last sync: 2024-Jul-26 18:18:00 UTC

[Preview]: Deployment safeguards should help guide developers towards AKS recommended best practices

Azure BuiltIn Policy Initiative (PolicySet)

Source: Azure Portal
Display name: [Preview]: Deployment safeguards should help guide developers towards AKS recommended best practices
Id: c047ea8e-9c78-49b2-958b-37e56d291a44
Version: 1.7.0-preview
Category: Kubernetes
Description: A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use deployment safeguards to assign this policy initiative: https://aka.ms/aks/deployment-safeguards. Azure Policy Add-On for AKS is a pre-requisite for applying these best practices to your clusters. For instructions on enabling the Azure Policy Add-On, go to aka.ms/akspolicydoc
Type: BuiltIn
Deprecated: False
Preview: True
Policy count: Total Policies: 19
Builtin Policies: 19
Static Policies: 0
Policy used
| Policy DisplayName | Policy Id | Category | Effect (Default) | Effect (Allowed) | Roles# | Roles | State |
| --- | --- | --- | --- | --- | --- | --- | --- |
| [Preview]: Cannot Edit Individual Nodes | 53a4a537-990c-495a-92e0-7c21a465442c | Kubernetes | Audit | Audit, Deny, Disabled | 0 | | Preview |
| [Preview]: Kubernetes cluster container images must include the preStop hook | 1a3b9003-eac6-4d39-a184-4a567ace7645 | Kubernetes | Audit | Audit, Deny, Disabled | 0 | | Preview |
| [Preview]: Kubernetes cluster container images should not include latest image tag | 021f8078-41a0-40e6-81b6-c6597da9f3ee | Kubernetes | Audit | Audit, Deny, Disabled | 0 | | Preview |
| [Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present | 12db3749-7e03-4b9f-b443-d37d3fb9f8d9 | Kubernetes | Audit | Audit, Deny, Disabled | 0 | | Preview |
| [Preview]: Kubernetes cluster services should use unique selectors | b0fdedee-7b9e-4a17-9f5d-5e8e912d2f01 | Kubernetes | Audit | Audit, Deny, Disabled | 0 | | Preview |
| [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets | d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d | Kubernetes | Audit | Audit, Deny, Disabled | 0 | | Preview |
| [Preview]: Must Have Anti Affinity Rules Set | 34c88cd4-5d72-4dbb-bf77-12c3cafe8791 | Kubernetes | Audit | Audit, Deny, Disabled | 0 | | Preview |
| [Preview]: No AKS Specific Labels | a22123bd-b9da-4c86-9424-24903e91fd55 | Kubernetes | Audit | Audit, Deny, Disabled | 0 | | Preview |
| [Preview]: Reserved System Pool Taints | 48940d92-ff05-449e-9111-e742d9280451 | Kubernetes | Audit | Audit, Deny, Disabled | 0 | | Preview |
| [Preview]: Restricts the CriticalAddonsOnly taint to just the system pool. | e16d171b-bfe5-4d79-a525-19736b396e92 | Kubernetes | Mutate | Mutate, Disabled | 0 | | Preview |
| [Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present. | 42ba1d72-e90f-42f8-bf99-5a1351eed2b1 | Kubernetes | Mutate | Mutate, Disabled | 0 | | Preview |
| [Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present. | 5f86d473-38a8-46c9-bdfe-d7fa3b9836bf | Kubernetes | Mutate | Mutate, Disabled | 0 | | Preview |
| [Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources | d77f191e-2338-45d0-b6d4-4ee1c586a192 | Kubernetes | Mutate | Mutate, Disabled | 0 | | Preview |
| [Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set. | 2ae2f266-ecc3-4d26-82c5-8c3cb7774f45 | Kubernetes | Mutate | Mutate, Disabled | 0 | | Preview |
| [Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set. | 8e875f96-2c56-40ca-86db-b9f6a0be7347 | Kubernetes | Mutate | Mutate, Disabled | 0 | | Preview |
| Ensure cluster containers have readiness or liveness probes configured | b1a9997f-2883-4f12-bdff-2280f99b5915 | Kubernetes | Audit | Audit, Deny, Disabled | 0 | | GA |
| Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | e345eecc-fa47-480f-9e88-67dcc122b164 | Kubernetes | Deny | audit, Audit, deny, Deny, disabled, Disabled | 0 | | GA |
| Kubernetes cluster containers should only use allowed images | febd0533-8e55-448f-b837-bd0e06f16469 | Kubernetes | Deny | audit, Audit, deny, Deny, disabled, Disabled | 0 | | GA |
| Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass | 4f3823b6-6dac-4b5a-9c61-ce1afb829f17 | Kubernetes | Audit | Audit, Deny, Disabled | 0 | | GA |
Roles used: No Roles used
History
Date/Time (UTC ymd) Changes
2024-04-17 17:45:34 Version change: '1.6.0-preview' to '1.7.0-preview'
2024-04-11 17:47:35 add Policy [Preview]: Restricts the CriticalAddonsOnly taint to just the system pool. (e16d171b-bfe5-4d79-a525-19736b396e92)
add Policy [Preview]: Kubernetes cluster container images must include the preStop hook (1a3b9003-eac6-4d39-a184-4a567ace7645)
add Policy [Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present. (42ba1d72-e90f-42f8-bf99-5a1351eed2b1)
add Policy [Preview]: Sets Kubernetes cluster containers memory limits to default values in case not present. (5f86d473-38a8-46c9-bdfe-d7fa3b9836bf)
add Policy [Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set. (8e875f96-2c56-40ca-86db-b9f6a0be7347)
add Policy [Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set. (2ae2f266-ecc3-4d26-82c5-8c3cb7774f45)
add Policy [Preview]: Kubernetes cluster container images should not include latest image tag (021f8078-41a0-40e6-81b6-c6597da9f3ee)
add Policy [Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources (d77f191e-2338-45d0-b6d4-4ee1c586a192)
Version change: '1.4.1-preview' to '1.6.0-preview'
2024-03-13 20:05:29 Description change: 'A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use deployment safeguards to assign this policy initiative: https://aka.ms/aks/safeguards. Azure Policy Add-On for AKS is a pre-requisite for applying these best practices to your clusters. For instructions on enabling the Azure Policy Add-On, go to aka.ms/akspolicydoc' to 'A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use deployment safeguards to assign this policy initiative: https://aka.ms/aks/deployment-safeguards. Azure Policy Add-On for AKS is a pre-requisite for applying these best practices to your clusters. For instructions on enabling the Azure Policy Add-On, go to aka.ms/akspolicydoc'
2024-03-06 19:15:55 Version change: '1.4.0-preview' to '1.4.1-preview'
2024-02-23 19:01:26 Version change: '1.3.3-preview' to '1.4.0-preview'
2024-02-05 19:34:05 Version change: '1.3.2-preview' to '1.3.3-preview'
2024-01-30 18:39:39 Description change: 'A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use AKS Deployment Safeguards to assign this policy initiative: https://aka.ms/aks/safeguards. Azure Policy Add-On for AKS is a pre-requisite for applying these best practices to your clusters. For instructions on enabling the Azure Policy Add-On, go to aka.ms/akspolicydoc' to 'A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use deployment safeguards to assign this policy initiative: https://aka.ms/aks/safeguards. Azure Policy Add-On for AKS is a pre-requisite for applying these best practices to your clusters. For instructions on enabling the Azure Policy Add-On, go to aka.ms/akspolicydoc'
Name change: '[Preview]: AKS Safeguards should help guide developers towards AKS recommended best practices' to '[Preview]: Deployment safeguards should help guide developers towards AKS recommended best practices'
2023-12-07 18:54:02 Version change: '1.3.1-preview' to '1.3.2-preview'
2023-12-05 19:46:52 Description change: 'A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use AKS Guardrails to assign this policy initiative: https://aka.ms/aks/guardrails.' to 'A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use AKS Deployment Safeguards to assign this policy initiative: https://aka.ms/aks/safeguards. Azure Policy Add-On for AKS is a pre-requisite for applying these best practices to your clusters. For instructions on enabling the Azure Policy Add-On, go to aka.ms/akspolicydoc'
Name change: '[Preview]: AKS Guardrails should help guide developers towards AKS recommended best practices' to '[Preview]: AKS Safeguards should help guide developers towards AKS recommended best practices'
2023-11-03 19:40:09 add Policy [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets (d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d)
add Policy [Preview]: Kubernetes cluster services should use unique selectors (b0fdedee-7b9e-4a17-9f5d-5e8e912d2f01)
add Policy [Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present (12db3749-7e03-4b9f-b443-d37d3fb9f8d9)
Version change: '1.2.1-preview' to '1.3.1-preview'
2023-10-11 18:00:02 add Policy Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass (4f3823b6-6dac-4b5a-9c61-ce1afb829f17)
Version change: '1.1.1-preview' to '1.2.1-preview'
2023-07-28 20:08:16 Version change: '1.1.0-preview' to '1.1.1-preview'
2023-07-24 17:56:15 Description change: 'A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service' to 'A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use AKS Guardrails to assign this policy initiative: https://aka.ms/aks/guardrails.'
2023-06-08 17:46:29 Version change: '1.0.0-preview' to '1.1.0-preview'
2023-05-10 17:45:01 add Initiative c047ea8e-9c78-49b2-958b-37e56d291a44