Last week we announced new enterprise features in Chainguard Enforce. One of the capabilities we’re excited about is policy versions. Policy versions allow users to gradually test and roll out policy changes to their cluster over time, without losing the historical context of how the policy has changed. Versions give users more visibility into when and by whom policies were updated, as well as the comfort of being able to quickly roll back to a stable version of a policy in the event of the inevitable typo or unintended consequence discovered too late.
Managing versions for new policies in chainctl
To see versions in action, start by creating a new policy:
If you were already a Chainguard Enforce user, you’ll notice legacy policies are missing some of this metadata. Don’t worry! Legacy policies are still fully supported and can be versioned just like newly applied policies. These data will be populated as policies are updated.
Managing versions for existing policies
Listing the versions of this policy shows the newly created version, reflecting that the policy has moved from warn mode to being enforced.
Managing versions in the Chainguard Enforce Console
This will take you to the policy details page, where you will see the policy document in full. Below the document, you will also see a series of tabs, including a Versions tab. Clicking on this tab will display a table with the versions of your policy. It will indicate which version is active, while also allowing you to activate a particular version of the policy by clicking on Apply version in that row.
To create a new version of the policy, click the Edit button located below the policy document. Clicking on this button will open the policy editor, where you can make changes to the policy document.
Once you have finished making edits to the document, click on the Create version button, and a new version of the policy will be created.
You can also make edits to the description field in the policy editor, but remember: this will not create a new policy. It will edit the description of the currently active policy.
Mistakes happen, and a good tool will help protect against the worst effects of those mistakes. Policy versions allow you to adapt to the changing requirements of your system, correct unintended consequences with easy rollbacks, and ensure that your clusters remain secure.