Version: 1.2

Policy

A Policy resource defines a policy evaluating the verification results for a subject.

View more CRD samples here. The metadata.name MUST be set to ratify-policy for Ratify to apply the policy. Ratify ensures that only one policy is actively under evaluation by restricting metadata.name to ratify-policy.

Scope

Policies can be defined as cluster-wide resources (using the kind Policy) or namespaced resources (using the kind NamespacedPolicy).

Namespaced policies only apply to the namespace in which they are defined. If a verification request targeting a namespace cannot find a policy in the required namespace, Ratify falls back to the cluster-wide policy.

Cluster-wide policies act as the default global policy when no namespaced policy is defined in the required namespace.

Common properties

apiVersion: config.ratify.deislabs.io/v1beta1
kind: Policy # NamespacedPolicy has the same spec.
metadata:
  name: "ratify-policy"
spec:
  type: "rego-policy"
  parameters: # required. Parameters specific to this policy

Note: spec.type MUST be config-policy or rego-policy per the usage.

configpolicy

Sample spec:

apiVersion: config.ratify.deislabs.io/v1beta1
kind: Policy
metadata:
  name: "ratify-policy"
spec:
  type: "config-policy"
  parameters:
    artifactVerificationPolicies:
      "application/vnd.cncf.notary.signature": "any"
    default: "any"
| Name | Required | Description | Default Value |
| --- | --- | --- | --- |
| artifactVerificationPolicies | yes | Map of artifact type to policy; each entry in the map's policy must be satisfied for Ratify to return true | "" |
| default | no | The default policy applies to unspecified artifact types. | "all" |
| application/vnd.cncf.notary.signature | no | It could be any artifact type that is supported by Ratify. | There is no default value; users must specify any or all |

regopolicy

Sample spec:

apiVersion: config.ratify.deislabs.io/v1beta1
kind: Policy
metadata:
  name: "ratify-policy"
spec:
  type: "rego-policy"
  parameters:
    passthroughEnabled: false
    policy: |
      package ratify.policy

      default valid := false

      # all artifacts MUST be valid
      valid {
        not failed_verify(input)
      }

      # all reports MUST pass the verification
      failed_verify(reports) {
        [path, value] := walk(reports)
        value == false
        path[count(path) - 1] == "isSuccess"
      }

      # each artifact MUST have at least one report
      failed_verify(reports) {
        [path, value] := walk(reports)
        path[count(path) - 1] == "verifierReports"
        count(value) == 0
      }
| Name | Required | Description | Default Value |
| --- | --- | --- | --- |
| passthroughEnabled | no | If set to true, Ratify will NOT make the decision but pass verifier reports to Gatekeeper. | false |
| policy | no | The policy language that defines the policy. | "" |
| policyPath | no | The path to the policy file if policy is mounted as a volume | "" |

Note: Users MUST provide at least one of policy and policyPath. If both are specified, policy will be used.
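The following is an added example, not part of the Ratify documentation or code base, that reproduces the decision logic of the sample Rego policy above in Python so the two failure rules can be exercised offline without OPA. It mirrors the Rego exactly: `walk()` enumerates every (path, value) pair in the report tree, rule 1 rejects any `isSuccess` key whose value is `false`, and rule 2 rejects any `verifierReports` key holding an empty list. The report documents are constructed for illustration; only the `isSuccess` and `verifierReports` keys matter to the policy, and the other fields (`subject`, `artifactType`, `verifierName`, `message`) are assumed for readability.

```python
"""Offline model of the sample Ratify rego policy.

Added example, not Ratify's own code. Reproduces:
  default valid := false
  valid { not failed_verify(input) }
  failed_verify: any "isSuccess" == false, or any "verifierReports" with count 0
"""
from typing import Any, Iterator, List, Tuple

Path = Tuple[Any, ...]


def walk(node: Any, path: Path = ()) -> Iterator[Tuple[Path, Any]]:
    """Yield (path, value) for every node, like OPA's walk() builtin.

    Dict keys and list indices are appended to the path in the same way
    OPA does, so path[-1] is the key that names the current value.
    """
    yield path, node
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, path + (key,))
    elif isinstance(node, list):
        for idx, child in enumerate(node):
            yield from walk(child, path + (idx,))


def failed_verify(reports: Any) -> List[str]:
    """Return every reason the tree fails; an empty list means it passes.

    Rule 1 mirrors: value == false; path[count(path)-1] == "isSuccess"
    Rule 2 mirrors: path[count(path)-1] == "verifierReports"; count(value) == 0
    """
    reasons: List[str] = []
    for path, value in walk(reports):
        if not path:  # the root has no key name to match against
            continue
        last = path[-1]
        # Rego's `value == false` only matches a boolean, hence `is False`.
        if last == "isSuccess" and value is False:
            reasons.append(f"report at {list(path[:-1])} has isSuccess=false")
        if last == "verifierReports" and isinstance(value, list) and len(value) == 0:
            reasons.append(f"no verifier reports at {list(path[:-1])}")
    return reasons


def valid(input_doc: Any) -> bool:
    """Equivalent of `valid { not failed_verify(input) }` with default false."""
    return not failed_verify(input_doc)


# Constructed sample inputs (not real Ratify output).
ALL_PASS = {
    "verifierReports": [
        {
            "subject": "registry.example/app@sha256:PLACEHOLDER",
            "artifactType": "application/vnd.cncf.notary.signature",
            "isSuccess": True,
            "verifierReports": [{"verifierName": "notation", "isSuccess": True}],
        }
    ]
}
ONE_FAILS = {
    "verifierReports": [
        {"isSuccess": True, "verifierReports": [{"isSuccess": True}]},
        {
            "isSuccess": False,
            "verifierReports": [{"isSuccess": False, "message": "signature mismatch"}],
        },
    ]
}
NO_REPORTS = {"verifierReports": []}
# Edge case for rule 2: the outer report succeeded but no verifier actually
# produced a report for the artifact, so the policy still rejects it.
EMPTY_NESTED = {"verifierReports": [{"isSuccess": True, "verifierReports": []}]}

if __name__ == "__main__":
    for name, doc in [("all_pass", ALL_PASS), ("one_fails", ONE_FAILS),
                      ("no_reports", NO_REPORTS), ("empty_nested", EMPTY_NESTED)]:
        print(f"{name}: valid={valid(doc)} reasons={failed_verify(doc)}")
```

The `EMPTY_NESTED` case is the one worth noticing: a report whose own `isSuccess` is true still fails because rule 2 fires on the empty nested `verifierReports` list, which is what "each artifact MUST have at least one report" enforces.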