Built-in Policy Release f2126eef (#1191)
Co-authored-by: Azure Policy Bot <azgovpolicy@microsoft.com>
pilor and Azure Policy Bot authored Aug 2, 2023
1 parent eeb0000 commit dda7b19
Showing 16 changed files with 358 additions and 144 deletions.
@@ -1,20 +1,20 @@
{
"properties": {
"displayName": "[Preview]: [AKS Guardrails] Cannot Edit Individual Nodes",
"displayName": "[Preview]: Cannot Edit Individual Nodes",
"policyType": "BuiltIn",
"mode": "Microsoft.Kubernetes.Data",
"description": "Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools.",
"metadata": {
"version": "1.0.0-preview",
"version": "1.0.1-preview",
"category": "Kubernetes",
"preview": true
},
"version": "1.0.0-preview",
"version": "1.0.1-preview",
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "[AKS Guardrails] Effect",
"displayName": "Effect",
"description": "'audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'deny' blocks the non-compliant resource creation or update. 'disabled' turns off the policy."
},
"allowedValues": [
Expand All @@ -27,7 +27,7 @@
"excludedNamespaces": {
"type": "Array",
"metadata": {
"displayName": "[AKS Guardrails] Namespace exclusions",
"displayName": "Namespace exclusions",
"description": "List of Kubernetes namespaces to exclude from policy evaluation."
},
"defaultValue": [
Expand All @@ -39,15 +39,15 @@
"namespaces": {
"type": "Array",
"metadata": {
"displayName": "[AKS Guardrails] Namespace inclusions",
"displayName": "Namespace inclusions",
"description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
},
"defaultValue": []
},
"labelSelector": {
"type": "Object",
"metadata": {
"displayName": "[AKS Guardrails] Kubernetes label selector",
"displayName": "Kubernetes label selector",
"description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
},
"defaultValue": {},
Expand Down Expand Up @@ -106,14 +106,14 @@
"allowedUsers": {
"type": "Array",
"metadata": {
"displayName": "[AKS Guardrails] Allowed Users",
"displayName": "Allowed Users",
"description": "Users that are allowed by AKS Guardrails to modify node labels on individual nodes."
}
},
"allowedGroups": {
"type": "Array",
"metadata": {
"displayName": "[AKS Guardrails] Allowed Groups",
"displayName": "Allowed Groups",
"description": "Groups that are allowed by AKS Guardrails to modify node labels on individual nodes."
}
}
@@ -1,20 +1,20 @@
{
"properties": {
"displayName": "[Preview]: [AKS Guardrails] Must Have Anty Affinity Rules Set",
"displayName": "[Preview]: Must Have Anti Affinity Rules Set",
"policyType": "BuiltIn",
"mode": "Microsoft.Kubernetes.Data",
"description": "Requires affinity rules to be set.",
"metadata": {
"version": "1.0.0-preview",
"version": "1.0.1-preview",
"category": "Kubernetes",
"preview": true
},
"version": "1.0.0-preview",
"version": "1.0.1-preview",
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "[AKS Guardrails] Effect",
"displayName": "Effect",
"description": "'audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'deny' blocks the non-compliant resource creation or update. 'disabled' turns off the policy."
},
"allowedValues": [
Expand All @@ -27,7 +27,7 @@
"excludedNamespaces": {
"type": "Array",
"metadata": {
"displayName": "[AKS Guardrails] Namespace exclusions",
"displayName": "Namespace exclusions",
"description": "List of Kubernetes namespaces to exclude from policy evaluation."
},
"defaultValue": [
Expand All @@ -39,15 +39,15 @@
"namespaces": {
"type": "Array",
"metadata": {
"displayName": "[AKS Guardrails] Namespace inclusions",
"displayName": "Namespace inclusions",
"description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
},
"defaultValue": []
},
"labelSelector": {
"type": "Object",
"metadata": {
"displayName": "[AKS Guardrails] Kubernetes label selector",
"displayName": "Kubernetes label selector",
"description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
},
"defaultValue": {},
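Review bot: The corrected displayName now reads "Must Have Anti Affinity Rules Set", but the description a few lines below it still says `"description": "Requires affinity rules to be set.",`, so title and description disagree on what the policy enforces. If anti-affinity is the intended requirement, change it to `"description": "Requires anti-affinity rules to be set.",` in the same commit as the rename. The policyRule that would settle which reading is correct is outside the hunk, so this is inferred from the title alone.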
@@ -1,20 +1,20 @@
{
"properties": {
"displayName": "[Preview]: [AKS Guardrails] No AKS Specific Labels",
"displayName": "[Preview]: No AKS Specific Labels",
"policyType": "BuiltIn",
"mode": "Microsoft.Kubernetes.Data",
"description": "Prevents customers from applying AKS specific labels",
"metadata": {
"version": "1.0.0-preview",
"version": "1.0.1-preview",
"category": "Kubernetes",
"preview": true
},
"version": "1.0.0-preview",
"version": "1.0.1-preview",
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "[AKS Guardrails] Effect",
"displayName": "Effect",
"description": "'audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'deny' blocks the non-compliant resource creation or update. 'disabled' turns off the policy."
},
"allowedValues": [
Expand All @@ -27,7 +27,7 @@
"excludedNamespaces": {
"type": "Array",
"metadata": {
"displayName": "[AKS Guardrails] Namespace exclusions",
"displayName": "Namespace exclusions",
"description": "List of Kubernetes namespaces to exclude from policy evaluation."
},
"defaultValue": [
Expand All @@ -39,15 +39,15 @@
"namespaces": {
"type": "Array",
"metadata": {
"displayName": "[AKS Guardrails] Namespace inclusions",
"displayName": "Namespace inclusions",
"description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
},
"defaultValue": []
},
"labelSelector": {
"type": "Object",
"metadata": {
"displayName": "[AKS Guardrails] Kubernetes label selector",
"displayName": "Kubernetes label selector",
"description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
},
"defaultValue": {},
Expand Down Expand Up @@ -106,21 +106,21 @@
"labels": {
"type": "Array",
"metadata": {
"displayName": "[AKS Guardrails] AKS Specific Labels",
"displayName": "AKS Specific Labels",
"description": "Labels specific to AKS."
}
},
"allowedUsers": {
"type": "Array",
"metadata": {
"displayName": "[AKS Guardrails] Allowed Users",
"displayName": "Allowed Users",
"description": "Users that are allowed to use AKS specific labels."
}
},
"allowedGroups": {
"type": "Array",
"metadata": {
"displayName": "[AKS Guardrails] Allowed Groups",
"displayName": "Allowed Groups",
"description": "Groups that are allowed to use AKS specific labels."
}
}
@@ -1,20 +1,20 @@
{
"properties": {
"displayName": "[Preview]: [AKS Guardrails] Reserved System Pool Taints",
"displayName": "[Preview]: Reserved System Pool Taints",
"policyType": "BuiltIn",
"mode": "Microsoft.Kubernetes.Data",
"description": "Restricts the CriticalAddonsOnly taint to just the system pool",
"metadata": {
"version": "1.0.0-preview",
"version": "1.0.1-preview",
"category": "Kubernetes",
"preview": true
},
"version": "1.0.0-preview",
"version": "1.0.1-preview",
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "[AKS Guardrails] Effect",
"displayName": "Effect",
"description": "'audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'deny' blocks the non-compliant resource creation or update. 'disabled' turns off the policy."
},
"allowedValues": [
Expand All @@ -27,7 +27,7 @@
"excludedNamespaces": {
"type": "Array",
"metadata": {
"displayName": "[AKS Guardrails] Namespace exclusions",
"displayName": "Namespace exclusions",
"description": "List of Kubernetes namespaces to exclude from policy evaluation."
},
"defaultValue": [
Expand All @@ -39,15 +39,15 @@
"namespaces": {
"type": "Array",
"metadata": {
"displayName": "[AKS Guardrails] Namespace inclusions",
"displayName": "Namespace inclusions",
"description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
},
"defaultValue": []
},
"labelSelector": {
"type": "Object",
"metadata": {
"displayName": "[AKS Guardrails] Kubernetes label selector",
"displayName": "Kubernetes label selector",
"description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
},
"defaultValue": {},
Expand Down Expand Up @@ -106,7 +106,7 @@
"reservedTaints": {
"type": "Array",
"metadata": {
"displayName": "[AKS Guardrails] Reserved Taints",
"displayName": "Reserved Taints",
"description": "Reserved taints."
}
}
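--- /dev/null
+++ b/NEW_FILE_PATH_NOT_SHOWN
@@ -0,0 +1,78 @@
+{
+"properties": {
+"displayName": "[Preview]: Immutability must be enabled for Recovery Services vaults",
+"description": "This policy audits if the immutable vaults property is enabled for Recovery Services vaults in the scope. This helps protect your backup data from being deleted before its intended expiry. Learn more at https://aka.ms/AB-ImmutableVaults.",
+"policyType": "BuiltIn",
+"mode": "Indexed",
+"metadata": {
+"version": "1.0.0-preview",
+"preview": true,
+"category": "Backup"
+},
+"version": "1.0.0-preview",
+"parameters": {
+"effect": {
+"type": "String",
+"metadata": {
+"displayName": "Effect",
+"description": "Enable or disable the execution of the policy."
+},
+"allowedValues": [
+"Audit",
+"Disabled"
+],
+"defaultValue": "Audit"
+},
+"checkLockedImmutabilityOnly": {
+"type": "Boolean",
+"metadata": {
+"displayName": "CheckLockedImmutabilityOnly",
+"description": "This parameter checks if Immutability is locked for Recovery Services Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant."
+},
+"allowedValues": [
+true,
+false
+],
+"defaultValue": true
+}
+},
+"policyRule": {
+"if": {
+"allOf": [
+{
+"field": "type",
+"equals": "Microsoft.RecoveryServices/vaults"
+},
+{
+"anyOf": [
+{
+"field": "Microsoft.RecoveryServices/vaults/securitySettings.immutabilitySettings.state",
+"notIn": [
+"Locked",
+"UnLocked"
+]
+},
+{
+"allOf": [
+{
+"value": "[parameters('checkLockedImmutabilityOnly')]",
+"equals": true
+},
+{
+"field": "Microsoft.RecoveryServices/vaults/securitySettings.immutabilitySettings.state",
+"notEquals": "Locked"
+}
+]
+}
+]
+}
+]
+},
+"then": {
+"effect": "[parameters('effect')]"
+}
+}
+},
+"id": "/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868",
+"name": "d6f6f560-14b7-49a4-9fc8-d2c3a9807868"
+}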
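Review bot: The `checkLockedImmutabilityOnly` parameter description says a `false` setting accepts vaults whose immutability is 'Enabled' or 'Locked', but the rule's `notIn` list on `immutabilitySettings.state` accepts `Locked` and `UnLocked`, so the documented vocabulary and the evaluated one differ. Align the description with the values actually compared, e.g. `Selecting 'false' will mark vaults that have Immutability either 'Unlocked' or 'Locked' as compliant.` Separately, the Recovery Services REST enum spells the value `Unlocked` as far as I know; Azure Policy string comparisons are case-insensitive in my understanding, so `UnLocked` should still match, but using the API's casing avoids depending on that.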
Expand Up @@ -5,10 +5,10 @@
"mode": "All",
"description": "Private endpoint connections enforce secure communication by enabling private connectivity to Guest Configuration for virtual machines. Virtual machines will be non-compliant unless they have the tag, 'EnablePrivateNetworkGC'. This tag enforces secure communication through private connectivity to Guest Configuration for Virtual Machines. Private connectivity limits access to traffic coming only from known networks and prevents access from all other IP addresses, including within Azure.",
"metadata": {
"version": "1.0.0",
"version": "1.1.0",
"category": "Guest Configuration"
},
"version": "1.0.0",
"version": "1.1.0",
"parameters": {
"effect": {
"type": "String",
Expand All @@ -29,11 +29,7 @@
"allOf": [
{
"field": "type",
"equals": "Microsoft.GuestConfiguration/guestConfigurationAssignments"
},
{
"field": "id",
"contains": "Microsoft.Compute/virtualMachines"
"equals": "Microsoft.Compute/virtualMachines"
},
{
"not": {
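Review bot: Swapping the `id` `contains` check for `"equals": "Microsoft.Compute/virtualMachines"` on `type` changes which resources are evaluated, and the bump to 1.1.0 does not say so: the old substring match on the assignment id could also have matched ids that merely embed that segment (scale-set instance ids, for example), whereas an exact type match selects standalone virtual machines only. If that narrowing is intended it is worth a sentence in the description, which still only speaks of "virtual machines"; if scale sets should stay in scope, `"in": ["Microsoft.Compute/virtualMachines", "Microsoft.Compute/virtualMachineScaleSets"]` on `type` would keep them, assuming the tag condition applies to both. The `not` block that carries the 'EnablePrivateNetworkGC' tag check starts on the last line of the hunk and continues outside it, so I could not confirm its remaining conditions evaluate correctly against the VM resource rather than the guest configuration assignment.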
