last sync: 2020-Oct-30 14:31:57 UTC

Azure Policy definition

[Deprecated]: Ensure containers listen only on allowed ports in AKS

Name [Deprecated]: Ensure containers listen only on allowed ports in AKS
Id 0f636243-1b1c-4d50-880f-310f6199f2cb
Version 1.0.1-deprecated
Category Kubernetes service
Description This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.
Mode Microsoft.ContainerService.Data
Type BuiltIn
Preview False
Deprecated True
Effect Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
Used RBAC Role none
History
Date/Time (UTC ymd) Change type Change detail
2020-06-01 18:36:18 change Previous DisplayName: [Limited Preview]: [AKS] Ensure containers listen only on allowed ports in AKS
2019-11-12 19:11:12 change Previous DisplayName: [Limited Preview]: Ensure containers listen only on allowed ports in AKS
Used in Initiatives none
Json
{
  "properties": {
  "displayName": "[Deprecated]: Ensure containers listen only on allowed ports in AKS",
    "policyType": "BuiltIn",
    "mode": "Microsoft.ContainerService.Data",
    "description": "This policy enforces containers to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.",
    "metadata": {
      "version": "1.0.1-deprecated",
      "category": "Kubernetes service",
      "deprecated": true
    },
    "parameters": {
      "allowedContainerPortsRegex": {
        "type": "String",
        "metadata": {
        "displayName": "[Deprecated]: Allowed container ports regex",
          "description": "Regex representing container ports allowed in Kubernetes cluster. E.g. Regex for allowing ports 443,446 is ^(443|446)$"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
        "displayName": "[Deprecated]: Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "EnforceRegoPolicy",
          "Disabled"
        ],
        "defaultValue": "EnforceRegoPolicy"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.ContainerService/managedClusters"
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "policyId": "ContainerAllowedPorts",
          "policy": "https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-allowed-ports/limited-preview/gatekeeperpolicy.rego",
          "policyParameters": {
          "allowedContainerPortsRegex": "[parameters('allowedContainerPortsRegex')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0f636243-1b1c-4d50-880f-310f6199f2cb",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0f636243-1b1c-4d50-880f-310f6199f2cb"
}