Skip to main content

Pipeline Policies With Spinnaker

May 29, 2019 by Isaac Mosquera

A pattern we’ve noticed working with large enterprises and Spinnaker is that compliance & security is a critical concern to on-boarding applications and developers. For these customers to on-board applications onto Spinnaker they must have security and compliance enforcement across their pipelines. There is an opportunity to solve this as a part of Spinnaker.

Customer problem

Spinnaker gives developers and users a great deal of control across their software delivery pipeline and infrastructure for their apps.  While there is a strong desire to achieve service-ownership it is challenging to hand over full control until there are compliance guarantees in place.  This causes bottlenecks in adoption because any changes to Spinnaker such as adding applications & pipelines must go through a central team.  Below are some of the use-cases covered in our initial customer discovery:

  • Conform to best practices by requiring certain stages and attributes (ex: security stage is required or certain namespace) (demo below)
  • Enforce certain thresholds within stages  (ex: failure rate of QA test stage cannot exceed x)
  • Validate a Terraform HCL or plan file against defined policy
  • Blacklist or Whitelist of accounts/targets/infra that a user can target
  • RBAC, Authz
  • Must include a particular pipelines as code module
  • Service Roles for services like Igor so that it can only fetch the appropriate credentials.
  • Avoid exposing unprotected resources (ex: s3) as a part of software delivery
  • Best practice policies to apply to software delivery to achieve Fedramp, ISO2700, SOX, PCI compliance
  • Globally applicable policy for a definition of done for all pipelines

Demo & Solution

Our solution relies on OPA, the policy agent used for the Admission Controller in Kubernetes.  This allows for defining arbitrary policies against the pipeline JSON in Spinnaker and, in the future, against its execution context.  The demo below focuses on our first use case:

Conform to best practices by requiring certain stages and attributes

If you’re interested in testing this policy engine with us or have feedback please reach out: https://www.armory.io/contact-us/

Recently Published Posts

October 26, 2021
|
by Stephen Atwell

How to Take the Pain of Rollbacks out of Deployments

  Software applications have become an integral part of the business climate in most modern organizations. With an ever-increasing demand for new features and enhancement of already-existing ones, software teams constantly face novel challenges, and the pace of software development is growing by the day. To keep up with this fast-paced business climate, software teams […]

Read more

October 20, 2021
|
by Jason McIntosh

Monitoring Spinnaker: Part 1

Overview One of the questions that comes up a lot is how you monitor Spinnaker itself.  Not the apps Spinnaker is deploying, but Spinnaker itself and how it’s performing.  This is a question that has a lot of different answers. There are a few guidelines, but many of the answers are the same as how […]

Read more

October 18, 2021
|
by David Morgenthaler

The Importance of Patents: Interview with Nick Petrella, Head of Legal

    In honor of Armory’s recent acquisition of a patent for continuous software deployment, we sat down with Nick Petrella, Head of Legal, for a casual conversation covering a wide range of subjects, from patent law to Nick’s background as a software engineer and why he made the leap to the law. Check out […]

Read more