Policies on machine type cancel out?

[Jackbennett]

🏷️ Discussion Type

Question

Body

https://docs.github.com/en/codespaces/managing-codespaces-for-your-organization/restricting-access-to-machine-types

As an organization owner, you may want to configure constraints on the types of machine that are available. For example, if the work in your organization doesn't require significant compute power or storage space, you can remove the highly resourced machines from the list of options that people can choose from.

When you create a policy you choose whether it applies to all repositories in your organization, or only to specified repositories. If you set an organization-wide policy then any policies you set for individual repositories must fall within the restriction set at the organization level. Adding policies makes the choice of machine more, not less, restrictive.

So no you can't? Set 2 & 4 core restriction for all repositories and 8 & 16 for 1 repo, Nothing can get 8 & 16 cores. The behaviour you want is inverted.

Worse, if you set 2 & 4 cores for 1 repo, and 8 & 16 + for example, shorten idle timeout to 10min for that same repo. Those two cancel out and nothing at all is available.

I can't have that right, but I've just done that in the UI and that's what happens. To make 2-4 cores everywhere but limit 8-16, I'll have to keep the 2-4 policy "selected repo" list constantly up to date, exclusive of the 8-16 selected repo list, and not use any "all repos" at all?

[Mayank-cyber-cell]

Yeah, your understanding seems correct from how the policy system currently works. The policies are combined together instead of one overriding another.

So if you create an organization wide policy that only allows 2 and 4 core machines, then a repository specific policy cannot later allow 8 and 16 core machines for a certain repo. Repository policies can only make things more restrictive, not less restrictive.

The same thing explains why your second setup results in no machines being available at all. If one policy allows only 2 and 4 core machines, while another policy for the same repo allows only 8 and 16 core machines with a different timeout, there is no overlap between the two policies. Since nothing satisfies both conditions, Codespaces ends up with no valid machine types.

So unfortunately, if you want most repositories to use 2 and 4 core machines, but a few repositories to have access to 8 and 16 core machines, it looks like you cannot do that using a single organization wide restriction. You would instead need to manage separate repository scoped policies and keep those repo lists maintained manually.

It definitely feels counterintuitive because many policy systems support exceptions or priority order, but this implementation seems to work as an intersection of restrictions only.