This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 45%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWB%3C/text%3E%3C/svg%3E)
According to this doc there possible to use custom policies with Rego in AKS: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes#:~:text=Only%20built%2Din%20policy%20definitions%20are%20supported.%20Custom%20policy%20definitions%20are%20a%20public%20preview%20feature.
Tutorial only shows how to export existing built-in policy into GitHub
@wlodzimierz.borkowski@dnvgl.com , thank you for your question.
You can check out this blog article which has step-by-step guidelines for AKS custom policy feature.
----
Hope this helps.
Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.
@SRIJIT-BOSE-MSFT great, that I was looking for. One more question - I would like to use replicated data like here , so I'm not sure the config is overwritten in AKS
The default content is like:
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
annotations:
config-installed-by: azure-policy-addon
creationTimestamp: "2021-10-22T11:17:02Z"
generation: 3
name: config
namespace: gatekeeper-system
resourceVersion: "39824081"
selfLink: /apis/config.gatekeeper.sh/v1alpha1/namespaces/gatekeeper-system/configs/config
uid: 2df54ce7-f008-4d44-9133-08338252927a
spec:
match:
- excludedNamespaces:
- kube-system
- gatekeeper-system
- aks-periscope
processes:
- audit
- excludedNamespaces:
- kube-system
- gatekeeper-system
- aks-periscope
processes:
- webhook
so can I edit it and add sync field there ?
@wlodzimierz.borkowski@dnvgl.com , at the time of writing, if you do a kubectl describe config config -n gatekeeper-system, you will see:
...
Metadata:
...
Manager: azurepolicyaddon
...
Any manual changes will be overwritten and the config will be reconciled by the azure-policy. If you perform a kubectl describe deploy azure-policy -n kube-system you can see:
Labels: addonmanager.kubernetes.io/mode=Reconcile
Now, addons with label addonmanager.kubernetes.io/mode=Reconcile will be periodically reconciled. Direct manipulation to these addons through apiserver is discouraged because addon-manager will bring them back to the original state. In particular:
$ADDON_PATH. The $ADDON_PATH by default is set to /etc/kubernetes/addons/ on the control plane node(s).
For more information please check this document.
Since AKS is a managed Kubernetes Service you will not be able to access $ADDON_PATH.
In summary, currently you can't edit the gatekeeper config. We have shared a feedback on this with our internal teams. In the meanwhile, you can also share an idea here.
ok @SRIJIT-BOSE-MSFT , so is it possible to read k8s data with AKS managed gatekeeper version and reference them in Rego rules (things like list of pods with particular labels etc...) ?