Skip to content

Configuring rule defaults#

PSRule for Azure include several rules that can be configured. Setting these values overrides the default configuration with organization specific values.

Configuration#

Tip

Each of these configuration options are set within the ps-rule.yaml file. To learn how to set configuration options see Configuring options.

AKS minimum Kubernetes version#

v1.12.0

This configuration option determines the minimum version of Kubernetes for AKS clusters and node pools. Rules that check the Kubernetes version fail when the version is older than the version specified.

Syntax:

configuration:
  AZURE_AKS_CLUSTER_MINIMUM_VERSION: string # A version string

Default:

# YAML: The default AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option
configuration:
  AZURE_AKS_CLUSTER_MINIMUM_VERSION: 1.25.6

Example:

# YAML: Set the AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option to 1.22.4
configuration:
  AZURE_AKS_CLUSTER_MINIMUM_VERSION: 1.22.4

AKS minimum max pods#

This configuration option determines the minimum allowed max pods setting per node pool. When an AKS cluster node pool is created, a maxPods option is used to determine the maximum number of pods for each node in the node pool.

Depending on your workloads it may make sense to change this option:

  • Micro-services/ web applications: 50+
  • Data movement/ processing: 20-30

Syntax:

configuration:
  Azure_AKSNodeMinimumMaxPods: integer

Default:

# YAML: The default Azure_AKSNodeMinimumMaxPods configuration option
configuration:
  Azure_AKSNodeMinimumMaxPods: 50

Example:

# YAML: Set the Azure_AKSNodeMinimumMaxPods configuration option to 30
configuration:
  Azure_AKSNodeMinimumMaxPods: 30

Allowed resource regions#

This configuration option specifies a list of allowed locations that resources can be deployed to. Rules that check the location of Azure resources fail when a resource or resource group is created in a different region.

By default, Azure_AllowedRegions is not configured. The rule Azure.Resource.AllowedRegions is skipped when no allowed locations are configured.

Syntax:

configuration:
  Azure_AllowedRegions: array # An array of regions

Default:

# YAML: The default Azure_AllowedRegions configuration option
configuration:
  Azure_AllowedRegions: []

Example:

# YAML: Set the Azure_AllowedRegions configuration option to Australia East, Australia South East
configuration:
  Azure_AllowedRegions:
  - 'australiaeast'
  - 'australiasoutheast'

Minimum certificate lifetime#

This configuration option determines the minimum number of days allowed before certificate expiry. Rules that check certificate lifetime fail when the days remaining before expiry drop below this number.

Syntax:

configuration:
  Azure_MinimumCertificateLifetime: integer

Default:

# YAML: The default Azure_MinimumCertificateLifetime configuration option
configuration:
  Azure_MinimumCertificateLifetime: 30

Example:

# YAML: Set the Azure_MinimumCertificateLifetime configuration option to 90
configuration:
  Azure_MinimumCertificateLifetime: 90

Azure Policy maximum wavier#

This configuration option determines the maximum number of days in the future for a waiver policy exemption.

Syntax:

configuration:
  AZURE_POLICY_WAIVER_MAX_EXPIRY: integer

Default:

# YAML: The default AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option
configuration:
  AZURE_POLICY_WAIVER_MAX_EXPIRY: 366

Example:

# YAML: Set the AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option to 90
configuration:
  AZURE_POLICY_WAIVER_MAX_EXPIRY: 90

Azure AKS CNI minimum cluster subnet size#

This configuration option determines the minimum subnet size for Azure AKS CNI.

Syntax:

configuration:
  AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE: integer

Default:

# YAML: The default AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE configuration option
configuration:
  AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE: 23

Example:

# YAML: Set the AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE configuration option to 26
configuration:
  AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE: 26

Additional region availability zone list#

This configuration option adds availability zones that are not included in the existing providers. You can use this option to add availability zones that are not included in the default list.

The following providers are supported:

  • Microsoft.Compute/virtualMachineScaleSets
  • Microsoft.Network/applicationGateways
  • Microsoft.Network/publicIPAddresses
  • Microsoft.ApiManagement/service
  • Microsoft.Cache/Redis
  • Microsoft.Cache/redisEnterprise

The following rules and configuration options are supported:

  • Azure.AKS.AvailabilityZone - AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST
  • Azure.AppGw.AvailabilityZone - AZURE_APPGW_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST
  • Azure.PublicIP.AvailabilityZone - AZURE_PUBLICIP_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST
  • Azure.APIM.AvailabilityZone - AZURE_APIM_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST
  • Azure.Redis.AvailabilityZone - AZURE_REDISCACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST
  • Azure.RedisEnterprise.Zones - AZURE_REDISENTERPRISECACHE_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST

Syntax:

configuration:
  AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: array

Default:

# YAML: The default AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option
configuration:
  AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST: []

Example:

# YAML: Set the AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST configuration option to Antarctica North and Antarctica South, with zones 1, 2, 3.
configuration:
  AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST:
  - location: 'Antarctica North'
    zones:
      - "1"
      - "2"
      - "3"
  - location: 'Antarctica South'
    zones:
      - "1"
      - "2"
      - "3"

The above example, both these forms of location are accepted:

  • Antarctica North or antarcticanorth
  • Antarctica South or antarcticasouth

The rules normalize these location formats so either is accepted in the configuration.

Note

The above are examples for illustration purpose only. At the time of writing, Antarctica North and Antarctica South are fictional locations. If they do in the future exist, use this option add them prior to PSRule for Azure support. The above shows examples specific to Azure.AKS.AvailabilityZone, but behavior is consistent across all supported rules.

Azure AKS enabled platform log categories list#

This configuration option sets selective platform diagnostic categories to report on being enabled.

Syntax:

configuration:
  AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST: array

Default:

# YAML: The default AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option
configuration:
  AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST: ['cluster-autoscaler', 'kube-apiserver', 'kube-controller-manager', 'kube-scheduler', 'AllMetrics']

Example:

# YAML: Set the AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option to cluster-autoscaler and AllMetrics categories only. 
configuration:
  AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST: ['cluster-autoscaler', 'AllMetrics']

Azure Automation Account enabled platform log categories list#

This configuration option sets selective platform diagnostic categories to report on being enabled.

Syntax:

configuration:
  AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST: array

Default:

# YAML: The default AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option
configuration:
  AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST: ['JobLogs', 'JobStreams', 'DscNodeStatus', 'AllMetrics']

Example:

# YAML: Set the AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST configuration option to JobLogs and AllMetrics categories only. 
configuration:
  AZURE_AUTOMATIONACCOUNT_ENABLED_PLATFORM_LOG_CATEGORIES_LIST: ['JobLogs', 'AllMetrics']

Azure Linux OS offers#

This configurations specifies names of offers corresponding to the Linux OS. It's mostly intended to be used when analyzing templates that use private Linux offerings. Rules that check if a VM or VMSS has Linux OS also validate against the values set by this configuration.

Syntax:

configuration:
  AZURE_LINUX_OS_OFFERS: array # An array of offer names

Default:

# YAML: The default AZURE_LINUX_OS_OFFERS configuration option
configuration:
  AZURE_LINUX_OS_OFFERS: []

Example:

# YAML: Set the AZURE_LINUX_OS_OFFERS configuration option to aLinuxOffer, anotherLinuxOffer
configuration:
  AZURE_LINUX_OS_OFFERS:
  - 'aLinuxOffer'
  - 'anotherLinuxOffer'

Azure Container Apps external ingress#

This configuration specifies whether if external ingress should be enabled or disabled.

Syntax:

configuration:
  AZURE_CONTAINERAPPS_RESTRICT_INGRESS: boolean # An boolean value

Default:

# YAML: The default AZURE_CONTAINERAPPS_RESTRICT_INGRESS configuration option
configuration:
  AZURE_CONTAINERAPPS_RESTRICT_INGRESS: false

Example:

# YAML: Set the AZURE_CONTAINERAPPS_RESTRICT_INGRESS configuration option to enabled
configuration:
  AZURE_CONTAINERAPPS_RESTRICT_INGRESS: true
Last update: 2023-04-06

Comments