last sync: 2020-Oct-20 13:29:34 UTC

Azure Policy Initiative

Kubernetes cluster pod security restricted standards for Linux-based workloads

Name: Kubernetes cluster pod security restricted standards for Linux-based workloads
Id: 42b8ef37-b724-4e24-bbc8-7a7708edfe00
Version: 2.0.1
Category: Kubernetes
Description: This initiative includes the policies for the Kubernetes cluster pod security restricted standards. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Type: BuiltIn
History
Date/Time (UTC, ymd) | Changes
2020-10-13 13:23:38 | Description change: 'This initiative includes the policies for the Kubernetes cluster pod security restricted standards. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.' to 'This initiative includes the policies for the Kubernetes cluster pod security restricted standards. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.'
2020-09-15 14:06:41 | Name change: '[Preview]: Kubernetes cluster pod security restricted standards for Linux-based workloads' to 'Kubernetes cluster pod security restricted standards for Linux-based workloads'
2020-07-14 15:28:17 | Add policy: Kubernetes cluster containers should only use allowed seccomp profiles (975ce327-682c-4f2e-aa46-b9598289b86c)
2020-07-08 14:28:36 | Add initiative 42b8ef37-b724-4e24-bbc8-7a7708edfe00
Policy count: 8 total (8 built-in, 0 static)
Policies used
Policy DisplayName | Policy Id | Category | Effect
Do not allow privileged containers in Kubernetes cluster | 95edb821-ddaf-4404-9732-666045e056b4 | Kubernetes | default: deny; allowed: audit, deny, disabled
Kubernetes cluster containers should not share host process ID or host IPC namespace | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 | Kubernetes | default: audit; allowed: audit, deny, disabled
Kubernetes cluster containers should only use allowed capabilities | c26596ff-4d70-4e6a-9a30-c2506bd2f80c | Kubernetes | default: audit; allowed: audit, deny, disabled
Kubernetes cluster containers should only use allowed seccomp profiles | 975ce327-682c-4f2e-aa46-b9598289b86c | Kubernetes | default: audit; allowed: audit, deny, disabled
Kubernetes cluster pods and containers should only run with approved user and group IDs | f06ddb64-5fa3-4b77-b166-acb36f7f6042 | Kubernetes | default: audit; allowed: audit, deny, disabled
Kubernetes cluster pods should only use allowed volume types | 16697877-1118-4fb1-9b65-9898ec2509ec | Kubernetes | default: audit; allowed: audit, deny, disabled
Kubernetes cluster pods should only use approved host network and port range | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe | Kubernetes | default: audit; allowed: audit, deny, disabled
Kubernetes clusters should not allow container privilege escalation | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 | Kubernetes | default: audit; allowed: audit, deny, disabled

The defaults shown are those of the individual policy definitions. The initiative passes its own effect parameter (default: audit) to every member, so an assignment applies a single effect to all eight policies; the deny default of the privileged-container policy only takes effect if the assignment sets effect to deny.
Json
{
  "properties": {
    "displayName": "Kubernetes cluster pod security restricted standards for Linux-based workloads",
    "policyType": "BuiltIn",
    "description": "This initiative includes the policies for the Kubernetes cluster pod security restricted standards. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "2.0.1",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "NoPrivilegedContainers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
        "parameters": {
          "effect": {
          "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
          "value": "[parameters('excludedNamespaces')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "NoPrivilegeEscalation",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
        "parameters": {
          "effect": {
          "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
          "value": "[parameters('excludedNamespaces')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "BlockUsingHostNetwork",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe",
        "parameters": {
          "effect": {
          "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
          "value": "[parameters('excludedNamespaces')]"
          },
          "allowHostNetwork": {
            "value": false
          },
          "minPort": {
            "value": 0
          },
          "maxPort": {
            "value": 0
          }
        }
      },
      {
        "policyDefinitionReferenceId": "BlockUsingHostProcessIDAndIPC",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8",
        "parameters": {
          "effect": {
          "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
          "value": "[parameters('excludedNamespaces')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "ContainerCapabilities",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
        "parameters": {
          "effect": {
          "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
          "value": "[parameters('excludedNamespaces')]"
          },
          "allowedCapabilities": {
            "value": [
              "CHOWN",
              "DAC_OVERRIDE",
              "FSETID",
              "FOWNER",
              "MKNOD",
              "NET_RAW",
              "SETGID",
              "SETUID",
              "SETFCAP",
              "SETPCAP",
              "NET_BIND_SERVICE",
              "SYS_CHROOT",
              "KILL",
              "AUDIT_WRITE"
            ]
          },
          "requiredDropCapabilities": {
            "value": [
              
            ]
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AllowedVolumeTypes",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/16697877-1118-4fb1-9b65-9898ec2509ec",
        "parameters": {
          "effect": {
          "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
          "value": "[parameters('excludedNamespaces')]"
          },
          "allowedVolumeTypes": {
            "value": [
              "configMap",
              "emptyDir",
              "projected",
              "secret",
              "downwardAPI",
              "persistentVolumeClaim"
            ]
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AllowedUsersGroups",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042",
        "parameters": {
          "effect": {
          "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
          "value": "[parameters('excludedNamespaces')]"
          },
          "runAsUserRule": {
            "value": "MustRunAsNonRoot"
          },
          "runAsUserRanges": {
            "value": {
              "ranges": [
                
              ]
            }
          },
          "runAsGroupRule": {
            "value": "MustRunAs"
          },
          "runAsGroupRanges": {
            "value": {
              "ranges": [
                {
                  "min": 1,
                  "max": 65535
                }
              ]
            }
          },
          "supplementalGroupsRule": {
            "value": "MustRunAs"
          },
          "supplementalGroupsRanges": {
            "value": {
              "ranges": [
                {
                  "min": 1,
                  "max": 65535
                }
              ]
            }
          },
          "fsGroupRule": {
            "value": "MustRunAs"
          },
          "fsGroupRanges": {
            "value": {
              "ranges": [
                {
                  "min": 1,
                  "max": 65535
                }
              ]
            }
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AllowedSeccompProfiles",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/975ce327-682c-4f2e-aa46-b9598289b86c",
        "parameters": {
          "effect": {
          "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
          "value": "[parameters('excludedNamespaces')]"
          },
          "allowedProfiles": {
            "value": [
              "runtime/default",
              "docker/default"
            ]
          }
        }
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/42b8ef37-b724-4e24-bbc8-7a7708edfe00",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "42b8ef37-b724-4e24-bbc8-7a7708edfe00"
}
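As an added worked example (not Microsoft's policy code and not the Gatekeeper constraint templates that Azure Policy deploys into the cluster), the following Python checker evaluates a Pod manifest, loaded as a dict, against the parameter values the JSON above passes to each of the eight member policies. Where this page does not show how the templates treat unset fields or the legacy seccomp pod annotation, the checker fails closed and marks that as an assumption in its comments; the two sample manifests are constructed for the example.

```python
"""Pre-flight check of a Pod manifest against the parameter values in the initiative JSON above.
Added example, not Microsoft's or Gatekeeper's code: it approximates the eight member policies
locally and treats unset fields as violations (fail closed)."""

# Parameter values copied from the policyDefinitions[] entries above.
EXCLUDED_NAMESPACES = {"kube-system", "gatekeeper-system", "azure-arc"}
ALLOWED_CAPABILITIES = {
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID", "SETUID",
    "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL", "AUDIT_WRITE",
}
ALLOWED_VOLUME_TYPES = {"configMap", "emptyDir", "projected", "secret",
                        "downwardAPI", "persistentVolumeClaim"}
ALLOWED_SECCOMP_PROFILES = {"runtime/default", "docker/default"}
ALLOW_HOST_NETWORK, HOST_PORT_RANGE = False, (0, 0)  # allowHostNetwork, minPort..maxPort
GROUP_RANGE = (1, 65535)  # MustRunAs range for runAsGroup, supplementalGroups, fsGroup
# Assumption: the legacy pod annotation is honoured alongside spec.securityContext.seccompProfile.
SECCOMP_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"


def _seccomp_profile(pod):
    prof = pod.get("spec", {}).get("securityContext", {}).get("seccompProfile")
    if prof:  # Localhost/Unconfined stay as-is and are rejected by the allow-list
        return {"RuntimeDefault": "runtime/default"}.get(prof.get("type"), prof.get("type"))
    return pod.get("metadata", {}).get("annotations", {}).get(SECCOMP_ANNOTATION)


def _in_range(value, rng):
    return value is not None and rng[0] <= value <= rng[1]


def check_pod(pod):
    """Return violation messages for one Pod dict; an empty list means compliant."""
    meta, spec = pod.get("metadata", {}), pod.get("spec", {})
    if meta.get("namespace", "default") in EXCLUDED_NAMESPACES:
        return []  # excludedNamespaces: these namespaces are not evaluated at all
    pod_sc, v = spec.get("securityContext", {}), []
    # BlockUsingHostProcessIDAndIPC and BlockUsingHostNetwork (allowHostNetwork = false)
    v += [f"spec.{f} is true" for f in ("hostPID", "hostIPC", "hostNetwork")
          if spec.get(f) and not (f == "hostNetwork" and ALLOW_HOST_NETWORK)]
    # AllowedVolumeTypes: a volume's type is the key that is not "name"
    for vol in spec.get("volumes", []):
        for vtype in (k for k in vol if k != "name"):
            if vtype not in ALLOWED_VOLUME_TYPES:
                v.append(f"volume {vol.get('name')}: type {vtype} not allowed")
    # AllowedSeccompProfiles (an unset profile is reported: fail closed)
    if _seccomp_profile(pod) not in ALLOWED_SECCOMP_PROFILES:
        v.append(f"seccomp profile {_seccomp_profile(pod)!r} not allowed")
    # AllowedUsersGroups, pod-level MustRunAs rules (unset is reported: fail closed)
    if not _in_range(pod_sc.get("fsGroup"), GROUP_RANGE):
        v.append("fsGroup missing or outside 1-65535")
    if not all(_in_range(g, GROUP_RANGE) for g in pod_sc.get("supplementalGroups") or [None]):
        v.append("supplementalGroups missing or outside 1-65535")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        if sc.get("privileged"):  # NoPrivilegedContainers
            v.append(f"{name}: privileged")
        if sc.get("allowPrivilegeEscalation") is not False:  # NoPrivilegeEscalation
            v.append(f"{name}: allowPrivilegeEscalation must be explicitly false")
        for cap in (sc.get("capabilities") or {}).get("add", []):  # ContainerCapabilities
            if cap.upper() not in ALLOWED_CAPABILITIES:
                v.append(f"{name}: added capability {cap} not allowed")
        for p in c.get("ports", []):  # minPort = maxPort = 0: no hostPort is permitted
            if p.get("hostPort") is not None and not _in_range(p["hostPort"], HOST_PORT_RANGE):
                v.append(f"{name}: hostPort {p['hostPort']} outside allowed range")
        # AllowedUsersGroups: a container securityContext overrides the pod-level one
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if not (non_root is True or (uid is not None and uid > 0)):
            v.append(f"{name}: MustRunAsNonRoot not satisfied")
        if not _in_range(sc.get("runAsGroup", pod_sc.get("runAsGroup")), GROUP_RANGE):
            v.append(f"{name}: runAsGroup missing or outside 1-65535")
    return v


# Constructed sample manifests for this example (not taken from the page).
WEAK_POD = {
    "metadata": {"name": "debug", "namespace": "default"},
    "spec": {"hostPID": True,
             "containers": [{"name": "shell", "image": "busybox",
                             "securityContext": {"privileged": True,
                                                 "capabilities": {"add": ["SYS_ADMIN"]}},
                             "ports": [{"containerPort": 8080, "hostPort": 8080}]}],
             "volumes": [{"name": "root", "hostPath": {"path": "/"}}]},
}
HARDENED_POD = {
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 10001, "runAsGroup": 10001,
                                 "fsGroup": 10001, "supplementalGroups": [10001],
                                 "seccompProfile": {"type": "RuntimeDefault"}},
             "containers": [{"name": "web", "image": "nginxinc/nginx-unprivileged",
                             "securityContext": {"allowPrivilegeEscalation": False,
                                                 "capabilities": {"drop": ["ALL"],
                                                                  "add": ["NET_BIND_SERVICE"]}},
                             "ports": [{"containerPort": 8080}]}],
             "volumes": [{"name": "tmp", "emptyDir": {}}]},
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], check_pod(pod) or "compliant")
```

Run against the weak manifest the checker reports every member policy of the initiative at once (host PID namespace, hostPath volume, missing seccomp profile, missing group IDs, privileged container, unset allowPrivilegeEscalation, SYS_ADMIN, hostPort, root user, missing runAsGroup); the hardened manifest passes. In the cluster, whether a violation is merely recorded or the admission request is rejected depends on the initiative's single effect parameter, which defaults to audit and is passed to all eight policies; set it to deny on the assignment to block non-compliant pods.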