AzInitiativeAdvertizer

last sync: 2025-Oct-30 18:22:48 UTC

Enforce recommended guardrails for Kubernetes

Azure Landing Zones (ALZ) Policy Initiative (PolicySet)

Source Repository Azure Landing Zones (ALZ) GitHub
JSON Enforce-Guardrails-Kubernetes
Display nameEnforce recommended guardrails for Kubernetes
IdEnforce-Guardrails-Kubernetes
Version1.2.0
Details on versioning
CategoryKubernetes
DescriptionThis policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.
Cloud environments AzureChinaCloud
AzureCloud
AzureUSGovernment
TypeCustom Azure Landing Zones (ALZ)
DeprecatedFalse
PreviewFalse
Policy-used summary
Policy types Policy states Policy categories
Total Policies: 16
Builtin Policies: 16
Static Policies: 0
ALZ Policies: 0
GA: 16
1 categories:
Kubernetes: 16
Policy-used
Policy DisplayName Policy Id Category Effect Roles# Roles State Type policy in AzUSGov
Azure Kubernetes Clusters should enable Key Management Service (KMS) dbbdc317-9734-4dd8-9074-993b29c69008 Kubernetes Default
Audit
Allowed
Audit, Disabled		 0 GA BuiltIn true
Azure Kubernetes Clusters should use Azure CNI 46238e2f-3f6f-4589-9f3f-77bed4116e67 Kubernetes Default
Audit
Allowed
Audit, Disabled		 0 GA BuiltIn unknown
Azure Kubernetes Service Clusters should have local authentication methods disabled 993c2fcd-2b29-49d2-9eb0-df2c3a730c32 Kubernetes Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA BuiltIn unknown
Azure Kubernetes Service Private Clusters should be enabled 040732e8-d947-40b8-95d6-854c95024bf8 Kubernetes Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA BuiltIn true
Deploy Azure Policy Add-on to Azure Kubernetes Service clusters a8eff44f-8c92-45c3-a3fb-9880802d67a7 Kubernetes Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled		 2 Azure Kubernetes Service Contributor Role, Azure Kubernetes Service Policy Add-on Deployment GA BuiltIn true
Disable Command Invoke on Azure Kubernetes Service clusters 1b708b0a-3380-40e9-8b79-821f9fa224cc Kubernetes Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled		 2 Azure Kubernetes Service Contributor Role, Azure Kubernetes Service Policy Add-on Deployment GA BuiltIn unknown
Ensure cluster containers have readiness or liveness probes configured b1a9997f-2883-4f12-bdff-2280f99b5915 Kubernetes Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA BuiltIn true
Kubernetes cluster containers should not share host namespaces 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 Kubernetes Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA BuiltIn true
Kubernetes cluster containers should only use allowed capabilities c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled		 0 GA BuiltIn true
Kubernetes cluster should not allow privileged containers 95edb821-ddaf-4404-9732-666045e056b4 Kubernetes Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled		 0 GA BuiltIn true
Kubernetes cluster should not use naked pods 65280eef-c8b4-425e-9aec-af55e55bf581 Kubernetes Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA BuiltIn true
Kubernetes cluster Windows containers should not run as ContainerAdministrator 5485eac0-7e8f-4964-998b-a44f4f0c1e75 Kubernetes Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA BuiltIn true
Kubernetes clusters should not allow container privilege escalation 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 Kubernetes Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA BuiltIn true
Kubernetes clusters should not use the default namespace 9f061a12-e40d-4183-a00e-171812443373 Kubernetes Default
Audit
Allowed
audit, Audit, deny, Deny, disabled, Disabled		 0 GA BuiltIn true
Kubernetes clusters should use internal load balancers 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e Kubernetes Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled		 0 GA BuiltIn true
Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host 41425d9f-d1a5-499a-9932-f8ed8453932c Kubernetes Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA BuiltIn true
Roles used
History none
JSON compare n/a
JSON
EPAC