About Enterprise Contract Policy

The Enterprise Contract Policy defines the configuration for the enforcement of the Enterprise Contract by specifying the rules needed for a container image to be compliant with an organization’s software release policy requirements.

The Enterprise Contract Policy is passed in the form of a configuration to the EC CLI to parameterize its execution in the enforcement of the set policy.

How to create Enterprise Contract Policy

When creating Enterprise Contract Policy first make note of what rule sources to include, any authorization approval requirements and the public key needed to validate the image and attestation image signatures.

As a JSON file

The resulting data is placed in a JSON document with the following structure:

  "description": "ACME & co policy",
  "sources": [
      "name": "simple",
      "policy": [
      "data": [
  "configuration": {
    "exclude": [

Consult the the EnterpriseContractPolicySpec reference documentation for details on the structure of this document.

The policy in JSON format can be passed in directly to the ec command line using the -p/--policy option, for example in the validate image command.

As a Kubernetes Custom Resource

It is more common to create the Enterprise Contract Policy as a Kubernetes Custom Resource and pass the reference to the namespace and the name of the Custom Resource to the -p/--policy option. This has the advantage that the policy is centraly defined and served from the Kubernetes API server with the additional benefit of applying role based access control.

apiVersion: appstudio.redhat.com/v1alpha1
kind: EnterpriseContractPolicy
  creationTimestamp: null
  name: ec-policy
  namespace: acme
    - friday_policy
    - room_temperature
  description: ACME & co policy
  - data:
    - git::https://github.com/acme/ec-policy.git//data?ref=prod
    name: simple
    - git::https://github.com/acme/ec-policy.git//policy?ref=prod
status: {}
Create Enterprise Contract Policy using kubectl
kubectl apply -f policy.yaml