In this lab we will install Armory Enterprise with OPA (Open Policy Agent). We will configure OPA to prevent the creation of pipelines without at least one manual judgment step.
If a pipeline doesn’t have at least one manual judgment step, the pipeline will not be able to be saved.
This manual judgment OPA logic is a basic “hello world” style example. After creating this configuration we will go through examples of more complex OPA logic and will choose interesting ones to try out together.
kubectl delete ns spinnakerkubectl create ns spinnakercurl -LO https://dl.k8s.io/release/v1.19.0/bin/linux/amd64/kubectlchmod +x kubectlcd spinnaker-kustomize-patches/secrets; ./create-secrets.shconfigMapGenerator:
# ConfigMap holding OPA policy definitions to use by Armory's policy engine. Required by patch-policyengine.yml
- name: spin-policies
files:
- armory/policies/manual-judgement.rego~/kubectl apply -k /home/ec2-user/spinnaker-kustomize-patcheswatch kubectl get pods -n spinnakerkubectl edit configmap spin-policies-dc79h66kbm -n spinnaker
remove the 1 := 0, it is a rego null valuekubectl get svc spin-deck -n spinnaker Now you can test it, Armory’s engine would not allow any application without Manual Judgement step.
Create an application in your spinnaker installation
Create a pipeline in your application
Try to save a pipeline without a manual judgment
Notice that the pipeline can not be saved due to the Open Policy Agent preventing it.
OPA Rules/Policies
kubectl -n spinnaker create configmap manual-judgment --from-file=manual-judgment.rego
kubectl -n spinnaker label configmap manual-judgment openpolicyagent.org/policy=regohttps://docs.armory.io/docs/armory-admin/policy-engine/policy-engine-use/example-policies/