Framework Management

Implement policies across multiple clusters by using the Shipa policy frameworks.

The example below shows the different options you can leverage when creating a policy framework through Pulumi:

import * as pulumi from "@pulumi/pulumi";
import * as shipa from "@shipa-corp/pulumi";


const item = new shipa.Framework("shipa-framework", {
    framework: {
        name: "pulumi-framework-1",
        provisioner: "kubernetes",
        kubernetesNamespace: "existing-namespace",
        resources: {
            general: {
                setup: {
                    public: true,
                    default: false,
                },
                security: {
                    disableScan: true,
                    ignoreComponents: ["apt", "bash", "..."],
                    ignoreCves: ["CVE-2020-27350", "CVE-2011-3374", "..."],
                },
                router: "ngnix",
                nodeSelectors: {
                    terms: {
                        environment: "shipa-team",
                        os: "linux",
                    },
                    strict: true,
                },
                podAutoScaler: {
                    minReplicas: 1,
                    maxReplicas: 10,
                    targetCpuUtilizationPercentage: 50,
                    disableAppOverride: true,
                },
                domainPolicy: {
                    allowedCnames: [
                        "*.example.com", "*.acme.bar",
                    ]
                },
                appAutoDiscovery: {
                    appSelector: {
                        label: "app"
                    },
                    suffix: "",
                },              
                plan: {
                    name: "shipa-plan",
                },
                access: {
                    appends: ["shipa-team"],
                },
                networkPolicy: {
                    ingress: {
                        policyMode: "allow-custom-rules-only",
                        customRules: [
                            {
                                id: "pm-fw",
                                enabled: true,
                                description: "framework block",
                                allowedApps: ["app1", "appx"],
                                allowedFrameworks: ["dev", "qa"],
                                ports: [{
                                    port: 8080,
                                    protocol: "TCP"
                                },
                                {
                                    port: 8081,
                                    protocol: "TCP",
                                }]
                            },
                        ]
                    },
                    egress: {
                        policyMode: "allow-all",
                    },
                    disableAppPolicies: false,
                    },
                containerPolicy: {
                    allowedHosts: ["docker.io/shipasoftware", "docker.io/shiparepo"],
                }
            }
        }
    }
});

export const frameworkName = item.framework.name;

Top-Level Attributes

Here are the attributes that provide top-level information about each component definition.

ComponentTypeDescription
namestringThe framework name
provisionerstringThe provisioner where the policy framework will be bound to.

Options:
- kubernetes
- shipa

Required: Yes

Standard selection when not specified:
- kubernetes
resourcesresources

Resources

ComponentTypeDescription
generalgeneralGeneral policy framework config definition.

General

ComponentTypeDescription
setupsetupSetup defines the basic information required by Shipa to set up your policy framework so applications can be properly deployed through it and how this framework will be exposed to teams inside Shipa.
securitysecurityThe definition of security scan levels and exceptions, if any, that Shipa should run when applications are deployed through the policy framework.
routerrouterThe ingress controller that should be used by Shipa when applications are deployed through this framework.

Required: Yes

Options:
- traefik
- istio
nodeSelectornodeSelectorLimits which nodes can be used when applications are deployed using the framework.
podAutoScalerpodAutoScalerImplements default autoscale rules for applications deployed using the framework.
domainPolicydomainPolicyLimits the domains developers can use when adding CNAMEs to their applications.
appAutoDiscoveryappAutoDiscoveryDiscovers and displays on Shipa dashboard any existing applications.

For this to work, you need to connect the framework to an existing namespace in your cluster by using the kubernetesNamespace property.
accessaccessRestricts the teams that can leverage the policy framework to deploy their applications.
planplanResource consumption limits that are automatically assigned to applications deployed through the policy framework.
networkPolicynetworkPolicyDefines the default network policies that should be assigned to each application deployed through the policy framework.
containerPolicycontainerPolicyImplement limits on which container registries can be used when deploying applications to the policy framework.

Setup

Component path: resources > general > setup

ComponentTypeDescription
publicboolDefines if the policy framework should be made publicly available to all teams on Shipa

Required: No

Default selection: Yes
defaultboolMarking a policy framework as default, when creating applications, if a policy framework is not entered, Shipa will automatically use the one flagged as default.

Required: No

Default selection: No
kubernetesNamespacestringIf you want Shipa to use an existing namespace in the cluster instead of creating a new one for the policy framework.

If yes, you can add the name of an existing Kubernetes namespace here.

Required: No

Condition: Only when provisioner is kubernetes

Security

Component path: resources > general > security

ComponentTypeDescription
disableScanboolIf application scan should be disabled when applications use the policy framework.

Default selection: Enabled

Required: No
ignoreComponentsstringIf security scanning is not disabled, Shipa won't allow any component vulnerabilities to be deployed using the policy framework.

If there are specific components that should be ignored by Shipa during deployments, they should be listed here.

Required: No
ignoreCvesstringIf security scanning is not disabled, Shipa won't allow any CVES vulnerabilities to be deployed using the policy framework.

If there are specific CVES that should be ignored by Shipa during deployments, they should be listed here.

Required: No

Router

Component path: resources > general > router

ComponentTypeDescription
routerstringThe ingress controller that should be leveraged by Shipa when applications are deployed through the policy framework.

Supported options are:
- istio
- traefik
- ngnix

Required: No

Default selection: NGNIX

Node Selector

Component path: resource > general > nodeSelector

ComponentTypeDescription
termsstringThe combination of lable: value that Shipa should use when finding a node to deploy applications bound to the framework.

Multiple options can be defined, one per line.

Required: Yes
strictstringWhen specifying multiple values, users can enable strict to make sure Shipa finds nodes where all values are true.

Required: Yes

Pod Autoscaler

Component path: resource > general > podAutoScaler

ComponentTypeDescription
minReplicasintthe minimum number of replicas applications deployed using this framework should have.

Required: Yes
maxReplicasintthe maximum number of replicas applications deployed using this framework should have.

Required: Yes
targetCPUUtilizationPercentageintthe target CPU utilization that should trigger the auto scale rule for the application.

Required: Yes
disableAppOverridebooleandefines if the auto scale rule assigned automatically to the applications deployed using the framework can be changed post-deployment.

Required: Yes

Domain Policy

Component path: resource > general > domainPolicy

ComponentTypeDescription
allowedCnamesstringone, or multiple, allowed domains developers can use to assign to their applications as CNAME.

Required: Yes

Application Discovery

Component path: resource > general > appAutoDiscovery

ComponentTypeDescription
appSelectorstringthe label that Shipa should look for when importing and exposing applications on the dashboard once the framework is connected to a cluster.

For applications to be imported, the appSelector should be used together with the kubernetesNamespace option.

Required: Yes
suffixstringsuffix that should be automatically added to an application name when imported.

Required: No

Access

Component path: resource > general > access

ComponentTypeDescription
appendsstringThe teams that can deploy applications using the policy framework. Multiple teams can be entered.

Required: Yes
blackliststringThe teams that should be removed from the framework, so they cannot deploy their applications. Multiple teams can be entered.

Required: No

Plan

Component path: resource > general > plan

ComponentTypeDescription
namestringThe name of an existing Shipa plan that should be tied to this policy framework, so applications automatically receive limits around memory, CPU, and swap.

Required: Yes

Network Policy

Component path: resource > general > network_policy

ComponentTypeDescription
ingressIngress definition that will be accepted by applications deployed using the policy framework

Required: No

If not defined, Shipa will automatically assign an allow-all ingress policy for applications deployed using the policy framework
policyModestringThe policy mode that should be applied to applications deployed using the policy framework

Options are:
- allow-all
- deny-all
- allow-custom-rules-only

Required: No

Condition: Only when policy_mode is set to allow-custom-rules-only
customRulesstringIf policy_mode is set to allow-custom-rules-only, users can define custom rules for detailed ingress or egress configuration for applications deployed using the policy framework.

Required: No

Condition: Only when policy_mode is set to allow-custom-rules-only
idThe name of the custom rule.

Required: No

Condition: Only when policy_mode is set to allow-custom-rules-only
enabledboolIf the custom rule is enabled or not when applications are deployed using the policy framework.

Required: No

Condition: Only when policy_mode is set to allow-custom-rules-only
descriptionstringThe description of the custom rule being enforced by the policy framework.

Required: No

Condition: Only when policy_mode is set to allow-custom-rules-only
allowedAppsstringThe specific applications that applications deployed using the policy framework can receive ingress or ingress from.

Required: No

Condition: Only when policy_mode is set to allow-custom-rules-only
portsPort configuration where applications deployed using the policy framework can accept ingress or egress.

Required: No

Condition: Only when policy_mode is set to allow-custom-rules-only
portintThe specific port (or list of ports) where applications deployed using the policy framework can accept ingress or egress.

Required: No

Condition: Only when policy_mode is set to allow-custom-rules-only
protocolstringThe specific protocol where applications deployed using the policy framework can accept ingress or egress.

Required: No

Condition: Only when policy_mode is set to allow-custom-rules-only
egressEgress definition that will be accepted by applications deployed using the policy framework.

Required: No

If not defined, Shipa will automatically assign an allow-all egress policy for applications deployed using the framework.
disableAppPoliciesboolDefines if application owners can change ingress and/or egress rules at the application-level post-deployment.

Required: No

Condition: Only when policy_mode is set to allow-custom-rules-only

📘

Defining detailed network policies

We recommend you use Shipa's dashboard to define a policy framework where network policy rules are overly complex.

You can also export a policy framework configuration which gives you detailed network policy configuration in a file.

Container Policy

Component path: resources > general > containerPolicy

ComponentTypeDescription
allowedHostsstringThe container registry (or list of) developers can use when deploying their applications using the policy framework.

Required: No

If not specified, developers will be able to deploy images from any container registry