Skip to main content
Version: Next

policies

Policy

A Policy resource defines a policy evaluating the verification results for a subject.

View more CRD samples here. The metadata.name MUST be set to ratify-policy for Ratify to apply. Ratify will ensure that only one policy is actively under evaluation by limiting the metadata.name to ratify-policy.

Table of Contents

Scope

Policies can be defined as cluster-wide resources(using the kind Policy) or namespaced resources(using the kind NamespacedPolicy).

Namespaced policies will only apply to the namespace in which they are defined. If a verification request targeting a namespace cannot find a policy in required namespace, it will look up the cluster-wide policies.

Cluster-wide policies are applied as the default global policy if no namespaced policy is specified in required namespace.

Common properties

apiVersion: config.ratify.deislabs.io/v1beta1
kind: Policy # NamespacedPolicy has the same spec.
metadata:
name: "ratify-policy"
spec:
type: "rego-policy"
parameters: required. Parameters specific to this policy

Note: spec.type MUST be config-policy or rego-policy per the usage.

Configuration guidelines

config-policy

Example

apiVersion: config.ratify.deislabs.io/v1beta1
kind: Policy
metadata:
name: "ratify-policy"
spec:
type: "config-policy"
parameters:
artifactVerificationPolicies:
"application/vnd.cncf.notary.signature": "any"
default: "any"
NameRequiredDescriptionDefault Value
artifactVerificationPoliciesyesMap of artifact type to policy; each entry in the map's policy must be satisfied for Ratify to return true""
defaultnoThe default policy applies to unspecified artifact types."all"
application/vnd.cncf.notary.signaturenoIt could be any artifact type that is supported by Ratify.There is no default value, users must specify any or all

rego-policy

Template

apiVersion: config.ratify.deislabs.io/v1beta1
kind: Policy
metadata:
name: "ratify-policy"
spec:
spec: "rego-policy"
parameters:
passthroughEnabled: # OPTIONAL: [boolean], If set to true, Ratify will NOT make the decision but pass verifier reports to Gatekeeper.
policy: # OPTIONAL: [string], Rego policy query.
policyPath: # OPTIONAL: [string], The path to the policy file if policy is mounted as a volume
NameRequiredDescriptionDefault Value
passthroughEnabldnoIf set to true, Ratify will NOT make the decision but pass verifier reports to Gatekeeper.false
policynoRego policy query. Either policy or policyPath should be set, with policy taking precedence over policyPath.""
policyPathnoThe path to the policy file if policy is mounted as a volume.""

Example

Sample spec:

apiVersion: config.ratify.deislabs.io/v1beta1
kind: Policy
metadata:
name: "ratify-policy"
spec:
spec: "rego-policy"
parameters:
passthroughEnabled: false
policy: |
package ratify.policy

default valid := false

# all artifacts MUST be valid
valid {
not failed_verify(input)
}

# all reports MUST pass the verification
failed_verify(reports) {
[path, value] := walk(reports)
value == false
path[count(path) - 1] == "isSuccess"
}

# each artifact MUST have at least one report
failed_verify(reports) {
[path, value] := walk(reports)
path[count(path) - 1] == "verifierReports"
count(value) == 0
}
NameRequiredDescriptionDefault Value
passthroughEnablednoIf set to true, Ratify will NOT make the decision but pass verifier reports to Gatekeeper.false
policynoThe policy language that defines the policy.""
policyPathnoThe path to the policy file if policy is mounted as a volume""

Please refer to the Rego Templates for more examples on writing rego policies.