Framework Management
The GitHub Action integration allows you to implement policies across multiple clusters by using the Shipa policy frameworks.
The example below shows the different options you can leverage when creating a policy framework using GitHub Actions:
framework:
name: dev-policy
resources:
general:
setup:
provisioner: kubernetes
default: false
kubernetesNamespace: namespace-name
public: false
security:
disableScan: true
ignoreComponents: ["apt", "bash", "..."]
ignoreCves: ["CVE-2020-27350", "CVE-2011-3374", "..."]
router: traefik
appQuota:
limit: "4"
access:
append: ["shipa-team"]
plan:
name: "shipa-plan"
networkPolicy:
ingress:
policy_mode: allow-custom-rules-only
custom_rules:
- id: gateway
enabled: true
description: gateway rule
allowed_frameworks:
- cinema-gateway
egress:
policy_mode: allow-all
disableAppPolicies: false
containerPolicy:
allowedHosts: ["docker.io/shipasoftware", "docker.io/shiparepo"]
Top-Level Attributes
Here are the attributes that provide top-level information about each component definition.
Component | Type | Description |
|---|---|---|
name | string | The policy framework name |
resources |
Resources
Component | Type | Description |
|---|---|---|
general | General policy framework config definition. |
General
Component | Type | Description |
|---|---|---|
setup | Setup defines the basic information required by Shipa to set up your policy framework so applications can be properly deployed through it and how this framework will be exposed to teams inside Shipa. | |
security | The definition of security scan levels and exceptions, if any, that Shipa should run when applications are deployed through the policy framework. | |
router | The ingress controller that should be used by Shipa when applications are deployed through this framework. Required: Yes Options:
| |
appQuota | Implement application scalability limits. | |
access | Restricts the teams that can leverage the policy framework to deploy their applications. | |
plan | Resource consumption limits that are automatically assigned to applications deployed through the policy framework. | |
networkPolicy | Defines the default network policies that should be assigned to each application deployed through the policy framework. | |
containerPolicy | Implement limits on which container registries can be used when deploying applications to the policy framework. |
Setup
Component path: resources > general > setup
Component | Type | Description |
|---|---|---|
public | bool | Defines if the policy framework should be made publicly available to all teams on Shipa Required: No Default selection: Yes |
default | bool | Marking a policy framework as default, when creating applications, if a policy framework is not entered, Shipa will automatically use the one flagged as default. Required: No Default selection: No |
provisioner | string | Defines the backend where this policy framework will be bound. Required: No Options:
Default selection: kubernetes |
kubernetesNamespace | string | If you want Shipa to use an existing namespace in the cluster instead of creating a new one for the policy framework. If yes, you can add the name of an existing Kubernetes namespace here. Required: No Condition: Only when provisioner is kubernetes |
Security
Component path: resources > general > security
Component | Type | Description |
|---|---|---|
disableScan | bool | If application scan should be disabled when applications use the policy framework. Default selection: Enabled Required: No |
ignoreComponents | string | If security scanning is not disabled, Shipa won't allow any component vulnerabilities to be deployed using the policy framework. If there are specific components that should be ignored by Shipa during deployments, they should be listed here. Required: No |
ignoreCves | string | If security scanning is not disabled, Shipa won't allow any CVES vulnerabilities to be deployed using the policy framework. If there are specific CVES that should be ignored by Shipa during deployments, they should be listed here. Required: No |
Router
Component path: resources > general > router
Component | Type | Description |
|---|---|---|
router | string | The ingress controller that should be leveraged by Shipa when applications are deployed through the policy framework. Supported options are:
Required: No Default selection: Traefik |
Application Quota
Component path: resource > general > appQuota
Component | Type | Description |
|---|---|---|
limit | int | The number of container units that applications deployed using this policy framework can scale to. Required: Yes |
Access
Component path: resource > general > access
Component | Type | Description |
|---|---|---|
appends | string | The teams that can deploy applications using the policy framework. Multiple teams can be entered. Required: Yes |
Plan
Component path: resource > general > plan
Component | Type | Description |
|---|---|---|
name | string | The name of an existing Shipa plan that should be tied to this policy framework, so applications automatically receive limits around memory, CPU, and swap. Required: Yes |
Network Policy
Component path: resource > general > networkPolicy
Component | Type | Description |
|---|---|---|
ingress | Ingress definition that will be accepted by applications deployed using the policy framework Required: No If not defined, Shipa will automatically assign an allow-all ingress policy for applications deployed using the policy framework | |
policy_mode | string | The policy mode that should be applied to applications deployed using the policy framework Options are:
Required: No Condition: Only when policy_mode is set to allow-custom-rules-only |
custom_rules | If policy_mode is set to allow-custom-rules-only, users can define custom rules for detailed ingress or egress configuration for applications deployed using the policy framework. Required: No Condition: Only when policy_mode is set to allow-custom-rules-only | |
id | string | The name of the custom rule. Required: No Condition: Only when policy_mode is set to allow-custom-rules-only |
enabled | bool | If the custom rule is enabled or not when applications are deployed using the policy framework. Required: No Condition: Only when policy_mode is set to allow-custom-rules-only |
description | string | The description of the custom rule being enforced by the policy framework. Required: No Condition: Only when policy_mode is set to allow-custom-rules-only |
allowed_apps | string | The specific applications that applications deployed using the policy framework can receive ingress or ingress from. Required: No Condition: Only when policy_mode is set to allow-custom-rules-only |
ports | Port configuration where applications deployed using the policy framework can accept ingress or egress. Required: No Condition: Only when policy_mode is set to allow-custom-rules-only | |
port | int | The specific port (or list of ports) where applications deployed using the policy framework can accept ingress or egress. Required: No Condition: Only when policy_mode is set to allow-custom-rules-only |
protocol | string | The specific protocol where applications deployed using the policy framework can accept ingress or egress. Required: No Condition: Only when policy_mode is set to allow-custom-rules-only |
egress | Egress definition that will be accepted by applications deployed using the policy framework. Required: No If not defined, Shipa will automatically assign an allow-all egress policy for applications deployed using the framework. | |
disableAppPolicies | bool | Defines if application owners can change ingress and/or egress rules at the application-level post-deployment. Required: No If not defined, Shipa will automatically assign an allow-all egress policy for applications deployed using the framework. |
Defining detailed network policies
We recommend using Shipa's dashboard to define a policy framework where network policy rules are overly complex.
You can also export a policy framework configuration which gives you detailed network policy configuration in a file.
Container Policy
Component path: resources > general > containerPolicy
Component | Type | Description |
|---|---|---|
allowedHosts | string | The container registry (or list of) developers can use when deploying their applications using the policy framework. Required: No If not specified, developers will be able to deploy images from any container registry |
Updated 5 days ago