Policy as Code FAQs
This topic addresses some frequently asked questions about Policy as Code support in Harness.
Can we use our own Gatekeeper and have Harness manage Gatekeeper and policies?
No, Harness has an internal policy service that manages the policies and evaluates policies against Harness object payloads.
Can policies be managed in Git?
Yes, you can manage policies in Git. For more information, go to Configure Git Experience for OPA.
Can you reference Harness variable expressions in policies?
No, you cannot reference Harness variable expressions such as <+service.name> directly in a policy. You can map a Harness variable expression to a fixed JSON Key in the Governance Policy Step and then evaluate it against a policy. For more information, go to Add a Policy step to a pipeline.
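The mapping described above, as an added Rego example that is not taken from Harness documentation. The payload key serviceName, the package name and the allow-list values are assumptions, as is the premise that the policy set treats any deny message as a failure.

```rego
package custom_payload_example # hypothetical package name

# Constructed payload for the Policy step (entity type Custom). The step maps
# the expression to a fixed key, so the policy reads input.serviceName and
# never sees the expression syntax itself:
#
#   { "serviceName": "<+service.name>" }
#
# The key name and the allow-list values are assumptions for illustration.
allowed_services := {"payments-api", "ledger-worker"}

# Fail closed: the mapped key must be present in the payload.
deny[msg] {
    not input.serviceName
    msg := "payload is missing the serviceName key"
}

# The mapped value must be a string.
deny[msg] {
    value := input.serviceName
    not is_string(value)
    msg := sprintf("serviceName must be a string, got %v", [value])
}

# An empty or whitespace-only value is rejected.
deny[msg] {
    is_string(input.serviceName)
    trim_space(input.serviceName) == ""
    msg := "serviceName is empty"
}

# Defensive check (assumption): a value that still looks like an expression
# is reported as unresolved instead of being silently compared.
deny[msg] {
    is_string(input.serviceName)
    startswith(input.serviceName, "<+")
    msg := sprintf("serviceName was not resolved: '%s'", [input.serviceName])
}

# Only services on the allow-list pass.
deny[msg] {
    is_string(input.serviceName)
    not allowed_services[input.serviceName]
    msg := sprintf("service '%s' is not on the allow-list", [input.serviceName])
}
```

Because the policy depends only on the fixed key, a payload that omits it or carries an unexpected type is denied rather than passing by default.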
What can I write policies against?
You can now write policies against:
- Pipelines
- Templates
- Connectors
- Secrets
- Feature Flags
- Custom
- Service
Support for the following entities is on our long-term roadmap:
- Service
- Environments
- RBAC
Can policy sets be managed in Git?
No, you cannot manage policy sets in Git.
When can policies be evaluated?
- On Save: Policies can be applied via a policy set to a specific object when a user is trying to update or create it. The following object types are supported:
  - Feature Flags
  - Connectors
  - Secrets
  - Templates
  - Pipelines
  - Service
  Policies applied to the Service entity during On Run and On Save events are currently behind the feature flag CDS_ENABLE_SERVICE_ON_RUN_OPA_EVAL. Contact Harness Support to enable the feature.
- On Run: Policies can be applied when a pipeline is running and a value is computed. The following object types are supported:
  - Pipelines
  - Service
  Policies applied to the Service entity during On Run and On Save events are currently behind the feature flag CDS_ENABLE_SERVICE_ON_RUN_OPA_EVAL. Contact Harness Support to enable the feature.
- On Step: When using the Governance Step, you can evaluate a policy against the JSON that is generated from the step. The following object type is supported:
  - Custom
What version of the OPA library does Harness platform use?
Harness platform uses the Open Policy Agent (OPA) library version 0.62.0.
For more details, you can refer to OPA v0.62.0.