AzInitiativeAdvertizer

last sync: 2025-May-23 18:26:59 UTC

[Preview]: Deployment safeguards should help guide developers towards AKS recommended best practices

Azure BuiltIn Policy Initiative (PolicySet)

Source Azure Portal
Display name[Preview]: Deployment safeguards should help guide developers towards AKS recommended best practices
Idc047ea8e-9c78-49b2-958b-37e56d291a44
Version1.9.0-preview
Details on versioning
Versioning Versions supported for Versioning: 9
1.9.0-preview
1.8.0-preview
1.7.0-preview
1.6.0-preview
1.5.0-preview
1.4.1-preview
1.4.0-preview
1.3.3-preview
1.3.2-preview
Built-in Versioning [Preview]
CategoryKubernetes
Microsoft Learn
DescriptionA collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use deployment safeguards to assign this policy initiative: https://aka.ms/aks/deployment-safeguards. Azure Policy Add-On for AKS is a pre-requisite for applying these best practices to your clusters. For instructions on enabling the Azure Policy Add-On, go to aka.ms/akspolicydoc
Cloud environmentsAzureCloud = true
AzureChinaCloud = unknown
AzureUSGovernment = true
Available in AzUSGovThe PolicySet is available in AzureUSGovernment cloud. Version: '1.6.0-preview'
Repository: Azure-Policy c047ea8e-9c78-49b2-958b-37e56d291a44
TypeBuiltIn
DeprecatedFalse
PreviewTrue
Policy-used summary
Policy types Policy states Policy categories
Total Policies: 20
Builtin Policies: 20
Static Policies: 0
GA: 4
Preview: 16
1 categories:
Kubernetes: 20
Policy-used
Policy DisplayName Policy Id Category Version Versioning Effect Roles# Roles State policy in AzUSGov
[Preview]: Cannot Edit Individual Nodes 53a4a537-990c-495a-92e0-7c21a465442c Kubernetes 1.3.0-preview 5x
1.3.0-preview, 1.2.0-preview, 1.1.1-preview, 1.1.0-preview, 1.0.3-preview		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 Preview true
[Preview]: Kubernetes cluster container images must include the preStop hook 1a3b9003-eac6-4d39-a184-4a567ace7645 Kubernetes 1.1.0-preview 2x
1.1.0-preview, 1.0.0-preview		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 Preview true
[Preview]: Kubernetes cluster container images should not include latest image tag 021f8078-41a0-40e6-81b6-c6597da9f3ee Kubernetes 2.0.0-preview 3x
2.0.0-preview, 1.1.0-preview, 1.0.0-preview		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 Preview true
[Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present 12db3749-7e03-4b9f-b443-d37d3fb9f8d9 Kubernetes 1.3.0-preview 4x
1.3.0-preview, 1.2.0-preview, 1.1.0-preview, 1.0.0-preview		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 Preview true
[Preview]: Kubernetes cluster services should use unique selectors b0fdedee-7b9e-4a17-9f5d-5e8e912d2f01 Kubernetes 1.2.0-preview 4x
1.2.0-preview, 1.1.1-preview, 1.1.0-preview, 1.0.0-preview		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 Preview true
[Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d Kubernetes 1.3.0-preview 5x
1.3.0-preview, 1.2.0-preview, 1.1.1-preview, 1.1.0-preview, 1.0.0-preview		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 Preview true
[Preview]: Must Have Anti Affinity Rules Set 34c88cd4-5d72-4dbb-bf77-12c3cafe8791 Kubernetes 1.2.0-preview 4x
1.2.0-preview, 1.1.1-preview, 1.1.0-preview, 1.0.1-preview		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 Preview true
[Preview]: No AKS Specific Labels a22123bd-b9da-4c86-9424-24903e91fd55 Kubernetes 1.2.0-preview 4x
1.2.0-preview, 1.1.1-preview, 1.1.0-preview, 1.0.1-preview		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 Preview true
[Preview]: Prints a message if a mutation is applied e24df237-32cb-4a6c-a2f6-85b499cda9f2 Kubernetes 1.2.0-preview 3x
1.2.0-preview, 1.1.0-preview, 1.0.0-preview		 Default
Audit
Allowed
Audit, Disabled		 0 Preview true
[Preview]: Reserved System Pool Taints 48940d92-ff05-449e-9111-e742d9280451 Kubernetes 1.2.0-preview 4x
1.2.0-preview, 1.1.1-preview, 1.1.0-preview, 1.0.1-preview		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 Preview true
[Preview]: Restricts the CriticalAddonsOnly taint to just the system pool. e16d171b-bfe5-4d79-a525-19736b396e92 Kubernetes 1.3.0-preview 4x
1.3.0-preview, 1.2.0-preview, 1.1.0-preview, 1.0.0-preview		 Default
Mutate
Allowed
Mutate, Disabled		 0 Preview true
[Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present. 42ba1d72-e90f-42f8-bf99-5a1351eed2b1 Kubernetes 1.3.0-preview 5x
1.3.0-preview, 1.2.0-preview, 1.1.1-preview, 1.1.0-preview, 1.0.0-preview		 Default
Mutate
Allowed
Mutate, Disabled		 0 Preview true
[Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present. 5f86d473-38a8-46c9-bdfe-d7fa3b9836bf Kubernetes 1.3.0-preview 5x
1.3.0-preview, 1.2.0-preview, 1.1.1-preview, 1.1.0-preview, 1.0.0-preview		 Default
Mutate
Allowed
Mutate, Disabled		 0 Preview true
[Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources d77f191e-2338-45d0-b6d4-4ee1c586a192 Kubernetes 1.3.0-preview 4x
1.3.0-preview, 1.2.0-preview, 1.1.0-preview, 1.0.0-preview		 Default
Mutate
Allowed
Mutate, Disabled		 0 Preview true
[Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set. 2ae2f266-ecc3-4d26-82c5-8c3cb7774f45 Kubernetes 1.3.0-preview 4x
1.3.0-preview, 1.2.0-preview, 1.1.0-preview, 1.0.0-preview		 Default
Mutate
Allowed
Mutate, Disabled		 0 Preview true
[Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set. 8e875f96-2c56-40ca-86db-b9f6a0be7347 Kubernetes 1.3.0-preview 4x
1.3.0-preview, 1.2.0-preview, 1.1.0-preview, 1.0.0-preview		 Default
Mutate
Allowed
Mutate, Disabled		 0 Preview true
Ensure cluster containers have readiness or liveness probes configured b1a9997f-2883-4f12-bdff-2280f99b5915 Kubernetes 3.3.0 3x
3.3.0, 3.2.0, 3.1.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits e345eecc-fa47-480f-9e88-67dcc122b164 Kubernetes 9.3.0 3x
9.3.0, 9.2.0, 9.1.0		 Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled		 0 GA true
Kubernetes cluster containers should only use allowed images febd0533-8e55-448f-b837-bd0e06f16469 Kubernetes 9.3.0 4x
9.3.0, 9.2.0, 9.1.1, 9.1.0		 Default
Deny
Allowed
audit, Audit, deny, Deny, disabled, Disabled		 0 GA true
Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 Kubernetes 2.3.0 3x
2.3.0, 2.2.0, 2.1.0		 Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA true
Roles used No Roles used
History
Date/Time (UTC ymd) (i) Changes
2024-10-30 18:57:58 add Policy [Preview]: Prints a message if a mutation is applied (e24df237-32cb-4a6c-a2f6-85b499cda9f2)
Version change: '1.8.0-preview' to '1.9.0-preview'
2024-10-15 17:53:51 Version change: '1.7.0-preview' to '1.8.0-preview'
2024-04-17 17:45:34 Version change: '1.6.0-preview' to '1.7.0-preview'
2024-04-11 17:47:35 add Policy [Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources (d77f191e-2338-45d0-b6d4-4ee1c586a192)
add Policy [Preview]: Restricts the CriticalAddonsOnly taint to just the system pool. (e16d171b-bfe5-4d79-a525-19736b396e92)
add Policy [Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present. (42ba1d72-e90f-42f8-bf99-5a1351eed2b1)
add Policy [Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present. (5f86d473-38a8-46c9-bdfe-d7fa3b9836bf)
add Policy [Preview]: Kubernetes cluster container images must include the preStop hook (1a3b9003-eac6-4d39-a184-4a567ace7645)
add Policy [Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set. (8e875f96-2c56-40ca-86db-b9f6a0be7347)
add Policy [Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set. (2ae2f266-ecc3-4d26-82c5-8c3cb7774f45)
add Policy [Preview]: Kubernetes cluster container images should not include latest image tag (021f8078-41a0-40e6-81b6-c6597da9f3ee)
Version change: '1.4.1-preview' to '1.6.0-preview'
2024-03-13 20:05:29 Description change: 'A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use deployment safeguards to assign this policy initiative: https://aka.ms/aks/safeguards. Azure Policy Add-On for AKS is a pre-requisite for applying these best practices to your clusters. For instructions on enabling the Azure Policy Add-On, go to aka.ms/akspolicydoc' to 'A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use deployment safeguards to assign this policy initiative: https://aka.ms/aks/deployment-safeguards. Azure Policy Add-On for AKS is a pre-requisite for applying these best practices to your clusters. For instructions on enabling the Azure Policy Add-On, go to aka.ms/akspolicydoc'
2024-03-06 19:15:55 Version change: '1.4.0-preview' to '1.4.1-preview'
2024-02-23 19:01:26 Version change: '1.3.3-preview' to '1.4.0-preview'
2024-02-05 19:34:05 Version change: '1.3.2-preview' to '1.3.3-preview'
2024-01-30 18:39:39 Description change: 'A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use AKS Deployment Safeguards to assign this policy initiative: https://aka.ms/aks/safeguards. Azure Policy Add-On for AKS is a pre-requisite for applying these best practices to your clusters. For instructions on enabling the Azure Policy Add-On, go to aka.ms/akspolicydoc' to 'A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use deployment safeguards to assign this policy initiative: https://aka.ms/aks/safeguards. Azure Policy Add-On for AKS is a pre-requisite for applying these best practices to your clusters. For instructions on enabling the Azure Policy Add-On, go to aka.ms/akspolicydoc'
Name change: '[Preview]: AKS Safeguards should help guide developers towards AKS recommended best practices' to '[Preview]: Deployment safeguards should help guide developers towards AKS recommended best practices'
2023-12-07 18:54:02 Version change: '1.3.1-preview' to '1.3.2-preview'
2023-12-05 19:46:52 Name change: '[Preview]: AKS Guardrails should help guide developers towards AKS recommended best practices' to '[Preview]: AKS Safeguards should help guide developers towards AKS recommended best practices'
Description change: 'A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use AKS Guardrails to assign this policy initiative: https://aka.ms/aks/guardrails.' to 'A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use AKS Deployment Safeguards to assign this policy initiative: https://aka.ms/aks/safeguards. Azure Policy Add-On for AKS is a pre-requisite for applying these best practices to your clusters. For instructions on enabling the Azure Policy Add-On, go to aka.ms/akspolicydoc'
2023-11-03 19:40:09 add Policy [Preview]: Kubernetes cluster services should use unique selectors (b0fdedee-7b9e-4a17-9f5d-5e8e912d2f01)
add Policy [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets (d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d)
add Policy [Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present (12db3749-7e03-4b9f-b443-d37d3fb9f8d9)
Version change: '1.2.1-preview' to '1.3.1-preview'
2023-10-11 18:00:02 add Policy Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass (4f3823b6-6dac-4b5a-9c61-ce1afb829f17)
Version change: '1.1.1-preview' to '1.2.1-preview'
2023-07-28 20:08:16 Version change: '1.1.0-preview' to '1.1.1-preview'
2023-07-24 17:56:15 Description change: 'A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service' to 'A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use AKS Guardrails to assign this policy initiative: https://aka.ms/aks/guardrails.'
2023-06-08 17:46:29 Version change: '1.0.0-preview' to '1.1.0-preview'
2023-05-10 17:45:01 add Initiative c047ea8e-9c78-49b2-958b-37e56d291a44
JSON compare
compare mode: version left: version right:
JSON
api-version=2023-04-01
EPAC