D
Dawn pink Parakeet
Problem Statement:
Currently, OPA policies cannot resolve expressions and variables during runtime evaluation. When a pipeline variable references a project-level variable (e.g., <+variable.cpu_limit>), the OPA policy receives the expression string itself rather than the resolved value. This prevents runtime governance of resource limits based on dynamically configured values.
Use Case:
We need to enforce CPU resource limits across all pipelines using OPA policies that evaluate at pipeline runtime. Teams should be able to configure their resource limits via project variables, but these limits must be capped by OPA policies (e.g., max 6 CPUs) during pipeline execution.
Current Limitation:
  • OPA policies work correctly on "save" when values are static
  • At runtime, expressions are not resolved, causing policies to fail validation
  • The PIPE_IS_PRE_STEP_OPA_POLICY_EVALUATION_ENABLED feature flag only works at step-level, requiring individual configuration per step. Also, there is no information at the step level inputs on Resource limits, so this is anyway not possible.
  • This doesn't scale for global enforcement across custom pipelines
Requested Enhancement:
Enable OPA policies to resolve all expressions and variables (including project/org/account variables) during runtime evaluation at the pipeline level. This would allow:
  • Global resource governance across all pipelines
  • Dynamic configuration through variables while maintaining policy controls
  • Runtime enforcement without requiring step-by-step policy configuration
Support Ticket: https://support.harness.io/hc/en-us/requests/101501