Azure Policy built-in definitions for Azure Kubernetes Service
This page is an index of Azure Policy built-in policy definitions for Azure Kubernetes Service. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.
The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.
Initiatives
| Name | Description | Policies | Version |
|---|---|---|---|
| Kubernetes cluster pod security baseline standards for Linux-based workloads | This initiative includes the policies for the Kubernetes cluster pod security baseline standards. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | 5 | 1.2.1 |
| Kubernetes cluster pod security restricted standards for Linux-based workloads | This initiative includes the policies for the Kubernetes cluster pod security restricted standards. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | 8 | 2.3.1 |
Policy definitions
Microsoft.ContainerService
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: [Preview]: Kubernetes clusters should gate deployment of vulnerable images | Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Azure Defender CI/CD scanning (https://aka.ms/AzureDefenderCICDscanning) and Azure defender for container registries (https://aka.ms/AzureDefenderForContainerRegistries) to identify and patch vulnerabilities prior to deployment. Evaluation prerequisite: Policy Addon and Azure Defender Profile. Only applicable for private preview customers. | Audit, Deny, Disabled | 2.0.1-preview |
| [Preview]: [Preview]: Kubernetes clusters should restrict creation of given resource type | Given Kubernetes resource type should not be deployed in certain namespace. | Audit, Deny, Disabled | 2.1.1-preview |
| Authorized IP ranges should be defined on Kubernetes Services | Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. | Audit, Disabled | 2.0.1 |
| Azure Kubernetes Clusters should enable Container Storage Interface(CSI) | The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Azure Kubernetes Service. To learn more, https://aka.ms/aks-csi-driver | Audit, Disabled | 1.0.0 |
| Azure Kubernetes Clusters should enable Key Management Service (KMS) | Use Key Management Service (KMS) to encrypt secret data at rest in etcd for Kubernetes cluster security. Learn more at: https://aka.ms/aks/kmsetcdencryption. | Audit, Disabled | 1.0.0 |
| Azure Kubernetes Clusters should use Azure CNI | Azure CNI is a prerequisite for some Azure Kubernetes Service features, including Azure network policies, Windows node pools and virtual nodes add-on. Learn more at: https://aka.ms/aks-azure-cni | Audit, Disabled | 1.0.1 |
| Azure Kubernetes Service Clusters should disable Command Invoke | Disabling command invoke can enhance the security by avoiding bypass of restricted network access or Kubernetes role-based access control | Audit, Disabled | 1.0.1 |
| Azure Kubernetes Service Clusters should enable Azure Active Directory integration | AKS-managed Azure Active Directory integration can manage the access to the clusters by configuring Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Learn more at: https://aka.ms/aks-managed-aad. | Audit, Disabled | 1.0.1 |
| Azure Kubernetes Service clusters should have Defender profile enabled | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks | Audit, Disabled | 2.0.0 |
| Azure Kubernetes Service Clusters should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Azure Kubernetes Service Clusters should exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/aks-disable-local-accounts. | Audit, Deny, Disabled | 1.0.1 |
| Azure Kubernetes Service Clusters should use managed identities | Use managed identities to wrap around service principals, simplify cluster management and avoid the complexity required to managed service principals. Learn more at: https://aka.ms/aks-update-managed-identities | Audit, Disabled | 1.0.1 |
| Azure Kubernetes Service Private Clusters should be enabled | Enable the private cluster feature for your Azure Kubernetes Service cluster to ensure network traffic between your API server and your node pools remains on the private network only. This is a common requirement in many regulatory and industry compliance standards. | Audit, Deny, Disabled | 1.0.1 |
| Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters | Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | Audit, Disabled | 1.0.2 |
| Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys | Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards. | Audit, Deny, Disabled | 1.0.1 |
| Configure AAD integrated Azure Kubernetes Service Clusters with required Admin Group Access | Ensure to improve cluster security by centrally govern Administrator access to Azure Active Directory integrated AKS clusters. | DeployIfNotExists, Disabled | 2.0.1 |
| Configure Azure Kubernetes Service clusters to enable Defender profile | Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers: https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks. | DeployIfNotExists, Disabled | 4.0.0 |
| Configure installation of Flux extension on Kubernetes cluster | Install Flux extension on Kubernetes cluster to enable deployment of 'fluxconfigurations' in the cluster | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Kubernetes clusters with Flux v2 configuration using Bucket source and secrets in KeyVault | Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Bucket. This definition requires a Bucket SecretKey stored in Key Vault. For instructions, visit https://aka.ms/GitOpsFlux2Policy. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS CA Certificate | Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires a HTTPS CA Certificate. For instructions, visit https://aka.ms/GitOpsFlux2Policy. | DeployIfNotExists, Disabled | 1.0.1 |
| Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS secrets | Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires a HTTPS key secret stored in Key Vault. For instructions, visit https://aka.ms/GitOpsFlux2Policy. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Kubernetes clusters with Flux v2 configuration using Git repository and local secrets | Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires local authentication secrets stored in the Kubernetes cluster. For instructions, visit https://aka.ms/GitOpsFlux2Policy. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Kubernetes clusters with Flux v2 configuration using Git repository and SSH secrets | Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires a SSH private key secret stored in Key Vault. For instructions, visit https://aka.ms/GitOpsFlux2Policy. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Kubernetes clusters with Flux v2 configuration using public Git repository | Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires no secrets. For instructions, visit https://aka.ms/GitOpsFlux2Policy. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Kubernetes clusters with specified Flux v2 Bucket source using local secrets | Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Bucket. This definition requires local authentication secrets stored in the Kubernetes cluster. For instructions, visit https://aka.ms/GitOpsFlux2Policy. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets | Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires HTTPS user and key secrets stored in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. | auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | 1.1.0 |
| Configure Kubernetes clusters with specified GitOps configuration using no secrets | Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires no secrets. For instructions, visit https://aka.ms/K8sGitOpsPolicy. | auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | 1.1.0 |
| Configure Kubernetes clusters with specified GitOps configuration using SSH secrets | Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires a SSH private key secret in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. | auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | 1.1.0 |
| Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace | Deploys the diagnostic settings for Azure Kubernetes Service to stream resource logs to a Log Analytics workspace. | DeployIfNotExists, Disabled | 3.0.0 |
| Deploy Azure Policy Add-on to Azure Kubernetes Service clusters | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. | DeployIfNotExists, Disabled | 4.0.0 |
| Disable Command Invoke on Azure Kubernetes Service clusters | Disabling command invoke can enhance the security by rejecting invoke-command access to the cluster | DeployIfNotExists, Disabled | 1.0.1 |
| Ensure cluster containers have readiness or liveness probes configured | This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Audit, Deny, Disabled | 3.0.1 |
| Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 9.0.1 |
| Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 5.0.1 |
| Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 7.0.1 |
| Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.0.1 |
| Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.0.1 |
| Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 9.0.1 |
| Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 8.0.1 |
| Kubernetes cluster containers should only use allowed pull policy | Restrict containers' pull policy to enforce containers to use only allowed images on deployments | Audit, Deny, Disabled | 3.0.1 |
| Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 7.0.1 |
| Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.0.1 |
| Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 5.0.1 |
| Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.0.1 |
| Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.0.1 |
| Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 7.0.1 |
| Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 5.0.1 |
| Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.0.1 |
| Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 7.0.1 |
| Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 8.0.1 |
| Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 5.0.1 |
| Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 9.0.1 |
| Kubernetes cluster should not use naked pods | Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs | Audit, Deny, Disabled | 2.0.1 |
| Kubernetes cluster Windows containers should not overcommit cpu and memory | Windows container resource requests should be less or equal to the resource limit or unspecified to avoid overcommit. If Windows memory is over-provisioned it will process pages in disk - which can slow down performance - instead of terminating the container with out-of-memory | Audit, Deny, Disabled | 2.0.1 |
| Kubernetes cluster Windows containers should not run as ContainerAdministrator | Prevent usage of ContainerAdministrator as the user to execute the container processes for Windows pods or containers. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/ . | Audit, Deny, Disabled | 1.0.0 |
| Kubernetes cluster Windows containers should only run with approved user and domain user group | Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments. | Audit, Deny, Disabled | 2.0.1 |
| Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | audit, Audit, deny, Deny, disabled, Disabled | 8.0.1 |
| Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 4.0.1 |
| Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 7.0.1 |
| Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit | ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Audit, Disabled | 3.0.1 |
| Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 5.0.1 |
| Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 5.0.1 |
| Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 4.0.1 |
| Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass | The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, https://aka.ms/aks-csi-driver | Audit, Deny, Disabled | 2.0.1 |
| Kubernetes clusters should use internal load balancers | Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 8.0.1 |
| Kubernetes resources should have required annotations | Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Audit, Deny, Disabled | 3.0.1 |
| Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version | Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+ | Audit, Disabled | 1.0.2 |
| Resource logs in Azure Kubernetes Service should be enabled | Azure Kubernetes Service's resource logs can help recreate activity trails when investigating security incidents. Enable it to make sure the logs will exist when needed | AuditIfNotExists, Disabled | 1.0.0 |
| Role-Based Access Control (RBAC) should be used on Kubernetes Services | To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. | Audit, Disabled | 1.0.2 |
| Running container images should have vulnerability findings resolved | Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | AuditIfNotExists, Disabled | 1.0.1 |
| Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host | To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards. | Audit, Deny, Disabled | 1.0.1 |
Next steps
- See the built-ins on the Azure Policy GitHub repo.
- Review the Azure Policy definition structure.
- Review Understanding policy effects.
Feedback
Submit and view feedback for