last sync: 2021-Jul-23 16:37:57 UTC

Azure Policy definition

Configure Kubernetes clusters with specified GitOps configuration using no secrets

Name Configure Kubernetes clusters with specified GitOps configuration using no secrets
Azure Portal
Id 1d61c4d2-aef2-432b-87fc-7f96b019b7e1
Version 1.0.0
details on versioning
Category Kubernetes
Microsoft docs
Description Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires no secrets. For instructions, visit https://aka.ms/K8sGitOpsPolicy.
Mode Indexed
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Used RBAC Role
Role Name Role Id
Contributor b24988ac-6180-42a0-ab88-20f7382dd24c
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-03-09 14:37:41 change Version remains equal, old suffix: preview (1.0.0-preview > 1.0.0)
2020-06-09 16:25:53 add 1d61c4d2-aef2-432b-87fc-7f96b019b7e1
Used in Initiatives none
JSON Changes

JSON
{
  "properties": {
    "displayName": "Configure Kubernetes clusters with specified GitOps configuration using no secrets",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires no secrets. For instructions, visit https://aka.ms/K8sGitOpsPolicy.",
    "metadata": {
      "version": "1.0.0",
      "category": "Kubernetes"
    },
    "parameters": {
      "configurationResourceName": {
        "type": "String",
        "metadata": {
          "displayName": "Configuration resource name",
          "description": "The name for the sourceControlConfiguration.  Learn more about setting up GitOps configuration: https://aka.ms/AzureArcK8sUsingGitOps."
        }
      },
      "operatorInstanceName": {
        "type": "String",
        "metadata": {
          "displayName": "Operator instance name",
          "description": "Name used in the operator instances. Maximum of 23 lowercase alphanumeric characters or hyphen. Must start and end with an alphanumeric character."
        }
      },
      "operatorNamespace": {
        "type": "String",
        "metadata": {
          "displayName": "Operator namespace",
          "description": "Namespace within which the operators will be installed. Maximum of 23 lowercase alphanumeric characters or hyphen. Must start and end with an alphanumeric character."
        }
      },
      "operatorScope": {
        "type": "String",
        "metadata": {
          "displayName": "Operator scope",
          "description": "The permission scope for the operator. Possible values are 'cluster' (full access) or 'namespace' (restricted access)."
        },
        "allowedValues": [
          "cluster",
          "namespace"
        ],
        "defaultValue": "namespace"
      },
      "operatorType": {
        "type": "String",
        "metadata": {
          "displayName": "Operator type",
          "description": "The type of operator to install. Currently, 'Flux' is supported."
        },
        "allowedValues": [
          "Flux"
        ],
        "defaultValue": "Flux"
      },
      "operatorParams": {
        "type": "String",
        "metadata": {
          "displayName": "Operator parameters",
          "description": "Parameters to set on the Flux operator, separated by spaces.  For example, --git-readonly --sync-garbage-collection.  Learn more: http://aka.ms/AzureArcK8sFluxOperatorParams."
        },
        "defaultValue": ""
      },
      "repositoryUrl": {
        "type": "String",
        "metadata": {
          "displayName": "Repository Url",
          "description": "The URL for the source control repository. Learn more about URL formats: https://aka.ms/GitOpsRepoUrlParameters"
        }
      },
      "enableHelmOperator": {
        "type": "String",
        "metadata": {
          "displayName": "Enable Helm",
          "description": "Indicate whether to enable Helm for this instance of Flux. Learn more: http://aka.ms/AzureArcK8sGitOpsWithHelm."
        },
        "allowedValues": [
          "true",
          "false"
        ],
        "defaultValue": "true"
      },
      "chartVersion": {
        "type": "String",
        "metadata": {
          "displayName": "Helm chart version for installing Flux Helm",
          "description": "The version of the Helm chart for installing Flux Helm. For example, 1.2.0"
        },
        "defaultValue": "1.2.0"
      },
      "chartValues": {
        "type": "String",
        "metadata": {
          "displayName": "Helm chart parameters for installing Flux Helm",
          "description": "Parameters for the Helm chart for installing Flux Helm, separated by spaces. For example, --set helm.versions=v3"
        },
        "defaultValue": ""
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "deployIfNotExists",
          "auditIfNotExists",
          "disabled"
        ],
        "defaultValue": "deployIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.KubernetesConfiguration/sourceControlConfigurations",
        "name": "[parameters('configurationResourceName')]",
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deploymentScope": "ResourceGroup",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/operatorParams",
                "in": [
                "[parameters('operatorParams')]",
                "[concat('--git-readonly ',parameters('operatorParams'))]"
                ]
              },
              {
                "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/repositoryUrl",
              "equals": "[parameters('repositoryUrl')]"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/enableHelmOperator",
                    "equals": "false"
                  },
                  {
                    "allOf": [
                      {
                        "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/enableHelmOperator",
                        "equals": "true"
                      },
                      {
                        "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartVersion",
                      "equals": "[parameters('chartVersion')]"
                      },
                      {
                        "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartValues",
                      "equals": "[parameters('chartValues')]"
                      }
                    ]
                  }
                ]
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "configurationResourceName": {
                    "type": "string"
                  },
                  "clusterLocation": {
                    "type": "string"
                  },
                  "clusterName": {
                    "type": "string"
                  },
                  "operatorInstanceName": {
                    "type": "string"
                  },
                  "operatorNamespace": {
                    "type": "string"
                  },
                  "operatorScope": {
                    "type": "string"
                  },
                  "operatorType": {
                    "type": "string"
                  },
                  "operatorParams": {
                    "type": "string"
                  },
                  "repositoryUrl": {
                    "type": "string"
                  },
                  "enableHelmOperator": {
                    "type": "string"
                  },
                  "chartVersion": {
                    "type": "string"
                  },
                  "chartValues": {
                    "type": "string"
                  },
                  "clusterResourceType": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                  "condition": "[contains(toLower(parameters('clusterResourceType')), toLower('connectedclusters'))]",
                    "type": "Microsoft.Kubernetes/connectedClusters/providers/sourceControlConfigurations",
                  "name": "[concat(parameters('clusterName'), '/Microsoft.KubernetesConfiguration/', parameters('configurationResourceName'))]",
                    "apiVersion": "2021-03-01",
                    "properties": {
                    "operatorInstanceName": "[parameters('operatorInstanceName')]",
                    "operatorNamespace": "[parameters('operatorNamespace')]",
                    "operatorScope": "[parameters('operatorScope')]",
                    "operatorType": "[parameters('operatorType')]",
                    "operatorParams": "[parameters('operatorParams')]",
                    "repositoryUrl": "[parameters('repositoryUrl')]",
                    "enableHelmOperator": "[parameters('enableHelmOperator')]",
                      "helmOperatorProperties": {
                      "chartVersion": "[parameters('chartVersion')]",
                      "chartValues": "[parameters('chartValues')]"
                      }
                    }
                  },
                  {
                  "condition": "[contains(toLower(parameters('clusterResourceType')), toLower('managedclusters'))]",
                    "type": "Microsoft.ContainerService/managedClusters/providers/sourceControlConfigurations",
                  "name": "[concat(parameters('clusterName'), '/Microsoft.KubernetesConfiguration/', parameters('configurationResourceName'))]",
                    "apiVersion": "2021-03-01",
                    "properties": {
                    "operatorInstanceName": "[parameters('operatorInstanceName')]",
                    "operatorNamespace": "[parameters('operatorNamespace')]",
                    "operatorScope": "[parameters('operatorScope')]",
                    "operatorType": "[parameters('operatorType')]",
                    "operatorParams": "[parameters('operatorParams')]",
                    "repositoryUrl": "[parameters('repositoryUrl')]",
                    "enableHelmOperator": "[parameters('enableHelmOperator')]",
                      "helmOperatorProperties": {
                      "chartVersion": "[parameters('chartVersion')]",
                      "chartValues": "[parameters('chartValues')]"
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "clusterLocation": {
                "value": "[field('location')]"
                },
                "clusterName": {
                "value": "[field('name')]"
                },
                "configurationResourceName": {
                "value": "[parameters('configurationResourceName')]"
                },
                "operatorInstanceName": {
                "value": "[parameters('operatorInstanceName')]"
                },
                "operatorNamespace": {
                "value": "[parameters('operatorNamespace')]"
                },
                "operatorScope": {
                "value": "[parameters('operatorScope')]"
                },
                "operatorType": {
                "value": "[parameters('operatorType')]"
                },
                "operatorParams": {
                "value": "[parameters('operatorParams')]"
                },
                "repositoryUrl": {
                "value": "[parameters('repositoryUrl')]"
                },
                "enableHelmOperator": {
                "value": "[parameters('enableHelmOperator')]"
                },
                "chartVersion": {
                "value": "[parameters('chartVersion')]"
                },
                "chartValues": {
                "value": "[parameters('chartValues')]"
                },
                "clusterResourceType": {
                "value": "[field('type')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/1d61c4d2-aef2-432b-87fc-7f96b019b7e1",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "1d61c4d2-aef2-432b-87fc-7f96b019b7e1"
}