Policy as Code

aqua >= v1.24.0

#1306

See also.

• Guides > Policy as Code
• Why is Policy needed?
• Git Repository root's policy file and policy commands

Change Logs

• v2.3.0: Support Git Repository root's policy file and policy commands
• v2.1.0: Support AQUA_DISABLE_POLICY
• v2.0.0: aqua allows only Standard Registry by default
• v1.24.0: Introduce Policy

Disable Policy

aqua >= v2.1.0 #1790

caution

We don't recommend this feature basically because Policy is important in terms of security. This feature is introduced to enable users using non Standard Registries to upgrade aqua to v2 easily. You shouldn't use this feature in CI.

If AQUA_DISABLE_POLICY is true, Policy is disabled and every Registry and Package are available.

Policy Types

There are two types of Policies

1. Git Repository root's policy file
2. AQUA_POLICY_CONFIG

We recommend Git Repository root's policy file instead of AQUA_POLICY_CONFIG. Git Repository root's policy file was introduced to solve the issue of AQUA_POLICY_CONFIG. Please see Why is Git Repository root's policy file needed.

AQUA_POLICY_CONFIG

You can specify Policy file paths by the environment variable AQUA_POLICY_CONFIG.

e.g.

export AQUA_POLICY_CONFIG=$PWD/aqua-policy.yaml:$AQUA_POLICY_CONFIG

Unlike Git Repository root's policy file, you don't have to run aqua policy allow command to allow Policy files.