forked from chainloop-dev/chainloop
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(docs): document policy groups (chainloop-dev#1489)
Signed-off-by: Jose I. Paris <[email protected]>
- Loading branch information
Showing
1 changed file
with
66 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -195,3 +195,69 @@ For example | |
|
|
||
| ## How to write a Chainloop policy in Rego | ||
| Check [this how-to](/guides/rego-policies) to know how you can write Chainloop policies in [Rego language](https://www.openpolicyagent.org/docs/latest/policy-language/#learning-rego). | ||
|
|
||
|
|
||
| ## Policy Groups | ||
|
|
||
| This feature allow operators to group related policies into one single entity that can be reused across the organization. | ||
| With Policy Groups, materials and policies can be enforced in Chainloop contracts with little or no effort. | ||
|
|
||
| For example, they might want to create a "SBOM quality" group with some SBOM-related policies. The policy groups can be defined this way: | ||
| ```yaml | ||
| # sbom-quality.yaml | ||
| apiVersion: workflowcontract.chainloop.dev/v1 | ||
| kind: PolicyGroup | ||
| metadata: | ||
| name: sbom-quality | ||
| description: This policy group applies a number of SBOM-related policies | ||
| annotations: | ||
| category: SBOM | ||
| spec: | ||
| inputs: | ||
| - name: bannedLicenses | ||
| description: comma separated list of licenses to ban | ||
| required: true | ||
| - name: bannedComponents | ||
| description: comma separated list of components to ban | ||
| required: true | ||
| policies: | ||
| materials: | ||
| - name: sbom | ||
| type: SBOM_CYCLONEDX_JSON | ||
| policies: | ||
| - ref: sbom-banned-licenses | ||
| with: | ||
| licenses: {{ inputs.bannedLicenses }} | ||
| - ref: sbom-banned-components | ||
| with: | ||
| components: {{ inputs.bannedComponents }} | ||
| ``` | ||
|
|
||
| ### Using Policy Groups | ||
|
|
||
| This policy group could be applied to any contract: | ||
| ```yaml | ||
| schemaVersion: v1 | ||
| materials: [] | ||
| policyGroups: | ||
| - ref: file://groups/sbom-quality-group.yaml | ||
| with: | ||
| bannedComponents: [email protected] | ||
| bannedLicenses: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-3.0-only, AGPL-3.0-or-later | ||
| ``` | ||
|
|
||
| As we introduced earlier, policy groups define both materials and policies applied to them. Once they are included to a contract, | ||
| they become part of the contract. From this point of view, they can be seen as subcontracts. | ||
|
|
||
| ### Policy group parameters | ||
|
|
||
| In the same way as [policies](policies#policy-arguments), groups can accept arguments, which are specified in the `inputs` section. | ||
| Then those inputs can be passed down to policies using interpolation. | ||
|
|
||
| In the example above, `bannedComponents` input parameter (which is mandatory) is passed to the underlying policy with the expression `{{ inputs.banneComponents }}` | ||
| ```yaml | ||
| - ref: sbom-banned-components | ||
| with: | ||
| components: {{ inputs.bannedComponents }} | ||
| ``` | ||
|
|
||