
Azure Policy Initiative

Kubernetes cluster pod security baseline standards for Linux-based workloads

Name: Kubernetes cluster pod security baseline standards for Linux-based workloads
Id: a8640138-9b0a-4a28-b8cb-1666c838647d
Version: 1.0.1
Category: Kubernetes
Description: This initiative includes the policies for the Kubernetes cluster pod security baseline standards. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
Type: BuiltIn
History
Date/Time (UTC ymd) Changes
2020-10-13 13:23:38 Description change: 'This initiative includes the policies for the Kubernetes cluster pod security baseline standards. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.' to 'This initiative includes the policies for the Kubernetes cluster pod security baseline standards. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.'
2020-09-15 14:06:41 Name change: '[Preview]: Kubernetes cluster pod security baseline standards for Linux-based workloads' to 'Kubernetes cluster pod security baseline standards for Linux-based workloads'
2020-07-08 14:28:36 add Initiative a8640138-9b0a-4a28-b8cb-1666c838647d
Policy count Total Policies: 5
Builtin Policies: 5
Static Policies: 0
Policies used
Policy DisplayName Policy Id Category Effect (the Default/Allowed values listed are those of each policy definition on its own; when assigned through this initiative, every policy's effect is bound to the initiative's "effect" parameter, whose default is audit)
Do not allow privileged containers in Kubernetes cluster 95edb821-ddaf-4404-9732-666045e056b4 Kubernetes Default: deny
Allowed: (audit,deny,disabled)
Kubernetes cluster containers should not share host process ID or host IPC namespace 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 Kubernetes Default: audit
Allowed: (audit,deny,disabled)
Kubernetes cluster containers should only use allowed capabilities c26596ff-4d70-4e6a-9a30-c2506bd2f80c Kubernetes Default: audit
Allowed: (audit,deny,disabled)
Kubernetes cluster pod hostPath volumes should only use allowed host paths 098fc59e-46c7-4d99-9b16-64990e543d75 Kubernetes Default: audit
Allowed: (audit,deny,disabled)
Kubernetes cluster pods should only use approved host network and port range 82985f06-dc18-4a48-bc1c-b9f4f0098cfe Kubernetes Default: audit
Allowed: (audit,deny,disabled)
JSON
{
  "properties": {
    "displayName": "Kubernetes cluster pod security baseline standards for Linux-based workloads",
    "policyType": "BuiltIn",
    "description": "This initiative includes the policies for the Kubernetes cluster pod security baseline standards. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.",
    "metadata": {
      "version": "1.0.1",
      "category": "Kubernetes"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      },
      "excludedNamespaces": {
        "type": "Array",
        "metadata": {
          "displayName": "Namespace exclusions",
          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
        },
        "defaultValue": [
          "kube-system",
          "gatekeeper-system",
          "azure-arc"
        ]
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "NoPrivilegedContainers",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
        "parameters": {
          "effect": {
          "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
          "value": "[parameters('excludedNamespaces')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "BlockUsingHostNetwork",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe",
        "parameters": {
          "effect": {
          "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
          "value": "[parameters('excludedNamespaces')]"
          },
          "allowHostNetwork": {
            "value": false
          },
          "minPort": {
            "value": 0
          },
          "maxPort": {
            "value": 0
          }
        }
      },
      {
        "policyDefinitionReferenceId": "BlockUsingHostProcessIDAndIPC",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8",
        "parameters": {
          "effect": {
          "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
          "value": "[parameters('excludedNamespaces')]"
          }
        }
      },
      {
        "policyDefinitionReferenceId": "ContainerCapabilities",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
        "parameters": {
          "effect": {
          "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
          "value": "[parameters('excludedNamespaces')]"
          },
          "allowedCapabilities": {
            "value": [
              "CHOWN",
              "DAC_OVERRIDE",
              "FSETID",
              "FOWNER",
              "MKNOD",
              "NET_RAW",
              "SETGID",
              "SETUID",
              "SETFCAP",
              "SETPCAP",
              "NET_BIND_SERVICE",
              "SYS_CHROOT",
              "KILL",
              "AUDIT_WRITE"
            ]
          },
          "requiredDropCapabilities": {
            "value": [
              
            ]
          }
        }
      },
      {
        "policyDefinitionReferenceId": "NoHostPathVolume",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75",
        "parameters": {
          "effect": {
          "value": "[parameters('effect')]"
          },
          "excludedNamespaces": {
          "value": "[parameters('excludedNamespaces')]"
          },
          "allowedHostPaths": {
            "value": {
              "paths": [
                
              ]
            }
          }
        }
      }
    ]
  },
  "id": "/providers/Microsoft.Authorization/policySetDefinitions/a8640138-9b0a-4a28-b8cb-1666c838647d",
  "type": "Microsoft.Authorization/policySetDefinitions",
  "name": "a8640138-9b0a-4a28-b8cb-1666c838647d"
}