May 11, 2022

Introducing Harness Policy as Code, Powered by OPA

Key takeaway

We’re excited to announce Harness Policy as Code, powered by Open Policy Agent (OPA), a centralized policy management and rules service that empowers enterprises to centrally define and monitor policies that are enforced across all delivery pipelines and processes. Harness Policy as Code helps organizations create and enforce policies on deployments, infrastructure, and more, providing developer velocity without sacrificing compliance and standards.

Harness Policy as Code is based on OPA, an easy-to-use, extensible solution for creating and enforcing policies across the entire stack. OPA is an open source project accepted by the Cloud Native Computing Foundation (CNCF) with wide adoption across numerous software delivery use cases. Policies are written as declarative code, so they are easy to understand and modify—from simple to complex use cases.

Harness Policy as Code integrates with CI, CD, and Feature Flags, enforcing automated approvals, denials, and other advanced pipeline functionality. Check out our technical documentation to learn more.

Why We Need Policy Management in Software Delivery

As DevOps is adopted within an enterprise, typically one team creates and maintains software delivery and processes. That team has full control and visibility, as they are the ‘creator’ of DevOps processes within the company. As more business units adopt DevOps within the company, that originating team’s manual processes can create a bottleneck, which hampers innovation by limiting team autonomy and slowing down software delivery.

In an effort to remove the bottleneck and increase velocity, companies can give development teams more autonomy by allowing them to drive their own DevOps processes. That decentralization of process control can lead to more risk for the company.

When governance is decentralized, development teams can miss quality checks or approvals, introduce vulnerabilities, or break compliance. Organizations need to balance autonomy and governance, so they can empower teams with the confidence that they are adhering to all compliance standards and security policies – all without slowing down innovation.

Compliance becomes even more critical in regulated industries, such as financial services and healthcare—not only with enterprise standards, but with third-party regulations, like SOC 2, PCI, and FedRAMP. It is imperative that all software delivery pipelines meet compliance standards with full auditability; otherwise, the organization is at risk of failed audits, heavy fines, and reputational damage.

Centralized management and governance of policies across DevOps processes allow enterprises to define standards for the entire organization while enforcing compliance with regulations. Policies let individual teams keep autonomy over their processes, with oversight and guardrails in place to prevent them from straying from standards, ensuring secure and compliant software delivery.

Harness Policy as Code Features

Harness Policy as Code is a centralized policy management and rules service that leverages OPA to meet compliance requirements across software delivery. It enables organizations to centrally define and monitor policies that are enforced across all delivery pipelines and processes.

Policy as Code features for writing and enforcing policies include:

  • A Policy Editor that enables developers to start writing policies-as-code quickly. With a library of policies to start from and a testing terminal, developers can try out policies on real inputs during development before enabling them.
  • Policies that are configured to be automatically enforced on Harness processes (e.g. on Pipeline Run, on Feature Flag save).
  • The ability to set severity, so a policy violation can issue a warning or throw an error to stop processes from continuing.
  • An audit trail that can maintain a full history of policy evaluations with detailed outputs for audit and compliance.
  • Sample policies that can be customized.

With the release of Policy as Code, policies can now be enforced on CI and CD pipelines and Feature Flags.

Pipeline policies govern the requirements of delivery pipelines, and they can be automatically enforced when the pipeline is saved or triggered, or even in the middle of pipeline execution. Policies can enforce specific pipeline configuration, advanced access control use cases, runtime validation, and more. Here are some examples of what Policy as Code can do:

  • Require an approval step before deployment to production.
  • Forbid use of Shell scripts in the pipeline.
  • Only allow deployment to approved namespaces.
  • Only allow deployments from approved container registries.
  • Validate test step outcome meets minimum threshold before allowing the pipeline to continue.
[Figure: Harness Policy Engine. A pipeline that could not be deployed due to policy noncompliance.]
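To make the pipeline examples above concrete, here is an added Rego policy (written for this post, not one of Harness's sample policies) that implements four of them as OPA `deny` rules: an approval step before any Production deployment, no ShellScript steps, images only from approved registries, and a minimum test coverage threshold checked at runtime. The `input` shape (`input.pipeline.stages[]` with `name`, `environment.type`, `steps[]` and `artifacts[]`), the registry names and the 80% threshold are all constructed assumptions; a real Harness policy would have to follow the input document Harness actually passes to OPA for the chosen event.

```rego
package pipeline_guardrails

import rego.v1

# Assumed input shape (constructed for this example; not Harness's real schema):
#   input.pipeline.stages[i].name
#   input.pipeline.stages[i].environment.type   "Production" or "PreProduction"
#   input.pipeline.stages[i].steps[j].type      e.g. "HarnessApproval", "ShellScript", "RunTests"
#   input.pipeline.stages[i].steps[j].coverage  percentage reported by a test step (runtime only)
#   input.pipeline.stages[i].artifacts[k].image and .registry

# Registries the organisation trusts (constructed values).
approved_registries := {"registry.example.com", "ghcr.io/example-org"}

# Minimum test coverage a test step must report (constructed threshold).
min_coverage := 80

# Indexes of stages that deploy to a Production environment.
prod_stage_indexes contains i if {
	some i
	input.pipeline.stages[i].environment.type == "Production"
}

# True when an approval step appears in stage n or in an earlier stage.
approval_before_stage(n) if {
	some i, j
	input.pipeline.stages[i].steps[j].type == "HarnessApproval"
	i <= n
}

# Rule 1: every Production deployment must be preceded by an approval step.
deny contains msg if {
	some n in prod_stage_indexes
	not approval_before_stage(n)
	msg := sprintf("stage '%s' deploys to Production without a preceding approval step",
		[input.pipeline.stages[n].name])
}

# Rule 2: shell script steps are forbidden anywhere in the pipeline.
deny contains msg if {
	some stage in input.pipeline.stages
	some step in stage.steps
	step.type == "ShellScript"
	msg := sprintf("stage '%s' uses a ShellScript step, which is not allowed", [stage.name])
}

# Rule 3: container images may only come from approved registries.
deny contains msg if {
	some stage in input.pipeline.stages
	some artifact in stage.artifacts
	not artifact.registry in approved_registries
	msg := sprintf("stage '%s' pulls '%s' from unapproved registry '%s'",
		[stage.name, artifact.image, artifact.registry])
}

# Rule 4 (runtime evaluation): a test step's reported coverage must meet the threshold.
# Steps without a coverage field are skipped, because the comparison is undefined for them.
deny contains msg if {
	some stage in input.pipeline.stages
	some step in stage.steps
	step.type == "RunTests"
	step.coverage < min_coverage
	msg := sprintf("stage '%s': test coverage %v is below the required minimum of %v",
		[stage.name, step.coverage, min_coverage])
}

# The pipeline is allowed only when no rule produced a message.
default allow := false

allow if count(deny) == 0

# Constructed sample input that violates rules 1 and 3 (save as input.json):
# {"pipeline": {"stages": [
#   {"name": "build", "environment": {"type": "PreProduction"},
#    "steps": [{"type": "RunTests", "coverage": 91}],
#    "artifacts": [{"image": "app:1.0", "registry": "docker.io/someone"}]},
#   {"name": "deploy-prod", "environment": {"type": "Production"},
#    "steps": [{"type": "K8sRollingDeploy"}], "artifacts": []}
# ]}}
```

Evaluate it locally with `opa eval -i input.json -d pipeline.rego 'data.pipeline_guardrails.deny'`; the sample input yields two messages (missing approval before `deploy-prod`, unapproved registry in `build`) and `allow` stays `false`. Using a `deny` set rather than a single boolean is deliberate: each rule contributes its own message, so a failed evaluation in the audit trail records every violated requirement, not just the first one found.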

Policies for Feature Flags are enforced when the flag is updated or toggled on/off, enabling policies for adhering to standards, flag process, and hygiene. This includes:

  • Only allowing creation of boolean flags.
  • Enforcing flag naming conventions.
  • Requiring that, when a flag is created, both the default on and off values are false.
  • Requiring that a Feature Flag be enabled in QA before it can be turned on in Production.
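The four Feature Flag rules above, written out as an added Rego policy (illustrative code for this post, not a Harness-provided policy). As with the pipeline example, the `input` shape is a constructed assumption: `input.action` distinguishes a create from a toggle, `input.flag` carries the flag definition with JSON boolean default variations, and `input.toggle` carries the environment and state being applied. The snake_case naming pattern is likewise an assumed convention.

```rego
package feature_flag_guardrails

import rego.v1

# Assumed input shape (constructed for this example; not Harness's real schema):
#   input.action                    "create" or "toggle"
#   input.flag.name                 e.g. "checkout_new_cart"
#   input.flag.kind                 "boolean", "string", "int", ...
#   input.flag.defaultOnVariation   JSON boolean served when the flag is on
#   input.flag.defaultOffVariation  JSON boolean served when the flag is off
#   input.flag.environments[_]      {"name": "QA", "state": "on"}
#   input.toggle.environment        present only for toggles, e.g. "Production"
#   input.toggle.state              present only for toggles, "on" or "off"

# Naming convention: lower snake_case starting with a letter (constructed rule).
name_pattern := `^[a-z][a-z0-9]*(_[a-z0-9]+)*$`

# Rule 1: only boolean flags may be created.
deny contains msg if {
	input.action == "create"
	input.flag.kind != "boolean"
	msg := sprintf("flag '%s' has kind '%s'; only boolean flags are allowed",
		[input.flag.name, input.flag.kind])
}

# Rule 2: flag names must follow the naming convention (checked on every event).
deny contains msg if {
	not regex.match(name_pattern, input.flag.name)
	msg := sprintf("flag name '%s' does not match the snake_case convention", [input.flag.name])
}

# Rule 3: on creation, both default variations must be false.
deny contains msg if {
	input.action == "create"
	some variation in [input.flag.defaultOnVariation, input.flag.defaultOffVariation]
	variation != false
	msg := sprintf("flag '%s' must be created with both default variations set to false",
		[input.flag.name])
}

# A flag counts as enabled in QA when its QA environment is currently on.
enabled_in_qa if {
	some env in input.flag.environments
	env.name == "QA"
	env.state == "on"
}

# Rule 4: turning a flag on in Production requires it to already be on in QA.
deny contains msg if {
	input.action == "toggle"
	input.toggle.environment == "Production"
	input.toggle.state == "on"
	not enabled_in_qa
	msg := sprintf("flag '%s' cannot be turned on in Production before it is enabled in QA",
		[input.flag.name])
}

default allow := false

allow if count(deny) == 0

# Constructed sample input: a Production toggle that violates rule 4 (save as input.json):
# {"action": "toggle",
#  "flag": {"name": "checkout_new_cart", "kind": "boolean",
#           "defaultOnVariation": false, "defaultOffVariation": false,
#           "environments": [{"name": "QA", "state": "off"},
#                            {"name": "Production", "state": "off"}]},
#  "toggle": {"environment": "Production", "state": "on"}}
```

Run `opa eval -i input.json -d flags.rego 'data.feature_flag_guardrails.deny'` to see the single QA-gating message; flipping the QA environment to `"on"` in the sample input empties the set and `allow` becomes `true`. Because `enabled_in_qa` is only true when a QA environment named exactly `QA` is on, a flag with no QA environment at all is also blocked from Production, which is the safe default for a promotion gate.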

Policy as Code centralizes and standardizes policy management across software delivery, allowing engineering leaders to empower dev teams to own their tools and practices while ensuring that everyone is following company standards for compliance and security. With guardrails in place, security vulnerabilities won’t be introduced as development teams are writing their pipelines. Leaders can rest assured that compliance standards are being met, with full auditability of policies and failures, and they can find and report breaches as early as possible with shift-left governance.

Get Started

Check out our platform governance page to learn more about how Harness' modern approach to software delivery governance empowers teams with stable processes that don’t slow down delivery, or request your personalized demo today.
