Policies
Policies define when a version is allowed to deploy. They are the rules that govern how releases progress through your environments — controlling deployment timing through approvals, verification gates, progression requirements, deployment windows, and more.Building Confidence Through Policies
While deployments define what and how and environments define where, policies answer the critical question of when: is this version ready to deploy? Has it passed through the right gates? Policies help you deploy with confidence by ensuring that each stage meets your quality standards before progressing to the next.- Start simple, grow complex - Begin with basic health checks in QA, add integration tests in staging, require approvals and verification in production
- Catch issues early - Run smoke tests in QA to catch problems before they reach production
- Automate quality gates - Let verification results automatically determine if a release can proceed
- Reduce deployment anxiety - Know that every production deployment has passed through proven checks
- Customize per environment - Apply stricter rules where they matter most
Policy Structure
A policy consists of:- Name & Description - Identify and document the policy’s purpose
- Selector - A CEL expression defining which release targets the policy applies to
- Rules - One or more rules specifying behavior or requirements
- Priority - Higher priority policies are evaluated first
- Metadata - Arbitrary key-value pairs for organization
- Terraform
- API
Policy Selectors
Theselector field is a CEL expression that determines which release targets
a policy applies to. Policies only affect releases that match the selector.
Environment Selector
Target releases going to specific environments:Resource Selector
Target releases for specific resources:Deployment Selector
Target releases for specific deployments:Combined Selectors
Combine conditions with&& (AND) and || (OR):
Policy Rules
Rules define what the policy enforces. A single policy can contain multiple rules across different types. Each rule in therules array contains exactly
one rule type.
Approval Rule
Require manual approval before deployment:
See Approval for details.
Environment Progression Rule
Require successful deployment to a prerequisite environment:
See Environment Progression for details.
Gradual Rollout Rule
Control the pace of deployments across multiple targets:
See Gradual Rollouts for details.
Deployment Dependency Rule
Require upstream deployments to succeed first:
See Deployment Dependency for details.
Deployment Window Rule
Control when deployments are allowed using time-based schedules:
See Deployment Window for details.
Version Cooldown Rule
Batch frequent releases by enforcing a minimum time between deployments:
See Version Cooldown for details.
Retry Rule
Configure automatic retry behavior for failed jobs:
See Retry for details.
Version Selector Rule
Filter which versions can deploy to specific targets:
See Version Selector for details.
Verification Rule
Run automated checks after deployment: See Verification for detailed configuration options.Plan Validation Rule
Run OPA/Rego policies against a deployment plan to preview proposed changes. This rule is non-blocking — it reports violations but does not gate deployments.
See Plan Validation for details.
Terraform Provider Reference
The Terraform provider supports the following policy blocks:retry and version_selector are not yet available in the Terraform
provider. Use the REST API for these rule types.REST API Reference
Create a policy:rules array is an object with exactly one rule-type key
(e.g., anyApproval, gradualRollout, deploymentWindow).
Policy Evaluation
When a release is created, Ctrlplane:- Finds matching policies - Evaluates the
selectorCEL expression against each release target - Merges rules - Combines rules from all matching policies
- Applies rules - Enforces each rule type
Rule Interactions
- Approval + Gradual Rollout: The rollout start time is determined by when the approval was satisfied
- Environment Progression + Gradual Rollout: The rollout waits until progression criteria are met
- Deployment Window + Gradual Rollout: Allow windows push the rollout start to the window opening; deny windows pause the rollout
- Version Cooldown + Deployment Window: Both must be satisfied — cooldown determines which version, window determines when
Common Patterns
Environment Progression
Different requirements per environment:- Terraform
- API
Critical Service Protection
Extra protection for critical services:Best Practices
Policy Organization
- ✅ Use descriptive policy names
- ✅ Document policy purpose in description
- ✅ Start with permissive policies and tighten over time
- ✅ Test policies in lower environments first
- ✅ Use
priorityto control evaluation order for overlapping policies
Selector Design
- ✅ Be specific with selectors to avoid unexpected matches
- ✅ Use environment selectors for environment-specific rules
- ✅ Use metadata for cross-cutting concerns (team, tier, etc.)
- ✅ Test selector expressions before applying
Rule Configuration
- ✅ Set reasonable timeouts and failure limits
- ✅ Use verification to catch issues before they impact users
- ✅ Require approvals for high-risk deployments
- ✅ Use gradual rollouts for large-scale deployments
- ✅ Combine complementary rules (e.g., approval + gradual rollout)
Next Steps
- Approval - Require manual sign-off before deployment
- Deployment Dependency - Create service dependencies
- Deployment Window - Control when deployments can occur
- Environment Progression - Enforce deployment order
- Gradual Rollouts - Control deployment pace
- Retry - Configure automatic retry behavior
- Version Cooldown - Batch frequent releases
- Version Selector - Filter deployable versions