Issue
Even though your declarations may appear correct, Policy Engine can return the following error when initializing:
There was an error saving your pipeline: Policy Error: No policy decision detected. This is likely because a missing spinnaker.persistence.pipelines.before package..
Cause
Setting Policy Engine to failOpen: false can cause the issue if no policies are declared.
When Spinnaker sends a specific payload via Policy Engine to OPA to be validated by a policy and that policy doesn't exist, the error message above is returned. By default, with this setting Front50 will fail closed.
Solution
As an example, if Front50 configurations are set to failOpen: false in the Policy Engine, a policy must exist for Spinnaker to allow the operation to continue. The evaluation needs something to evaluate against before the process can proceed.
An example of a simple policy that can be used for testing:
package spinnaker.persistence.pipelines.before

import data.dataset

spinnaker := {
    "persistence": {"pipelines": {"before": {
        "deny": deny_pipelines,
        "response": response_pipelines,
    }}},
}

################################################
# Persistence Policies
deny_pipelines["Dummy policy -- should not fail"] {
    true == false
}

response_pipelines := {
    "allowed": count(deny_pipelines) == 0,
    "errors": deny_pipelines,
}
Adding a policy (such as a policy to validate pipelines) solves the issue, because a default policy is then in place for the Policy Engine to evaluate against.
When using Policy Engine Plugin
Another option is to toggle the failOpen value to true. However, depending on the company's internal security policies, this may not be an option, because things will then still work even on an error or a missing policy.
To implement, make the following change to the manifest for the Policy Engine in general:
spec:
  spinnakerConfig:
    profiles:
      spinnaker:
        armory:
          policyEngine:
            failOpen: true
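The fail-closed and fail-open outcomes described under Cause and Solution, modelled as an added Python example (this is not Armory's Policy Engine code). It assumes the caller reads the sample policy's response_pipelines object through OPA's Data API, which returns a body with no "result" key when the queried document is undefined; evaluate, NO_DECISION and the sample bodies are hypothetical names and constructed data.

```python
from __future__ import annotations

# Hypothetical error text, standing in for the message shown under Issue.
NO_DECISION = "No policy decision detected"


def evaluate(opa_body: dict, fail_open: bool) -> tuple[bool, list[str]]:
    """Return (allowed, errors) for one OPA Data API response body."""
    result = opa_body.get("result")
    # OPA answers HTTP 200 without a "result" key when the queried document
    # is undefined, for example because the package was never loaded.
    # Assumption: a result lacking "allowed" is also treated as no decision.
    if not isinstance(result, dict) or "allowed" not in result:
        if fail_open:
            return True, []           # failOpen: true  -> request proceeds
        return False, [NO_DECISION]   # failOpen: false -> request is blocked
    # A decision exists, so fail_open plays no part in this model: the
    # policy's own "allowed" and "errors" values decide the outcome.
    errors = list(result.get("errors", []))
    return bool(result["allowed"]) and not errors, errors


# Constructed sample response bodies.
MISSING_PACKAGE = {}                                        # no policy loaded
DUMMY_POLICY = {"result": {"allowed": True, "errors": []}}  # sample policy above
DENYING_POLICY = {"result": {"allowed": False,
                             "errors": ["constructed deny message"]}}

if __name__ == "__main__":
    for name, body in [("missing package", MISSING_PACKAGE),
                       ("dummy policy", DUMMY_POLICY),
                       ("denying policy", DENYING_POLICY)]:
        for fail_open in (False, True):
            print(f"{name:16} failOpen={fail_open!s:5} -> {evaluate(body, fail_open)}")
```

In this model the dummy policy gives the same "allowed" outcome as failOpen: true when nothing is wrong, while a missing package is still blocked under failOpen: false.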
As Tested On Version
2.20.x