Update AKS_DisableRunCommand_Deploy.json #1239

Closed
wants to merge 1 commit into from

denniszielke

If dnsprefix is not set on the cluster then the policy will fail. So this check should prevent that.
However it might be more suitable to upgrade the ARM api version to a more recent level and make the upgrade only change one value and not write every value.

robga (Collaborator) commented Dec 7, 2023

Changes cannot be made to built-in policies directly in this repo. If you find an issue in a built-in policy, feel free to open an issue, or open a Microsoft Azure support ticket. Changes to built-ins are made out-of-band and will be represented in this repo after the next built-in policy release.
https://github.com/Azure/azure-policy/tree/master/built-in-policies#contributing

I have notified the team that owns the built-in policy. They will triage.

fseldow (Collaborator) commented Dec 8, 2023

Hi @denniszielke, thanks for the feedback.
I have one quick question: can you share the scenario in which a cluster has no dnsprefix? From my side, it should be abnormal for dnsprefix not to exist on an existing cluster.

fseldow (Collaborator) commented Dec 8, 2023

About "However it might be more suitable to upgrade the ARM api version to a more recent level and make the upgrade only change one value and not write every value.":

Currently, we have a design conflict between the 'deny' policy and AKS partial PUT. It means that if the DINE policy does not provide the full template, it may be rejected by a 'deny' policy, because the deny effect policy only checks the request body and assumes all PUT requests are full. Though we have stopped providing more 'deny' effect control plane AKS built-in policies, customers may still have their own customer policies. That is the reason we choose to provide the full ARM template as far as possible.

About the apiversion upgrade, I will try to bump it where possible. The concern is that the newer API will contain more conflicting properties. Some of them require linked permissions that are not included in any built-in role. So the bump progress might be slow.

denniszielke (Author) commented

@fseldow I have a set of customers that created clusters where that policy always fails because that property is not set.
The added if clause fixed it for them, hence the ask to fix the policy.

fseldow (Collaborator) commented Jan 22, 2024

The policy is updated without dnsprefix so that it should not catch that error. Since I cannot repro an empty dnsprefix from my side, please contact me if the issue still persists. @denniszielke

robga closed this Feb 26, 2024