Approval Policy

Introduction

When it comes to critical environments (let's say, production), you as a super-admin might want to introduce an approval flow for application deployment or changes made to the configuration files. Enforcing such restrictions will prevent unwanted deployments and direct modifications to sensitive configurations.

The Approval Policy feature in Devtron lets you introduce an approval mechanism whenever your users perform the following actions:

  • Deploying an Application to an Environment

  • Changes in Deployment Template

  • Changes in ConfigMap

  • Changes in Secret

Figure 1a: Approval for Deployment
Figure 1b: Approval for Configuration Change

Create an Approval Policy

  1. Go to Global Configurations → Approval Policy.

    Figure 2: Approval Policy
  2. Click + Create Profile.

    Figure 3: 'Create Profile' Button
  3. Give a name to the policy, e.g., banking-prod-approval, and add a description (optional) preferably explaining what it does.

    Figure 4: Entering Policy Details
  4. Additionally, you can decide who can grant approval from the following 3 options:

    • Option 1: Choose Any Approver if you want to allow any user with Image Approver permissions and/or Configuration Approver permissions to approve 'Deployment' and 'Configuration Change' requests respectively. Choose the number of approvals your users must get to proceed with their changes. The permissible limit ranges from one approval (minimum) to six approvals (maximum).

      Figure 5: Allowing Any Approver
    • Option 2: Choose Specific Approver → User Group → Add Criteria to choose one or more user groups who can provide the requisite number of approvals. The permissible limit is [1 to 6] for each user group you add. From the selected group(s), only the users having Image Approver and/or Configuration Approver permissions can approve.

      Figure 6: Allowing Approvers from a User Group
    • Option 3: Choose Specific Approver → Specific Users (dropdown) to cherry-pick the names of the user(s) who can provide an approval. Here, there is no upper limit to the approvals (unlike the above options), so the user must obtain approvals from all the specific members you add to the policy.

      Figure 7: Allowing Specific Users

Caution

How do approvals of User Groups work?

If a user belongs to multiple groups (see Option 2 above), their approval is considered and counted for each group. For example, if you mandate 2 approvals (1 from the DevOps group and 1 from the Compliance group), an approval from a common user (belonging to both groups) will count as 2 approvals.

However, once a group's required approvals are met, extra approvals won’t count. For example, if a request needs 2 Security and 3 QA approvals and already has 2 Security and 2 QA approvals, an approval from a user in both teams will count only for QA. The user appears in both lists but doesn’t add to Security’s count.

Can super-admins approve the requests?

Yes, apart from the users having approver access, super-admins can also approve the requests (provided the requests are not their own).

What happens if a specific user mentioned in the policy gets deleted from Devtron or has their permissions revoked?

  5. Click Save Changes.
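
The user-group counting rule from the Caution above, worked through as an added example. This is not Devtron's own code; the function name, data shapes, and user names are assumptions made for illustration.

```python
def tally_group_approvals(required, memberships, approvals, approvers):
    """Tally approvals per user group for one request.

    required:    {group: approvals needed}; the page allows 1 to 6 per group
    memberships: {user: set of groups the user belongs to}
    approvals:   users who approved, in the order they approved
    approvers:   users holding the relevant Approver permission
    Returns (counted, satisfied); counted maps each group to the users
    whose approval was counted for it.
    """
    for group, need in required.items():
        if not 1 <= need <= 6:
            raise ValueError(f"{group}: approvals must be between 1 and 6")
    counted = {group: [] for group in required}
    seen = set()
    for user in approvals:
        # Only permitted approvers count; a repeated approval adds nothing
        # (de-duplication is an assumption of this sketch).
        if user not in approvers or user in seen:
            continue
        seen.add(user)
        for group in memberships.get(user, ()):
            # One approval counts for every group the user belongs to,
            # but only while that group still needs approvals.
            if group in counted and len(counted[group]) < required[group]:
                counted[group].append(user)
    satisfied = all(len(counted[g]) >= n for g, n in required.items())
    return counted, satisfied


def example_common_user():
    # Page example 1: 1 DevOps + 1 Compliance, one user in both groups.
    required = {"DevOps": 1, "Compliance": 1}
    memberships = {"asha": {"DevOps", "Compliance"}}  # constructed user
    return tally_group_approvals(required, memberships, ["asha"], {"asha"})


def example_group_already_met():
    # Page example 2: 2 Security + 3 QA; Security is full before "both" approves.
    required = {"Security": 2, "QA": 3}
    memberships = {"s1": {"Security"}, "s2": {"Security"}, "q1": {"QA"},
                   "q2": {"QA"}, "both": {"Security", "QA"}}  # constructed users
    approvals = ["s1", "s2", "q1", "q2", "both"]
    return tally_group_approvals(required, memberships, approvals, set(approvals))
```

In the first case a single person clears a policy that names two groups, so group memberships are worth reviewing when the policy is meant to enforce separation of duties.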


Apply an Approval Policy

  1. After you create an approval policy, you can apply it. Click Apply Profile on the same screen.

    Figure 8: Apply Profile Button
  2. From the Select profiles to apply dropdown, choose the policy you wish to apply. You also have the option to select more than one policy (if they exist) using the checkbox.

    Figure 9: Selecting Profiles
  3. Choose the scope from the dropdown given next to Use selected policy for approval of. Here you can decide whether your policy is for:

    • Approval of Deployment - Select 'Deployments' from the dropdown.

    • Approval of Configuration Change - Select 'Configuration change' from the dropdown. You can further select: Deployment template, ConfigMaps, Secrets. Select the ones to which your policy should apply so that any change to your chosen configurations will require an approval.

    Figure 10: Choosing Scope
  4. Under Apply to, you get the following options to choose from:

    • Specific Criteria - Select this option to apply your policy to specific environment(s) of specific applications.

      Example: In case of Deployment

      Figure 11a: Specific Criteria for 'Deployment' Approval

      Example: In case of Configuration Change

      Figure 11b: Specific Criteria for 'Configuration Change' Approval
    • By match criteria - Select this option to use a combination of filters to create criteria. Your policy will only apply to target pipelines/configurations fulfilling your criteria (including existing and future ones). (Optional) You may also write a note for your other team members to understand the intent and context of your policy.

      Example: In case of Deployment

      Figure 12a: Match Criteria for 'Deployment' Approval

      Example: In case of Configuration Change

      Figure 12b: Match Criteria for 'Configuration Change' Approval
    • Global - Select this option to apply your chosen policies to every deployment pipeline or configuration (existing and future) of all applications in all clusters.

      Example: In case of Deployment

      Figure 13a: Global Scope for 'Deployment' Approval

      Example: In case of Configuration Change

      Figure 13b: Global Scope for 'Configuration Change' Approval
  5. Click Save Changes.


Apply Multiple Policies

As shown in step 2 of Apply an Approval Policy, you can choose multiple policies and apply them to a scope (e.g., Global, Cluster, Application, Environment, Base Configuration). However, if you have already applied policies and now wish to apply more to the same scope, you may do so by following either of the procedures below:

Apply More Policies to a Scope

  1. Go to the Applied Profiles tab.

  2. Use the filters to find the applied profile and scope (e.g., Global, Cluster, Application).

  3. Click the context menu.

  4. Click Manage policy.

  5. Use the Select profiles to apply dropdown and tick the policy/policies you wish to apply.

  6. Click Save Changes.

    Figure 14: Applying More Policy

Apply More Policies in Bulk

  1. Use the checkboxes to select the relevant scopes (e.g., Global, Cluster, Application).

  2. Click the Manage Profiles button on the floating widget.

  3. Click Add.

  4. Use the Select profile to apply dropdown and tick the policy/policies you wish to apply in bulk.

  5. Review the changes if needed, and click Save Changes.

    Figure 15: Applying More Policy in Bulk

How do multiple policies work if applied together?


Configuring Exceptions (Optional)

The Exceptions tab allows you to specify users or groups for whom the approval policies will not apply. This is useful in cases where certain teams, such as an operations team resolving production incidents, need to bypass approvals while the policies continue to apply to all other users.

You can choose to:

  • Exclude super-admins from approval permissions.

  • Whitelist specific users or user groups who should be exempt from approvals for deployments or configuration changes.

Excluding Super Admins

You can configure whether super-admins are required to follow approval policies or bypass them.

  1. Navigate to Approval Policy → Exceptions.

  2. Choose the scope for which you want super-admins to not require approval. The available scopes are:

    • Configuration Change: Allows super-admins to edit base configurations such as Deployment Templates, ConfigMaps, or Secrets without requiring approvals.

    • Deployment: Allows super-admins to deploy images to an environment without requiring approvals.

  3. Enable/Disable the toggle next to Super admins as per your requirement.

    • When enabled, super-admins can deploy images and edit base configurations without approvals.

    • When disabled, super-admins follow the same approval policies as other users.

    Figure 16: Enabling Super Admins Exception

Note

Super-admins can approve requests even if the toggle is turned off.

Excluding Specific Users / User Groups / API Tokens

  1. Navigate to Approval Policy → Exceptions.

    Figure 17: Exceptions Tab
  2. Choose the scope for which specific users / user groups / API tokens do not require approval. The available scopes are:

    • Configuration Change: Allows the selected users, user groups, and API tokens to edit base configurations such as Deployment Templates, ConfigMaps, or Secrets without requiring approvals.

    • Deployment: Allows the selected users, user groups, and API tokens to deploy images to an environment without requiring approvals.

    Figure 18: Selecting Scope

Note

The list of users is fetched from User Permissions, and the list of API tokens is sourced from API Tokens.

You cannot enter a new email ID or token directly.

  3. Click the Add/Edit button next to Specific Users / User Groups. A pop-up modal window will appear.

    Figure 19: Clicking 'Add/Edit'
  4. You can do either of the following:

    1. Select specific Users or API Tokens from the Add Users dropdown.

      Figure 20a: Selecting Specific Users
      Figure 20b: Selecting Specific API Tokens
    2. Select specific User Groups from the Add user groups dropdown.

      Figure 21: Selecting Specific User Groups

  5. Click Save. The selected users or user groups will no longer require approvals for the selected scope.

    Figure 22: Clicking 'Save'

Caution

After configuring exceptions, super-admins and specific users / user groups can make configuration changes and trigger deployments without requiring any approval.

Triggering Deployments

Do exceptions bypass blackout or maintenance windows?

Note

An exception user can still follow the normal flow of requesting an image approval and getting it approved, and also has the option to deploy images without approvals.

Figure 23a: Deploying an Image without an Approval
Figure 23b: Email Notification
Figure 23c: Deployment History

Editing Base Configurations

Note

  • An exception user can still follow the normal flow of submitting a configuration change draft for approval, and getting it approved.

  • Any existing draft is discarded once the exception user updates the configuration using express edit.

Figure 24a: Editing Deployment Template without an Approval
Figure 24b: Creating/Editing ConfigMap without an Approval
Figure 24c: Creating/Editing Secret without an Approval

Remove Applied Policies

If you have already applied policies and wish to remove some of them from a scope, follow the steps below. The approval conditions of the removed policy will no longer apply to the given scope, and the conditions of other policies (if applied to the same scope) will remain.

Remove Policies Applied to a Scope

  1. Go to the Applied Profiles tab.

  2. Use the filters to find the applied profile and scope (e.g., Global, Cluster, Application).

  3. Click the context menu.

  4. Click Manage policy.

  5. In the Select profiles to apply dropdown, click 'x' next to the policy/policies you wish to remove.

  6. Click Save Changes.

    Figure 25: Remove Applied Policy from a Scope

Remove Applied Policies in Bulk

  1. Use the checkboxes to select the relevant scopes (e.g., Global, Cluster, Application).

  2. Click the Manage Profiles button on the widget.

  3. Click Remove.

  4. In the Remove Approval Policy dropdown, click 'x' next to the policy/policies you wish to remove.

  5. Review the changes if needed, and click Save Changes.

    Figure 26: Removing Policies in Bulk


Delete Applied Policies

If you have already applied policies to a scope (e.g., Global, Cluster, Application) and wish to delete all of them from that given scope, follow the steps below. Note: This will not delete the approval policy you originally created. Moreover, deployment pipelines may still continue inheriting profiles from higher scopes (e.g., Global, Cluster, Application).

  1. Go to the Applied Profiles tab.

  2. Use the filters to find the applied profile(s).

  3. Click the Delete option in the context menu or use the checkboxes to select multiple scopes for deletion.

    Figure 27: Deleting Applied Policies (One-by-one or Bulk)

Delete an Approval Policy

If you no longer require a given approval policy, you may delete it. This action will automatically remove the rules it enforced earlier for both deployments and configuration changes.

  1. Go to the Profiles tab.

  2. Click the delete icon next to the profile you wish to delete.

    Figure 28: Deleting Approval Policy

Results

Approving Deployment Request

Assume you created a policy (shown below) that blocks the deployment of a banking application to an environment unless there are two approvals. No user can trigger the deployment unless the images are approved.

Figure 29: Example
  1. The user first requests approval of the intended image. Only those with the necessary permissions will show up in the approver list. Moreover, the user can also opt to notify all users apart from the approvers.

    Figure 30: Request Approval for Deployment
  2. Only those with Image Approver permissions can then approve the request.

    Figure 31: User with 'Image Approver' Permissions granting approval

    If SES/SMTP is configured in Devtron, the approver gets notified via email. This enables the approver to take an action directly from the mail, such as View Request and Approve Request.

    Figure 32: Approval via Email
  3. The user can then proceed with deploying the approved image.

    Figure 33: Deployment of Approved Image

Approving Configuration Change Request

Assume you created a policy (shown below) that prevents direct changes to the configuration files (Deployment Template, ConfigMaps, Secrets) of a banking application unless there is one approval.

Figure 34: Example
  1. The user first requests approval for pushing a configuration change in Deployment Template/ConfigMap/Secret.

    Figure 35: Request Approval for Configuration Change
  2. Only those with Configuration Approver permissions can then approve the request.

    Figure 36: User with 'Configuration Approver' permissions granting approval

    If SES/SMTP is configured in Devtron, the approver gets notified via email. Therefore, the approver can take an action directly from the mail as shown below.

    Figure 37: Config Approval via Email
