last sync: 2020-Jul-10 14:05:01 UTC

Azure Policy

[Deprecated]: Ensure services listen only on allowed ports in AKS

Policy DisplayName: [Deprecated]: Ensure services listen only on allowed ports in AKS
Policy Id: 25dee3db-6ce0-4c02-ab5d-245887b24077
Policy Category: Kubernetes service
Policy Description: This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.
Policy Mode: Microsoft.ContainerService.Data
Policy Type: BuiltIn
Policy in Preview: FALSE
Policy Deprecated: True
Policy Effect: Default: EnforceRegoPolicy; Allowed: (EnforceRegoPolicy,Disabled)
Roles used: none
Policy Changes
Date/Time (UTC ymd) | Change | Change detail
2019-11-12 19:11:12 | change: DisplayName | previous DisplayName: [Limited Preview]: Ensure services listen only on allowed ports in AKS
2020-06-01 18:36:18 | change: DisplayName | previous DisplayName: [Limited Preview]: [AKS] Ensure services listen only on allowed ports in AKS
Used in Policy Initiative(s): none
Policy Rule
{
  "properties": {
    "displayName": "[Deprecated]: Ensure services listen only on allowed ports in AKS",
    "policyType": "BuiltIn",
    "mode": "Microsoft.ContainerService.Data",
    "description": "This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.",
    "metadata": {
      "version": "1.0.1-deprecated",
      "category": "Kubernetes service",
      "deprecated": true
    },
    "parameters": {
      "allowedServicePortsRegex": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Allowed service ports regex",
          "description": "Regex representing service ports allowed in Kubernetes cluster. E.g. Regex for allowing ports 443,446 is ^(443|446)$"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "[Deprecated]: Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "EnforceRegoPolicy",
          "Disabled"
        ],
        "defaultValue": "EnforceRegoPolicy"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.ContainerService/managedClusters"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "policyId": "ServiceAllowedPorts",
          "policy": "https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/service-allowed-ports/limited-preview/gatekeeperpolicy.rego",
          "policyParameters": {
            "allowedServicePortsRegex": "[parameters('allowedServicePortsRegex')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/25dee3db-6ce0-4c02-ab5d-245887b24077",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "25dee3db-6ce0-4c02-ab5d-245887b24077"
}