Policy and Approvals
Complete guide to approval policy templates, policy bindings, approval workflows, quorum rules, and governance decisions.
Approval policies define rules that require human approval before high-risk operations can proceed. They provide governance guardrails across the entire deployment lifecycle — from release deployments and promotions to cluster operations and infrastructure changes. Policies ensure that sensitive actions are reviewed by the right people before execution.
Key Concept
Approval policies separate intent from execution. When a user requests a protected action, the system pauses execution, notifies eligible approvers, and waits for the required quorum before proceeding. Every step is audited.
Approval Workflow
The following diagram shows the complete lifecycle of an approval-gated action:
Approval Policy Templates
Policy templates are reusable policy definitions managed at /approval-policies. They define the rules, approvers, and conditions without being bound to specific resources.
Template Structure
| Field | Description | Example |
|---|---|---|
| Name | Descriptive policy name | Production Deploy Approval |
| Description | What this policy protects and why | Requires SRE approval before production deployments |
| Scope | Where this policy can be bound | project, cluster, environment, organization |
| Required Approvers | Who can approve | Users, teams, org roles |
| Quorum Rules | How many approvals are needed | 2 approvals from SRE team |
| Conditions | When this policy applies | environment == production |
| requesterCanApprove | Whether the requester can approve their own request | false (default) |
Managing Templates
Create Template
Navigate to Approval Policies and click Create Policy. Define the name, description, and scope.
Define Approvers
Specify who can approve requests matching this policy. Options include specific users, teams, or organization roles.
Set Quorum Rules
Configure how many approvals are required and the quorum calculation method.
Add Conditions
Optionally restrict when this policy applies (e.g., only for production, only outside business hours).
Save and Bind
Save the template and bind it to specific resources (projects, clusters, environments).
Policy Bindings
Policy bindings attach templates to specific resources. A single template can be bound to multiple resources, and a single resource can have multiple policies bound to it.
Binding Levels
| Level | Applies To | Example |
|---|---|---|
| Organization | All projects and clusters in the org | Require approval for any production deploy |
| Project | All actions within a specific project | Require approval for api-platform deploys |
| Cluster | All operations on a specific cluster | Require approval for production cluster commands |
| Environment | Actions targeting a specific environment | Require approval for production environment changes |
Binding Resolution
When an action is initiated, the system evaluates all bindings that match:
Policy Stacking
When multiple policies apply to the same action, all policies must be satisfied. For example, if an org-level policy requires 1 approval and a project-level policy requires 2 approvals from SRE, the action needs both conditions met before proceeding.
Quorum Rules
Quorum rules determine how many approvals are required for a policy to pass. The quorum model uses the AccessApprovalQuorum structure:
| Quorum Field | Description | Example |
|---|---|---|
| minApprovals | Minimum number of approvals required | 2 |
| minDistinctTeams | Approvals must come from at least N different teams | 2 (requires cross-team review) |
| requiredUserIds | Specific users who must approve regardless of count | ["user-uuid-1", "user-uuid-2"] |
| requiredTeamIds | At least one approval from each listed team is required | ["sre-team-uuid"] |
| requiredOrgRoles | At least one approval from a user holding each listed org role | ["tech-lead"] |
All quorum fields are combined with AND logic. There is no percentage-based, unanimous, or time-limited quorum mode as separate types.
Example: A production deployment policy might require:
- At least 2 approvals total (
minApprovals: 2) - Approvals from at least 2 different teams (
minDistinctTeams: 2) - At least 1 approval from the
SREteam (requiredTeamIds) - At least 1 approval from a user with the
tech-leadrole (requiredOrgRoles) - The requester cannot be one of the approvers (
requesterCanApprove: false)
Condition Constraints
Policies can include conditions that control when the policy applies:
The real AccessApprovalPolicyConditions model supports these fields:
| Condition Field | Description | Example |
|---|---|---|
| environments | Apply only when targeting specific environments | ["production", "staging"] |
| weekdays | Apply only on specific days of the week | ["saturday", "sunday"] |
| startHour | Start of the active time window (24h format) | 18 (6 PM) |
| endHour | End of the active time window (24h format) | 9 (9 AM) |
| timezone | Timezone for the time window | Europe/Istanbul |
| requireReason | Require a justification from the requester | true |
Always-On Policy
A policy that applies to every deployment regardless of timing or context:
Name: Production Deploy Gate
Scope: Environment (production)
Conditions: None (always applies)
Quorum: minApprovals 2, requiredTeamIds [SRE]
requesterCanApprove: falseOff-Hours Policy
Additional approval required for changes made outside business hours:
Name: Off-Hours Change Gate
Scope: Organization
Conditions:
startHour: 18, endHour: 9
weekdays: [saturday, sunday]
timezone: Europe/Istanbul
requireReason: true
Quorum: minApprovals 1Production-Only Policy
Applies only to production deployments, not to staging or development:
Name: Production Release Approval
Scope: Project
Conditions:
environments: [production]
Quorum: minApprovals 2, requiredTeamIds [security]
requesterCanApprove: falseProtected High-Risk Actions
The following actions can be gated behind approval policies:
Project Actions
| Action | Description | Risk Level |
|---|---|---|
| Release Deploy | Deploying a release to an environment | High |
| Promotion Execute | Promoting changes between environments | High |
| Rollback Execute | Rolling back a deployment | High |
| Project Delete | Permanently deleting a project | Critical |
| Environment Freeze | Freezing an environment to block changes | Medium |
| Environment Unfreeze | Unfreezing an environment | Medium |
| Environment Policy Update | Changing environment policies | Medium |
Cluster Actions
| Action | Description | Risk Level |
|---|---|---|
| Cluster Sync | Forcing ArgoCD sync on a cluster | Medium |
| Cluster Rollback | Rolling back ArgoCD application state | High |
| Cluster Restart | Rolling restart of deployments | High |
| Cluster Scale | Changing replica counts | Medium |
| Manifest Apply | Applying raw manifests to a cluster | High |
| Command Execution | Running arbitrary commands on cluster | Critical |
| Resource Delete | Deleting resources from a cluster | Critical |
| Token Issue | Issuing cluster access tokens | Critical |
Security Actions
| Action | Description | Risk Level |
|---|---|---|
| Break-Glass Initiate | Starting a break-glass override session | Critical |
Approvals Inbox
The approvals inbox at /approvals provides a unified queue for all pending approval requests.
Inbox Features
| Feature | Description |
|---|---|
| Unified Queue | All pending approvals across projects and clusters in one view |
| Filters | Filter by type (cluster, project, release, promotion, rollback) |
| Can-Approve Indicator | Shows whether you are eligible to approve each request |
| Request Details | View requester, action, resource, justification, and diffs |
| Approve / Reject | Take action with optional comments |
| Progress Tracking | See how many approvals have been received vs. required |
Approval Request Details
Each approval request shows:
| Field | Description |
|---|---|
| Requester | Who initiated the action |
| Action | The specific action being requested |
| Resource | The target resource (project, cluster, environment, release) |
| Justification | Reason provided by the requester |
| Diff / Payload | What will change if approved (manifests, configuration diffs) |
| Policies | Which policies triggered this approval gate |
| Progress | Current approval count vs. required quorum |
| Timeline | Chronological list of all decisions and events |
Request Lifecycle
Self-Approval Prevention
By default, the person who initiated an action cannot approve their own request. This enforces separation of duties (SoD).
| Configuration | Behavior |
|---|---|
requesterCanApprove: false (default) | Requester is excluded from eligible approvers |
requesterCanApprove: true | Requester can approve their own request (use with caution) |
Separation of Duties
Disabling self-approval prevention is strongly discouraged for production environments. It is provided for development and testing scenarios where strict governance is not required.
Break-Glass Override
In emergencies, a break-glass session can bypass approval requirements. Break-glass is designed for incidents where the normal approval process would cause unacceptable delay.
Break-Glass Flow
Initiate Break-Glass Session
An authorized user starts a break-glass session with a mandatory reason/justification and an action scope.
Time-Limited Override
The session is active for a limited duration (configurable, e.g., 30 minutes to 4 hours). During this window, actions matching the session scope bypass approval policies.
Execute Protected Actions
Perform the emergency operations. Each action is executed immediately without waiting for approvals.
Session Closure
The session ends automatically when the time limit expires, or the user explicitly revokes it. All actions performed during the session are prominently logged.
Break-Glass Audit Trail
Every break-glass action creates enhanced audit entries:
- Session ID: Links all actions to the break-glass session
- Justification: The reason provided when initiating the session
- Bypassed Policies: Which approval policies were overridden
- Actor: The user who performed each action
- Duration: Total time the session was active
- Prominent Flag: Break-glass events are visually highlighted in the audit log
Audit Visibility
Break-glass events are always logged — they cannot be suppressed or hidden. They appear prominently in the audit log and trigger notifications to security-focused team members.
Troubleshooting
| Error | Meaning | Resolution |
|---|---|---|
422 policy violations | Action blocked by governance checks during delivery or promotion | Review the violation details and satisfy the policy requirements |
403 you are not an eligible approver for this request | You are not listed as an eligible approver for this policy | A different eligible user must approve |
409 already reviewed | You already approved/rejected this request | No action needed — your decision is recorded |
404 request not found | The approval request no longer exists | It may have been cancelled |
Best Practices
- Start lightweight, increase strictness over time — Begin with simple approval requirements and add complexity as your governance needs evolve
- Always require production approvals — Production deployments should never be un-gated
- Monitor approval latency — Track how long approvals take and optimize escalation paths to reduce deployment delays
- Use conditions to avoid over-gating — Don't require approval for every action in every environment; focus on production and critical operations
- Enable self-approval prevention — Separation of duties is a fundamental governance principle
- Review break-glass events — Every break-glass session should be followed up with a review to understand why normal processes were insufficient
- Review stale requests regularly — Approval requests that sit indefinitely create confusion; cancel and resubmit if circumstances have changed
- Document policies clearly — Use descriptive names and descriptions so approvers understand what they are approving and why
- Test policies in staging first — Validate that your policies work as expected before applying them to production
- Combine with notifications — Ensure approvers receive timely notifications via Slack, email, or other channels to minimize delays