
Azure Policy Refresh #317

Merged
merged 16 commits into from
May 24, 2022

Conversation

@ckittel ckittel (Member) commented May 19, 2022

Refreshing our Azure Policy assignments. This PR will not address adding custom in-cluster policies.

Changes:

  • No longer building tenant resource IDs for policy definitions by hand, now using built-in tenantResourceId() function
  • Added Gatekeeper constraint names to bicep file for easy cross referencing
  • Included flux-system (it is created by an extension) in more excludedNamespaces on policy assignments
  • Went from audit -> Audit and deny -> Deny to better align with the defaults.
  • Documented all known policy violations
  • Updated API versions related to Azure Policy assignments
  • Populated description on all Azure Policy assignments
  • Ensure take() is applied to all policy names to prevent a long RG name breaking the assignment name
  • Updated the following previously applied Azure Policy for Kubernetes policy assignments:
    • K8sAzureContainerAllowedImages
      • Added proper RegEx escaping for . in the allow list
      • Removed azurearcfork8s.azurecr.io/azurearcflux/images/stable/.+$ as those flux images are now sourced from MCR.
    • K8sAzureContainerLimits
      • No longer including cluster-baseline-settings
      • Updated limits to match cluster workload requirements.
    • K8sAzureReadOnlyRootFilesystem
      • Moved from Audit to Deny
      • Added specific exceptions for the cluster's workloads
  • Assigned the following built-in Azure Policy for Kubernetes policies:
    • K8sAzureHostFilesystem (Deny)
    • K8sAzureExternalIPs (Deny)
    • K8sAzureBlockEndpointEditDefaultRole (Audit)
    • K8sAzureBlockDefault (Audit)
  • Assigned the following built-in Azure Policy policies:
    • Authorized IP ranges should be defined on Kubernetes Services
    • Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version
    • Role-Based Access Control (RBAC) should be used on Kubernetes Services
    • Azure Kubernetes Service Clusters should use managed identities
    • Container registries should have anonymous authentication disabled
    • Container registries should have local admin account disabled

Unrelated changes bundled in this PR:

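An added example in Bicep (not code from this PR or from the repository it belongs to) that shows the assignment patterns the description lists side by side: tenantResourceId() for the definition ID, take() on the assignment name, the Gatekeeper constraint name kept as a comment for cross-referencing, flux-system in excludedNamespaces, and backslash-escaped dots in the image allow-list regex. The definition GUIDs are placeholders, the acrName parameter and the name suffixes are assumptions, and the parameter names (effect, excludedNamespaces, allowedContainerImagesRegex) are those of the built-in definitions.

```bicep
// Added example, not from the PR: two Azure Policy for Kubernetes assignments
// scoped to an existing AKS cluster.
targetScope = 'resourceGroup'

@description('Name of the existing AKS cluster the assignments are scoped to.')
param clusterName string

@description('Name of the ACR the cluster pulls workload images from (assumed parameter, not from the PR).')
param acrName string

// Placeholder definition GUIDs: replace with the real built-in definition IDs
// from the Azure Policy definition list. tenantResourceId() builds the
// '/providers/Microsoft.Authorization/policyDefinitions/<guid>' ID instead of
// concatenating it by hand.
var readOnlyRootFsDefinitionId = tenantResourceId('Microsoft.Authorization/policyDefinitions', '<built-in-definition-guid-1>')
var allowedImagesDefinitionId = tenantResourceId('Microsoft.Authorization/policyDefinitions', '<built-in-definition-guid-2>')

// Namespaces owned by AKS or by cluster extensions rather than by workloads.
// flux-system is created by the Flux extension, so it is excluded as well.
var systemNamespaces = [
  'kube-system'
  'gatekeeper-system'
  'azure-arc'
  'flux-system'
]

resource mc 'Microsoft.ContainerService/managedClusters@2022-03-01' existing = {
  name: clusterName
}

// Gatekeeper constraint: K8sAzureReadOnlyRootFilesystem
// take() caps the assignment name at the 64-character limit that applies
// outside management-group scope, so a long resource group name cannot make
// the deployment fail.
resource paReadOnlyRootFs 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
  name: take('${resourceGroup().name}-k8s-readonly-rootfs', 64)
  scope: mc
  properties: {
    displayName: 'Kubernetes cluster containers should run with a read only root file system'
    description: 'Denies pods in ${clusterName} whose containers do not set readOnlyRootFilesystem: true. System and extension namespaces are excluded.'
    policyDefinitionId: readOnlyRootFsDefinitionId
    enforcementMode: 'Default'
    parameters: {
      effect: {
        value: 'Deny'
      }
      excludedNamespaces: {
        value: systemNamespaces
      }
    }
  }
}

// Gatekeeper constraint: K8sAzureContainerAllowedImages
// Bicep strings use backslash as the escape character, so '\\.' in source
// reaches Gatekeeper as '\.', a literal dot. An unescaped '.' matches any
// character, so a registry such as mcr-microsoft.com would also pass the
// allow list.
resource paAllowedImages 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
  name: take('${resourceGroup().name}-k8s-allowed-images', 64)
  scope: mc
  properties: {
    displayName: 'Kubernetes cluster containers should only use allowed images'
    description: 'Denies pods in ${clusterName} that pull images from any registry other than ${acrName}.azurecr.io or mcr.microsoft.com.'
    policyDefinitionId: allowedImagesDefinitionId
    enforcementMode: 'Default'
    parameters: {
      effect: {
        value: 'Deny'
      }
      excludedNamespaces: {
        value: systemNamespaces
      }
      allowedContainerImagesRegex: {
        value: '^(${acrName}\\.azurecr\\.io|mcr\\.microsoft\\.com)/.+$'
      }
    }
  }
}
```

Deploy it into the cluster's resource group with `az deployment group create` and the two parameters; the assignments are extension resources on the cluster, so `scope: mc` keeps them from applying to other AKS clusters that might share the resource group. Because both assignments use the Deny effect, a pod that violates either constraint is rejected at admission rather than merely reported, which is why the exclusion list has to cover every namespace the platform itself writes to.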
@ckittel ckittel self-assigned this May 19, 2022
@ckittel ckittel added the enhancement New feature or request label May 19, 2022 — with GitHub Codespaces
@ckittel ckittel changed the title from "[WIP] Azure Policy Refresh" to "Azure Policy Refresh" May 23, 2022
@ckittel ckittel marked this pull request as ready for review May 23, 2022 21:36
@ckittel ckittel requested a review from ferantivero May 23, 2022 21:36
@ferantivero ferantivero (Contributor) left a comment

w00t nicely done @ckittel, a few comments below to be discussed.

Review threads (all resolved): cluster-stamp.bicep (6 threads, 4 marked outdated), acr-stamp.bicep (1 thread, marked outdated)
@ferantivero ferantivero (Contributor) left a comment

w00t great additions @ckittel LGTM 🚀

@ckittel ckittel merged commit 3b96222 into main May 24, 2022
@ckittel ckittel deleted the azure-policy-update branch May 24, 2022 16:53
Linked issue (may be closed by merging this pull request): cluster-stamp.bicep produces some warnings on deployment