Use Azure Policy Add-on with AKS clusters#
Security · Azure Kubernetes Service · 2020_12
Configure Azure Kubernetes Service (AKS) clusters to use Azure Policy Add-on for Kubernetes.
Description#
AKS clusters support integration with Azure Policy using an Open Policy Agent (OPA). Azure Policy integration is provided by an optional add-on that can be enabled on AKS clusters. Once enabled and Azure policies assigned, AKS clusters will enforce the configured constraints.
Examples of policies include:
- Enforce HTTPS ingress in Kubernetes cluster.
- Do not allow privileged containers in Kubernetes cluster.
- Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster.
Recommendation#
Consider installing the Azure Policy Add-on for AKS clusters. Additionally, assign one or more Azure Policy definitions to security controls.
Examples#
Configure with Azure template#
To deploy AKS clusters that pass this rule:
- Set
properties.addonProfiles.azurepolicy.enabled
totrue
.
For example:
{
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2021-10-01",
"name": "[parameters('clusterName')]",
"location": "[parameters('location')]",
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]": {}
}
},
"properties": {
"kubernetesVersion": "[parameters('kubernetesVersion')]",
"enableRBAC": true,
"dnsPrefix": "[parameters('dnsPrefix')]",
"agentPoolProfiles": "[variables('allPools')]",
"aadProfile": {
"managed": true,
"enableAzureRBAC": true,
"adminGroupObjectIDs": "[parameters('clusterAdmins')]",
"tenantID": "[subscription().tenantId]"
},
"networkProfile": {
"networkPlugin": "azure",
"networkPolicy": "azure",
"loadBalancerSku": "standard",
"serviceCidr": "[variables('serviceCidr')]",
"dnsServiceIP": "[variables('dnsServiceIP')]",
"dockerBridgeCidr": "[variables('dockerBridgeCidr')]"
},
"autoUpgradeProfile": {
"upgradeChannel": "stable"
},
"addonProfiles": {
"httpApplicationRouting": {
"enabled": false
},
"azurepolicy": {
"enabled": true,
"config": {
"version": "v2"
}
},
"omsagent": {
"enabled": true,
"config": {
"logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]"
}
},
"kubeDashboard": {
"enabled": false
},
"azureKeyvaultSecretsProvider": {
"enabled": true,
"config": {
"enableSecretRotation": "true"
}
}
},
"podIdentityProfile": {
"enabled": true
}
},
"tags": "[parameters('tags')]",
"dependsOn": [
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]"
]
}
Configure with Bicep#
To deploy AKS clusters that pass this rule:
- Set
properties.addonProfiles.azurepolicy.enabled
totrue
.
For example:
resource cluster 'Microsoft.ContainerService/managedClusters@2021-10-01' = {
location: location
name: clusterName
identity: {
type: 'UserAssigned'
userAssignedIdentities: {
'${identity.id}': {}
}
}
properties: {
kubernetesVersion: kubernetesVersion
enableRBAC: true
dnsPrefix: dnsPrefix
agentPoolProfiles: allPools
aadProfile: {
managed: true
enableAzureRBAC: true
adminGroupObjectIDs: clusterAdmins
tenantID: subscription().tenantId
}
networkProfile: {
networkPlugin: 'azure'
networkPolicy: 'azure'
loadBalancerSku: 'standard'
serviceCidr: serviceCidr
dnsServiceIP: dnsServiceIP
dockerBridgeCidr: dockerBridgeCidr
}
autoUpgradeProfile: {
upgradeChannel: 'stable'
}
addonProfiles: {
httpApplicationRouting: {
enabled: false
}
azurepolicy: {
enabled: true
config: {
version: 'v2'
}
}
omsagent: {
enabled: true
config: {
logAnalyticsWorkspaceResourceID: workspaceId
}
}
kubeDashboard: {
enabled: false
}
azureKeyvaultSecretsProvider: {
enabled: true
config: {
enableSecretRotation: 'true'
}
}
}
podIdentityProfile: {
enabled: true
}
}
tags: tags
}
Notes#
Azure Policy for AKS clusters is generally available (GA). Azure Policy for AKS Engine and Arc enabled Kubernetes are currently in preview.
Links#
- Governance, risk, and compliance
- Understand Azure Policy for Kubernetes clusters
- Secure your cluster with Azure Policy
- Azure deployment reference