last sync: 2020-Sep-24 14:01:32 UTC

Azure Policy

[Preview]: Pod Security Policies should be defined on Kubernetes Services

Policy DisplayName [Preview]: Pod Security Policies should be defined on Kubernetes Services
Policy Id 3abeb944-26af-43ee-b83d-32aaf060fb94
Policy Category Security Center
Policy Description Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access.
Policy Mode All
Policy Type BuiltIn
Policy in Preview FALSE
Policy Deprecated True
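Policy Effect Default: Disabled; Allowed: Audit, Disabled (with the default, Disabled, the rule is not evaluated; Audit only reports clusters where enablePodSecurityPolicy is missing or false and does not block them)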
Roles used none
Policy Changes no changes
Used in Policy Initiative(s) none
Policy Rule
{
  "properties": {
  "displayName": "[Preview]: Pod Security Policies should be defined on Kubernetes Services",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Define Pod Security Policies to reduce the attack vector by removing unnecessary application privileges. It is recommended to configure Pod Security Policies to only allow pods to access the resources which they have permissions to access.",
    "metadata": {
      "version": "1.0.0-deprecated",
      "category": "Security Center",
      "deprecated": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
        "displayName": "[Deprecated]: Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Disabled"
        ],
        "defaultValue": "Disabled"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ContainerService/managedClusters"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy",
                "exists": "false"
              },
              {
                "field": "Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy",
                "equals": "false"
              }
            ]
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "3abeb944-26af-43ee-b83d-32aaf060fb94"
}