Skip to content

Commit

Permalink
Built-in Policy Release 80586591 (Azure#1139)
Browse files Browse the repository at this point in the history 
Co-authored-by: Azure Policy Bot <[email protected]>
  • Loading branch information
@pilor
pilor and Azure Policy Bot authored May 15, 2023
1 parent 85961bc commit 0457191
Show file tree
Hide file tree
Showing 12 changed files with 821 additions and 25 deletions.
17 changes: 13 additions & 4 deletions ...s/policyDefinitions/Guest Configuration/GuestConfiguration_SetWindowsTimeZone_Deploy.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,13 +5,20 @@
"mode": "Indexed",
"description": "This policy creates a Guest Configuration assignment to set specified time zone on Windows virtual machines.",
"metadata": {
"version": "2.0.0",
"version": "2.1.0",
"category": "Guest Configuration",
"requiredProviders": [
"Microsoft.GuestConfiguration"
]
],
"guestConfiguration": {
"name": "SetWindowsTimeZone",
"version": "1.*",
"configurationParameter": {
"TimeZone": "[WindowsTimeZone]WindowsTimeZone1;TimeZone"
}
}
},
"version": "2.0.0",
"version": "2.1.0",
"parameters": {
"IncludeArcMachines": {
"type": "string",
Expand Down Expand Up @@ -46,6 +53,7 @@
"(UTC-07:00) Arizona",
"(UTC-07:00) Chihuahua, La Paz, Mazatlan",
"(UTC-07:00) Mountain Time (US & Canada)",
"(UTC-07:00) Yukon",
"(UTC-06:00) Central America",
"(UTC-06:00) Central Time (US & Canada)",
"(UTC-06:00) Easter Island",
Expand Down Expand Up @@ -98,6 +106,7 @@
"(UTC+02:00) Harare, Pretoria",
"(UTC+02:00) Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius",
"(UTC+02:00) Jerusalem",
"(UTC+02:00) Juba",
"(UTC+02:00) Kaliningrad",
"(UTC+02:00) Khartoum",
"(UTC+02:00) Tripoli",
Expand Down Expand Up @@ -381,8 +390,8 @@
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/088ab73d-1256-47ae-bea9-9de8e7131f31"
],
"type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
"name": "SetWindowsTimeZone",
"type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
"existenceCondition": {
"allOf": [
{
Expand Down
152 changes: 152 additions & 0 deletions built-in-policies/policyDefinitions/Kubernetes/AKS_GuardrailsCannotEditIndividualNodes.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,152 @@
{
"properties": {
"displayName": "[Preview]: [AKS Guardrails] Cannot Edit Individual Nodes",
"policyType": "BuiltIn",
"mode": "Microsoft.Kubernetes.Data",
"description": "Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools.",
"metadata": {
"version": "1.0.0-preview",
"category": "Kubernetes",
"preview": true
},
"version": "1.0.0-preview",
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "[AKS Guardrails] Effect",
"description": "'audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'deny' blocks the non-compliant resource creation or update. 'disabled' turns off the policy."
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
},
"excludedNamespaces": {
"type": "Array",
"metadata": {
"displayName": "[AKS Guardrails] Namespace exclusions",
"description": "List of Kubernetes namespaces to exclude from policy evaluation."
},
"defaultValue": [
"kube-system",
"gatekeeper-system",
"azure-arc"
]
},
"namespaces": {
"type": "Array",
"metadata": {
"displayName": "[AKS Guardrails] Namespace inclusions",
"description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
},
"defaultValue": []
},
"labelSelector": {
"type": "Object",
"metadata": {
"displayName": "[AKS Guardrails] Kubernetes label selector",
"description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
},
"defaultValue": {},
"schema": {
"description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
"type": "object",
"properties": {
"matchLabels": {
"description": "matchLabels is a map of {key,value} pairs.",
"type": "object",
"additionalProperties": {
"type": "string"
},
"minProperties": 1
},
"matchExpressions": {
"description": "matchExpressions is a list of values, a key, and an operator.",
"type": "array",
"items": {
"type": "object",
"properties": {
"key": {
"description": "key is the label key that the selector applies to.",
"type": "string"
},
"operator": {
"description": "operator represents a key's relationship to a set of values.",
"type": "string",
"enum": [
"In",
"NotIn",
"Exists",
"DoesNotExist"
]
},
"values": {
"description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
"type": "array",
"items": {
"type": "string"
}
}
},
"required": [
"key",
"operator"
],
"additionalProperties": false
},
"minItems": 1
}
},
"additionalProperties": false
}
},
"allowedUsers": {
"type": "Array",
"metadata": {
"displayName": "[AKS Guardrails] Allowed Users",
"description": "Users that are allowed by AKS Guardrails to modify node labels on individual nodes."
}
},
"allowedGroups": {
"type": "Array",
"metadata": {
"displayName": "[AKS Guardrails] Allowed Groups",
"description": "Groups that are allowed by AKS Guardrails to modify node labels on individual nodes."
}
}
},
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.ContainerService/managedClusters"
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"templateInfo": {
"sourceType": "PublicURL",
"url": "https://store.policy.core.windows.net/kubernetes/restricted-node-edits/v1/template.yaml"
},
"apiGroups": [
""
],
"kinds": [
"Node"
],
"namespaces": "[parameters('namespaces')]",
"excludedNamespaces": "[parameters('excludedNamespaces')]",
"labelSelector": "[parameters('labelSelector')]",
"values": {
"allowedUsers": "[parameters('allowedUsers')]",
"allowedGroups": "[parameters('allowedGroups')]"
}
}
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/53a4a537-990c-495a-92e0-7c21a465442c",
"name": "53a4a537-990c-495a-92e0-7c21a465442c"
}
137 changes: 137 additions & 0 deletions ...-in-policies/policyDefinitions/Kubernetes/AKS_GuardrailsMustHaveAntiAffinityRulesSet.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,137 @@
{
"properties": {
"displayName": "[Preview]: [AKS Guardrails] Must Have Anty Affinity Rules Set",
"policyType": "BuiltIn",
"mode": "Microsoft.Kubernetes.Data",
"description": "Requires affinity rules to be set.",
"metadata": {
"version": "1.0.0-preview",
"category": "Kubernetes",
"preview": true
},
"version": "1.0.0-preview",
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "[AKS Guardrails] Effect",
"description": "'audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'deny' blocks the non-compliant resource creation or update. 'disabled' turns off the policy."
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
},
"excludedNamespaces": {
"type": "Array",
"metadata": {
"displayName": "[AKS Guardrails] Namespace exclusions",
"description": "List of Kubernetes namespaces to exclude from policy evaluation."
},
"defaultValue": [
"kube-system",
"gatekeeper-system",
"azure-arc"
]
},
"namespaces": {
"type": "Array",
"metadata": {
"displayName": "[AKS Guardrails] Namespace inclusions",
"description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
},
"defaultValue": []
},
"labelSelector": {
"type": "Object",
"metadata": {
"displayName": "[AKS Guardrails] Kubernetes label selector",
"description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
},
"defaultValue": {},
"schema": {
"description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
"type": "object",
"properties": {
"matchLabels": {
"description": "matchLabels is a map of {key,value} pairs.",
"type": "object",
"additionalProperties": {
"type": "string"
},
"minProperties": 1
},
"matchExpressions": {
"description": "matchExpressions is a list of values, a key, and an operator.",
"type": "array",
"items": {
"type": "object",
"properties": {
"key": {
"description": "key is the label key that the selector applies to.",
"type": "string"
},
"operator": {
"description": "operator represents a key's relationship to a set of values.",
"type": "string",
"enum": [
"In",
"NotIn",
"Exists",
"DoesNotExist"
]
},
"values": {
"description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
"type": "array",
"items": {
"type": "string"
}
}
},
"required": [
"key",
"operator"
],
"additionalProperties": false
},
"minItems": 1
}
},
"additionalProperties": false
}
}
},
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.ContainerService/managedClusters"
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"templateInfo": {
"sourceType": "PublicURL",
"url": "https://store.policy.core.windows.net/kubernetes/pod-enforce-antiaffinity/v1/template.yaml"
},
"apiGroups": [
"apps"
],
"kinds": [
"Deployment",
"StatefulSet",
"ReplicationController",
"ReplicaSet"
],
"namespaces": "[parameters('namespaces')]",
"excludedNamespaces": "[parameters('excludedNamespaces')]",
"labelSelector": "[parameters('labelSelector')]"
}
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/34c88cd4-5d72-4dbb-bf77-12c3cafe8791",
"name": "34c88cd4-5d72-4dbb-bf77-12c3cafe8791"
}
Loading

0 comments on commit 0457191

Please sign in to comment.