last sync: 2020-Sep-24 14:01:32 UTC

Azure Policy

Authorized IP ranges should be defined on Kubernetes Services

Policy DisplayName Authorized IP ranges should be defined on Kubernetes Services
Policy Id 0e246bcf-5f6f-4f87-bc6f-775d4712c7ea
Policy Category Security Center
Policy Description Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.
Policy Mode All
Policy Type BuiltIn
Policy in Preview FALSE
Policy Deprecated FALSE
Policy Effect Default: Audit
Allowed: (Audit,Disabled)
Roles used none
Policy Changes
Date/Time (UTC ymd) Change Change detail
2020-08-19 13:49:29 change: DisplayName previous DisplayName: [Preview]: Authorized IP ranges should be defined on Kubernetes Services
Used in Policy Initiative(s)
Initiative DisplayName Initiative Id
Enable Monitoring in Azure Security Center 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
[Preview]: Azure Security Benchmark 42a694ed-f65e-42b2-aa9e-8052e9740a92
Policy Rule
{
  "properties": {
    "displayName": "Authorized IP ranges should be defined on Kubernetes Services",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.",
    "metadata": {
      "version": "2.0.1",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerService/managedClusters"
          },
          {
            "field": "Microsoft.ContainerService/managedClusters/apiServerAccessProfile.authorizedIPRanges",
            "exists": "false"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.ContainerService/managedClusters/apiServerAccessProfile.enablePrivateCluster",
                "exists": "false"
              },
              {
                "field": "Microsoft.ContainerService/managedClusters/apiServerAccessProfile.enablePrivateCluster",
                "equals": "false"
              }
            ]
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0e246bcf-5f6f-4f87-bc6f-775d4712c7ea"
}