Policy Engine - No Policy Decision Detected, missing spinnaker.persistence.pipelines


Issue

Even when your declarations appear to be correct, Policy Engine can return the error below when initializing.

There was an error saving your pipeline: Policy Error: No policy decision detected. This is likely because a missing spinnaker.persistence.pipelines.before package..

Cause

Setting Policy Engine to failOpen: false can cause the issue if no policies are declared.

When Spinnaker sends a specific payload via Policy Engine to OPA to be validated by a policy and that policy doesn't exist, the error message above is returned. By default, with this setting, Front50 will fail closed.

Solution

For example, if Front50 is configured with failOpen: false in the Policy Engine, a policy must exist for Spinnaker to allow the operation to continue. The evaluation needs some policy to run against before the process can proceed.

An example of a simple policy that can be used to test is:

package spinnaker.persistence.pipelines.before
import data.dataset
spinnaker := {
	"persistence": {"pipelines": {"before": {
		"deny": deny_pipelines,
		"response": response_pipelines,
	}}},
}
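################################################
# Persistence Policies
# The rule body below is never true, so deny_pipelines stays empty
# and response_pipelines.allowed evaluates to true.
deny_pipelines["Dummy policy -- should not fail"] {
    true == false
}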
response_pipelines := {
	"allowed": count(deny_pipelines) == 0,
	"errors": deny_pipelines,
}

Adding a policy (such as a policy to validate pipelines) resolves the issue, because a default policy is then in place for the Policy Engine to evaluate against.

When using Policy Engine Plugin

Another option is to set the failOpen value to true. However, depending on the company's internal security policies, this may not be an option, because operations will then still go through even on an error or a missing policy.

To implement, make the following change to the manifest, for the Policy Engine in general:

spec:
  spinnakerConfig:
    profiles:
      spinnaker:
        armory:
          policyEngine:
            failOpen: true
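
The trade-off between the two failOpen settings, modelled as an added example (not Armory's code). It relies on the fact that OPA's Data API answers a query for an undefined document, such as a package that is not loaded, with a body that has no "result" key. The decide function, the constructed sample bodies, and the assumption that the queried document has the allowed/errors shape of response_pipelines above are all hypothetical.

```python
import json

# Error text as quoted on this page.
NO_DECISION = ("Policy Error: No policy decision detected. This is likely because "
               "a missing spinnaker.persistence.pipelines.before package..")

# Constructed OPA Data API response bodies (not captured from a real system).
MISSING_PACKAGE = '{}'  # package not loaded: no "result" key
DUMMY_POLICY = '{"result": {"allowed": true, "errors": []}}'
DENYING = '{"result": {"allowed": false, "errors": ["constructed deny message"]}}'


def decide(opa_body, fail_open):
    """Return (allowed, errors) for one pipeline save.

    opa_body is the raw JSON body from OPA, or None if OPA was unreachable.
    Hypothetical model of the behaviour described on this page.
    """
    try:
        doc = json.loads(opa_body) if opa_body is not None else None
    except json.JSONDecodeError:
        doc = None
    result = doc.get("result") if isinstance(doc, dict) else None

    # No usable decision (missing policy, bad body, OPA down):
    # failOpen alone decides the outcome.
    if not isinstance(result, dict) or "allowed" not in result:
        return (True, []) if fail_open else (False, [NO_DECISION])

    # A real decision exists, so failOpen is irrelevant; a deny always blocks.
    errors = list(result.get("errors", []))
    return (bool(result["allowed"]) and not errors, errors)


if __name__ == "__main__":
    for name, body in [("missing package", MISSING_PACKAGE),
                       ("dummy policy", DUMMY_POLICY),
                       ("denying policy", DENYING)]:
        for fail_open in (False, True):
            print(name, "failOpen =", fail_open, "->", decide(body, fail_open))
```

With failOpen: true a missing policy is indistinguishable from an allowing one, which is why loading at least the dummy policy and keeping failOpen: false is the stricter choice.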

As Tested On Version

2.20.x