Skip to main content

Pipeline Policies With Spinnaker

A pattern we’ve noticed working with large enterprises and Spinnaker is that compliance & security is a critical concern to on-boarding applications and developers. For these customers to on-board applications onto Spinnaker they must have security and compliance enforcement across their pipelines. There is an opportunity to solve this as a part of Spinnaker.

Customer problem

Spinnaker gives developers and users a great deal of control across their software delivery pipeline and infrastructure for their apps.  While there is a strong desire to achieve service-ownership it is challenging to hand over full control until there are compliance guarantees in place.  This causes bottlenecks in adoption because any changes to Spinnaker such as adding applications & pipelines must go through a central team.  Below are some of the use-cases covered in our initial customer discovery:

  • Conform to best practices by requiring certain stages and attributes (ex: security stage is required or certain namespace) (demo below)
  • Enforce certain thresholds within stages  (ex: failure rate of QA test stage cannot exceed x)
  • Validate a Terraform HCL or plan file against defined policy
  • Blacklist or Whitelist of accounts/targets/infra that a user can target
  • RBAC, Authz
  • Must include a particular pipelines as code module
  • Service Roles for services like Igor so that it can only fetch the appropriate credentials.
  • Avoid exposing unprotected resources (ex: s3) as a part of software delivery
  • Best practice policies to apply to software delivery to achieve Fedramp, ISO2700, SOX, PCI compliance
  • Globally applicable policy for a definition of done for all pipelines

Demo & Solution

Our solution relies on OPA, the policy agent used for the Admission Controller in Kubernetes.  This allows for defining arbitrary policies against the pipeline JSON in Spinnaker and, in the future, against its execution context.  The demo below focuses on our first use case:

Conform to best practices by requiring certain stages and attributes

If you’re interested in testing this policy engine with us or have feedback please reach out: https://www.armory.io/contact

May 4, 2021
|
by Nikema Prophet

What Does It Mean To Deliver Software At The #SpeedOfLife?

In this blog post, I’m excited to announce the #SpeedOfLife campaign that I will be leading for the month of May. I’m looking forward to getting to know more of the awesome people who make up our DevOps community. What is #SpeedOfLife? #SpeedOfLife is a social campaign meant to highlight users and experts in the […]

Read more

April 23, 2021
|
by Chad Tripod

Armory Enterprise install in 10 minutes

I was introduced to Armory and the open-source project Spinnaker a little over 18 months ago.  Up to that point, I’d worked with numerous open-source and proprietary software and was a specialist in application delivery and data analytics.  I immediately found out that Spinnaker was the continuous delivery platform of choice for many large scale […]

Read more

April 21, 2021
|
by Nikema Prophet

#NikemaLearns About AWS – #4 Officially AWS Certified

I’m an AWS Certified Cloud Practitioner! I took the exam and I passed. I fell behind on blog updates starting about a month ago but I studied up until the day before the test. I was somewhat disappointed in myself for not keeping my schedule but in the end, I passed and that was the […]

Read more