Lock Deployment Configuration

Introduction

The Deployment Template might contain certain configurations (e.g., ingress) that are critical to the stability and security of the applications. To prevent unauthorized or accidental changes to such configurations, Devtron allows super admins to restrict (lock) such critical configurations from modification or deletion.

Figure 1: Preventing Changes to Locked Keys

These restrictions can be applied for deployment templates in both the:

  • Base configuration

  • Environment-level configuration

How is this different from the 'Protect Configuration' feature?

The 'protect configuration' feature is meant to verify edits by introducing an approval flow for any changes made to the configuration files, i.e., Deployment template, ConfigMaps, and Secrets. Refer to Approval Policy.

In contrast, the 'lock deployment configuration' feature goes one step further. It is meant to prevent any edits to specific keys by non-super-admins. This applies only to deployment templates and is performed at the global level.


Locking Deployment Configurations

Who Can Perform This Action?

To lock deployment configurations, you must first create a profile and apply it to the specific deployment templates.

What is a Lock Deployment Profile?

A lock deployment configuration profile is a template that specifies which configurations (keys) in the deployment template cannot be edited or deleted by non-super admin users. By using lock deployment configuration profiles, super-admins can manage edit access at different levels, such as global, cluster, environment, application, or a combination of application and environment.

This allows for better control by making sure critical deployment template configurations are locked in sensitive environments (production), while giving flexibility to change deployment template configurations in other less critical environments (QA, Staging, etc.).

Creating Profile

To create a profile, follow the steps below:

  1. Go to Global Configurations → Lock Deployment Configuration. Click + Create Profile; a new Create Profile page will open.

    Figure 2: Creating Profile
  2. Enter the Name (Required) and a Description (Optional) for the profile.

  3. (Optional) Click Refer Values.YAML to check which keys you wish to lock.

    • Select the relevant Chart type and its version to reference the keys.

    Figure 3: Values.YAML File
  4. Enter the keys inside the editor on the left-hand side, e.g., autoscaling.MaxReplicas. Use JSONPath expressions to enter specific keys, lists, or objects to lock.

    Figure 4: Referring Values.YAML File for Locking Keys

Locking Keys Outside Refer Values

You can lock custom configurations (keys) defined in your deployment template, even if they are not listed in the Refer Values.yaml section. As long as the key matches your lock rule, it will be locked.

  5. Click Save Changes.

    Figure 5: Saving Locked Keys
  6. The profile will be created and made available under the Profiles tab.

    Figure 6: Confirmation Dialog

Handling Locked Index Ranges

If you have locked a range of configurations using JSONPath (e.g., ingressInternal.hosts[1:3].paths), the specified index positions are protected.

If you want to add a new configuration entry (e.g., a new host), add it after the locked range; i.e., for ingressInternal.hosts[1:3].paths, the new host configuration entry should be added at index 4.

Adding an entry within the locked range may shift the indices and result in validation errors or unintended modifications of locked values.
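The index shift described above, as an added example (not Devtron's code): a small checker for the JSONPath subset used on this page that reports which changed leaves fall under a lock rule. It assumes the standard end-exclusive reading of a slice such as [1:3]; the function names and sample hostnames are constructed for illustration.

```python
import re

BIG = 10**9          # open upper bound for [*] and open-ended slices
MISSING = object()   # marks a leaf that exists on only one side of the diff

def parse_rule(rule):
    """Split e.g. 'ingressInternal.hosts[1:3].paths' into keys and index ranges."""
    tokens = []
    for part in re.findall(r"[^.\[\]]+|\[[^\]]*\]", rule):
        inner = part[1:-1].replace("*", ":")      # [*] behaves like the open slice [:]
        if not part.startswith("["):
            tokens.append(part)                   # object key
        elif ":" in inner:                        # slice, end index exclusive (assumption)
            lo, hi = inner.split(":")
            tokens.append(range(int(lo or 0), int(hi) if hi else BIG))
        else:
            tokens.append(range(int(inner), int(inner) + 1))
    return tokens

def flatten(node, path=()):
    """Yield (path, leaf) pairs; list positions appear as ints in the path."""
    if isinstance(node, (dict, list)) and node:
        items = node.items() if isinstance(node, dict) else enumerate(node)
        for key, value in items:
            yield from flatten(value, path + (key,))
    else:
        yield path, node

def is_locked(path, rules):
    """A leaf is locked when a rule matches its path or any prefix of it."""
    def hit(tok, seg):
        return isinstance(seg, int) and seg in tok if isinstance(tok, range) else seg == tok
    return any(len(r) <= len(path) and all(map(hit, r, path)) for r in rules)

def classify(old, new, rule_strings):
    """Return (blocked, allowed): changed leaf paths that are / are not locked."""
    rules = [parse_rule(r) for r in rule_strings]
    a, b = dict(flatten(old)), dict(flatten(new))
    changed = sorted((p for p in a.keys() | b.keys() if a.get(p, MISSING) != b.get(p, MISSING)), key=str)
    blocked = [p for p in changed if is_locked(p, rules)]
    return blocked, [p for p in changed if p not in blocked]

HOSTS = [{"host": f"svc{i}.internal.example", "paths": [f"/v{i}"]} for i in range(4)]
BASE = {"ingressInternal": {"hosts": HOSTS}}
RULES = ["ingressInternal.hosts[1:3].paths"]      # constructed sample values and rule

def with_new_host(index):
    new = {"host": "new.internal.example", "paths": ["/new"]}
    return {"ingressInternal": {"hosts": HOSTS[:index] + [new] + HOSTS[index:]}}
```

`classify(BASE, with_new_host(4), RULES)` reports no blocked paths, while `classify(BASE, with_new_host(1), RULES)` reports the `paths` entries at indices 1 and 2 as blocked, even though the only intended change was adding a host.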

Applying Profile

After creating a profile, the next step is to apply the profile to the specific deployment templates according to your use case. To apply a profile, follow the steps below:

  1. Go to Global Configurations → Lock Deployment Configuration. Click Apply Profile; a new Apply Profile page will open.

    Figure 7: Clicking 'Apply Profile'
  2. Select the profiles that you want to apply from the dropdown under Select profiles to apply.

    • You can select multiple Profiles.

    Figure 8: Selecting Lock Deployment Configuration Profile
  3. Select how you want to apply the profiles under Apply selected profiles to deployment templates of.

    There are three options you can choose from:

    1. Specific deployment templates: This option allows you to apply the lock deployment configuration profile to the deployment template of a specific application within a particular environment.

      Figure 9: Applying Profile to Specific Deployment Templates
    2. By match criteria: This option allows you to use a combination of filters to create criteria. The lock deployment configuration profile will apply only to the deployment templates of the applications fulfilling your criteria (including existing and future ones).

      Let's understand how to use By match criteria with the below example:

      Suppose you want to apply a lock deployment configuration profile to all applications in a particular project. You can achieve this by selecting that project as the match criteria.

      Figure 10: Applying Profile By Match Criteria - Use Case 1
    3. Global (All deployment templates): This option allows you to apply the lock deployment configuration profile to all the existing and future deployment templates across all the applications.

      Figure 11: Applying Profile for all the Deployment Templates
  4. Click Save Changes, and the selected profiles will apply to the required deployment templates and be visible under the Applied Profiles tab.


Effect of Lock Configuration Profiles on Deployment Templates

Only super admins can edit the locked configurations directly once the lock deployment configuration profile is applied to the deployment templates. Non-super admin users cannot edit the locked keys for those deployment templates.

Let's look at a scenario where a user (non-super-admin) tries to edit locked keys in an unprotected base deployment template.

Viewing Locked Configurations

  • Users can hide/unhide the locked configurations as shown below.

    Figure 12: Hiding Locked Keys

    Note: If you select 'Basic' mode instead of 'Advanced (YAML)', all the keys meant for basic mode will be displayed in the GUI, even if some are locked. While users can modify these keys, they cannot save the changes made to the locked keys.

Editing Locked Configurations

  • Let's assume the user edits one of the locked keys...

    Figure 13: Editing Locked Keys

    ...and saves the changes.

    Figure 14: Saving Edits to Locked Keys
  • A modal window highlighting the non-eligible edits will appear on the right.

    Figure 15: Eligible and Non-eligible Changes

Editing Unlocked Keys

  • Let's assume the user edits a key that is not locked or adds a new key.

    Figure 16: Editing Allowed Keys
  • The modal window will highlight the eligible edits. However, it will not let the user save those eligible edits unless the user clicks the checkbox: Save changes which are eligible for update.

    Figure 17: Saving Eligible Changes

  • Once the user clicks the Save Changes button, the permissible changes will be reflected in the deployment template.

    Figure 18: Updating Deployment Config

    However, if it's a protected template, the user will require the approval of a configuration approver as shown below.

    Figure 19: Proposing Changes to Protected Config

The same result can be seen if the user tries to edit environment-specific deployment templates.


Updating an Applied Profile

To update an existing applied profile, follow the steps below:

  1. Go to Global Configurations → Lock Deployment Configuration.

  2. Click the Applied Profiles tab and click the ⋮ button next to the preferred applied profile.

  3. Click Manage Policy to add or remove the profiles. If you have applied the profile using match criteria, then you can also click Edit match criteria to edit the match criteria.

  4. Click Save Changes.

Figure 20a: Editing Applied Profiles
Figure 20b: Editing Match Criteria

Removing an Applied Profile

To remove an applied profile, follow the steps below:

  1. Go to Global Configurations → Lock Deployment Configuration.

  2. Click the Applied Profiles tab and click the ⋮ button next to the preferred applied profile.

  3. Click Delete and the applied profile will be removed.

Figure 21: Removing an Applied Profile



Updating Profile

To update a lock deployment configuration file, follow the steps below:

  1. Go to Global Configurations → Lock Deployment Configuration.

  2. Click the Profiles tab and then click the edit button next to the preferred profile.

  3. Edit the profile.

  4. Click Save Changes.

Figure 22: Updating Lock Deployment Configuration File

Deleting Profile

To delete a lock deployment configuration file, follow the steps below:

  1. Go to Global Configurations → Lock Deployment Configuration.

  2. Click the Profiles tab and then click the delete button next to the preferred profile.

  3. A pop-up window will appear, prompting you to enter the profile name for confirmation.

  4. Enter the name of the profile and click Delete.

Figure 23: Deleting Lock Deployment Configuration File


Use Cases

Locking Resources

Managing resource configurations (CPU & Memory) is critical for application stability (specifically in production environments).

To prevent accidental or unauthorized changes to resource configurations (CPU & Memory), you can create a lock deployment configuration profile which locks resource configurations, and then you can apply it to the relevant deployment templates.

Lock Deployment Configuration Profile

resources.limits.cpu
resources.limits.memory
resources.requests.cpu
resources.requests.memory

This ensures that only super admins can modify critical resource configurations (e.g., increasing CPU or reducing memory), especially in sensitive environments like production.

Locking Autoscaling

Autoscaling configuration controls how your application scales based on traffic or resource usage. If not managed properly, accidental or unauthorized changes to autoscaling configurations can cause resource overuse, resulting in high cost or application instability.

To prevent accidental or unauthorized changes to autoscaling configurations, you can create a lock deployment configuration profile which locks autoscaling configurations, and then you can apply it to the relevant deployment templates.

Lock Deployment Configuration Profile

autoscaling.MaxReplicas
autoscaling.MinReplicas
autoscaling.TargetCPUUtilizationPercentage
autoscaling.TargetMemoryUtilizationPercentage
autoscaling.annotations
autoscaling.behavior
autoscaling.containerResource.TargetCPUUtilizationPercentage
autoscaling.containerResource.TargetMemoryUtilizationPercentage
autoscaling.containerResource.enabled
autoscaling.enabled
autoscaling.extraMetrics
autoscaling.labels

Locking Ingress

Ingress configuration defines how external traffic is routed to your application. Unauthorized or accidental changes to ingress rules (hostnames or paths) can lead to incorrect routing, broken endpoints, or access to unintended environments.

To prevent accidental or unauthorized changes to ingress configurations, you can create a lock deployment configuration profile which locks ingress configurations, and then you can apply it to the relevant deployment templates.

Lock Deployment Configuration Profile

ingress
ingressInternal.hosts
ingressInternal.hosts[*].pathType