The GitHub Action integration allows you to implement policies across multiple clusters by using the Shipa policy frameworks.

The example below shows the different options you can leverage when creating a policy framework using GitHub Actions:

framework:
  name: dev-policy
  resources:
    general:
      setup:
        provisioner: kubernetes
        default: false
        kubernetesNamespace: namespace-name
        public: false
      security:
        disableScan: true
        ignoreComponents: ["apt", "bash", "..."]
        ignoreCves: ["CVE-2020-27350", "CVE-2011-3374", "..."]
      router: ngnix
      nodeSelectors:
        terms:
          environment: team1
          os: linux
        strict: true
      podAutoScaler:
        minReplicas: 1
        maxReplicas: 10
        targetCPUUtilizationPercentage: 50
        disableAppOverride: true
      domainPolicy:
        allowedCnames:
          - "*.shipa.io"
          - "*.devshipa.io"
      appAutoDiscovery:
        appSelector:
          - label: app
        suffix: ""
      access:
        append: ["shipa-team"]
      plan:
        name: "shipa-plan"  
      networkPolicy:
        ingress:
          policy_mode: allow-custom-rules-only
          custom_rules:
            - id: gateway
              enabled: true
              description: gateway rule
              allowed_frameworks:
                - cinema-gateway
        egress:
          policy_mode: allow-all
        disableAppPolicies: false
      containerPolicy:
        allowedHosts: ["docker.io/shipasoftware", "docker.io/shiparepo"]

Top-Level Attributes

Here are the attributes that provide top-level information about each component definition.

Component	Type	Description
name	string	The policy framework name
resources	resources

Resources

Component	Type	Description
general	general	General policy framework config definition.

General

Component	Type	Description
setup	setup	Setup defines the basic information required by Shipa to set up your policy framework so applications can be properly deployed through it and how this framework will be exposed to teams inside Shipa.
security	security	The definition of security scan levels and exceptions, if any, that Shipa should run when applications are deployed through the policy framework.
router	router	The ingress controller that should be used by Shipa when applications are deployed through this framework. Options: traefik istio ngnix Default: If not entered, Shipa will automatically install and configure an NGNIX controller.
nodeSelector	nodeSelector	limits which nodes can be used when applications are deployed using the framework.
podAutoScaler	podAutoScaler	implements default autoscale rules for applications deployed using the framework.
domainPolicy	domainPolicy	limits the domains developers can use when adding CNAMEs to their applications.
appAutoDiscovery	appAutoDiscovery	Discovers and displays on Shipa dashboard any existing applications. For this to work, you need to connect the framework to an existing namespace in your cluster by using the kubernetesNamespace property.
access	access	Restricts the teams that can leverage the policy framework to deploy their applications.
plan	plan	Resource consumption limits that are automatically assigned to applications deployed through the policy framework.
networkPolicy	networkPolicy	Defines the default network policies that should be assigned to each application deployed through the policy framework.
containerPolicy	containerPolicy	Implement limits on which container registries can be used when deploying applications to the policy framework.

Setup

Component path: resources > general > setup

Component	Type	Description
public	bool	Defines if the policy framework should be made publicly available to all teams on Shipa Required: No Default selection: Yes
default	bool	Marking a policy framework as default, when creating applications, if a policy framework is not entered, Shipa will automatically use the one flagged as default. Required: No Default selection: No
provisioner	string	Defines the backend where this policy framework will be bound. Required: No Options: kubernetes shipa Default selection: kubernetes
kubernetesNamespace	string	If you want Shipa to use an existing namespace in the cluster instead of creating a new one for the policy framework. If yes, you can add the name of an existing Kubernetes namespace here. Required: No Condition: Only when provisioner is kubernetes

Security

Component path: resources > general > security

Component	Type	Description
disableScan	bool	If application scan should be disabled when applications use the policy framework. Default selection: Enabled Required: No
ignoreComponents	string	If security scanning is not disabled, Shipa won't allow any component vulnerabilities to be deployed using the policy framework. If there are specific components that should be ignored by Shipa during deployments, they should be listed here. Required: No
ignoreCves	string	If security scanning is not disabled, Shipa won't allow any CVES vulnerabilities to be deployed using the policy framework. If there are specific CVES that should be ignored by Shipa during deployments, they should be listed here. Required: No

Component

Type

Description

disableScan

bool

If application scan should be disabled when applications use the policy framework.

Default selection: Enabled

Required: No

ignoreComponents

string

If security scanning is not disabled, Shipa won't allow any component vulnerabilities to be deployed using the policy framework.

If there are specific components that should be ignored by Shipa during deployments, they should be listed here.

Required: No

ignoreCves

string

If security scanning is not disabled, Shipa won't allow any CVES vulnerabilities to be deployed using the policy framework.

If there are specific CVES that should be ignored by Shipa during deployments, they should be listed here.

Required: No

Router

Component path: resources > general > router

Component	Type	Description
router	string	The ingress controller that should be leveraged by Shipa when applications are deployed through the policy framework. Supported options are: istio traefik ngnix Required: No Default selection: NGNIX

Component

Type

Description

router

string

The ingress controller that should be leveraged by Shipa when applications are deployed through the policy framework.

Supported options are:

istio
traefik
ngnix

Required: No

Default selection: NGNIX

Node Selector

Component path: resource > general > nodeSelector

Component	Type	Description
terms		The combination of lable: value that Shipa should use when finding a node to deploy applications bound to the framework. Multiple options can be defined, one per line. Required: Yes
strict	boolean	When specifying multiple values, users can enable strict to make sure Shipa finds nodes where all values are true. Required: Yes

Component

Type

Description

terms

The combination of lable: value that Shipa should use when finding a node to deploy applications bound to the framework.

Multiple options can be defined, one per line.

Required: Yes

strict

boolean

When specifying multiple values, users can enable strict to make sure Shipa finds nodes where all values are true.

Required: Yes

Pod Autoscaler

Component path: resource > general > podAutoScaler

Component	Type	Description
minReplicas	int	the minimum number of replicas applications deployed using this framework should have. Required: Yes
maxReplicas	int	the maximum number of replicas applications deployed using this framework should have. Required: Yes
targetCPUUtilizationPercentage	int	the target CPU utilization that should trigger the auto scale rule for the application. Required: Yes
disableAppOverride	boolean	defines if the auto scale rule assigned automatically to the applications deployed using the framework can be changed post-deployment. Required: Yes

Domain Policy

Component path: resource > general > domainPolicy

Component	Type	Description
allowedCnames	string	one, or multiple, allowed domains developers can use to assign to their applications as CNAME. Required: Yes

Component

Type

Description

allowedCnames

string

one, or multiple, allowed domains developers can use to assign to their applications as CNAME.

Required: Yes

Application Discovery

Component path: resource > general > appAutoDiscovery

Component	Type	Description
appSelector	string	the label that Shipa should look for when importing and exposing applications on the dashboard once the framework is connected to a cluster. For applications to be imported, the appSelector should be used together with the kubernetesNamespace option. Required: Yes
suffix	string	suffix that should be automatically added to an application name when imported. Required: No

Component

Type

Description

appSelector

string

the label that Shipa should look for when importing and exposing applications on the dashboard once the framework is connected to a cluster.

For applications to be imported, the appSelector should be used together with the kubernetesNamespace option.

Required: Yes

suffix

string

suffix that should be automatically added to an application name when imported.

Required: No

Access

Component path: resource > general > access

Component	Type	Description
appends	string	The teams that can deploy applications using the policy framework. Multiple teams can be entered. Required: Yes

Component

Type

Description

appends

string

The teams that can deploy applications using the policy framework. Multiple teams can be entered.

Required: Yes

Plan

Component path: resource > general > plan

Component	Type	Description
name	string	The name of an existing Shipa plan that should be tied to this policy framework, so applications automatically receive limits around memory, CPU, and swap. Required: Yes

Component

Type

Description

name

string

The name of an existing Shipa plan that should be tied to this policy framework, so applications automatically receive limits around memory, CPU, and swap.

Required: Yes

Network Policy

Component path: resource > general > networkPolicy

Component	Type	Description
ingress		Ingress definition that will be accepted by applications deployed using the policy framework Required: No If not defined, Shipa will automatically assign an allow-all ingress policy for applications deployed using the policy framework
policy_mode	string	The policy mode that should be applied to applications deployed using the policy framework Options are: allow-all deny-all allow-custom-rules-only Required: No Condition: Only when policy_mode is set to allow-custom-rules-only
custom_rules		If policy_mode is set to allow-custom-rules-only, users can define custom rules for detailed ingress or egress configuration for applications deployed using the policy framework. Required: No Condition: Only when policy_mode is set to allow-custom-rules-only
id	string	The name of the custom rule. Required: No Condition: Only when policy_mode is set to allow-custom-rules-only
enabled	bool	If the custom rule is enabled or not when applications are deployed using the policy framework. Required: No Condition: Only when policy_mode is set to allow-custom-rules-only
description	string	The description of the custom rule being enforced by the policy framework. Required: No Condition: Only when policy_mode is set to allow-custom-rules-only
allowed_apps	string	The specific applications that applications deployed using the policy framework can receive ingress or ingress from. Required: No Condition: Only when policy_mode is set to allow-custom-rules-only
ports		Port configuration where applications deployed using the policy framework can accept ingress or egress. Required: No Condition: Only when policy_mode is set to allow-custom-rules-only
port	int	The specific port (or list of ports) where applications deployed using the policy framework can accept ingress or egress. Required: No Condition: Only when policy_mode is set to allow-custom-rules-only
protocol	string	The specific protocol where applications deployed using the policy framework can accept ingress or egress. Required: No Condition: Only when policy_mode is set to allow-custom-rules-only
egress		Egress definition that will be accepted by applications deployed using the policy framework. Required: No If not defined, Shipa will automatically assign an allow-all egress policy for applications deployed using the framework.
disableAppPolicies	bool	Defines if application owners can change ingress and/or egress rules at the application-level post-deployment. Required: No If not defined, Shipa will automatically assign an allow-all egress policy for applications deployed using the framework.

📘
Defining detailed network policies
We recommend using Shipa's dashboard to define a policy framework where network policy rules are overly complex.
You can also export a policy framework configuration which gives you detailed network policy configuration in a file.

Container Policy

Component path: resources > general > containerPolicy

Component	Type	Description
allowedHosts	string	The container registry (or list of) developers can use when deploying their applications using the policy framework. Required: No If not specified, developers will be able to deploy images from any container registry

Component

Type

Description

allowedHosts

string

The container registry (or list of) developers can use when deploying their applications using the policy framework.

Required: No

If not specified, developers will be able to deploy images from any container registry

Framework Management

Top-Level Attributes

Resources

General

Setup

Security

Router

Node Selector

Pod Autoscaler

Domain Policy

Application Discovery

Access

Plan

Network Policy

📘
Defining detailed network policies

Container Policy

Top-Level Attributes

Resources

General

Setup

Security

Router

Node Selector

Pod Autoscaler

Domain Policy

Application Discovery

Access

Plan

Network Policy

📘Defining detailed network policies

Container Policy

📘
Defining detailed network policies