
Azure Policy Initiative

[Preview]: Kubernetes cluster pod security restricted standards for Linux-based workloads

Initiative DisplayName [Preview]: Kubernetes cluster pod security restricted standards for Linux-based workloads
Initiative Id 42b8ef37-b724-4e24-bbc8-7a7708edfe00
Initiative Category Kubernetes
Initiative Description This initiative includes the policies for the Kubernetes cluster pod security restricted standards. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Initiative Type BuiltIn
Initiative Changes
Date/Time (UTC, ymd) Change(s)
2020-07-14 15:28:17 add Policy [Preview]: Kubernetes cluster containers should only use allowed seccomp profiles (975ce327-682c-4f2e-aa46-b9598289b86c)
2020-07-08 14:28:36 add Initiative 42b8ef37-b724-4e24-bbc8-7a7708edfe00
Initiative Policies count Total Policies: 8
Builtin Policies: 8/8
Static Policies: 0/8
Initiative Policies
Policy DisplayName Policy Id
[Preview]: Kubernetes cluster pods should only use allowed volume types 16697877-1118-4fb1-9b65-9898ec2509ec
[Preview]: Kubernetes cluster containers should only use allowed capabilities c26596ff-4d70-4e6a-9a30-c2506bd2f80c
[Preview]: Do not allow privileged containers in Kubernetes cluster 95edb821-ddaf-4404-9732-666045e056b4
[Preview]: Kubernetes cluster containers should not share host process ID or host IPC namespace 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8
[Preview]: Kubernetes cluster pods and containers should only run with approved user and group IDs f06ddb64-5fa3-4b77-b166-acb36f7f6042
[Preview]: Kubernetes clusters should not allow container privilege escalation 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99
[Preview]: Kubernetes cluster containers should only use allowed seccomp profiles 975ce327-682c-4f2e-aa46-b9598289b86c
[Preview]: Kubernetes cluster pods should only use approved host network and port range 82985f06-dc18-4a48-bc1c-b9f4f0098cfe
Initiative Rule
{
  "properties": {
  "displayName": "[Preview]: Kubernetes cluster pod security restricted standards for Linux-based workloads",
    "policyType": "BuiltIn",
    "description": "This initiative includes the policies for the Kubernetes cluster pod security restricted standards. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "2.0.0-preview",
      "category": "Kubernetes",
      "preview": true
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
        "displayName": "[Preview]: Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "NoPrivilegedContainers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
        "parameters": {
          "effect": {
          "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
          "value": "[parameters('excludedNamespaces')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "NoPrivilegeEscalation",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
        "parameters": {
          "effect": {
          "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
          "value": "[parameters('excludedNamespaces')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "BlockUsingHostNetwork",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe",
        "parameters": {
          "effect": {
          "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
          "value": "[parameters('excludedNamespaces')]"
          },
          "allowHostNetwork": {
            "value": false
          },
          "minPort": {
            "value": 0
          },
          "maxPort": {
            "value": 0
          }
        }
      },
      {
        "policyDefinitionReferenceId": "BlockUsingHostProcessIDAndIPC",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8",
        "parameters": {
          "effect": {
          "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
          "value": "[parameters('excludedNamespaces')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "ContainerCapabilities",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
        "parameters": {
          "effect": {
          "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
          "value": "[parameters('excludedNamespaces')]"
          },
          "allowedCapabilities": {
            "value": [
              "CHOWN",
              "DAC_OVERRIDE",
              "FSETID",
              "FOWNER",
              "MKNOD",
              "NET_RAW",
              "SETGID",
              "SETUID",
              "SETFCAP",
              "SETPCAP",
              "NET_BIND_SERVICE",
              "SYS_CHROOT",
              "KILL",
              "AUDIT_WRITE"
            ]
          },
          "requiredDropCapabilities": {
            "value": [
              
            ]
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AllowedVolumeTypes",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/16697877-1118-4fb1-9b65-9898ec2509ec",
        "parameters": {
          "effect": {
          "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
          "value": "[parameters('excludedNamespaces')]"
          },
          "allowedVolumeTypes": {
            "value": [
              "configMap",
              "emptyDir",
              "projected",
              "secret",
              "downwardAPI",
              "persistentVolumeClaim"
            ]
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AllowedUsersGroups",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f06ddb64-5fa3-4b77-b166-acb36f7f6042",
        "parameters": {
          "effect": {
          "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
          "value": "[parameters('excludedNamespaces')]"
          },
          "runAsUserRule": {
            "value": "MustRunAsNonRoot"
          },
          "runAsUserRanges": {
            "value": {
              "ranges": [
                
              ]
            }
          },
          "runAsGroupRule": {
            "value": "MustRunAs"
          },
          "runAsGroupRanges": {
            "value": {
              "ranges": [
                {
                  "min": 1,
                  "max": 65535
                }
              ]
            }
          },
          "supplementalGroupsRule": {
            "value": "MustRunAs"
          },
          "supplementalGroupsRanges": {
            "value": {
              "ranges": [
                {
                  "min": 1,
                  "max": 65535
                }
              ]
            }
          },
          "fsGroupRule": {
            "value": "MustRunAs"
          },
          "fsGroupRanges": {
            "value": {
              "ranges": [
                {
                  "min": 1,
                  "max": 65535
                }
              ]
            }
          }
        }
      },
      {
        "policyDefinitionReferenceId": "AllowedSeccompProfiles",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/975ce327-682c-4f2e-aa46-b9598289b86c",
        "parameters": {
          "effect": {
          "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
          "value": "[parameters('excludedNamespaces')]"
          },
          "allowedProfiles": {
            "value": [
              "runtime/default",
              "docker/default"
            ]
          }
        }
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/42b8ef37-b724-4e24-bbc8-7a7708edfe00",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "42b8ef37-b724-4e24-bbc8-7a7708edfe00"
}