Task Type: scaleManifest

This policy controls whether a scaleManifest task that is triggered from outside a Spinnaker pipeline (for example, from the ‘Clusters’ tab of an application’s ‘edit’ action) can run.
  • Path: tasks
  • Method: Post
  • Package: spinnaker.http.authz

Compatibility note

Starting in 2.26, the UI has been updated to more closely follow immutable infrastructure principles.

When you navigate to the Infrastructure tab in the UI for an application that has the Kubernetes provider configured, actions that change the Kubernetes infrastructure (such as Create or Delete), including Clusters, Load Balancers, and Firewalls, are no longer available.

Impact

Users do not see these actions in the UI by default. You must configure the UI to display them if you want your users to be able to perform them through the UI. To write policies that control which user roles can see the UI actions and be able to use them, you must enable the actions.

Workaround

Whether or not these actions are available in the UI is controlled by the following property in settings-local.yml:

window.spinnakerSettings.kubernetesAdHocInfraWritesEnabled = <boolean>;

Note that disabling the UI does not completely prevent users from performing these actions. For that, you must create policies.

Set this property to true. Setting the value to false hides the buttons for all users regardless of whether you grant specific users access to the buttons through the Policy Engine.

Example Payload

{
  "input": {
    "body": {
      "application": "hostname",
      "description": "Scale manifest",
      "job": [
        {
          "account": "spinnaker",
          "cloudProvider": "kubernetes",
          "location": "staging",
          "manifestName": "deployment hostname",
          "reason": null,
          "replicas": "5",
          "type": "scaleManifest",
          "user": "myUserName"
        }
      ]
    },
    "method": "POST",
    "path": [
      "tasks"
    ],
    "user": {
      "isAdmin": false,
      "roles": [],
      "username": "myUserName"
    }
  }
}

Example Policy

  • This policy requires users to enter a reason when performing a scale from outside of a pipeline.

    package spinnaker.http.authz
    default message=""
    allow = message==""
    message = "You must provide a reason when scaling a manifest outside of a pipeline."{
          createsTaskOfType("scaleManifest")
          object.get(input.body.job[_],"reason",null)==null
    }
    
    createsTaskOfType(tasktype){
        input.method="POST"
        input.path=["tasks"]
        input.body.job[_].type=tasktype
    }
    
  • This policy prevents non-admin users from initiating a scaleManifest from the ‘clusters’ tab of an application.

    package spinnaker.http.authz
    default message=""
    allow = message==""
    message = "Your role lacks permissions to scale applications outside of pipelines"{
          createsTaskOfType("scaleManifest")
          input.user.isAdmin!=true
    }
    
    createsTaskOfType(tasktype){
        input.method="POST"
        input.path=["tasks"]
        input.body.job[_].type=tasktype
    }
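
The first policy above only denies a request when reason is null or absent, and its type check and reason check each iterate over the job list independently. The following variant is an added example, not part of the original page or Armory's own policies: it binds both checks to the same job entry and also treats an empty or whitespace-only reason as missing. It uses the same pre-1.0 Rego syntax as the policies above; hasReason, base, scale, and the test rules are hypothetical names, and the test inputs are constructed from the example payload.

```rego
package spinnaker.http.authz

default message = ""

allow = message == ""

# Deny when any scaleManifest job in the request lacks a usable reason.
message = "You must provide a reason when scaling a manifest outside of a pipeline." {
    input.method == "POST"
    input.path == ["tasks"]
    job := input.body.job[_]      # bind one job so both checks apply to it
    job.type == "scaleManifest"
    not hasReason(job)
}

# hasReason (hypothetical helper): true only for a non-blank string.
hasReason(job) {
    reason := object.get(job, "reason", null)
    is_string(reason)
    trim_space(reason) != ""
}

# --- Unit tests for `opa test`; keep them in a separate _test.rego file. ---
# Constructed request skeleton modelled on the example payload.
base = {
    "method": "POST",
    "path": ["tasks"],
    "user": {"isAdmin": false, "roles": [], "username": "myUserName"},
}

# scale (hypothetical helper): builds a request with one scaleManifest job.
scale(reason) = req {
    job := {"type": "scaleManifest", "replicas": "5", "reason": reason}
    req := object.union(base, {"body": {"job": [job]}})
}

test_null_reason_denied { not allow with input as scale(null) }

test_blank_reason_denied { not allow with input as scale("   ") }

test_real_reason_allowed { allow with input as scale("load test") }

# A job of another type without a reason is not affected by this rule.
test_other_task_type_allowed {
    req := object.union(base, {"body": {"job": [{"type": "deployManifest"}]}})
    allow with input as req
}
```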
    

Keys

| Key | Type | Description |
|-----|------|-------------|
| input.body.application | string | The name of the application for which the manifest is being scaled. |
| input.body.description | string | Always “Scale Manifest”. |
| input.body.job[].account | string | The name of the account in which the manifest is scaled. |
| input.body.job[].cloudProvider | string | The name of the cloud provider in which the manifest is being scaled. |
| input.body.job[].location | string | The namespace of the manifest being scaled. |
| input.body.job[].manifestName | string | The name of the manifest being scaled. |
| input.body.job[].reason | string | The reason the user entered to explain the change. |
| input.body.job[].replicas | string | The desired number of running pods after scaling. |
| input.body.job[].type | string | Always “scaleManifest” |
| input.body.job[].user | string | The username of the user starting the task. It is recommended to write rules using input.user instead. |
| input.method | string | POST |
| input.path[] | string | ["tasks"] |

input.user

This object provides information about the user performing the action. This can be used to restrict actions by role. See input.user for more information.


Last modified August 18, 2023: (02b163b7)