From 3581cfad073f5ab41d2eca53a793d5a75b846570 Mon Sep 17 00:00:00 2001 From: Chris Eggert Date: Mon, 24 Jul 2023 13:29:32 -0700 Subject: [PATCH] Built-in Policy Release 49d507e3 (#1186) Co-authored-by: Azure Policy Bot --- ...S_GuardrailsCannotEditIndividualNodes.json | 152 +++++++++++ ...uardrailsMustHaveAntiAffinityRulesSet.json | 137 ++++++++++ .../AKS_GuardrailsNoAKSSpecificLabels.json | 166 +++++++++++ ...KS_GuardrailsReservedSystemPoolTaints.json | 144 ++++++++++ ...AzureMonitor_DCRA_VMSS_Windows_Deploy.json | 6 +- .../AzureMonitor_DCRA_VM_Windows_Deploy.json | 6 +- .../AzureMonitor_DCRA_Windows_Deploy.json | 6 +- .../Disks_DataAccessAuthMode_Modify.json | 59 ++++ ...reMonitor_Agent_Linux_VMSS_UAI_Deploy.json | 17 +- ...zureMonitor_Agent_Linux_VM_UAI_Deploy.json | 17 +- ...Monitor_Agent_Windows_VMSS_UAI_Deploy.json | 17 +- ...reMonitor_Agent_Windows_VM_UAI_Deploy.json | 17 +- ...AzureMonitor_DCRA_VMSS_Windows_Deploy.json | 6 +- .../AzureMonitor_DCRA_VM_Windows_Deploy.json | 6 +- .../AzureMonitor_DCRA_Windows_Deploy.json | 6 +- .../Kubernetes/AKS_Guardrails.json | 257 ++++++++++++++++++ 16 files changed, 989 insertions(+), 30 deletions(-) create mode 100644 built-in-policies/policyDefinitions/Azure Government/Kubernetes/AKS_GuardrailsCannotEditIndividualNodes.json create mode 100644 built-in-policies/policyDefinitions/Azure Government/Kubernetes/AKS_GuardrailsMustHaveAntiAffinityRulesSet.json create mode 100644 built-in-policies/policyDefinitions/Azure Government/Kubernetes/AKS_GuardrailsNoAKSSpecificLabels.json create mode 100644 built-in-policies/policyDefinitions/Azure Government/Kubernetes/AKS_GuardrailsReservedSystemPoolTaints.json create mode 100644 built-in-policies/policyDefinitions/Compute/Disks_DataAccessAuthMode_Modify.json create mode 100644 built-in-policies/policySetDefinitions/Azure Government/Kubernetes/AKS_Guardrails.json 
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/AKS_GuardrailsCannotEditIndividualNodes.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/AKS_GuardrailsCannotEditIndividualNodes.json
new file mode 100644
index 000000000..c47597fa7
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/AKS_GuardrailsCannotEditIndividualNodes.json
@@ -0,0 +1,152 @@ +{ + "properties": { + "displayName": "[Preview]: [AKS Guardrails] Cannot Edit Individual Nodes", + "policyType": "BuiltIn", + "mode": "Microsoft.Kubernetes.Data", + "description": "Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools.", + "metadata": { + "version": "1.0.0-preview", + "category": "Kubernetes", + "preview": true + }, + "version": "1.0.0-preview", + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "[AKS Guardrails] Effect", + "description": "'audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'deny' blocks the non-compliant resource creation or update. 'disabled' turns off the policy." + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + }, + "excludedNamespaces": { + "type": "Array", + "metadata": { + "displayName": "[AKS Guardrails] Namespace exclusions", + "description": "List of Kubernetes namespaces to exclude from policy evaluation." + }, + "defaultValue": [ + "kube-system", + "gatekeeper-system", + "azure-arc" + ] + }, + "namespaces": { + "type": "Array", + "metadata": { + "displayName": "[AKS Guardrails] Namespace inclusions", + "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces." + }, + "defaultValue": [] + }, + "labelSelector": { + "type": "Object", + "metadata": { + "displayName": "[AKS Guardrails] Kubernetes label selector", + "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources." + }, + "defaultValue": {}, + "schema": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. 
An empty label selector matches all resources.", + "type": "object", + "properties": { + "matchLabels": { + "description": "matchLabels is a map of {key,value} pairs.", + "type": "object", + "additionalProperties": { + "type": "string" + }, + "minProperties": 1 + }, + "matchExpressions": { + "description": "matchExpressions is a list of values, a key, and an operator.", + "type": "array", + "items": { + "type": "object", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values.", + "type": "string", + "enum": [ + "In", + "NotIn", + "Exists", + "DoesNotExist" + ] + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.", + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": [ + "key", + "operator" + ], + "additionalProperties": false + }, + "minItems": 1 + } + }, + "additionalProperties": false + } + }, + "allowedUsers": { + "type": "Array", + "metadata": { + "displayName": "[AKS Guardrails] Allowed Users", + "description": "Users that are allowed by AKS Guardrails to modify node labels on individual nodes." + } + }, + "allowedGroups": { + "type": "Array", + "metadata": { + "displayName": "[AKS Guardrails] Allowed Groups", + "description": "Groups that are allowed by AKS Guardrails to modify node labels on individual nodes." 
+ } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.ContainerService/managedClusters" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "templateInfo": { + "sourceType": "PublicURL", + "url": "https://store.policy.azure.us/kubernetes/restricted-node-edits/v1/template.yaml" + }, + "apiGroups": [ + "" + ], + "kinds": [ + "Node" + ], + "namespaces": "[parameters('namespaces')]", + "excludedNamespaces": "[parameters('excludedNamespaces')]", + "labelSelector": "[parameters('labelSelector')]", + "values": { + "allowedUsers": "[parameters('allowedUsers')]", + "allowedGroups": "[parameters('allowedGroups')]" + } + } + } + } + }, + "id": "/providers/Microsoft.Authorization/policyDefinitions/53a4a537-990c-495a-92e0-7c21a465442c", + "name": "53a4a537-990c-495a-92e0-7c21a465442c" +} \ No newline at end of file diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/AKS_GuardrailsMustHaveAntiAffinityRulesSet.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/AKS_GuardrailsMustHaveAntiAffinityRulesSet.json new file mode 100644 index 000000000..40b6bcf5d --- /dev/null +++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/AKS_GuardrailsMustHaveAntiAffinityRulesSet.json 
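Review bot: The `allowedUsers` / `allowedGroups` descriptions in this hunk say they permit modifying node labels, while the displayName and description say individual nodes cannot be edited at all; a reader cannot tell from the definition whether the constraint blocks every Node update or only label changes, so one of the two wordings should be corrected to match what the template at `restricted-node-edits/v1` actually enforces. `kinds` is `["Node"]`, a cluster-scoped resource, so the `namespaces` / `excludedNamespaces` parameters cannot meaningfully filter anything here; their descriptions could say so, e.g. `"description": "Not applicable to this policy: Nodes are cluster-scoped. Kept for consistency with other AKS Guardrails definitions."` — the same applies to the Reserved System Pool Taints hunk below, which also matches only `Node`. Both allow-list parameters have no `defaultValue`, so every assignment must supply them; if that is intentional it deserves a sentence in the description, since the initiative added later in this commit inherits the same requirement.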
@@ -0,0 +1,137 @@ +{ + "properties": { + "displayName": "[Preview]: [AKS Guardrails] Must Have Anty Affinity Rules Set", + "policyType": "BuiltIn", + "mode": "Microsoft.Kubernetes.Data", + "description": "Requires affinity rules to be set.", + "metadata": { + "version": "1.0.0-preview", + "category": "Kubernetes", + "preview": true + }, + "version": "1.0.0-preview", + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "[AKS Guardrails] Effect", + "description": "'audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'deny' blocks the non-compliant resource creation or update. 'disabled' turns off the policy." + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + }, + "excludedNamespaces": { + "type": "Array", + "metadata": { + "displayName": "[AKS Guardrails] Namespace exclusions", + "description": "List of Kubernetes namespaces to exclude from policy evaluation." + }, + "defaultValue": [ + "kube-system", + "gatekeeper-system", + "azure-arc" + ] + }, + "namespaces": { + "type": "Array", + "metadata": { + "displayName": "[AKS Guardrails] Namespace inclusions", + "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces." + }, + "defaultValue": [] + }, + "labelSelector": { + "type": "Object", + "metadata": { + "displayName": "[AKS Guardrails] Kubernetes label selector", + "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources." + }, + "defaultValue": {}, + "schema": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. 
An empty label selector matches all resources.", + "type": "object", + "properties": { + "matchLabels": { + "description": "matchLabels is a map of {key,value} pairs.", + "type": "object", + "additionalProperties": { + "type": "string" + }, + "minProperties": 1 + }, + "matchExpressions": { + "description": "matchExpressions is a list of values, a key, and an operator.", + "type": "array", + "items": { + "type": "object", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values.", + "type": "string", + "enum": [ + "In", + "NotIn", + "Exists", + "DoesNotExist" + ] + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.", + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": [ + "key", + "operator" + ], + "additionalProperties": false + }, + "minItems": 1 + } + }, + "additionalProperties": false + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.ContainerService/managedClusters" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "templateInfo": { + "sourceType": "PublicURL", + "url": "https://store.policy.azure.us/kubernetes/pod-enforce-antiaffinity/v1/template.yaml" + }, + "apiGroups": [ + "apps" + ], + "kinds": [ + "Deployment", + "StatefulSet", + "ReplicationController", + "ReplicaSet" + ], + "namespaces": "[parameters('namespaces')]", + "excludedNamespaces": "[parameters('excludedNamespaces')]", + "labelSelector": "[parameters('labelSelector')]" + } + } + } + }, + "id": "/providers/Microsoft.Authorization/policyDefinitions/34c88cd4-5d72-4dbb-bf77-12c3cafe8791", + "name": "34c88cd4-5d72-4dbb-bf77-12c3cafe8791" +} \ No newline at end of file 
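Review bot: `kinds` lists `ReplicationController` but `apiGroups` is only `["apps"]`; ReplicationController is a core-group (`v1`) resource, so as far as this match block shows it will never be evaluated, unlike the No AKS Specific Labels definition in this commit which lists both `""` and `"apps"`. The fix is `"apiGroups": ["", "apps"]` if ReplicationControllers are meant to be covered, or dropping the kind if they are not. The user-facing strings also need attention: the displayName reads `Must Have Anty Affinity Rules Set` (typo for Anti) and the description `Requires affinity rules to be set.` says affinity rather than anti-affinity, which is what the template path `pod-enforce-antiaffinity` suggests is enforced; suggested `"displayName": "[Preview]: [AKS Guardrails] Must Have Anti Affinity Rules Set"` and `"description": "Requires pod anti-affinity rules to be set."`.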
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/AKS_GuardrailsNoAKSSpecificLabels.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/AKS_GuardrailsNoAKSSpecificLabels.json
new file mode 100644
index 000000000..b60a3d509
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/AKS_GuardrailsNoAKSSpecificLabels.json
@@ -0,0 +1,166 @@ +{ + "properties": { + "displayName": "[Preview]: [AKS Guardrails] No AKS Specific Labels", + "policyType": "BuiltIn", + "mode": "Microsoft.Kubernetes.Data", + "description": "Prevents customers from applying AKS specific labels", + "metadata": { + "version": "1.0.0-preview", + "category": "Kubernetes", + "preview": true + }, + "version": "1.0.0-preview", + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "[AKS Guardrails] Effect", + "description": "'audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'deny' blocks the non-compliant resource creation or update. 'disabled' turns off the policy." + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + }, + "excludedNamespaces": { + "type": "Array", + "metadata": { + "displayName": "[AKS Guardrails] Namespace exclusions", + "description": "List of Kubernetes namespaces to exclude from policy evaluation." + }, + "defaultValue": [ + "kube-system", + "gatekeeper-system", + "azure-arc" + ] + }, + "namespaces": { + "type": "Array", + "metadata": { + "displayName": "[AKS Guardrails] Namespace inclusions", + "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces." + }, + "defaultValue": [] + }, + "labelSelector": { + "type": "Object", + "metadata": { + "displayName": "[AKS Guardrails] Kubernetes label selector", + "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources." + }, + "defaultValue": {}, + "schema": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. 
An empty label selector matches all resources.", + "type": "object", + "properties": { + "matchLabels": { + "description": "matchLabels is a map of {key,value} pairs.", + "type": "object", + "additionalProperties": { + "type": "string" + }, + "minProperties": 1 + }, + "matchExpressions": { + "description": "matchExpressions is a list of values, a key, and an operator.", + "type": "array", + "items": { + "type": "object", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values.", + "type": "string", + "enum": [ + "In", + "NotIn", + "Exists", + "DoesNotExist" + ] + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.", + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": [ + "key", + "operator" + ], + "additionalProperties": false + }, + "minItems": 1 + } + }, + "additionalProperties": false + } + }, + "labels": { + "type": "Array", + "metadata": { + "displayName": "[AKS Guardrails] AKS Specific Labels", + "description": "Labels specific to AKS." + } + }, + "allowedUsers": { + "type": "Array", + "metadata": { + "displayName": "[AKS Guardrails] Allowed Users", + "description": "Users that are allowed to use AKS specific labels." + } + }, + "allowedGroups": { + "type": "Array", + "metadata": { + "displayName": "[AKS Guardrails] Allowed Groups", + "description": "Groups that are allowed to use AKS specific labels." 
+ } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.ContainerService/managedClusters" + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "templateInfo": { + "sourceType": "PublicURL", + "url": "https://store.policy.azure.us/kubernetes/restricted-labels/v1/template.yaml" + }, + "apiGroups": [ + "", + "apps" + ], + "kinds": [ + "Pod", + "Node", + "Service", + "Deployment", + "StatefulSet", + "ReplicaSet" + ], + "namespaces": "[parameters('namespaces')]", + "excludedNamespaces": "[parameters('excludedNamespaces')]", + "labelSelector": "[parameters('labelSelector')]", + "values": { + "labels": "[parameters('labels')]", + "allowedUsers": "[parameters('allowedUsers')]", + "allowedGroups": "[parameters('allowedGroups')]" + } + } + } + } + }, + "id": "/providers/Microsoft.Authorization/policyDefinitions/a22123bd-b9da-4c86-9424-24903e91fd55", + "name": "a22123bd-b9da-4c86-9424-24903e91fd55" +} \ No newline at end of file diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/AKS_GuardrailsReservedSystemPoolTaints.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/AKS_GuardrailsReservedSystemPoolTaints.json new file mode 100644 index 000000000..0d542ea33 --- /dev/null +++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/AKS_GuardrailsReservedSystemPoolTaints.json 
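Review bot: The `labels` parameter, which is the entire deny-list this policy enforces, has no `defaultValue` and its description is just `Labels specific to AKS.`, so an assigner has to guess both the expected element format (label key, `key=value`, or a prefix pattern) and the set AKS actually reserves; with `Audit` as the default effect a mis-formatted list would most likely flag nothing without any error. If the reserved set is owned by AKS, seeding a `defaultValue` with that list, or at least documenting the format and where the authoritative list lives, would make the definition usable without tribal knowledge, e.g. `"description": "Label keys reserved by AKS that only allowedUsers/allowedGroups may set (format: label key; prefix matching — TODO confirm against the restricted-labels template)."`. The allow-list parameters share the no-default point raised on the Cannot Edit Individual Nodes hunk.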
@@ -0,0 +1,144 @@ +{ + "properties": { + "displayName": "[Preview]: [AKS Guardrails] Reserved System Pool Taints", + "policyType": "BuiltIn", + "mode": "Microsoft.Kubernetes.Data", + "description": "Restricts the CriticalAddonsOnly taint to just the system pool", + "metadata": { + "version": "1.0.0-preview", + "category": "Kubernetes", + "preview": true + }, + "version": "1.0.0-preview", + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "[AKS Guardrails] Effect", + "description": "'audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'deny' blocks the non-compliant resource creation or update. 'disabled' turns off the policy." + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + }, + "excludedNamespaces": { + "type": "Array", + "metadata": { + "displayName": "[AKS Guardrails] Namespace exclusions", + "description": "List of Kubernetes namespaces to exclude from policy evaluation." + }, + "defaultValue": [ + "kube-system", + "gatekeeper-system", + "azure-arc" + ] + }, + "namespaces": { + "type": "Array", + "metadata": { + "displayName": "[AKS Guardrails] Namespace inclusions", + "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces." + }, + "defaultValue": [] + }, + "labelSelector": { + "type": "Object", + "metadata": { + "displayName": "[AKS Guardrails] Kubernetes label selector", + "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources." + }, + "defaultValue": {}, + "schema": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. 
An empty label selector matches all resources.", + "type": "object", + "properties": { + "matchLabels": { + "description": "matchLabels is a map of {key,value} pairs.", + "type": "object", + "additionalProperties": { + "type": "string" + }, + "minProperties": 1 + }, + "matchExpressions": { + "description": "matchExpressions is a list of values, a key, and an operator.", + "type": "array", + "items": { + "type": "object", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values.", + "type": "string", + "enum": [ + "In", + "NotIn", + "Exists", + "DoesNotExist" + ] + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.", + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": [ + "key", + "operator" + ], + "additionalProperties": false + }, + "minItems": 1 + } + }, + "additionalProperties": false + } + }, + "reservedTaints": { + "type": "Array", + "metadata": { + "displayName": "[AKS Guardrails] Reserved Taints", + "description": "Reserved taints." 
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ContainerService/managedClusters"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "templateInfo": {
+ "sourceType": "PublicURL",
+ "url": "https://store.policy.azure.us/kubernetes/restricted-taints/v1/template.yaml"
+ },
+ "apiGroups": [
+ ""
+ ],
+ "kinds": [
+ "Node"
+ ],
+ "namespaces": "[parameters('namespaces')]",
+ "excludedNamespaces": "[parameters('excludedNamespaces')]",
+ "labelSelector": "[parameters('labelSelector')]",
+ "values": {
+ "reservedTaints": "[parameters('reservedTaints')]"
+ }
+ }
+ }
+ }
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/48940d92-ff05-449e-9111-e742d9280451",
+ "name": "48940d92-ff05-449e-9111-e742d9280451"
+}
\ No newline at end of file
diff --git a/built-in-policies/policyDefinitions/Azure Government/Monitoring/AzureMonitor_DCRA_VMSS_Windows_Deploy.json b/built-in-policies/policyDefinitions/Azure Government/Monitoring/AzureMonitor_DCRA_VMSS_Windows_Deploy.json
index 04e50c527..39a75d436 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Monitoring/AzureMonitor_DCRA_VMSS_Windows_Deploy.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Monitoring/AzureMonitor_DCRA_VMSS_Windows_Deploy.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased.",
 "metadata": {
- "version": "2.0.0",
+ "version": "2.1.0",
 "category": "Monitoring"
 },
- "version": "2.0.0",
+ "version": "2.1.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -246,7 +246,7 @@
 },
 {
 "field": "Microsoft.Compute/imageOffer",
- "equals": "Windows-10"
+ "like": "Windows-1*"
 }
 ]
 }
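Review bot: `reservedTaints` has no `defaultValue` and its description is only `Reserved taints.`, although the policy description fixes the intent to the single `CriticalAddonsOnly` taint; if that is the reserved set, a `"defaultValue": ["CriticalAddonsOnly"]` (in whatever element shape the `restricted-taints` template expects — key only or key=value:effect — which the description should state) would make assignments correct by default. As written, an assignment with an empty or mis-formatted list presumably restricts nothing while still reporting as assigned, which is the kind of silent gap a guardrail should not have.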
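Review bot: Replacing `"equals": "Windows-10"` with `"like": "Windows-1*"` widens the image match to every offer beginning with `Windows-1` (Windows-10 and Windows-11, but also any future `Windows-1x` offer), and because this is a deploy definition that match decides where associations get created; if the intent is to add Windows 11, `"in": ["Windows-10", "Windows-11"]` keeps the allow-list explicit and reviewable. If the wildcard is deliberate, the description should state that offers matching `Windows-1*` are included. The enclosing `allOf` block starts outside the hunk. The same change appears in the Azure Government VM and Windows DCRA definitions that follow and in the three `Monitoring/AzureMonitor_DCRA_*_Deploy.json` definitions later in this commit.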
diff --git a/built-in-policies/policyDefinitions/Azure Government/Monitoring/AzureMonitor_DCRA_VM_Windows_Deploy.json b/built-in-policies/policyDefinitions/Azure Government/Monitoring/AzureMonitor_DCRA_VM_Windows_Deploy.json
index f8b15dc30..8b31eb99b 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Monitoring/AzureMonitor_DCRA_VM_Windows_Deploy.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Monitoring/AzureMonitor_DCRA_VM_Windows_Deploy.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased.",
 "metadata": {
- "version": "2.0.0",
+ "version": "2.1.0",
 "category": "Monitoring"
 },
- "version": "2.0.0",
+ "version": "2.1.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -246,7 +246,7 @@
 },
 {
 "field": "Microsoft.Compute/imageOffer",
- "equals": "Windows-10"
+ "like": "Windows-1*"
 }
 ]
 }
diff --git a/built-in-policies/policyDefinitions/Azure Government/Monitoring/AzureMonitor_DCRA_Windows_Deploy.json b/built-in-policies/policyDefinitions/Azure Government/Monitoring/AzureMonitor_DCRA_Windows_Deploy.json
index 8d4e775cb..61ad26885 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Monitoring/AzureMonitor_DCRA_Windows_Deploy.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Monitoring/AzureMonitor_DCRA_Windows_Deploy.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased.",
 "metadata": {
- "version": "2.0.0",
+ "version": "2.1.0",
 "category": "Monitoring"
 },
- "version": "2.0.0",
+ "version": "2.1.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -270,7 +270,7 @@
 },
 {
 "field": "Microsoft.Compute/imageOffer",
- "equals": "Windows-10"
+ "like": "Windows-1*"
 }
 ]
 }
diff --git a/built-in-policies/policyDefinitions/Compute/Disks_DataAccessAuthMode_Modify.json b/built-in-policies/policyDefinitions/Compute/Disks_DataAccessAuthMode_Modify.json
new file mode 100644
index 000000000..6116d09f5
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Compute/Disks_DataAccessAuthMode_Modify.json
@@ -0,0 +1,59 @@
+{
+ "properties": {
+ "displayName": "Protect your data with authentication requirements when exporting or uploading to a disk or snapshot.",
+ "policyType": "BuiltIn",
+ "mode": "Indexed",
+ "description": "When export/upload URL is used, the system checks if the user has an identity in Azure Active Directory and has necessary permissions to export/upload the data. Please refer to aka.ms/DisksAzureADAuth.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Compute"
+ },
+ "version": "1.0.0",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "Modify",
+ "allowedValues": [
+ "Modify",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Compute/disks"
+ },
+ {
+ "field": "Microsoft.Compute/disks/dataAccessAuthMode",
+ "notEquals": "AzureActiveDirectory"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "conflictEffect": "audit",
+ "operations": [
+ {
+ "operation": "addOrReplace",
+ "field": "Microsoft.Compute/disks/dataAccessAuthMode",
+ "value": "AzureActiveDirectory"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/c3921d55-b741-4d16-8d56-7f16e99e6892",
+ "name": "c3921d55-b741-4d16-8d56-7f16e99e6892"
+}
\ No newline at end of file
diff --git a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VMSS_UAI_Deploy.json b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VMSS_UAI_Deploy.json
index e7d34e021..2b568625b 100644
--- a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VMSS_UAI_Deploy.json
+++ b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VMSS_UAI_Deploy.json
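Review bot: The displayName promises protection `when exporting or uploading to a disk or snapshot`, but the rule only matches `Microsoft.Compute/disks` and the modify operation only sets `Microsoft.Compute/disks/dataAccessAuthMode`, so snapshots are left untouched while anyone reading the policy name will assume they are covered; either add a companion definition for `Microsoft.Compute/snapshots` or narrow the displayName and description to disks. The remediation identity is granted `b24988ac-6180-42a0-ab88-20f7382dd24c`, the built-in Contributor role, which is far broader than the single `dataAccessAuthMode` write this operation performs; a role limited to disk writes would be closer to least privilege for the managed identity the assignment creates, if one exists that covers that write. `aka.ms/DisksAzureADAuth` in the description is also not a full URL, unlike the `https://aka.ms/...` links in the Monitoring definitions in this commit.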
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.",
 "metadata": {
- "version": "3.1.0",
+ "version": "3.2.0",
 "category": "Monitoring"
 },
- "version": "3.1.0",
+ "version": "3.2.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -118,7 +118,18 @@
 "westindia",
 "westus",
 "westus2",
- "westus3"
+ "westus3",
+ "chinaeast",
+ "chinaeast2",
+ "chinaeast3",
+ "chinanorth",
+ "chinanorth2",
+ "chinanorth3",
+ "usgovarizona",
+ "usgovtexas",
+ "usgovvirginia",
+ "usdodeast",
+ "usdodcentral"
 ]
 },
 {
diff --git a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VM_UAI_Deploy.json b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VM_UAI_Deploy.json
index e1fde0017..2fe80122e 100644
--- a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VM_UAI_Deploy.json
+++ b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Linux_VM_UAI_Deploy.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.",
 "metadata": {
- "version": "3.1.0",
+ "version": "3.2.0",
 "category": "Monitoring"
 },
- "version": "3.1.0",
+ "version": "3.2.0",
 "parameters": {
 "effect": {
 "type": "String",
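Review bot: The region allow-list is hand-maintained in four definitions and already diverges: the Linux VMSS and VM lists end in `westus3` before the new sovereign-cloud entries, while the Windows VMSS and VM lists (the `@@ -114,7 +114,18 @@` hunks that follow) end in `westus2` with no `westus3`; if Windows is supported in westus3 that is a missed extension, and if not, a comment-free JSON list gives the reader no way to tell. Adding `chinaeast*`, `chinanorth*`, `usgov*` and `usdod*` regions to the definitions under `policyDefinitions/Monitoring` rather than the `Azure Government` tree used elsewhere in this commit looks intentional only if these files are the ones published to every cloud, which is worth confirming in the PR description since a deploy policy targeting an unsupported region would surface as remediation failures rather than as a policy error. The enclosing location array starts outside the hunk.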
@@ -118,7 +118,18 @@
 "westindia",
 "westus",
 "westus2",
- "westus3"
+ "westus3",
+ "chinaeast",
+ "chinaeast2",
+ "chinaeast3",
+ "chinanorth",
+ "chinanorth2",
+ "chinanorth3",
+ "usgovarizona",
+ "usgovtexas",
+ "usgovvirginia",
+ "usdodeast",
+ "usdodcentral"
 ]
 },
 {
diff --git a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VMSS_UAI_Deploy.json b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VMSS_UAI_Deploy.json
index b31fea7d9..94d0125e6 100644
--- a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VMSS_UAI_Deploy.json
+++ b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VMSS_UAI_Deploy.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.",
 "metadata": {
- "version": "1.3.0",
+ "version": "1.4.0",
 "category": "Monitoring"
 },
- "version": "1.3.0",
+ "version": "1.4.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -114,7 +114,18 @@
 "westeurope",
 "westindia",
 "westus",
- "westus2"
+ "westus2",
+ "chinaeast",
+ "chinaeast2",
+ "chinaeast3",
+ "chinanorth",
+ "chinanorth2",
+ "chinanorth3",
+ "usgovarizona",
+ "usgovtexas",
+ "usgovvirginia",
+ "usdodeast",
+ "usdodcentral"
 ]
 },
 {
diff --git a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VM_UAI_Deploy.json b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VM_UAI_Deploy.json
index 1d68f616a..8c1ca61df 100644
--- a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VM_UAI_Deploy.json
+++ b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_Agent_Windows_VM_UAI_Deploy.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview.",
 "metadata": {
- "version": "1.3.0",
+ "version": "1.4.0",
 "category": "Monitoring"
 },
- "version": "1.3.0",
+ "version": "1.4.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -114,7 +114,18 @@
 "westeurope",
 "westindia",
 "westus",
- "westus2"
+ "westus2",
+ "chinaeast",
+ "chinaeast2",
+ "chinaeast3",
+ "chinanorth",
+ "chinanorth2",
+ "chinanorth3",
+ "usgovarizona",
+ "usgovtexas",
+ "usgovvirginia",
+ "usdodeast",
+ "usdodcentral"
 ]
 },
 {
diff --git a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VMSS_Windows_Deploy.json b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VMSS_Windows_Deploy.json
index d878a56be..3a074ba39 100644
--- a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VMSS_Windows_Deploy.json
+++ b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VMSS_Windows_Deploy.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased.",
 "metadata": {
- "version": "3.0.0",
+ "version": "3.1.0",
 "category": "Monitoring"
 },
- "version": "3.0.0",
+ "version": "3.1.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -270,7 +270,7 @@
 },
 {
 "field": "Microsoft.Compute/imageOffer",
- "equals": "Windows-10"
+ "like": "Windows-1*"
 }
 ]
 }
diff --git a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VM_Windows_Deploy.json b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VM_Windows_Deploy.json
index ec5590eec..a051eaa9b 100644
--- a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VM_Windows_Deploy.json
+++ b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_VM_Windows_Deploy.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased.",
 "metadata": {
- "version": "3.0.0",
+ "version": "3.1.0",
 "category": "Monitoring"
 },
- "version": "3.0.0",
+ "version": "3.1.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -270,7 +270,7 @@
 },
 {
 "field": "Microsoft.Compute/imageOffer",
- "equals": "Windows-10"
+ "like": "Windows-1*"
 }
 ]
 }
diff --git a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Windows_Deploy.json b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Windows_Deploy.json
index 4927b1503..38fccb7c9 100644
--- a/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Windows_Deploy.json
+++ b/built-in-policies/policyDefinitions/Monitoring/AzureMonitor_DCRA_Windows_Deploy.json
@@ -5,10 +5,10 @@
 "mode": "Indexed",
 "description": "Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased.",
 "metadata": {
- "version": "4.1.0",
+ "version": "4.2.0",
 "category": "Monitoring"
 },
- "version": "4.1.0",
+ "version": "4.2.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -296,7 +296,7 @@
 },
 {
 "field": "Microsoft.Compute/imageOffer",
- "equals": "Windows-10"
+ "like": "Windows-1*"
 }
 ]
 }
diff --git a/built-in-policies/policySetDefinitions/Azure Government/Kubernetes/AKS_Guardrails.json b/built-in-policies/policySetDefinitions/Azure Government/Kubernetes/AKS_Guardrails.json
new file mode 100644
index 000000000..bc5456d2a
--- /dev/null
+++ b/built-in-policies/policySetDefinitions/Azure Government/Kubernetes/AKS_Guardrails.json
@@ -0,0 +1,257 @@
+{
+ "properties": {
+ "displayName": "[Preview]: AKS Guardrails should help guide developers towards AKS recommended best practices",
+ "policyType": "BuiltIn",
+ "description": "A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service",
+ "metadata": {
+ "version": "1.1.0-preview",
+ "category": "Kubernetes",
+ "preview": true
+ },
+ "version": "1.1.0-preview",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "[AKS Guardrails] Effect",
+ "description": "'audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'deny' blocks the non-compliant resource creation or update. 'disabled' turns off the policy."
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "excludedNamespaces": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "[AKS Guardrails] Namespace exclusions",
+ "description": "List of Kubernetes namespaces to exclude from policy evaluation."
+ },
+ "defaultValue": [
+ "kube-system",
+ "gatekeeper-system",
+ "azure-arc"
+ ]
+ },
+ "allowedUsers": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "[AKS Guardrails] Allowed Users",
+ "description": "Users that are allowed by AKS Guardrails to make changes on kubernetes object."
+ }
+ },
+ "allowedGroups": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "[AKS Guardrails] Allowed Groups",
+ "description": "Groups that are allowed by AKS Guardrails to make changes on kubernetes object."
+ }
+ },
+ "cpuLimit": {
+ "type": "String",
+ "metadata": {
+ "displayName": "[AKS Guardrails] Max allowed CPU units",
+ "description": "The maximum CPU units allowed for a container. E.g. 200m. For more information, please refer https://aka.ms/k8s-policy-pod-limits"
+ }
+ },
+ "memoryLimit": {
+ "type": "String",
+ "metadata": {
+ "displayName": "[AKS Guardrails] Max allowed memory bytes",
+ "description": "The maximum memory bytes allowed for a container. E.g. 1Gi. For more information, please refer https://aka.ms/k8s-policy-pod-limits"
+ }
+ },
+ "excludedContainers": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "[AKS Guardrails] Containers exclusions",
+ "description": "The list of InitContainers and Containers to exclude from policy evaluation. The identify is the name of container. Use an empty list to apply this policy to all containers in all namespaces."
+ },
+ "defaultValue": []
+ },
+ "excludedImages": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "[AKS Guardrails] Image exclusions",
+ "description": "The list of InitContainers and Containers to exclude from policy evaluation. The identifier is the image of container. Prefix-matching can be signified with `*`. For example: `myregistry.azurecr.io/istio:*`. It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository."
+ },
+ "defaultValue": []
+ },
+ "labels": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "[AKS Guardrails] AKS Specific Labels",
+ "description": "Reserved labels specific to AKS."
+ }
+ },
+ "allowedContainerImagesRegex": {
+ "type": "String",
+ "metadata": {
+ "displayName": "[AKS Guardrails] Allowed registry or registries regex",
+ "description": "The RegEx rule used to match allowed container image field in a Kubernetes cluster. For example, to allow any Azure Container Registry image by matching partial path: ^[^\\/]+\\.azurecr\\.io\\/.+$ and for multiple registries: ^([^\\/]+\\.azurecr\\.io|registry\\.io)\\/.+$"
+ }
+ },
+ "reservedTaints": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "[AKS Guardrails] Reserved Taints",
+ "description": "Reserved taints specific to AKS"
+ }
+ },
+ "requiredProbes": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "[AKS Guardrails] Required probes list",
+ "description": "The list of probes that are required to be defined on a container. Kubernetes currently supports 'livenessProbe', 'readinessProbe', and 'startupProbe'.",
+ "portalReview": true
+ },
+ "defaultValue": [
+ "readinessProbe",
+ "livenessProbe"
+ ]
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "restrictedNodeEditsInKubernetesCluster",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/53a4a537-990c-495a-92e0-7c21a465442c",
+ "definitionVersion": "1.*.*-preview",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect')]"
+ },
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces')]"
+ },
+ "allowedUsers": {
+ "value": "[parameters('allowedUsers')]"
+ },
+ "allowedGroups": {
+ "value": "[parameters('allowedGroups')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "memoryAndCPULimitsInKubernetesCluster",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164",
+ "definitionVersion": "10.*.*",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect')]"
+ },
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces')]"
+ },
+ "cpuLimit": {
+ "value": "[parameters('cpuLimit')]"
+ },
+ "memoryLimit": {
+ "value": "[parameters('memoryLimit')]"
+ },
+ "excludedContainers": {
+ "value": "[parameters('excludedContainers')]"
+ },
+ "excludedImages": {
+ "value": "[parameters('excludedImages')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "podEnforceAntiaffinityInKubernetesCluster",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c88cd4-5d72-4dbb-bf77-12c3cafe8791",
+ "definitionVersion": "1.*.*-preview",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect')]"
+ },
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "restrictedLabelsInKubernetesCluster",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a22123bd-b9da-4c86-9424-24903e91fd55",
+ "definitionVersion": "1.*.*-preview",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect')]"
+ },
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces')]"
+ },
+ "allowedUsers": {
+ "value": "[parameters('allowedUsers')]"
+ },
+ "allowedGroups": {
+ "value": "[parameters('allowedGroups')]"
+ },
+ "labels": {
+ "value": "[parameters('labels')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "ensureAllowedContainerImagesInKubernetesCluster",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469",
+ "definitionVersion": "10.*.*",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect')]"
+ },
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces')]"
+ },
+ "allowedContainerImagesRegex": {
+ "value": "[parameters('allowedContainerImagesRegex')]"
+ },
+ "excludedContainers": {
+ "value": "[parameters('excludedContainers')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "restrictedTaintsInKubernetesCluster",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48940d92-ff05-449e-9111-e742d9280451",
+ "definitionVersion": "1.*.*-preview",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect')]"
+ },
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces')]"
+ },
+ "reservedTaints": {
+ "value": "[parameters('reservedTaints')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "ensureProbesConfiguredInKubernetesCluster",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915",
+ "definitionVersion": "4.*.*",
+ "parameters": {
+ "effect": {
+ "value": "[parameters('effect')]"
+ },
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces')]"
+ },
+ "requiredProbes": {
+ "value": "[parameters('requiredProbes')]"
+ },
+ "excludedContainers": {
+ "value": "[parameters('excludedContainers')]"
+ },
+ "excludedImages": {
+ "value": "[parameters('excludedImages')]"
+ }
+ }
+ }
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policySetDefinitions/c047ea8e-9c78-49b2-958b-37e56d291a44",
+ "name": "c047ea8e-9c78-49b2-958b-37e56d291a44"
+}
\ No newline at end of file