Approval rules require manual approval from authorized users before a deployment can proceed. This adds a human checkpoint to your deployment pipeline for high-risk changes.

Overview

Why Use Approval Rules?

Approval rules help you:
  • Add human oversight - Require sign-off for production deployments
  • Enforce compliance - Meet regulatory requirements for change management
  • Coordinate releases - Ensure stakeholders are aware before deployment
  • Reduce risk - Catch issues that automated checks might miss

Configuration

Add an approval rule to your policy:
policies:
  - name: production-approval
    selectors:
      - environment: environment.name == "production"
    rules:
      - approval:
          required: 1

Properties

Property | Type    | Required | Description
required | integer | Yes      | Minimum number of approvals

Common Patterns

Single Approval for Production

Basic approval gate for production deployments:
policies:
  - name: production-gate
    selectors:
      - environment: environment.name == "production"
    rules:
      - approval:
          required: 1

Multiple Approvals for Critical Services

Require multiple sign-offs for high-risk deployments:
policies:
  - name: critical-service-approval
    selectors:
      - deployment: deployment.metadata.tier == "critical"
      - environment: environment.name == "production"
    rules:
      - approval:
          required: 2

Approval with Verification

Combine approval with post-deployment verification:
policies:
  - name: production-full-gates
    selectors:
      - environment: environment.name == "production"
    rules:
      - approval:
          required: 1
      - verification:
          metrics:
            - name: health-check
              interval: 30s
              count: 5
              provider:
                type: http
                url: "http://{{.resource.name}}/health"
              successCondition: result.ok

Approval with Gradual Rollout

Approve once, then roll out gradually:
policies:
  - name: controlled-production-release
    selectors:
      - environment: environment.name == "production"
    rules:
      - approval:
          required: 1
      - gradualRollout:
          rolloutType: linear
          timeScaleInterval: 300

Approval Workflow

1. Release Created

When a new release is created that matches an approval policy, it enters an “awaiting approval” state.

2. Approval Requested

Users with appropriate permissions can view pending approvals in the Ctrlplane UI or via API.

3. Approval Granted

Authorized users approve (or reject) the release. Each approval is recorded with the user and timestamp.

4. Deployment Proceeds

Once the required number of approvals is met, the deployment continues through any remaining policy rules.

Best Practices

Environment-Based Approvals

Environment | Approvals | Notes
Development | 0         | No approval needed
QA          | 0         | Automated testing sufficient
Staging     | 0-1       | Optional for visibility
Production  | 1-2       | Always require approval

Recommendations

  • ✅ Require approvals for production environments
  • ✅ Use multiple approvals for critical services
  • ✅ Combine with verification for defense in depth
  • ✅ Document approval requirements in runbooks
  • ✅ Set up notifications for pending approvals
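
A lint that checks policy definitions against the environment table and recommendations above, added here as an example and not Ctrlplane's own code. It assumes the policies are already loaded into Python dicts (for instance by a YAML parser), that selectors use the exact expression forms shown on this page, and that each policy is judged on its own. The two-approval floor for the critical tier follows the pattern shown earlier, and the last three policy names are constructed.

```python
import re

ENV_RE = re.compile(r'environment\.name\s*==\s*"([^"]+)"')  # selector forms used on this page
TIER_RE = re.compile(r'deployment\.metadata\.tier\s*==\s*"([^"]+)"')

def selected(policy):
    """Return (environment name, deployment tier) named by the selectors."""
    env = tier = None
    for sel in policy.get("selectors", []):
        if m := ENV_RE.search(sel.get("environment", "")):
            env = m.group(1)
        if m := TIER_RE.search(sel.get("deployment", "")):
            tier = m.group(1)
    return env, tier

def approvals_required(policy):
    """Approval count a policy enforces; 0 if the rule is absent or invalid."""
    for rule in policy.get("rules", []):
        if "approval" in rule:
            req = (rule["approval"] or {}).get("required")
            valid = isinstance(req, int) and not isinstance(req, bool)
            return req if valid and req > 0 else 0
    return 0

def audit(policies):
    """Return (policy name, enforced, expected) for each under-gated policy."""
    findings = []
    for policy in policies:
        env, tier = selected(policy)
        if env != "production":
            continue
        expected = 2 if tier == "critical" else 1
        enforced = approvals_required(policy)
        if enforced < expected:
            findings.append((policy["name"], enforced, expected))
    return findings

PROD = {"environment": 'environment.name == "production"'}
CRITICAL = {"deployment": 'deployment.metadata.tier == "critical"'}
# Constructed sample: the first two mirror this page, the rest are weak variants.
POLICIES = [
    {"name": "production-gate", "selectors": [PROD], "rules": [{"approval": {"required": 1}}]},
    {"name": "critical-service-approval", "selectors": [CRITICAL, PROD], "rules": [{"approval": {"required": 2}}]},
    {"name": "rollout-only", "selectors": [PROD], "rules": [{"gradualRollout": {"rolloutType": "linear", "timeScaleInterval": 300}}]},
    {"name": "critical-single", "selectors": [CRITICAL, PROD], "rules": [{"approval": {"required": 1}}]},
    {"name": "quoted-count", "selectors": [PROD], "rules": [{"approval": {"required": "1"}}]},
]

if __name__ == "__main__":
    print(*audit(POLICIES), sep="\n")
```

Running this in CI against the policy files in a repository flags a production policy that lost its approval rule, or whose count was lowered or quoted as a string, before the change merges.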
