last sync: 2021-Jan-15 16:07:21 UTC

Azure Policy definition

[Preview]: Kubernetes clusters should not use specific security capabilities

Name [Preview]: Kubernetes clusters should not use specific security capabilities
Azure Portal
Id a27c700f-8a22-44ec-961c-41625264370b
Version 1.0.0-preview
details on versioning
Category Kubernetes
Microsoft docs
Description Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc.
Mode Microsoft.Kubernetes.Data
Type BuiltIn
Preview True
Deprecated FALSE
Effect Default: audit
Allowed: (audit, deny, disabled)
Used RBAC Role none
History
Date/Time (UTC ymd) (i) Change type Change detail
2020-12-11 15:42:52 add a27c700f-8a22-44ec-961c-41625264370b
Used in Initiatives none
Json
{
  "properties": {
  "displayName": "[Preview]: Kubernetes clusters should not use specific security capabilities",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Kubernetes",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
        "displayName": "[Preview]: Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "namespaces": {
        "type": "Array",
        "metadata": {
        "displayName": "[Preview]: Namespace inclusions",
          "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
        },
        "defaultValue": [
          
        ]
      },
      "disallowedCapabilities": {
        "type": "Array",
        "metadata": {
        "displayName": "[Preview]: Blocked capabilities",
          "description": "List of capabilities that containers are not able to use"
        },
        "defaultValue": [
          
        ]
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-disallowed-capabilities/template.yaml",
          "constraint": "https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-disallowed-capabilities/constraint.yaml",
        "excludedNamespaces": "[parameters('excludedNamespaces')]",
        "namespaces": "[parameters('namespaces')]",
          "values": {
          "excludedNamespaces": "[parameters('excludedNamespaces')]",
          "disallowedCapabilities": "[parameters('disallowedCapabilities')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/a27c700f-8a22-44ec-961c-41625264370b",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "a27c700f-8a22-44ec-961c-41625264370b"
}