Policy as Code FAQs
This topic addresses some frequently asked questions about Policy as Code support in Harness.
Can we use our own Gatekeeper and have Harness manage Gatekeeper and policies?
No, Harness has an internal policy service that manages the policies and evaluates policies against Harness object payloads.
Can policies be managed in Git?
Yes, you can manage policies in Git. For more information, go to Configure Git Experience for OPA.
Can you reference Harness variables expressions in policies?
No, you cannot reference Harness variable expressions such as <+service.name>
directly in a policy. You can map a Harness variable expression to a fixed JSON Key in the Governance Policy Step and then evaluate it against a policy. For more information, go to Add a Policy step to a pipeline.
What can I write policies against?
You can now write policies against:
- Pipelines
- Templates
- Connectors
- Secrets
- Feature Flags
- Custom
Support for the following entities is on our long-term roadmap:
- Service
- Environments
- RBAC
Can policy sets be managed in Git?
No, you cannot manage policy sets in Git.
When can policies be evaluated?
- On Save: Policies can be applied via a policy set to a specific object when a user is trying to update or create it. The following object types are supported:
- Feature Flags
- Connectors
- Secrets
- Templates
- Pipelines
- On Run: Policies can be applied when a pipeline is run and a value is computed. The following object type is supported:
- Pipelines
- On Step: When using the Governance Step, you can evaluate a policy against the JSON that is generated from the step. The following object type is supported:
- Custom