Built-in Policy Release 49d507e3 (Azure#1186)
Co-authored-by: Azure Policy Bot <[email protected]>
pilor and Azure Policy Bot authored Jul 24, 2023
1 parent f7a38ae commit 3581cfa
Showing 16 changed files with 989 additions and 30 deletions.
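--- /dev/null
+++ b/(path not shown)
@@ -0,0 +1,152 @@
+{
+"properties": {
+"displayName": "[Preview]: [AKS Guardrails] Cannot Edit Individual Nodes",
+"policyType": "BuiltIn",
+"mode": "Microsoft.Kubernetes.Data",
+"description": "Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools.",
+"metadata": {
+"version": "1.0.0-preview",
+"category": "Kubernetes",
+"preview": true
+},
+"version": "1.0.0-preview",
+"parameters": {
+"effect": {
+"type": "String",
+"metadata": {
+"displayName": "[AKS Guardrails] Effect",
+"description": "'audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'deny' blocks the non-compliant resource creation or update. 'disabled' turns off the policy."
+},
+"allowedValues": [
+"Audit",
+"Deny",
+"Disabled"
+],
+"defaultValue": "Audit"
+},
+"excludedNamespaces": {
+"type": "Array",
+"metadata": {
+"displayName": "[AKS Guardrails] Namespace exclusions",
+"description": "List of Kubernetes namespaces to exclude from policy evaluation."
+},
+"defaultValue": [
+"kube-system",
+"gatekeeper-system",
+"azure-arc"
+]
+},
+"namespaces": {
+"type": "Array",
+"metadata": {
+"displayName": "[AKS Guardrails] Namespace inclusions",
+"description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
+},
+"defaultValue": []
+},
+"labelSelector": {
+"type": "Object",
+"metadata": {
+"displayName": "[AKS Guardrails] Kubernetes label selector",
+"description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
+},
+"defaultValue": {},
+"schema": {
+"description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
+"type": "object",
+"properties": {
+"matchLabels": {
+"description": "matchLabels is a map of {key,value} pairs.",
+"type": "object",
+"additionalProperties": {
+"type": "string"
+},
+"minProperties": 1
+},
+"matchExpressions": {
+"description": "matchExpressions is a list of values, a key, and an operator.",
+"type": "array",
+"items": {
+"type": "object",
+"properties": {
+"key": {
+"description": "key is the label key that the selector applies to.",
+"type": "string"
+},
+"operator": {
+"description": "operator represents a key's relationship to a set of values.",
+"type": "string",
+"enum": [
+"In",
+"NotIn",
+"Exists",
+"DoesNotExist"
+]
+},
+"values": {
+"description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
+"type": "array",
+"items": {
+"type": "string"
+}
+}
+},
+"required": [
+"key",
+"operator"
+],
+"additionalProperties": false
+},
+"minItems": 1
+}
+},
+"additionalProperties": false
+}
+},
+"allowedUsers": {
+"type": "Array",
+"metadata": {
+"displayName": "[AKS Guardrails] Allowed Users",
+"description": "Users that are allowed by AKS Guardrails to modify node labels on individual nodes."
+}
+},
+"allowedGroups": {
+"type": "Array",
+"metadata": {
+"displayName": "[AKS Guardrails] Allowed Groups",
+"description": "Groups that are allowed by AKS Guardrails to modify node labels on individual nodes."
+}
+}
+},
+"policyRule": {
+"if": {
+"field": "type",
+"equals": "Microsoft.ContainerService/managedClusters"
+},
+"then": {
+"effect": "[parameters('effect')]",
+"details": {
+"templateInfo": {
+"sourceType": "PublicURL",
+"url": "https://store.policy.azure.us/kubernetes/restricted-node-edits/v1/template.yaml"
+},
+"apiGroups": [
+""
+],
+"kinds": [
+"Node"
+],
+"namespaces": "[parameters('namespaces')]",
+"excludedNamespaces": "[parameters('excludedNamespaces')]",
+"labelSelector": "[parameters('labelSelector')]",
+"values": {
+"allowedUsers": "[parameters('allowedUsers')]",
+"allowedGroups": "[parameters('allowedGroups')]"
+}
+}
+}
+}
+},
+"id": "/providers/Microsoft.Authorization/policyDefinitions/53a4a537-990c-495a-92e0-7c21a465442c",
+"name": "53a4a537-990c-495a-92e0-7c21a465442c"
+}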
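Review bot: The `namespaces`, `excludedNamespaces` and `labelSelector` parameters are wired into a rule whose only target is `"kinds": ["Node"]` in the core group, and Node is a cluster-scoped resource, so the namespace inclusion/exclusion filters cannot narrow this policy and their defaults (`kube-system`, `gatekeeper-system`, `azure-arc`) suggest an exemption that does not exist; either drop them or add to each description `Has no effect for this policy because Node is cluster-scoped.`. The `allowedUsers` and `allowedGroups` allowlist is the only parameter pair without a `defaultValue`, so an assignment fails unless principals are named explicitly, and their descriptions say these principals may "modify node labels" while the displayName and description say nodes cannot be edited at all — the wording should state exactly which Node operations the constraint restricts and whether service-account names (`system:serviceaccount:<ns>:<name>`) are accepted. Presumably the remote template exempts the kubelet (`system:nodes`) and controller identities before `Deny` is safe to use, but nothing in this definition shows it, and because the template is fetched at runtime from the `templateInfo` URL with no content pin the effective rule can change without this file changing; that dependency is worth stating in the description.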
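--- /dev/null
+++ b/(path not shown)
@@ -0,0 +1,137 @@
+{
+"properties": {
+"displayName": "[Preview]: [AKS Guardrails] Must Have Anty Affinity Rules Set",
+"policyType": "BuiltIn",
+"mode": "Microsoft.Kubernetes.Data",
+"description": "Requires affinity rules to be set.",
+"metadata": {
+"version": "1.0.0-preview",
+"category": "Kubernetes",
+"preview": true
+},
+"version": "1.0.0-preview",
+"parameters": {
+"effect": {
+"type": "String",
+"metadata": {
+"displayName": "[AKS Guardrails] Effect",
+"description": "'audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'deny' blocks the non-compliant resource creation or update. 'disabled' turns off the policy."
+},
+"allowedValues": [
+"Audit",
+"Deny",
+"Disabled"
+],
+"defaultValue": "Audit"
+},
+"excludedNamespaces": {
+"type": "Array",
+"metadata": {
+"displayName": "[AKS Guardrails] Namespace exclusions",
+"description": "List of Kubernetes namespaces to exclude from policy evaluation."
+},
+"defaultValue": [
+"kube-system",
+"gatekeeper-system",
+"azure-arc"
+]
+},
+"namespaces": {
+"type": "Array",
+"metadata": {
+"displayName": "[AKS Guardrails] Namespace inclusions",
+"description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
+},
+"defaultValue": []
+},
+"labelSelector": {
+"type": "Object",
+"metadata": {
+"displayName": "[AKS Guardrails] Kubernetes label selector",
+"description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
+},
+"defaultValue": {},
+"schema": {
+"description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
+"type": "object",
+"properties": {
+"matchLabels": {
+"description": "matchLabels is a map of {key,value} pairs.",
+"type": "object",
+"additionalProperties": {
+"type": "string"
+},
+"minProperties": 1
+},
+"matchExpressions": {
+"description": "matchExpressions is a list of values, a key, and an operator.",
+"type": "array",
+"items": {
+"type": "object",
+"properties": {
+"key": {
+"description": "key is the label key that the selector applies to.",
+"type": "string"
+},
+"operator": {
+"description": "operator represents a key's relationship to a set of values.",
+"type": "string",
+"enum": [
+"In",
+"NotIn",
+"Exists",
+"DoesNotExist"
+]
+},
+"values": {
+"description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
+"type": "array",
+"items": {
+"type": "string"
+}
+}
+},
+"required": [
+"key",
+"operator"
+],
+"additionalProperties": false
+},
+"minItems": 1
+}
+},
+"additionalProperties": false
+}
+}
+},
+"policyRule": {
+"if": {
+"field": "type",
+"equals": "Microsoft.ContainerService/managedClusters"
+},
+"then": {
+"effect": "[parameters('effect')]",
+"details": {
+"templateInfo": {
+"sourceType": "PublicURL",
+"url": "https://store.policy.azure.us/kubernetes/pod-enforce-antiaffinity/v1/template.yaml"
+},
+"apiGroups": [
+"apps"
+],
+"kinds": [
+"Deployment",
+"StatefulSet",
+"ReplicationController",
+"ReplicaSet"
+],
+"namespaces": "[parameters('namespaces')]",
+"excludedNamespaces": "[parameters('excludedNamespaces')]",
+"labelSelector": "[parameters('labelSelector')]"
+}
+}
+}
+},
+"id": "/providers/Microsoft.Authorization/policyDefinitions/34c88cd4-5d72-4dbb-bf77-12c3cafe8791",
+"name": "34c88cd4-5d72-4dbb-bf77-12c3cafe8791"
+}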
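Review bot: `ReplicationController` is listed under `"apiGroups": ["apps"]`, but that kind lives in the core API group (`""`), so the constraint as written will never evaluate a ReplicationController and the audit results will silently omit them; either add `""` to `apiGroups` or drop the kind. The displayName `[AKS Guardrails] Must Have Anty Affinity Rules Set` has a typo (`Anty` should be `Anti`), and the description `Requires affinity rules to be set.` omits the word anti-affinity even though the template path `pod-enforce-antiaffinity` and the title both say that is the requirement — suggest `"description": "Requires pod anti-affinity rules to be set on workload controllers."`. This definition exposes no parameter for which anti-affinity form satisfies the check (topology key, required vs preferred), so presumably the remote template hard-codes that; since the template is fetched at runtime from the `templateInfo` URL with no content pin, the description should state what the constraint actually demands so operators can assess a `Deny` assignment without reading the remote YAML.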