Approval Policy


Last updated 2 months ago


Introduction

When it comes to critical environments (let's say, production), you as a superadmin might want to introduce an approval flow for application deployment or changes made to the configuration files. Enforcing such restrictions will prevent unwanted deployments and direct modifications to sensitive configurations.

The Approval Policy feature in Devtron lets you introduce an approval mechanism whenever your users perform the following actions:

  • Deploying an Application to an Environment

  • Changes in Deployment Template

  • Changes in ConfigMap

  • Changes in Secret

Figure 1a: Approval for Deployment

Create an Approval Policy

Who Can Perform This Action?

Users need to have super-admin permissions to create an approval policy.

  1. Go to Global Configurations → Approval Policy.

  2. Click + Create Profile.

  3. Give a name to the policy, e.g., banking-prod-approval, and add a description (optional) preferably explaining what it does.

  4. Additionally, you can decide who can grant approval from the following 3 options:

    • Option 1: Choose Any Approver if you want to allow any user with Image Approver permissions and/or Configuration Approver permissions to approve 'Deployment' requests and 'Configuration Change' requests respectively. Choose the number of approvals your users must get to proceed with their changes. The permissible limit ranges from one approval (minimum) to six approvals (maximum).

    • Option 3: Choose Specific Approver → Specific Users (dropdown) to cherry-pick the names of the user(s) who can provide an approval. Here, there is no upper limit to the approvals (unlike the above options), so the user must obtain approvals from all the specific members you add to the policy.

How do approvals of User Groups work?

If a user belongs to multiple groups (see Option 2 above), their approval is considered and counted for each group. For example, if you mandate 2 approvals: 1 from DevOps group and 1 from Compliance group; an approval from a common user (belonging to both groups) will count as 2 approvals.

However, once a group's required approvals are met, extra approvals won’t count. For example, if a request needs 2 Security and 3 QA approvals and already has 2 Security and 2 QA approvals, an approval from a user in both teams will count only for QA. The user appears in both lists but doesn’t add to Security’s count.

Can super-admins approve the requests?

Yes, apart from the users having approver access, super-admins can also approve the requests (provided the requests are not their own).

What happens if a specific user mentioned in the policy gets deleted from Devtron or has their permissions revoked?

Even if the user mentioned in the policy no longer exists, the approval conditions will remain unchanged. Therefore, to prevent unfulfilled approval conditions because of an absent user, it's best to remove that specific user from the policy.

  5. Click Save Changes.


Apply an Approval Policy

Who Can Perform This Action?

Users need to have super-admin permissions to apply an approval policy.

  1. After you create an approval policy, you can apply it. Click Apply Profile on the same screen.

  2. From the Select profiles to apply dropdown, choose the policy you wish to apply. You also have the option to select more than one policy (if they exist) using the checkbox.

  3. Choose the scope from the dropdown given next to Use selected policy for approval of. Here you can decide whether your policy is for:

    • Approval of Deployment - Select 'Deployments' from the dropdown.

    • Approval of Configuration Change - Select 'Configuration change' from the dropdown. You can further select: Deployment template, ConfigMaps, Secrets. Select the ones to which your policy should apply so that any change to your chosen configurations will require an approval.

  4. Under Apply to, you get the following options to choose from:

    • Specific Criteria - Select this option to apply your policy to specific environment(s) of specific applications.

      Example: In case of Deployment

      Example: In case of Configuration Change

    • By match criteria - Select this option to use a combination of filters to create criteria. Your policy will only apply to target pipelines/configurations fulfilling your criteria (including existing and future ones). (Optional) You may also write a note for your other team members to understand the intent and context of your policy.

      Example: In case of Deployment

      Example: In case of Configuration Change

    • Global - Select this option to apply your chosen policies to every deployment pipeline or configurations (existing and future) of all applications in all clusters.

      Example: In case of Deployment

      Example: In case of Configuration Change

  5. Click Save Changes.


Apply Multiple Policies

Who Can Perform This Action?

Users need to have super-admin permissions to apply more policies to a scope.

Apply More Policies to a Scope

  1. Go to the Applied Profiles tab.

  2. Use the filters to find the applied profile and scope (e.g., Global, Cluster, Application).

  3. Click the context menu.

  4. Click Manage policy.

  5. Use the Select profiles to apply dropdown and tick the policy/policies you wish to apply.

  6. Click Save Changes.

Apply More Policies in Bulk

  1. Use the checkboxes to select the relevant scopes (e.g., Global, Cluster, Application).

  2. Click the Manage Profiles button on the floating widget.

  3. Click Add.

  4. Use the Select profile to apply dropdown and tick the policy/policies you wish to apply in bulk.

  5. Review the changes if needed, and click Save Changes.

How do multiple policies work if applied together?

If you apply multiple policies together, the user has to meet the approval conditions of all the applied policies.

Example 1: If 'Policy A' demands 3 approvals specifically from John, Jane, and Jessy; and if 'Policy B' requires 1 approval from 'Product User Group', the user will have to get 4 approvals.

Example 2: If 'Policy A' demands 3 approvals specifically from John, Jane, and Jessy; and if 'Policy B' requires 2 approvals from anyone, the user will still have to get 3 approvals from John, Jane, and Jessy.

In short, the stricter conditions from the policies are enforced first and they have to be fulfilled.
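The counting rules described on this page (a shared member counts for each of their groups, approvals beyond a group's quota are not counted, and every applied policy must be met) can be modelled as follows. This is an added illustration, not Devtron's code: the `Requirement` type, the helper names, and every user other than John, Jane and Jessy are assumptions. It also reports a quota that can no longer be reached because a named approver is gone.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Requirement:
    name: str
    eligible: frozenset  # users allowed to satisfy this condition
    needed: int          # approvals required from `eligible`

def quota(name, members, needed):
    """'Any Approver' or a user group: `needed` approvals from `members`."""
    return Requirement(name, frozenset(members), needed)

def specific_users(users):
    """'Specific Users': every named user must approve."""
    return Requirement("specific users", frozenset(users), len(users))

def evaluate(policies, approvals, active_users):
    """policies: {policy name: [Requirement, ...]}; approvals: users who approved.
    Returns (approved, status) where status maps (policy, requirement) to
    (counted, needed, satisfiable)."""
    approvals, active = set(approvals), set(active_users)
    status = {}
    for policy, requirements in policies.items():
        for req in requirements:
            # One approval counts toward every requirement its author is eligible for.
            got = len(req.eligible & approvals)
            counted = min(got, req.needed)  # extras beyond the quota are not counted
            # A deleted or de-permissioned approver can leave the quota unreachable.
            satisfiable = len(req.eligible & active) >= req.needed
            status[(policy, req.name)] = (counted, req.needed, satisfiable)
    approved = all(c == n for c, n, _ in status.values())
    return approved, status

# Constructed sample data; only John, Jane and Jessy come from the page.
SECURITY = {"sam", "sara", "alex"}
QA = {"quinn", "qadir", "quentin", "alex"}
TRIO = {"john", "jane", "jessy"}
PRODUCT = {"priya", "pat"}
USERS = SECURITY | QA | TRIO | PRODUCT

GROUPS = {"banking": [quota("Security", SECURITY, 2), quota("QA", QA, 3)]}
EXAMPLE_1 = {"A": [specific_users(TRIO)], "B": [quota("Product User Group", PRODUCT, 1)]}
EXAMPLE_2 = {"A": [specific_users(TRIO)], "B": [quota("any approver", USERS, 2)]}

if __name__ == "__main__":
    print(evaluate(GROUPS, {"sam", "sara", "quinn", "qadir", "alex"}, USERS))
    print(evaluate(EXAMPLE_1, TRIO, USERS))
    print(evaluate(EXAMPLE_2, TRIO, USERS))
    print(evaluate(EXAMPLE_2, {"john", "jane"}, USERS - {"jessy"}))
```

Running the last case shows why a removed specific approver should also be removed from the policy: the requirement stays at three approvals while only two eligible users remain.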


Remove Applied Policies

Who Can Perform This Action?

Users need to have super-admin permissions to remove an applied approval policy.

If you have already applied policies and wish to remove some of them from a scope, follow the steps below. The approval conditions of the removed policy will no longer apply to the given scope, and the conditions of other policies (if applied to the same scope) will remain.

Remove Policies Applied to a Scope

  1. Go to the Applied Profiles tab.

  2. Use the filters to find the applied profile and scope (e.g., Global, Cluster, Application).

  3. Click the context menu.

  4. Click Manage policy.

  5. In the Select profiles to apply dropdown, click 'x' next to the policy/policies you wish to remove.

  6. Click Save Changes.

Remove Applied Policies in Bulk

  1. Use the checkboxes to select the relevant scopes (e.g., Global, Cluster, Application).

  2. Click the Manage Profiles button on the widget.

  3. Click Remove.

  4. In the Remove Approval Policy dropdown, click 'x' next to the policy/policies you wish to remove.

  5. Review the changes if needed, and click Save Changes.

Note


Delete Applied Policies

Who Can Perform This Action?

Users need to have super-admin permissions to delete an applied policy.

  1. Go to the Applied Profiles tab.

  2. Use the filters to find the applied profile(s).

  3. Click the Delete option in the context menu or use the checkboxes to select multiple scopes for deletion.


Delete an Approval Policy

Who Can Perform This Action?

Users need to have super-admin permissions to delete an approval policy.

If you no longer require a given approval policy, you may delete it. This action will automatically remove the rules it enforced earlier for both deployments and configuration changes.

  1. Go to the Profiles tab.

  2. Click the delete icon next to the profile you wish to delete.


Results

Approving Deployment Request

Assume you created a policy (shown below) that blocks the deployment of a banking application to an environment unless there are two approvals. No user can trigger the deployment unless the images are approved.

  1. The user first requests approval of the intended image. Only those with the necessary permissions will show up in the approver list. Moreover, the user can also opt to notify all users apart from the approvers.

  2. Only those with Image Approver permissions can then approve the request.

  3. The user can then proceed with deploying the approved image.

Approving Configuration Change Request

Assume you created a policy (shown below) that prevents direct changes to the configuration files (Deployment Template, ConfigMaps, Secrets) of a banking application unless there is one approval.

  1. The user first requests approval for pushing a configuration change in Deployment Template/ConfigMap/Secret.

  2. Only those with Configuration Approver permissions can then approve the request.

Figure 1b: Approval for Configuration Change
Figure 2: Approval Policy
Figure 3: 'Create Profile' Button
Figure 4: Entering Policy Details
Figure 5: Allowing Any Approver

Option 2: Choose Specific Approver → User Group → Add Criteria to choose one or more user groups who can provide the requisite number of approvals. The permissible limit is [1 to 6] for each user group you add. From the selected group(s), only the users having Image Approver and/or Configuration Approver permissions can approve.

Figure 6: Allowing Approvers from a User Group
Figure 7: Allowing Specific Users
Figure 8: Apply Profile Button
Figure 9: Selecting Profiles
Figure 10: Choosing Scope
Figure 11a: Specific Criteria for 'Deployment' Approval
Figure 11b: Specific Criteria for 'Configuration Change' Approval
Figure 12a: Match Criteria for 'Deployment' Approval
Figure 12b: Match Criteria for 'Configuration Change' Approval
Figure 13a: Global Scope for 'Deployment' Approval
Figure 13b: Global Scope for 'Configuration Change' Approval

As shown in step 2 of Apply an Approval Policy, you can choose multiple policies and apply them to a scope (e.g., Global, Cluster, Application, Environment, Base Configuration). However, if you have already applied policies and now wish to apply more policies to the same scope, you may do so by following either of these procedures: Apply More Policies to a Scope, or Apply More Policies in Bulk.

Figure 14: Applying More Policy
Figure 15: Applying More Policy in Bulk

Figure 16: Remove Applied Policy from a Scope
Figure 17: Removing Policies in Bulk

At least one policy must remain applied to a scope, so you cannot remove all the policies from a scope. You may use the delete procedure instead.

If you have already applied policies to a scope (e.g., Global, Cluster, Application) and wish to delete all of them from that given scope, follow the steps below. Note: This will not delete the approval policy you originally created. Moreover, deployment pipelines may still continue inheriting profiles from higher scopes (e.g., Global, Cluster, Application).

Figure 18: Deleting Applied Policies (One-by-one or Bulk)
Figure 19: Deleting Approval Policy
Figure 20: Example
Figure 21: Request Approval for Deployment
Figure 22: User with 'Image Approver' Permissions granting approval

If SES/SMTP is configured in Devtron, the approver gets notified via email. This enables the approver to take an action directly from the mail, such as View Request and Approve Request.

Figure 23: Approval via Email
Figure 24: Deployment of Approved Image
Figure 25: Example
Figure 26: Request Approval for Configuration Change
Figure 27: User with 'Configuration Approver' permissions granting approval

If SES/SMTP is configured in Devtron, the approver gets notified via email. Therefore, the approver can take an action directly from the mail as shown below.

Figure 28: Config Approval via Email