Pipeline Policies With Spinnaker

May 29, 2019 by Isaac Mosquera

A pattern we’ve noticed working with large enterprises and Spinnaker is that compliance & security is a critical concern to on-boarding applications and developers. For these customers to on-board applications onto Spinnaker they must have security and compliance enforcement across their pipelines. There is an opportunity to solve this as a part of Spinnaker.

Customer problem

Spinnaker gives developers and users a great deal of control across their software delivery pipeline and infrastructure for their apps.  While there is a strong desire to achieve service-ownership it is challenging to hand over full control until there are compliance guarantees in place.  This causes bottlenecks in adoption because any changes to Spinnaker such as adding applications & pipelines must go through a central team.  Below are some of the use-cases covered in our initial customer discovery:

  • Conform to best practices by requiring certain stages and attributes (ex: security stage is required or certain namespace) (demo below)
  • Enforce certain thresholds within stages  (ex: failure rate of QA test stage cannot exceed x)
  • Validate a Terraform HCL or plan file against defined policy
  • Blacklist or Whitelist of accounts/targets/infra that a user can target
  • RBAC, Authz
  • Must include a particular pipelines as code module
  • Service Roles for services like Igor so that it can only fetch the appropriate credentials.
  • Avoid exposing unprotected resources (ex: s3) as a part of software delivery
  • Best practice policies to apply to software delivery to achieve Fedramp, ISO2700, SOX, PCI compliance
  • Globally applicable policy for a definition of done for all pipelines

Demo & Solution

Our solution relies on OPA, the policy agent used for the Admission Controller in Kubernetes.  This allows for defining arbitrary policies against the pipeline JSON in Spinnaker and, in the future, against its execution context.  The demo below focuses on our first use case:

Conform to best practices by requiring certain stages and attributes

If you’re interested in testing this policy engine with us or have feedback please reach out: https://www.armory.io/contact-us/

Recently Published Posts

Reduce the Blast Radius of a Bad Deployment with Automated Canary Analysis

May 23, 2022

Software deployment processes differ across organizations, teams, and applications. The most basic, and perhaps the riskiest, is the “big bang deployment.” This strategy updates all nodes within the target environment simultaneously with the new software version. This deployment strategy causes many issues, including potential downtime or other issues while the update is in progress. It […]

Read more

Reliable and Automatic Multi-Target Deployments

May 16, 2022

Multi-target deployments can feel tedious as you deploy the same code over and over to multiple clouds and environments — and none of them in the same way. With an automatic multi-target deployment tool, on the other hand, you do the work once and deliver your code everywhere it needs to be. Armory provides an […]

Read more

Learning out Loud: KubeCon EU edition

May 11, 2022

KubeCon+CloudNativeCon EU is one of the world’s largest tech conferences. Here, users, developers, and companies who have and intend to adopt the Cloud Native standard of running applications with Kubernetes in their organizations come together for 5 days. From May 16-20, 2022, tech enthusiasts will congregate both virtually and in person in Valencia, Spain to […]

Read more