Policies

The Drone policy file gives you the ability to define policies that set and enforce pipeline values. For example, this gives you the ability to set namespace, tolerations and more based on organization, repository and other matching criteria.

Example policy file:

---
kind: policy
name: octocat

match:
  repo:
  - "octocat/*"
  - "octocat/hello-world"

metadata:
  namespace: octocat

resources:
  request:
    cpu: 1000
    memory: 512MiB
  limit:
    cpu: 4000
    memory: 1GiB

node_selector:
  disktype: ssd

---
kind: policy
name: default

metadata:
  namespace: default

The policy file must be mounted into your runner container and you must provide the runner the location of the policy file. See the policy configuration parameter for configuration instructions.

Multiple Policies

You can define multiple policies in the policy file. The match section is used to match a policy to the pipeline. The first matching policy is applied to the pipeline.

---
kind: policy
name: octocat

match:
  repo:
  - "octocat/*"
  - "octocat/hello-world"

metadata:
  namespace: octocat

---
kind: policy
name: default

metadata:
  namespace: default

Default Policies

You can optionally define a default policy in the policy file, named accordingly. The default policy is applied if no other policy matches the pipeline.

---
kind: policy
name: octocat

match:
  repo:
  - "octocat/*"
  - "octocat/hello-world"

metadata:
  namespace: octocat

---
kind: policy
name: default

metadata:
  namespace: default

File Format

  • kind
    The kind attribute defines the kind of object.
  • name
    The name attribute defines a name for your policy.
  • metadata
    The metadata section defines metadata attached to the pipeline pod.
    • namespace
      The namespace attribute defines the namespace in which the pipeline pod is created. This takes precedence over the value defined in the yaml.
    • annotations
      The annotations attribute defines a set of arbitrary key / value pairs that are attached to the pipeline pod. These are appended to existing annotations that are defined in the yaml and take precedence on conflict.
    • labels
      The labels attribute defines a set of arbitrary key / value pairs that are attached to the pipeline pod. These are appended to existing labels that are defined in the yaml and take precedence on conflict.
  • resources
    The resources attribute defines resource requirements and limits for pipeline steps.
    • request
      The request section defines resource requirements used when the scheduler decides which node to place the pipeline pod on.
      • cpu
        The cpu attribute defines cpu requirements in millicores.
      • memory
        The memory attribute defines memory requirements.
    • limit
      The limit section defines container resource limits applied to each pipeline step.
      • cpu
        The cpu attribute defines cpu limits in millicores.
      • memory
        The memory attribute defines memory limits.
  • service_account
    The service_account attribute defines the kubernetes service account used to create the pipeline pod. This takes precedence over the value defined in the yaml.
  • node_selector
    The node_selector attribute defines a set of key / value pairs used to route pipeline pods to matching nodes. This takes precedence over the values defined in the yaml.
  • tolerations
    The tolerations section defines and applies tolerations to pipeline pods to schedule onto nodes with matching taints.
    • effect
      The effect attribute defines the taint effect.
    • key
      The key attribute defines the toleration key.
    • operator
      The operator attribute defines the toleration operator.
    • toleration_seconds
      The toleration_seconds attribute defines the toleration seconds.
    • value
      The value attribute defines the toleration value.
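The following is an added example, not code from Drone or its runner, that models the selection and precedence rules described in the Multiple Policies, Default Policies and File Format sections: the first policy whose match section matches the repository wins, the policy named default is the fallback, namespace / service_account / node_selector from the policy replace the values in the pipeline yaml, and labels / annotations are appended with the policy winning on conflicting keys. The policies are written as the dicts the YAML documents above parse to (the octocat policy is extended with one label so the merge is visible), and interpreting a repo pattern such as "octocat/*" as a shell-style glob via fnmatch is an assumption about how the runner matches it.

```python
"""Resolve the effective pod settings for a pipeline under a Drone policy file.

Added example (not Drone's own code). Glob matching of the match.repo
patterns via fnmatch is an assumption; the precedence rules follow the
File Format section of the page.
"""
from fnmatch import fnmatchcase

# Constructed: the multi-document policy file from the page, in parsed form,
# with a label added to the octocat policy to show the label merge.
POLICIES = [
    {
        "kind": "policy",
        "name": "octocat",
        "match": {"repo": ["octocat/*", "octocat/hello-world"]},
        "metadata": {"namespace": "octocat", "labels": {"team": "octocat"}},
        "resources": {
            "request": {"cpu": 1000, "memory": "512MiB"},
            "limit": {"cpu": 4000, "memory": "1GiB"},
        },
        "node_selector": {"disktype": "ssd"},
    },
    {
        "kind": "policy",
        "name": "default",
        "metadata": {"namespace": "default"},
        "service_account": "drone",
    },
]


def matches(policy, repo):
    """True if any pattern in the policy's match.repo list matches the repo slug."""
    patterns = policy.get("match", {}).get("repo", [])
    return any(fnmatchcase(repo, pattern) for pattern in patterns)


def select_policy(policies, repo):
    """Return the first policy with a matching match section, else the one
    named 'default', else None. Policies without a match section other than
    'default' are never selected (assumption consistent with the page)."""
    for policy in policies:
        if "match" in policy and matches(policy, repo):
            return policy
    for policy in policies:
        if policy.get("name") == "default":
            return policy
    return None


def apply_policy(policy, pipeline):
    """Merge one policy onto the pod settings requested in the pipeline yaml.

    namespace, service_account, node_selector and resources from the policy
    replace what the yaml asked for; labels and annotations are appended,
    the policy winning on conflicting keys. Anything the policy does not set
    stays as the yaml defined it.
    """
    effective = {
        "policy": None,
        "namespace": pipeline.get("namespace"),
        "service_account": pipeline.get("service_account"),
        "node_selector": dict(pipeline.get("node_selector", {})),
        "labels": dict(pipeline.get("labels", {})),
        "annotations": dict(pipeline.get("annotations", {})),
        "resources": pipeline.get("resources"),
    }
    if policy is None:
        return effective
    effective["policy"] = policy["name"]
    meta = policy.get("metadata", {})
    if "namespace" in meta:
        effective["namespace"] = meta["namespace"]
    if "service_account" in policy:
        effective["service_account"] = policy["service_account"]
    if "node_selector" in policy:
        effective["node_selector"] = dict(policy["node_selector"])
    if "resources" in policy:
        effective["resources"] = policy["resources"]
    for key in ("labels", "annotations"):
        # append to the yaml's pairs; dict.update lets the policy win on conflict
        effective[key].update(meta.get(key, {}))
    return effective


def resolve(policies, repo, pipeline):
    """Select the policy for repo and return the effective pod settings."""
    return apply_policy(select_policy(policies, repo), pipeline)


if __name__ == "__main__":
    # Constructed pipeline yaml that asks for a privileged namespace and account.
    requested = {"namespace": "kube-system", "service_account": "cluster-admin",
                 "labels": {"team": "ops", "app": "ci"}}
    print(resolve(POLICIES, "octocat/hello-world", requested))
    print(resolve(POLICIES, "acme/api", requested))
```

Because only the first matching policy is applied, nothing cascades from the default policy: in the run above the octocat policy overrides the namespace but leaves the yaml's service account in place, since that policy never sets service_account. Each matching policy therefore has to set every value you intend to enforce itself.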

Examples

  • Example policy sets the default service account:

    kind: policy
    name: default
    
    service_account: drone
    
  • Example policy sets the default service account for matching pipelines:

    kind: policy
    name: default
    
    service_account: drone
    
    match:
      repo:
      - "octocat/*"
      - "octocat/hello-world"
    
  • Example policy sets the default namespace:

    kind: policy
    name: default
    
    metadata:
      namespace: default
    
    match:
      repo:
      - "octocat/*"
      - "octocat/hello-world"
    
  • Example policy sets the default resource limits:

    kind: policy
    name: default
    
    metadata:
      namespace: default
    
    resources:
      request:
        cpu: 1000
        memory: 512MiB
      limit:
        cpu: 4000
        memory: 1GiB
    
  • Example policy sets the default node selection:

    kind: policy
    name: default
    
    metadata:
      namespace: default
    
    node_selector:
      disktype: ssd
    
  • Example policy sets the default metadata:

    kind: policy
    name: default
    
    metadata:
      namespace: default
      labels:
        keyA: valueA
        keyB: valueB
      annotations:
        keyA: valueA
        keyB: valueB