docs/content/en/concepts/logical/policies/index.md
Policies offer an evaluation algorithm to ensure desired behavior enforcement. Policies can be applied to components and relationships, defining rules and actions based on predefined conditions.
The relationships are a powerful way to design your infrastructure and each of them are backed by one or more policies. Policies evaluate the designs for potential relationships and the decide whether to create/delete/update the relationships.
Meshery Server has a built-in policy engine implemented natively in Go (ported from the Open Policy Agent (OPA) Rego engine). Currently, Meshery Server is the only place where the policy evaluations occur. Policy evaluation is invoked each time a design is updated, and each time a design is imported. By default, policies evaluate for all registered relationships.
Each evaluation cycle visits every registered policy and applies it to the current design in three phases:
namespace: production to the Namespace/production declaration in the same design.Built-in policies
Each policy is responsible for a specific relationship, matched by its kind / type / subType:
hierarchical / parent / inventory) connects components that nest naturally (Namespace owning Deployments, Deployment owning Pods).hierarchical / parent / alias) declares an alias node that resolves to a path inside another component (a container port, for example).hierarchical / parent / inventory) auto-adds parent declarations when a child references a parent that is not yet present in the design.sibling) groups components that share the same value at a configured field path (typically labels).edge / non-binding) is a logical reference between two components, with no configuration mutation.edge / binding) is a 3-party relationship (from, binding, to) that patches both endpoints through the binding component.The same Go codebase is built for two targets: the native server binary that ships with Meshery Server, and a js/wasm WebAssembly module that runs the identical evaluation logic in the browser, enabling client-side relationship evaluation in the Meshery UI without a server round trip.
In any given Meshery deployment, you can reference and search the full set of registered policies (in Meshery's internal registry) in using either of Meshery's client interfaces.
{{% alert color="info" title="Viewing All Registered Relationships" %}} You can view all registered relationships using either Meshery UI or Meshery CLI.
mesheryctl policy list
{{% /alert %}}In the event of a conflict or tie, Meshery relies on Open Policy Agent's reconciliation behavior for conflict resolution.
{{% alert color="warning" title="Conflict Resolution" %}} It may happen that certain eval decisions contain results such that two different components create a conflicting relationship with same component. While this is semantically correct, the visual representation of the relationship in such cases may be undesirable, and you may see relationships and components being redrawn depending upon how the client / Meshery UI visualizes the relationships. {{% /alert %}}
For an in-depth review, watch this meeting recording.
<iframe width="560" height="315" src="https://www.youtube.com/embed/XrLpBVsm6nk?si=j-igwtd_gQ0N61vV&start=453" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>{{% alert color="dark" title="Future Feature" %}} Policy evaluation in WASM runtime is on roadmap for Meshery v0.8.3. {{% /alert %}}