Skip to main content

Policy Schema Reference

Complete reference for Garnet policy YAML format.

Top-Level Fields

name: string (required)
type: "allow" | "block" (required)
scope: ScopeObject | "global" (optional, default: "global")
rules: array<RuleObject> (required)
enabled: boolean (optional, default: true)
description: string (optional)
metadata: object (optional)

Example: Complete Policy

name: "Production egress policy"
type: allow
scope:
  platform: kubernetes
  cluster: "production"
  namespace: "backend"
rules:
  - pattern: "api.stripe.com"
    comment: "Payment processing"
  - pattern: "*.internal.corp"
    comment: "Internal services"
enabled: true
description: "Allowlist for production backend services"
metadata:
  owner: "platform-team"
  last_reviewed: "2024-03-15"

Field Reference

name

Type: string (required) Description: Human-readable name for the policy. Example: 
name: "Corporate allowlist"

type

Type: enum (required) Values:
  • allow: Domains/IPs in rules will never trigger Issues
  • block: Domains/IPs in rules will always be blocked
Example: 
type: allow

scope

Type: ScopeObject | "global" (optional, default: "global") Description: Defines where the policy applies.

Global Scope

scope: global
Applies to all agents (GitHub Actions and Kubernetes).

Platform Scope

scope:
  platform: github_actions  # or "kubernetes"

GitHub Actions Scope

scope:
  platform: github_actions
  workflow: "CI"              # Optional: specific workflow name
  job: "build"                # Optional: specific job name
  repository: "org/repo"      # Optional: specific repo

Kubernetes Scope

scope:
  platform: kubernetes
  cluster: "production"       # Optional: specific cluster name
  namespace: "backend"        # Optional: specific namespace (coming soon)
  node: "gke-node-123"        # Optional: specific node hostname

rules

Type: array<RuleObject> (required) Description: List of domain/IP patterns to allow or block.

Rule Object

rules:
  - pattern: string (required)
    comment: string (optional)
    priority: integer (optional, default: 0)

Examples

rules:
  # Exact domain
  - pattern: "example.com"
    comment: "Main domain"

  # Subdomain wildcard
  - pattern: "*.example.com"
    comment: "All subdomains"

  # Recursive subdomain wildcard
  - pattern: "**.example.com"
    comment: "All nested subdomains"

  # CIDR range
  - pattern: "192.0.2.0/24"
    comment: "Internal network"

  # IP wildcard
  - pattern: "10.0.*"
    comment: "Private network range"

enabled

Type: boolean (optional, default: true) Description: Whether the policy is active. Example: 
enabled: false  # Temporarily disable without deleting

description

Type: string (optional) Description: Long-form description of the policy’s purpose. Example: 
description: |
  Allowlist for production backend services.
  Includes payment processing, internal APIs, and monitoring.
  Reviewed quarterly by platform team.

metadata

Type: object (optional) Description: Custom metadata for tracking and auditing. Example: 
metadata:
  owner: "platform-team"
  contact: "platform@example.com"
  last_reviewed: "2024-03-15"
  next_review: "2024-06-15"
  jira_ticket: "PLAT-1234"

Pattern Matching Reference

PatternMatchesExample Matches
example.comExact domain onlyexample.com
*.example.comDirect subdomainsapi.example.com, www.example.com
**.example.comAll nested subdomainsapi.v2.example.com, deep.nested.example.com
192.0.2.0/24CIDR range192.0.2.1 - 192.0.2.254
192.0.2.*IP wildcard192.0.2.1 - 192.0.2.255
10.*.1.1IP pattern10.0.1.1, 10.255.1.1

Complete Example: Multi-Scope

# Policy 1: Global block list
name: "Global blocklist"
type: block
scope: global
rules:
  - pattern: "*.malicious.com"
    comment: "Known malware distribution"
  - pattern: "cryptopool.example.com"
    comment: "Crypto mining pool"
enabled: true

---

# Policy 2: GitHub Actions allowlist
name: "CI/CD package registries"
type: allow
scope:
  platform: github_actions
rules:
  - pattern: "registry.npmjs.org"
  - pattern: "pypi.org"
  - pattern: "repo.maven.apache.org"
enabled: true

---

# Policy 3: Kubernetes production allowlist
name: "Production k8s allowlist"
type: allow
scope:
  platform: kubernetes
  cluster: "production"
rules:
  - pattern: "*.internal.corp"
    comment: "Internal services"
  - pattern: "api.stripe.com"
    comment: "Payment processing"
  - pattern: "*.amazonaws.com"
    comment: "AWS services"
enabled: true
metadata:
  owner: "sre-team"
  reviewed: "2024-03-01"

API: Create Policy

curl -X POST https://api.garnet.ai/v1/policies \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/yaml" \
  --data-binary @policy.yaml

API: Update Policy

curl -X PUT https://api.garnet.ai/v1/policies/POLICY_ID \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/yaml" \
  --data-binary @policy.yaml

API: Delete Policy

curl -X DELETE https://api.garnet.ai/v1/policies/POLICY_ID \
  -H "Authorization: Bearer YOUR_API_TOKEN"

API: List Policies

curl https://api.garnet.ai/v1/policies \
  -H "Authorization: Bearer YOUR_API_TOKEN"

Validation

Before applying, validate your policy YAML: 
curl -X POST https://api.garnet.ai/v1/policies/validate \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/yaml" \
  --data-binary @policy.yaml
Response: 
{
  "valid": true,
  "warnings": [],
  "errors": []
}
Or if invalid: 
{
  "valid": false,
  "errors": [
    "Line 5: 'pattern' is required for all rules",
    "Line 8: Invalid CIDR range '192.0.2.0/99'"
  ]
}

Next Steps

Policy Examples

See common policy configurations