Azure Policy built-in definitions for Azure Arc-enabled Kubernetes
This page is an index of Azure Policy built-in policy definitions for Azure Arc-enabled Kubernetes. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.
The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.
Azure Arc-enabled Kubernetes
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | AuditIfNotExists, Disabled | 6.0.0-preview |
[Preview]: Azure Backup Extension should be installed in AKS clusters | Ensure protection installation of backup extension in your AKS Clusters to leverage Azure Backup. Azure Backup for AKS is a secure and cloud native data protection solution for AKS clusters | AuditIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension | Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc. | DeployIfNotExists, Disabled | 7.3.0-preview |
[Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) with a given tag. | Installing the Azure Backup Extension is a pre-requisite for protecting your AKS Clusters. Enforce installation of backup extension on all AKS clusters containing a given tag. Doing this can help you manage Backup of AKS Clusters at scale. | AuditIfNotExists, DeployIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) without a given tag. | Installing the Azure Backup Extension is a pre-requisite for protecting your AKS Clusters. Enforce installation of backup extension on all AKS clusters without a particular tag value. Doing this can help you manage Backup of AKS Clusters at scale. | AuditIfNotExists, DeployIfNotExists, Disabled | 1.0.0-preview |
[Preview]: Kubernetes clusters should restrict creation of given resource type | Given Kubernetes resource type should not be deployed in certain namespace. | Audit, Deny, Disabled | 2.3.0-preview |
Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed | The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. | AuditIfNotExists, Disabled | 1.1.0 |
Azure Arc-enabled kubernetes clusters should be configured with an Azure Arc Private Link Scope | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. | Audit, Deny, Disabled | 1.0.0 |
Azure Arc-enabled Kubernetes clusters should have the Open Service Mesh extension installed | Open Service Mesh extension provides all standard service mesh capabilities for security, traffic management and observability of application services. Learn more here: https://aka.ms/arc-osm-doc | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Azure Arc-enabled Kubernetes clusters should have the Strimzi Kafka extension installed | Strimzi Kafka extension provides the operators to install Kafka for building real-time data pipelines and streaming applications with security and observability capabilities. Learn more here: https://aka.ms/arc-strimzikafka-doc. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension | Deploy Azure Policy's extension for Azure Arc to provide at-scale enforcements and safeguard your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at https://aka.ms/akspolicydoc. | DeployIfNotExists, Disabled | 1.1.0 |
Configure Azure Arc-enabled Kubernetes clusters to use an Azure Arc Private Link Scope | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping Azure Arc-enabled servers to an Azure Arc Private Link Scope that is configured with a private endpoint, data leakage risks are reduced. Learn more about private links at: https://aka.ms/arc/privatelink. | Modify, Disabled | 1.0.0 |
Configure installation of Flux extension on Kubernetes cluster | Install Flux extension on Kubernetes cluster to enable deployment of 'fluxconfigurations' in the cluster | DeployIfNotExists, Disabled | 1.0.0 |
Configure Kubernetes clusters with Flux v2 configuration using Bucket source and secrets in KeyVault | Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Bucket. This definition requires a Bucket SecretKey stored in Key Vault. For instructions, visit https://aka.ms/GitOpsFlux2Policy. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS CA Certificate | Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires a HTTPS CA Certificate. For instructions, visit https://aka.ms/GitOpsFlux2Policy. | DeployIfNotExists, Disabled | 1.0.1 |
Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS secrets | Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires a HTTPS key secret stored in Key Vault. For instructions, visit https://aka.ms/GitOpsFlux2Policy. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Kubernetes clusters with Flux v2 configuration using Git repository and local secrets | Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires local authentication secrets stored in the Kubernetes cluster. For instructions, visit https://aka.ms/GitOpsFlux2Policy. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Kubernetes clusters with Flux v2 configuration using Git repository and SSH secrets | Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires a SSH private key secret stored in Key Vault. For instructions, visit https://aka.ms/GitOpsFlux2Policy. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Kubernetes clusters with Flux v2 configuration using public Git repository | Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Git repository. This definition requires no secrets. For instructions, visit https://aka.ms/GitOpsFlux2Policy. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Kubernetes clusters with specified Flux v2 Bucket source using local secrets | Deploy a 'fluxConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined Bucket. This definition requires local authentication secrets stored in the Kubernetes cluster. For instructions, visit https://aka.ms/GitOpsFlux2Policy. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets | Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires HTTPS user and key secrets stored in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. | auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | 1.1.0 |
Configure Kubernetes clusters with specified GitOps configuration using no secrets | Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires no secrets. For instructions, visit https://aka.ms/K8sGitOpsPolicy. | auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | 1.1.0 |
Configure Kubernetes clusters with specified GitOps configuration using SSH secrets | Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires a SSH private key secret in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy. | auditIfNotExists, AuditIfNotExists, deployIfNotExists, DeployIfNotExists, disabled, Disabled | 1.1.0 |
Ensure cluster containers have readiness or liveness probes configured | This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. | Audit, Deny, Disabled | 3.3.0 |
Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 9.3.0 |
Kubernetes cluster containers should not share host process ID or host IPC namespace | Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 5.2.0 |
Kubernetes cluster containers should not use forbidden sysctl interfaces | Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 7.2.0 |
Kubernetes cluster containers should only use allowed AppArmor profiles | Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.2.0 |
Kubernetes cluster containers should only use allowed capabilities | Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.2.0 |
Kubernetes cluster containers should only use allowed images | Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 9.3.0 |
Kubernetes cluster containers should only use allowed ProcMountType | Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 8.2.0 |
Kubernetes cluster containers should only use allowed pull policy | Restrict containers' pull policy to enforce containers to use only allowed images on deployments | Audit, Deny, Disabled | 3.2.0 |
Kubernetes cluster containers should only use allowed seccomp profiles | Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 7.2.0 |
Kubernetes cluster containers should run with a read only root file system | Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.3.0 |
Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 5.2.0 |
Kubernetes cluster pod hostPath volumes should only use allowed host paths | Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.2.0 |
Kubernetes cluster pods and containers should only run with approved user and group IDs | Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.2.0 |
Kubernetes cluster pods and containers should only use allowed SELinux options | Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 7.2.0 |
Kubernetes cluster pods should only use allowed volume types | Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 5.2.0 |
Kubernetes cluster pods should only use approved host network and port range | Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 6.2.0 |
Kubernetes cluster pods should use specified labels | Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 7.2.0 |
Kubernetes cluster services should listen only on allowed ports | Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 8.2.0 |
Kubernetes cluster services should only use allowed external IPs | Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 5.2.0 |
Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 9.2.0 |
Kubernetes cluster should not use naked pods | Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs | Audit, Deny, Disabled | 2.3.0 |
Kubernetes cluster Windows containers should not overcommit cpu and memory | Windows container resource requests should be less or equal to the resource limit or unspecified to avoid overcommit. If Windows memory is over-provisioned it will process pages in disk - which can slow down performance - instead of terminating the container with out-of-memory | Audit, Deny, Disabled | 2.2.0 |
Kubernetes cluster Windows containers should not run as ContainerAdministrator | Prevent usage of ContainerAdministrator as the user to execute the container processes for Windows pods or containers. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/ . | Audit, Deny, Disabled | 1.2.0 |
Kubernetes cluster Windows containers should only run with approved user and domain user group | Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments. | Audit, Deny, Disabled | 2.2.0 |
Kubernetes cluster Windows pods should not run HostProcess containers | Prevent prviledged access to the windows node. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/ . | Audit, Deny, Disabled | 1.0.0 |
Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | audit, Audit, deny, Deny, disabled, Disabled | 8.2.0 |
Kubernetes clusters should disable automounting API credentials | Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 4.2.0 |
Kubernetes clusters should not allow container privilege escalation | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 7.2.0 |
Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit | ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Audit, Disabled | 3.2.0 |
Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 5.1.0 |
Kubernetes clusters should not use specific security capabilities | Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 5.2.0 |
Kubernetes clusters should not use the default namespace | Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc. | audit, Audit, deny, Deny, disabled, Disabled | 4.2.0 |
Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass | The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, https://aka.ms/aks-csi-driver | Audit, Deny, Disabled | 2.3.0 |
Kubernetes resources should have required annotations | Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | Audit, Deny, Disabled | 3.2.0 |
Next steps
- See the built-ins on the Azure Policy GitHub repo.
- Review the Azure Policy definition structure.
- Understand Azure Policy definitions effects.