Built-in Policy Release 42252151
Azure Policy Bot committed Apr 11, 2024
1 parent d3008ba commit 76c4df1
Showing 62 changed files with 954 additions and 495 deletions.
@@ -1,18 +1,19 @@
{
"properties": {
"displayName": "Cognitive Services accounts should disable public network access",
"displayName": "[Deprecated]: Cognitive Services accounts should disable public network access",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "To improve the security of Cognitive Services accounts, ensure that it isn't exposed to the public internet and can only be accessed from a private endpoint. Disable the public network access property as described in https://go.microsoft.com/fwlink/?linkid=2129800. This option disables access from any public address space outside the Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. This reduces data leakage risks.",
"metadata": {
"version": "3.0.1",
"category": "Cognitive Services"
"version": "3.1.0-deprecated",
"category": "Cognitive Services",
"deprecated": true
},
"version": "3.0.1",
"version": "3.1.0",
"parameters": {
"effect": {
"type": "string",
"defaultValue": "Audit",
"defaultValue": "Disabled",
"allowedValues": [
"Audit",
"Deny",
Expand Down Expand Up @@ -42,6 +43,7 @@
}
},
"versions": [
"3.1.0",
"3.0.1"
]
},
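Review bot: The `defaultValue` of the `effect` parameter moves from `Audit` to `Disabled` in the same change that marks the definition deprecated, so any assignment that took the default stops evaluating public network access on Cognitive Services accounts once this version ships, while the `description` is left unchanged and still reads as an active recommendation. Nothing in the hunk says why the definition is retired or which definition replaces it, so assignment owners get no migration pointer before coverage is lost. I would extend the description with a sentence marking it as deprecated and naming the replacement definition if one exists, for example `This policy is deprecated; assign its replacement definition to keep auditing public network access.` with the replacement id filled in from the release. The second hunk only adds `3.1.0` to `versions` and needs nothing further.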
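--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_policyDefinition_1a3b9003-eac6-4d39-a184-4a567ace7645
@@ -0,0 +1,153 @@
+{
+"properties": {
+"displayName": "[Preview]: Kubernetes cluster container images must include the preStop hook",
+"policyType": "BuiltIn",
+"mode": "Microsoft.Kubernetes.Data",
+"description": "Requires that container images include a preStop hook to gracefully terminate processes during pod shutdowns.",
+"metadata": {
+"version": "1.0.0-preview",
+"category": "Kubernetes",
+"preview": true
+},
+"version": "1.0.0-preview",
+"parameters": {
+"warn": {
+"type": "Boolean",
+"metadata": {
+"displayName": "Warn",
+"description": "Whether or not to return warnings back to the user in the kubectl cli"
+},
+"allowedValues": [
+true,
+false
+],
+"defaultValue": false
+},
+"effect": {
+"type": "String",
+"metadata": {
+"displayName": "Effect",
+"description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
+},
+"allowedValues": [
+"Audit",
+"Deny",
+"Disabled"
+],
+"defaultValue": "Audit"
+},
+"excludedNamespaces": {
+"type": "Array",
+"metadata": {
+"displayName": "Namespace exclusions",
+"description": "List of Kubernetes namespaces to exclude from policy evaluation."
+},
+"defaultValue": [
+"kube-system",
+"gatekeeper-system",
+"azure-arc"
+]
+},
+"namespaces": {
+"type": "Array",
+"metadata": {
+"displayName": "Namespace inclusions",
+"description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
+},
+"defaultValue": []
+},
+"labelSelector": {
+"type": "Object",
+"metadata": {
+"displayName": "Kubernetes label selector",
+"description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
+},
+"defaultValue": {},
+"schema": {
+"description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
+"type": "object",
+"properties": {
+"matchLabels": {
+"description": "matchLabels is a map of {key,value} pairs.",
+"type": "object",
+"additionalProperties": {
+"type": "string"
+},
+"minProperties": 1
+},
+"matchExpressions": {
+"description": "matchExpressions is a list of values, a key, and an operator.",
+"type": "array",
+"items": {
+"type": "object",
+"properties": {
+"key": {
+"description": "key is the label key that the selector applies to.",
+"type": "string"
+},
+"operator": {
+"description": "operator represents a key's relationship to a set of values.",
+"type": "string",
+"enum": [
+"In",
+"NotIn",
+"Exists",
+"DoesNotExist"
+]
+},
+"values": {
+"description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
+"type": "array",
+"items": {
+"type": "string"
+}
+}
+},
+"required": [
+"key",
+"operator"
+],
+"additionalProperties": false
+},
+"minItems": 1
+}
+},
+"additionalProperties": false
+}
+}
+},
+"policyRule": {
+"if": {
+"field": "type",
+"equals": "Microsoft.ContainerService/managedClusters"
+},
+"then": {
+"effect": "[parameters('effect')]",
+"details": {
+"warn": "[parameters('warn')]",
+"templateInfo": {
+"sourceType": "PublicURL",
+"url": "https://store.policy.core.windows.net/kubernetes/container-enforce-pre-stop-hook/v1/template.yaml"
+},
+"apiGroups": [
+"apps"
+],
+"kinds": [
+"Deployment",
+"StatefulSet",
+"ReplicationController",
+"ReplicaSet"
+],
+"namespaces": "[parameters('namespaces')]",
+"excludedNamespaces": "[parameters('excludedNamespaces')]",
+"labelSelector": "[parameters('labelSelector')]"
+}
+}
+},
+"versions": [
+"1.0.0-PREVIEW"
+]
+},
+"id": "/providers/Microsoft.Authorization/policyDefinitions/1a3b9003-eac6-4d39-a184-4a567ace7645",
+"name": "1a3b9003-eac6-4d39-a184-4a567ace7645"
+}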
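Review bot: `apiGroups` lists only `apps`, yet `kinds` includes `ReplicationController`, which is served from the core API group (`""`), so ReplicationController workloads would most likely never be selected for evaluation and the preStop-hook requirement silently does not apply to them; the sibling `container-no-latest-image` definition in this commit pairs the same `apiGroups` with the same `kinds`. If ReplicationController is meant to be covered, `"apiGroups": ["", "apps"]` fixes it (or drop the kind if it is not), assuming the details block is translated to a Gatekeeper match the way the other Kubernetes definitions are. Separately, `versions` records `"1.0.0-PREVIEW"` while `version` and `metadata.version` say `"1.0.0-preview"`; the casing should agree, and the same mismatch is present in both other new definitions in this commit.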
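--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_policyDefinition_021f8078-41a0-40e6-81b6-c6597da9f3ee
@@ -0,0 +1,153 @@
+{
+"properties": {
+"displayName": "[Preview]: Kubernetes cluster container images should not include latest image tag",
+"policyType": "BuiltIn",
+"mode": "Microsoft.Kubernetes.Data",
+"description": "Requires that container images do not use the latest tag in Kubernetes, it is a best practice to ensure reproducibility, prevent unintended updates, and facilitate easier debugging and rollbacks by using explicit and versioned container images.",
+"metadata": {
+"version": "1.0.0-preview",
+"category": "Kubernetes",
+"preview": true
+},
+"version": "1.0.0-preview",
+"parameters": {
+"warn": {
+"type": "Boolean",
+"metadata": {
+"displayName": "Warn",
+"description": "Whether or not to return warnings back to the user in the kubectl cli"
+},
+"allowedValues": [
+true,
+false
+],
+"defaultValue": false
+},
+"effect": {
+"type": "String",
+"metadata": {
+"displayName": "Effect",
+"description": "'audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'deny' blocks the non-compliant resource creation or update. 'disabled' turns off the policy."
+},
+"allowedValues": [
+"Audit",
+"Deny",
+"Disabled"
+],
+"defaultValue": "Audit"
+},
+"excludedNamespaces": {
+"type": "Array",
+"metadata": {
+"displayName": "Namespace exclusions",
+"description": "List of Kubernetes namespaces to exclude from policy evaluation."
+},
+"defaultValue": [
+"kube-system",
+"gatekeeper-system",
+"azure-arc"
+]
+},
+"namespaces": {
+"type": "Array",
+"metadata": {
+"displayName": "Namespace inclusions",
+"description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
+},
+"defaultValue": []
+},
+"labelSelector": {
+"type": "Object",
+"metadata": {
+"displayName": "Kubernetes label selector",
+"description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
+},
+"defaultValue": {},
+"schema": {
+"description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
+"type": "object",
+"properties": {
+"matchLabels": {
+"description": "matchLabels is a map of {key,value} pairs.",
+"type": "object",
+"additionalProperties": {
+"type": "string"
+},
+"minProperties": 1
+},
+"matchExpressions": {
+"description": "matchExpressions is a list of values, a key, and an operator.",
+"type": "array",
+"items": {
+"type": "object",
+"properties": {
+"key": {
+"description": "key is the label key that the selector applies to.",
+"type": "string"
+},
+"operator": {
+"description": "operator represents a key's relationship to a set of values.",
+"type": "string",
+"enum": [
+"In",
+"NotIn",
+"Exists",
+"DoesNotExist"
+]
+},
+"values": {
+"description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
+"type": "array",
+"items": {
+"type": "string"
+}
+}
+},
+"required": [
+"key",
+"operator"
+],
+"additionalProperties": false
+},
+"minItems": 1
+}
+},
+"additionalProperties": false
+}
+}
+},
+"policyRule": {
+"if": {
+"field": "type",
+"equals": "Microsoft.ContainerService/managedClusters"
+},
+"then": {
+"effect": "[parameters('effect')]",
+"details": {
+"warn": "[parameters('warn')]",
+"templateInfo": {
+"sourceType": "PublicURL",
+"url": "https://store.policy.core.windows.net/kubernetes/container-no-latest-image/v1/template.yaml"
+},
+"apiGroups": [
+"apps"
+],
+"kinds": [
+"Deployment",
+"StatefulSet",
+"ReplicationController",
+"ReplicaSet"
+],
+"namespaces": "[parameters('namespaces')]",
+"excludedNamespaces": "[parameters('excludedNamespaces')]",
+"labelSelector": "[parameters('labelSelector')]"
+}
+}
+},
+"versions": [
+"1.0.0-PREVIEW"
+]
+},
+"id": "/providers/Microsoft.Authorization/policyDefinitions/021f8078-41a0-40e6-81b6-c6597da9f3ee",
+"name": "021f8078-41a0-40e6-81b6-c6597da9f3ee"
+}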
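Review bot: The `effect` parameter's description quotes the values as `'audit'`, `'deny'` and `'disabled'` in lowercase, while `allowedValues` and the matching description in the preStop-hook definition of this commit use `Audit`, `Deny` and `Disabled`; users reading the portal text see values that do not literally match what they must pass. I would align it to `'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy.` The top-level `description` is also one run-on sentence; splitting it as `Requires that container images do not use the latest tag. Using explicit, versioned container images is a best practice that ensures reproducibility, prevents unintended updates, and makes debugging and rollbacks easier.` keeps the same content and reads cleanly.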
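--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_policyDefinition_d77f191e-2338-45d0-b6d4-4ee1c586a192
@@ -0,0 +1,49 @@
+{
+"properties": {
+"displayName": "[Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources",
+"policyType": "BuiltIn",
+"mode": "Microsoft.Kubernetes.Data",
+"description": "Setting your max unavailable pod value to 1 ensures that your application or service is available during a disruption",
+"metadata": {
+"version": "1.0.0-preview",
+"category": "Kubernetes",
+"preview": true
+},
+"version": "1.0.0-preview",
+"parameters": {
+"effect": {
+"type": "String",
+"metadata": {
+"displayName": "Effect",
+"description": "'Mutate' modifies a non-compliant resource be compliant when creating or updating. 'Disabled' turns off the policy.",
+"portalReview": true
+},
+"allowedValues": [
+"Mutate",
+"Disabled"
+],
+"defaultValue": "Mutate"
+}
+},
+"policyRule": {
+"if": {
+"field": "type",
+"equals": "Microsoft.ContainerService/managedClusters"
+},
+"then": {
+"effect": "[parameters('effect')]",
+"details": {
+"mutationInfo": {
+"sourceType": "PublicURL",
+"url": "https://store.policy.core.windows.net/kubernetes/mutate-max-unavailable-pods/v1/mutation.yaml"
+}
+}
+}
+},
+"versions": [
+"1.0.0-PREVIEW"
+]
+},
+"id": "/providers/Microsoft.Authorization/policyDefinitions/d77f191e-2338-45d0-b6d4-4ee1c586a192",
+"name": "d77f191e-2338-45d0-b6d4-4ee1c586a192"
+}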
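Review bot: Unlike the two audit definitions in this commit, this mutation exposes no `excludedNamespaces`, `namespaces` or `labelSelector` parameters, so unless the referenced mutation.yaml scopes itself, PodDisruptionBudget objects in system namespaces such as kube-system and gatekeeper-system would presumably be rewritten too, which can change how node drains and upgrades proceed for cluster components; the sibling definitions exclude those namespaces by default, and this one should either expose the same parameters with the same defaults or document why cluster-wide mutation is intended. The `description` also overstates what the setting gives: `maxUnavailable: 1` still allows one pod to be down and provides no availability guarantee for a single-replica workload, so I would reword it to `Sets maxUnavailable to 1 on PodDisruptionBudget resources so that at most one pod of the selected workload is unavailable during a voluntary disruption.` The effect description has a grammar slip; `'Mutate' modifies a non-compliant resource to be compliant when creating or updating.` reads correctly.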
