last sync: 2020-Oct-30 14:31:57 UTC

Azure Policy definition

[Deprecated]: Ensure services listen only on allowed ports in AKS

Name [Deprecated]: Ensure services listen only on allowed ports in AKS
Id 25dee3db-6ce0-4c02-ab5d-245887b24077
Version 1.0.1-deprecated
Category Kubernetes service
Description This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.
Mode Microsoft.ContainerService.Data
Type BuiltIn
Preview FALSE
Deprecated True
Effect Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
Used RBAC Role none
History
Date/Time (UTC ymd) Change type Change detail
2020-06-01 18:36:18 change Previous DisplayName: [Limited Preview]: [AKS] Ensure services listen only on allowed ports in AKS
2019-11-12 19:11:12 change Previous DisplayName: [Limited Preview]: Ensure services listen only on allowed ports in AKS
Used in Initiatives none
Json
{
  "properties": {
  "displayName": "[Deprecated]: Ensure services listen only on allowed ports in AKS",
    "policyType": "BuiltIn",
    "mode": "Microsoft.ContainerService.Data",
    "description": "This policy enforces services to listen only on allowed ports in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.",
    "metadata": {
      "version": "1.0.1-deprecated",
      "category": "Kubernetes service",
      "deprecated": true
    },
    "parameters": {
      "allowedServicePortsRegex": {
        "type": "String",
        "metadata": {
        "displayName": "[Deprecated]: Allowed service ports regex",
          "description": "Regex representing service ports allowed in Kubernetes cluster. E.g. Regex for allowing ports 443,446 is ^(443|446)$"
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
        "displayName": "[Deprecated]: Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "EnforceRegoPolicy",
          "Disabled"
        ],
        "defaultValue": "EnforceRegoPolicy"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.ContainerService/managedClusters"
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "policyId": "ServiceAllowedPorts",
          "policy": "https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/service-allowed-ports/limited-preview/gatekeeperpolicy.rego",
          "policyParameters": {
          "allowedServicePortsRegex": "[parameters('allowedServicePortsRegex')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/25dee3db-6ce0-4c02-ab5d-245887b24077",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "25dee3db-6ce0-4c02-ab5d-245887b24077"
}