-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Azure Policy Bot
committed
Jul 19, 2024
1 parent
851ae3a
commit 27ce7fa
Showing
4 changed files
with
248 additions
and
0 deletions.
There are no files selected for viewing
62 changes: 62 additions & 0 deletions
62
...Definitions/Azure Government/Kubernetes/MutateContainerAllowedCapabilitiesContainers.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| { | ||
| "properties": { | ||
| "displayName": "[Preview]: Mutate K8s Container to drop all capabilities", | ||
| "policyType": "BuiltIn", | ||
| "mode": "Microsoft.Kubernetes.Data", | ||
| "description": "Mutates securityContext.capabilities.drop to add in \"ALL\". This drops all capabilities for k8s linux containers", | ||
| "metadata": { | ||
| "version": "1.0.0-preview", | ||
| "category": "Kubernetes", | ||
| "preview": true | ||
| }, | ||
| "version": "1.0.0-preview", | ||
| "parameters": { | ||
| "effect": { | ||
| "type": "String", | ||
| "metadata": { | ||
| "displayName": "Effect", | ||
| "description": "'Mutate' modifies a non-compliant resource to be compliant when creating or updating. 'Disabled' turns off the policy.", | ||
| "portalReview": true | ||
| }, | ||
| "allowedValues": [ | ||
| "Mutate", | ||
| "Disabled" | ||
| ], | ||
| "defaultValue": "Mutate" | ||
| }, | ||
| "excludedNamespaces": { | ||
| "type": "Array", | ||
| "metadata": { | ||
| "displayName": "Namespace exclusions", | ||
| "description": "List of Kubernetes namespaces to exclude from policy evaluation." | ||
| }, | ||
| "defaultValue": [ | ||
| "kube-system", | ||
| "gatekeeper-system", | ||
| "azure-arc" | ||
| ] | ||
| } | ||
| }, | ||
| "policyRule": { | ||
| "if": { | ||
| "field": "type", | ||
| "equals": "Microsoft.ContainerService/managedClusters" | ||
| }, | ||
| "then": { | ||
| "effect": "[parameters('effect')]", | ||
| "details": { | ||
| "mutationInfo": { | ||
| "sourceType": "PublicURL", | ||
| "url": "https://store.policy.azure.us/kubernetes/mutate-container-allowed-capabilities-containers/v1/mutation.yaml" | ||
| }, | ||
| "excludedNamespaces": "[parameters('excludedNamespaces')]" | ||
| } | ||
| } | ||
| }, | ||
| "versions": [ | ||
| "1.0.0-PREVIEW" | ||
| ] | ||
| }, | ||
| "id": "/providers/Microsoft.Authorization/policyDefinitions/c873b3ba-c605-42e4-a64b-a142a93826fc", | ||
| "name": "c873b3ba-c605-42e4-a64b-a142a93826fc" | ||
| } |
62 changes: 62 additions & 0 deletions
62
...nitions/Azure Government/Kubernetes/MutateContainerAllowedCapabilitiesInitContainers.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| { | ||
| "properties": { | ||
| "displayName": "[Preview]: Mutate K8s Init Container to drop all capabilities", | ||
| "policyType": "BuiltIn", | ||
| "mode": "Microsoft.Kubernetes.Data", | ||
| "description": "Mutates securityContext.capabilities.drop to add in \"ALL\". This drops all capabilities for k8s linux init containers", | ||
| "metadata": { | ||
| "version": "1.0.0-preview", | ||
| "category": "Kubernetes", | ||
| "preview": true | ||
| }, | ||
| "version": "1.0.0-preview", | ||
| "parameters": { | ||
| "effect": { | ||
| "type": "String", | ||
| "metadata": { | ||
| "displayName": "Effect", | ||
| "description": "'Mutate' modifies a non-compliant resource to be compliant when creating or updating. 'Disabled' turns off the policy.", | ||
| "portalReview": true | ||
| }, | ||
| "allowedValues": [ | ||
| "Mutate", | ||
| "Disabled" | ||
| ], | ||
| "defaultValue": "Mutate" | ||
| }, | ||
| "excludedNamespaces": { | ||
| "type": "Array", | ||
| "metadata": { | ||
| "displayName": "Namespace exclusions", | ||
| "description": "List of Kubernetes namespaces to exclude from policy evaluation." | ||
| }, | ||
| "defaultValue": [ | ||
| "kube-system", | ||
| "gatekeeper-system", | ||
| "azure-arc" | ||
| ] | ||
| } | ||
| }, | ||
| "policyRule": { | ||
| "if": { | ||
| "field": "type", | ||
| "equals": "Microsoft.ContainerService/managedClusters" | ||
| }, | ||
| "then": { | ||
| "effect": "[parameters('effect')]", | ||
| "details": { | ||
| "mutationInfo": { | ||
| "sourceType": "PublicURL", | ||
| "url": "https://store.policy.azure.us/kubernetes/mutate-container-allowed-capabilities-initcontainers/v1/mutation.yaml" | ||
| }, | ||
| "excludedNamespaces": "[parameters('excludedNamespaces')]" | ||
| } | ||
| } | ||
| }, | ||
| "versions": [ | ||
| "1.0.0-PREVIEW" | ||
| ] | ||
| }, | ||
| "id": "/providers/Microsoft.Authorization/policyDefinitions/c812272d-7488-495f-a505-047d34b83f58", | ||
| "name": "c812272d-7488-495f-a505-047d34b83f58" | ||
| } |
62 changes: 62 additions & 0 deletions
62
...n-policies/policyDefinitions/Kubernetes/MutateContainerAllowedCapabilitiesContainers.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| { | ||
| "properties": { | ||
| "displayName": "[Preview]: Mutate K8s Container to drop all capabilities", | ||
| "policyType": "BuiltIn", | ||
| "mode": "Microsoft.Kubernetes.Data", | ||
| "description": "Mutates securityContext.capabilities.drop to add in \"ALL\". This drops all capabilities for k8s linux containers", | ||
| "metadata": { | ||
| "version": "1.0.0-preview", | ||
| "category": "Kubernetes", | ||
| "preview": true | ||
| }, | ||
| "version": "1.0.0-preview", | ||
| "parameters": { | ||
| "effect": { | ||
| "type": "String", | ||
| "metadata": { | ||
| "displayName": "Effect", | ||
| "description": "'Mutate' modifies a non-compliant resource to be compliant when creating or updating. 'Disabled' turns off the policy.", | ||
| "portalReview": true | ||
| }, | ||
| "allowedValues": [ | ||
| "Mutate", | ||
| "Disabled" | ||
| ], | ||
| "defaultValue": "Mutate" | ||
| }, | ||
| "excludedNamespaces": { | ||
| "type": "Array", | ||
| "metadata": { | ||
| "displayName": "Namespace exclusions", | ||
| "description": "List of Kubernetes namespaces to exclude from policy evaluation." | ||
| }, | ||
| "defaultValue": [ | ||
| "kube-system", | ||
| "gatekeeper-system", | ||
| "azure-arc" | ||
| ] | ||
| } | ||
| }, | ||
| "policyRule": { | ||
| "if": { | ||
| "field": "type", | ||
| "equals": "Microsoft.ContainerService/managedClusters" | ||
| }, | ||
| "then": { | ||
| "effect": "[parameters('effect')]", | ||
| "details": { | ||
| "mutationInfo": { | ||
| "sourceType": "PublicURL", | ||
| "url": "https://store.policy.core.windows.net/kubernetes/mutate-container-allowed-capabilities-containers/v1/mutation.yaml" | ||
| }, | ||
| "excludedNamespaces": "[parameters('excludedNamespaces')]" | ||
| } | ||
| } | ||
| }, | ||
| "versions": [ | ||
| "1.0.0-PREVIEW" | ||
| ] | ||
| }, | ||
| "id": "/providers/Microsoft.Authorization/policyDefinitions/c873b3ba-c605-42e4-a64b-a142a93826fc", | ||
| "name": "c873b3ba-c605-42e4-a64b-a142a93826fc" | ||
| } |
62 changes: 62 additions & 0 deletions
62
...licies/policyDefinitions/Kubernetes/MutateContainerAllowedCapabilitiesInitContainers.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| { | ||
| "properties": { | ||
| "displayName": "[Preview]: Mutate K8s Init Container to drop all capabilities", | ||
| "policyType": "BuiltIn", | ||
| "mode": "Microsoft.Kubernetes.Data", | ||
| "description": "Mutates securityContext.capabilities.drop to add in \"ALL\". This drops all capabilities for k8s linux init containers", | ||
| "metadata": { | ||
| "version": "1.0.0-preview", | ||
| "category": "Kubernetes", | ||
| "preview": true | ||
| }, | ||
| "version": "1.0.0-preview", | ||
| "parameters": { | ||
| "effect": { | ||
| "type": "String", | ||
| "metadata": { | ||
| "displayName": "Effect", | ||
| "description": "'Mutate' modifies a non-compliant resource to be compliant when creating or updating. 'Disabled' turns off the policy.", | ||
| "portalReview": true | ||
| }, | ||
| "allowedValues": [ | ||
| "Mutate", | ||
| "Disabled" | ||
| ], | ||
| "defaultValue": "Mutate" | ||
| }, | ||
| "excludedNamespaces": { | ||
| "type": "Array", | ||
| "metadata": { | ||
| "displayName": "Namespace exclusions", | ||
| "description": "List of Kubernetes namespaces to exclude from policy evaluation." | ||
| }, | ||
| "defaultValue": [ | ||
| "kube-system", | ||
| "gatekeeper-system", | ||
| "azure-arc" | ||
| ] | ||
| } | ||
| }, | ||
| "policyRule": { | ||
| "if": { | ||
| "field": "type", | ||
| "equals": "Microsoft.ContainerService/managedClusters" | ||
| }, | ||
| "then": { | ||
| "effect": "[parameters('effect')]", | ||
| "details": { | ||
| "mutationInfo": { | ||
| "sourceType": "PublicURL", | ||
| "url": "https://store.policy.core.windows.net/kubernetes/mutate-container-allowed-capabilities-initcontainers/v1/mutation.yaml" | ||
| }, | ||
| "excludedNamespaces": "[parameters('excludedNamespaces')]" | ||
| } | ||
| } | ||
| }, | ||
| "versions": [ | ||
| "1.0.0-PREVIEW" | ||
| ] | ||
| }, | ||
| "id": "/providers/Microsoft.Authorization/policyDefinitions/c812272d-7488-495f-a505-047d34b83f58", | ||
| "name": "c812272d-7488-495f-a505-047d34b83f58" | ||
| } |