Enable the Policy Engine to enforce policies on your Armory Enterprise instance. This page includes information about how to deploy and configure an OPA server, which the Policy Engine requires.
Policy Engine for Armory Enterprise
The Armory Policy Engine is a proprietary feature for Armory Enterprise that is designed to allow enterprises more complete control of their software delivery process by providing you with the hooks necessary to perform extensive verification of pipelines and processes in Armory Enterprise. The Policy Engine uses the Open Policy Agent (OPA) and input style documents to perform validations on the following:
- Save time validation - Validate pipelines as they’re created or modified. Tasks with no policies are not validated.
- Runtime validation - Validate deployments as a pipeline is executing. Tasks with no policies are not validated.
- Entitlements using API Authorization - Requires the Policy Engine Plugin. Enforce restrictions on who can perform certain actions in Armory Enterprise. Note that if you enable policies for API authorization, you must configure who can make API calls or else the API service (Gate) rejects all API calls.
If no policies are configured for these policy checks, all actions are allowed.
The Policy Engine exists as a plugin, which is its newer iteration, and as an extension of Armory Enterprise. The plugin has additional features that are not present in the extension. If you are getting started with the Policy Engine, Armory recommends using the plugin version of the Policy Engine. If you want to migrate from the extension to the plugin, see Migrating to the Policy Engine Plugin.
At a high level, adding policies for the Policy Engine to use is a two-step process:
- Create the policies and save them to a
- Add the policies to the OPA server with a ConfigMap or API request.
These policies are evaluated against the packages that Armory Enterprise services sends between its services. For list of packages that you can write policies against, see Policy Engine Packages, and for example policies that use those packages, see Example Policies
For information about how to use the Policy Engine, see Using the Policy Engine.
Learn how to add policies to your Open Policy Agent (OPA) server for Armory Enterprise to use when it performs validations to make sure your pipelines and users follow policy requirements. This page includes information about what goes into a policy and some basic policies for you to try. There are examples for save time validation, runtime validation, and entitlements.
Was this page helpful?
Thank you for letting us know!
Sorry to hear that. Please tell us how we can improve.
Last modified February 28, 2022: (ad0572a)