last sync: 2020-Oct-30 14:31:57 UTC

Azure Policy definition

[Deprecated]: Ensure only allowed container images in AKS

Name [Deprecated]: Ensure only allowed container images in AKS
Id 5f86cb6e-c4da-441b-807c-44bd0cc14e66
Version 1.0.1-deprecated
Category Kubernetes service
Description This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.
Mode Microsoft.ContainerService.Data
Type BuiltIn
Preview FALSE
Deprecated True
Effect Default: EnforceRegoPolicy
Allowed: (EnforceRegoPolicy, Disabled)
Used RBAC Role none
History
Date/Time (UTC ymd) (i) Change type Change detail
2020-06-01 18:36:18 change Previous DisplayName: [Limited Preview]: [AKS] Ensure only allowed container images in AKS
2019-11-12 19:11:12 change Previous DisplayName: [Limited Preview]: Ensure only allowed container images in AKS
Used in Initiatives none
Json
{
  "properties": {
  "displayName": "[Deprecated]: Ensure only allowed container images in AKS",
    "policyType": "BuiltIn",
    "mode": "Microsoft.ContainerService.Data",
    "description": "This policy ensures only allowed container images are running in an Azure Kubernetes Service cluster. This policy is deprecated, please visit https://aka.ms/kubepolicydoc for instructions on using new Kubernetes policies.",
    "metadata": {
      "version": "1.0.1-deprecated",
      "category": "Kubernetes service",
      "deprecated": true
    },
    "parameters": {
      "allowedContainerImagesRegex": {
        "type": "String",
        "metadata": {
        "displayName": "[Deprecated]: Allowed container images regex",
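          "description": "Regex representing container images allowed in Kubernetes cluster. E.g. Regex of azure container registry images is ^.+azurecr.io/.+$ Note that in this example the dots are unescaped and the leading .+ accepts any prefix, so an image name that merely contains 'azurecr.io/' in its path, or that comes from a look-alike host, also matches; for a real allow-list, escape the dots and anchor the pattern to the exact registry host name."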
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
        "displayName": "[Deprecated]: Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "EnforceRegoPolicy",
          "Disabled"
        ],
        "defaultValue": "EnforceRegoPolicy"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.ContainerService/managedClusters"
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "policyId": "ContainerAllowedImages",
          "policy": "https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-allowed-images/limited-preview/gatekeeperpolicy.rego",
          "policyParameters": {
          "allowedContainerImagesRegex": "[parameters('allowedContainerImagesRegex')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/5f86cb6e-c4da-441b-807c-44bd0cc14e66",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "5f86cb6e-c4da-441b-807c-44bd0cc14e66"
}