Enable OPA Policies to Resolve Pipeline Variables at Runtime Evaluation
pending feedback
Dawn pink Parakeet
Problem Statement:
Currently, OPA policies cannot resolve expressions and variables during runtime evaluation. When a pipeline variable references a project-level variable (e.g., <+variable.cpu_limit>), the OPA policy receives the expression string itself rather than the resolved value. This prevents runtime governance of resource limits based on dynamically configured values.
Use Case:
We need to enforce CPU resource limits across all pipelines using OPA policies that evaluate at pipeline runtime. Teams should be able to configure their resource limits via project variables, but these limits must be capped by OPA policies (e.g., max 6 CPUs) during pipeline execution.
Current Limitation:
- OPA policies work correctly on "save" when values are static
- At runtime, expressions are not resolved, causing policies to fail validation
- The PIPE_IS_PRE_STEP_OPA_POLICY_EVALUATION_ENABLED feature flag only works at the step level, requiring individual configuration per step. Also, the step-level inputs contain no information on resource limits, so this is not possible anyway.
- This doesn't scale for global enforcement across custom pipelines
Requested Enhancement:
Enable OPA policies to resolve all expressions and variables (including project/org/account variables) during runtime evaluation at the pipeline level. This would allow:
- Global resource governance across all pipelines
- Dynamic configuration through variables while maintaining policy controls
- Runtime enforcement without requiring step-by-step policy configuration
Support Ticket: https://support.harness.io/hc/en-us/requests/101501
Tanvi Bobde
Samriddha from PayPal's Feedback -
I checked the approach, but this doesn't seem feasible. Please correct me if I am wrong, but from my understanding, what you're suggesting is to have a check for a specific variable and block the pipeline based on that value. This will work for this use case but fails when we try to implement a global standard using OPA, as people can just use any variable name. So while the solution "works", I feel it is not a concrete one to resolve the issue here.
abhijit.pujare
@Dawn pink Parakeet: Can you elaborate on the global standard you are trying to implement?
The approach we have suggested should work for this use case or any use case where you want to have a global "limit" for a certain type of value (e.g. a CPU resource limit). Creating an OPA policy on a variable and making sure that variable (or set of variables) is the only one used for that value (e.g. during pipeline creation) will allow you to enforce a global limit.
abhijit.pujare marked this post as pending feedback
abhijit.pujare
@Dawn pink Parakeet, we got a chance to look into this further and we believe the following approach should work for your use case:
- Have a policy for a variable which operates on save. You can write this policy such that when someone is saving a variable with the name "cpu_limit", the value of that variable is less than or equal to some number.
To learn more about OPA policies on variables see this documentation:
- Then, in the pipeline policy you write, you can ensure that for any step or stage that has the CPU limit as a field, if there is a variable expression for it, only the variable stated above (i.e. cpu_limit) is used.
Let me know if that works.
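The two-policy approach in the comment above, together with the runtime problem stated in the original request (at pipeline evaluation the policy sees the literal string <+variable.cpu_limit>, not its resolved value), can be written out in Rego. The following is an added example written for this page; it is not Harness documentation code and not code posted by anyone in the thread. The Variable entity input shape (input.variable.name, input.variable.spec.fixedValue) and the file names are assumptions to be checked against the actual Harness payload; the pipeline policy assumes the standard input.pipeline document with CPU limits stored under resources.limits.cpu. The pipeline policy uses walk() so that the cpu field is found in any stage or step type rather than at one hard-coded path; that is what answers the "people can just use any variable name" objection: any expression other than <+variable.cpu_limit> is denied outright, and literal values are capped directly, so the only way to use an expression is through the variable that the on-save policy caps.

```rego
# ---- file: cpu_limit_variable.rego (Variable entity, evaluated on save) ----
# Assumed input shape (not verified against the real Harness payload):
#   {"variable": {"name": "cpu_limit", "spec": {"fixedValue": "4"}}}
package variable

max_cpu := 6

# Accept "500m" (millicores), "2" or 2 and return a number of cores.
to_cores(v) = n {
    is_number(v)
    n := v
}
to_cores(v) = n {
    is_string(v)
    endswith(v, "m")
    n := to_number(trim_suffix(v, "m")) / 1000
}
to_cores(v) = n {
    is_string(v)
    not endswith(v, "m")
    n := to_number(v)
}

deny[msg] {
    input.variable.name == "cpu_limit"
    cpu := to_cores(input.variable.spec.fixedValue)
    cpu > max_cpu
    msg := sprintf("variable cpu_limit is %v cores; maximum allowed is %v", [cpu, max_cpu])
}

# Reject anything that is not a plain CPU quantity (an expression, a typo),
# otherwise the comparison above is silently undefined and the save passes.
deny[msg] {
    input.variable.name == "cpu_limit"
    not to_cores(input.variable.spec.fixedValue)
    msg := "variable cpu_limit must be a plain CPU quantity such as 2 or 500m"
}

# ---- file: cpu_limit_pipeline.rego (Pipeline entity, on save and on run) ----
package pipeline

max_cpu := 6
allowed_expr := "<+variable.cpu_limit>"

# Same helper as in the variable policy (Rego packages do not share functions).
to_cores(v) = n {
    is_number(v)
    n := v
}
to_cores(v) = n {
    is_string(v)
    endswith(v, "m")
    n := to_number(trim_suffix(v, "m")) / 1000
}
to_cores(v) = n {
    is_string(v)
    not endswith(v, "m")
    n := to_number(v)
}

is_expression(v) {
    is_string(v)
    startswith(v, "<+")
}

# Every resources.limits.cpu field anywhere in the pipeline, with its path.
# walk() visits every node, so the check holds for any stage or step type
# (e.g. stages[i].stage.spec.execution.steps[j].step.spec.resources.limits.cpu).
cpu_limits[entry] {
    walk(input.pipeline, [path, value])
    n := count(path)
    n >= 2
    last := n - 1
    parent := n - 2
    path[last] == "cpu"
    path[parent] == "limits"
    entry := {"path": path, "value": value}
}

# Expressions are not resolved at evaluation time, so the only safe rule is:
# the governed project variable or nothing.
deny[msg] {
    entry := cpu_limits[_]
    is_expression(entry.value)
    entry.value != allowed_expr
    msg := sprintf("cpu limit at %v uses %q; only %q is allowed", [entry.path, entry.value, allowed_expr])
}

# Literal values can be checked directly against the cap.
deny[msg] {
    entry := cpu_limits[_]
    not is_expression(entry.value)
    cpu := to_cores(entry.value)
    cpu > max_cpu
    msg := sprintf("cpu limit at %v is %v cores; maximum allowed is %v", [entry.path, cpu, max_cpu])
}
```

Each file is its own Rego package and would be attached to a separate policy set (Variable and Pipeline entity types). The gap that remains, and that the enhancement request is about, is a pipeline whose cpu field holds a legitimate-looking expression that the policy cannot inspect; the pipeline policy above closes it by construction (deny anything that is not the one governed variable) rather than by resolving the value, which is why the two policies only work as a pair.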