last sync: 2020-Oct-20 13:29:33 UTC

Azure Policy

Kubernetes cluster pods and containers should only run with approved user and group IDs

Name Kubernetes cluster pods and containers should only run with approved user and group IDs
Id f06ddb64-5fa3-4b77-b166-acb36f7f6042
Version 1.0.1
details on versioning
Category Kubernetes
Description This policy controls the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Mode Microsoft.Kubernetes.Data
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: audit
Allowed: (audit,deny,disabled)
Used RBAC Role none
History
Date/Time (UTC ymd) (i) Change type Change detail
2020-09-15 14:06:41 change Previous DisplayName: [Preview]: Kubernetes cluster pods and containers should only run with approved user and group IDs
2020-07-08 14:28:08 add f06ddb64-5fa3-4b77-b166-acb36f7f6042
Used in Initiatives
Initiative DisplayName Initiative Id
Enable Monitoring in Azure Security Center 1f3afdf9-d0c9-4c3d-847f-89da613e70a8
Kubernetes cluster pod security restricted standards for Linux-based workloads 42b8ef37-b724-4e24-bbc8-7a7708edfe00
Json
{
  "properties": {
    "displayName": "Kubernetes cluster pods and containers should only run with approved user and group IDs",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "description": "This policy controls the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "1.0.1",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      },
      "runAsUserRule": {
        "type": "String",
        "metadata": {
          "displayName": "Run as user rule",
          "description": "The 'RunAsUser' rule that containers are allowed to run with."
        },
        "allowedValues": [
          "MustRunAs",
          "MustRunAsNonRoot",
          "RunAsAny"
        ],
        "defaultValue": "MustRunAsNonRoot"
      },
      "runAsUserRanges": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed user ID ranges",
          "description": "The user ID ranges that are allowed for containers to use.",
          "schema": {
            "type": "object",
            "properties": {
              "ranges": {
                "type": "array",
                "items": {
                  "type": "object",
                  "properties": {
                    "min": {
                      "type": "integer"
                    },
                    "max": {
                      "type": "integer"
                    }
                  },
                  "required": [
                    "min",
                    "max"
                  ],
                  "additionalProperties": false
                }
              }
            },
            "required": [
              "ranges"
            ],
            "additionalProperties": false
          }
        },
        "defaultValue": {
          "ranges": [
            
          ]
        }
      },
      "runAsGroupRule": {
        "type": "String",
        "metadata": {
          "displayName": "Run as group rule",
          "description": "The 'RunAsGroup' rule that containers are allowed to run with."
        },
        "allowedValues": [
          "MustRunAs",
          "MayRunAs",
          "RunAsAny"
        ],
        "defaultValue": "RunAsAny"
      },
      "runAsGroupRanges": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed group ID ranges",
          "description": "The group ID ranges that are allowed for containers to use.",
          "schema": {
            "type": "object",
            "properties": {
              "ranges": {
                "type": "array",
                "items": {
                  "type": "object",
                  "properties": {
                    "min": {
                      "type": "integer"
                    },
                    "max": {
                      "type": "integer"
                    }
                  },
                  "required": [
                    "min",
                    "max"
                  ],
                  "additionalProperties": false
                }
              }
            },
            "required": [
              "ranges"
            ],
            "additionalProperties": false
          }
        },
        "defaultValue": {
          "ranges": [
            
          ]
        }
      },
      "supplementalGroupsRule": {
        "type": "String",
        "metadata": {
          "displayName": "Supplemental group rule",
          "description": "The 'SupplementalGroups' rule that containers are allowed to run with."
        },
        "allowedValues": [
          "MustRunAs",
          "MayRunAs",
          "RunAsAny"
        ],
        "defaultValue": "RunAsAny"
      },
      "supplementalGroupsRanges": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed supplemental group ID ranges",
          "description": "The supplemental group ID ranges that are allowed for containers to use.",
          "schema": {
            "type": "object",
            "properties": {
              "ranges": {
                "type": "array",
                "items": {
                  "type": "object",
                  "properties": {
                    "min": {
                      "type": "integer"
                    },
                    "max": {
                      "type": "integer"
                    }
                  },
                  "required": [
                    "min",
                    "max"
                  ],
                  "additionalProperties": false
                }
              }
            },
            "required": [
              "ranges"
            ],
            "additionalProperties": false
          }
        },
        "defaultValue": {
          "ranges": [
            
          ]
        }
      },
      "fsGroupRule": {
        "type": "String",
        "metadata": {
          "displayName": "File system group rule",
          "description": "The 'FSGroup' rule that containers are allowed to run with."
        },
        "allowedValues": [
          "MustRunAs",
          "MayRunAs",
          "RunAsAny"
        ],
        "defaultValue": "RunAsAny"
      },
      "fsGroupRanges": {
        "type": "Object",
        "metadata": {
          "displayName": "Allowed file system group ID ranges",
          "description": "The file system group ranges that are allowed for pods to use.",
          "schema": {
            "type": "object",
            "properties": {
              "ranges": {
                "type": "array",
                "items": {
                  "type": "object",
                  "properties": {
                    "min": {
                      "type": "integer"
                    },
                    "max": {
                      "type": "integer"
                    }
                  },
                  "required": [
                    "min",
                    "max"
                  ],
                  "additionalProperties": false
                }
              }
            },
            "required": [
              "ranges"
            ],
            "additionalProperties": false
          }
        },
        "defaultValue": {
          "ranges": [
            
          ]
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "AKS Engine",
          "Microsoft.Kubernetes/connectedClusters",
          "Microsoft.ContainerService/managedClusters"
        ]
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "constraintTemplate": "https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/allowed-users-groups/template.yaml",
          "constraint": "https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/allowed-users-groups/constraint.yaml",
          "values": {
            "runAsUser": {
            "rule": "[parameters('runAsUserRule')]",
            "ranges": "[parameters('runAsUserRanges').ranges]"
            },
            "runAsGroup": {
            "rule": "[parameters('runAsGroupRule')]",
            "ranges": "[parameters('runAsGroupRanges').ranges]"
            },
            "supplementalGroups": {
            "rule": "[parameters('supplementalGroupsRule')]",
            "ranges": "[parameters('supplementalGroupsRanges').ranges]"
            },
            "fsGroup": {
            "rule": "[parameters('fsGroupRule')]",
            "ranges": "[parameters('fsGroupRanges').ranges]"
            },
          "excludedNamespaces": "[parameters('excludedNamespaces')]"
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "f06ddb64-5fa3-4b77-b166-acb36f7f6042"
}