Instruire
Modul
Azure Kubernetes Services Governance with Azure Policy - Training
In this module, we discuss how to use Azure Policy for Kubernetes to enforce rules and detect noncompliance in AKS clusters.
Azure Policy definitions audit effect
The audit effect is used to create a warning event in the activity log when evaluating a non-compliant resource, but it doesn't stop the request.
Audit is the last effect checked by Azure Policy during the creation or update of a resource. For a Resource Manager mode, Azure Policy then sends the resource to the Resource Provider. When evaluating a create or update request for a resource, Azure Policy adds a Microsoft.Authorization/policies/audit/action operation to the activity log and marks the resource as non-compliant. During a standard compliance evaluation cycle, only the compliance status on the resource is updated.
For a Resource Manager mode, the audit effect doesn't have any other properties for use in the then condition of the policy definition.
For a Resource Provider mode of Microsoft.Kubernetes.Data, the audit effect has the following subproperties of details. Use of templateInfo is required for new or updated policy definitions as constraintTemplate is deprecated.
templateInfo(required)- Can't be used with
constraintTemplate. sourceType(required)Defines the type of source for the constraint template. Allowed values:
PublicURLorBase64Encoded.If
PublicURL, paired with propertyurlto provide location of the constraint template. The location must be publicly accessible.Avertisment
Don't use SAS URIs, URL tokens, or anything else that could expose secrets in plain text.
If
Base64Encoded, paired with propertycontentto provide the base 64 encoded constraint template. See Create policy definition from constraint template to create a custom definition from an existing Open Policy Agent (OPA) Gatekeeper v3 constraint template.
- Can't be used with
constraint(deprecated)- Can't be used with
templateInfo. - The CRD implementation of the Constraint template. Uses parameters passed via
valuesas{{ .Values.<valuename> }}. In example 2 below, these values are{{ .Values.excludedNamespaces }}and{{ .Values.allowedContainerImagesRegex }}.
- Can't be used with
constraintTemplate(deprecated)- Can't be used with
templateInfo. - Must be replaced with
templateInfowhen creating or updating a policy definition. - The Constraint template CustomResourceDefinition (CRD) that defines new Constraints. The template defines the Rego logic, the Constraint schema, and the Constraint parameters that are passed via
valuesfrom Azure Policy. For more information, go to Gatekeeper constraints.
- Can't be used with
constraintInfo(optional)- Can't be used with
constraint,constraintTemplate,apiGroups,kinds,scope,namespaces,excludedNamespaces, orlabelSelector. - If
constraintInfoisn't provided, the constraint can be generated fromtemplateInfoand policy. sourceType(required)Defines the type of source for the constraint. Allowed values:
PublicURLorBase64Encoded.If
PublicURL, paired with propertyurlto provide location of the constraint. The location must be publicly accessible.Avertisment
Don't use SAS URIs or tokens in
urlor anything else that could expose a secret.
- Can't be used with
namespaces(optional)- An array of Kubernetes namespaces to limit policy evaluation to.
- An empty or missing value causes policy evaluation to include all namespaces not defined in excludedNamespaces.
excludedNamespaces(optional)- An array of Kubernetes namespaces to exclude from policy evaluation.
labelSelector(optional)- An object that includes matchLabels (object) and matchExpression (array) properties to allow specifying which Kubernetes resources to include for policy evaluation that matched the provided labels and selectors.
- An empty or missing value causes policy evaluation to include all labels and selectors, except namespaces defined in excludedNamespaces.
scope(optional)- A string that includes the scope property to allow specifying if cluster-scoped or namespaced-scoped resources are matched.
apiGroups(required when using templateInfo)- An array that includes the API groups to match. An empty array (
[""]) is the core API group. - Defining
["*"]for apiGroups is disallowed.
- An array that includes the API groups to match. An empty array (
kinds(required when using templateInfo)- An array that includes the kind of Kubernetes object to limit evaluation to.
- Defining
["*"]for kinds is disallowed.
values(optional)- Defines any parameters and values to pass to the Constraint. Each value must exist and match a property in the validation
openAPIV3Schemasection of the Constraint template CRD.
- Defines any parameters and values to pass to the Constraint. Each value must exist and match a property in the validation
Example 1: Using the audit effect for Resource Manager modes.
JSON
"then": {
"effect": "audit"
}
Example 2: Using the audit effect for a Resource Provider mode of Microsoft.Kubernetes.Data. The additional information in details.templateInfo declares use of PublicURL and sets url to the location of the Constraint template to use in Kubernetes to limit the allowed container images.
JSON
"then": {
"effect": "audit",
"details": {
"templateInfo": {
"sourceType": "PublicURL",
"url": "https://store.policy.core.windows.net/kubernetes/container-allowed-images/v1/template.yaml",
},
"values": {
"imageRegex": "[parameters('allowedContainerImagesRegex')]"
},
"apiGroups": [
""
],
"kinds": [
"Pod"
]
}
}
- Review examples at Azure Policy samples.
- Review the Azure Policy definition structure.
- Understand how to programmatically create policies.
- Learn how to get compliance data.
- Learn how to remediate non-compliant resources.
- Review Azure management groups.