy as code. If you are using an older version of Policy Engine, Armory recommends migrating to Policy Engine Plugin.
