Azure Policy for AKS Security - "validated Regex" does not lead to a Policy-compliant AKS Cluster

Question

I have a built-in Policy applied to an AKS Cluster that is primarly used for testing purposes (to check functionalities before they go to Prod clusters and potentially break something). The Policy in question is built-in:

https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffebd0533-8e55-448f-b837-bd0e06f16469

The Regex that I applied basically should allow pulling images from major public registries and a private ACR only:

^([^/]+examplehub.azurecr.io|docker.io|hub.docker.com|quay.io|registry.k8s.io)/.+$

which also complies/extends to the example viewable in Azure Portal:

^([^/]+.azurecr.io|registry.io)/.+$

However, even after continued manual assertion from az cli with:

az policy state trigger-scan -g myresourcegroup

the Compliance state does not switch to "compliant". I extracted the exact container image pull path from the cluster using kubectl, and checked this against the Regex (with regexr.com) and it says its compliant, it would be matching. This is why I think my Regex is compliant.

Maybe someone can give me a hint?

Answer 1

Hi Tom Treffke,

Thank you for your question.

For the registries you mentioned, the regex should look like ^(examplehub\.azurecr\.io|docker\.io|hub\.docker\.com|quay\.io|registry\.k8s\.io)/.+$

The regex used is .NET. You can test the pattern using https://regex101.com/

hope this helps.

Please Accept the answer if the information helped you. This will help us and others in the community as well.