Azure Governance and Management Blog

Azure Policy for Kubernetes releases support for custom policy

NehaKulkarni (Microsoft)
Sep 01, 2021

Azure Policy and AKS teams are excited to announce the public preview of custom policy support for Azure Kubernetes Service (AKS) clusters!

 

With this feature enabled, you can create and assign custom policy definitions and constraint templates to your AKS clusters. We are also rolling out several enhancements to AKS policy: enhanced error-state information for troubleshooting, definition schema changes that auto-generate constraints instead of requiring customer input, an updated Azure Policy extension for VS Code for easier authoring, and the ability to embed the constraint template inside the policy definition so that it has no dependency on an external endpoint.

 

Let’s walk through the cool new features step-by-step! 

 

Embed Your Constraint Template Using TemplateInfo  

```json
"then": {
  "effect": "[parameters('effect')]",
  "details": {
    "templateInfo": {
      "sourceType": "PublicURL",
      "url": "https://store.policy.core.windows.net/kubernetes/container-allowed-images/v1/template.yaml"
    }
  }
}
```

Azure Policy is introducing a new property, templateInfo, that lets users define the source type of the constraint template. By defining templateInfo in a policy definition, users no longer have to define the constraintTemplate or constraint properties. Users still need to define apiGroups and kinds; more on that below. TemplateInfo initially supports two source types for the constraint template: Base64Encoded and PublicURL. The Base64Encoded format allows users to privately embed the constraint template within the policy definition itself.

 

Learn more about templateInfo in our documentation.

 

Generate Custom Policy Definitions Using Azure Policy’s Visual Studio Code Extension 

 

Users are encouraged to use the Azure Policy Visual Studio (VS) Code Extension to adopt this new capability and create their custom Microsoft.Kubernetes.Data definitions seamlessly. With the VS Code Extension, once a user provides any Open Policy Agent (OPA) Gatekeeper v3 constraint template, they can auto-generate their policy definition JSON file.

 

Here’s how it works: 

  1. Confirm you've installed the Azure Policy VS Code Extension.
  2. Open the valid constraint template YAML file you would reference in your policy definition. The YAML file must be open for the Command Palette to display the auto-generation option.
  3. From the menu bar, go to View > Command Palette, and enter Azure Policy for Kubernetes: Create Policy Definition from Constraint Template.
  4. Select the appropriate sourceType value. This is where you choose how your constraint template is referenced in your policy definition: as a public URL, or privately encoded within the policy definition using the Embedded format.
  5. Select the Base64Encoded (Embedded) option to check it out. Once you select it, a new file opens with your auto-generated policy definition. Make sure to fill in the /* EDIT HERE */ portions of the policy definition JSON with actual values.
 

 

Remember to take this completed policy definition JSON to the Azure portal or another supported SDK to create the policy definition within your Azure environment. 

 

Learn more about the Azure Policy VS Code Extension in our documentation. 

 

Defining API Groups & Kinds In Your Custom Definitions 

 

It's important to note that with the new templateInfo property, users are expected to define apiGroups and kinds directly in their policy definitions, since the constraint and constraintTemplate properties are no longer used.

 

Here’s a quick refresher of apiGroups and kinds: 

 

Users have seen these fields in a constraint file previously, like this:

 

 

Let’s go through a quick example!

 

We would like to create a custom policy definition for AKS clusters that allows only images whose names follow a specific naming convention, in other words only allowed images. We will use a constraint template from the Azure Policy library.

 

We defined apiGroups as [""] because we chose to include the core apiGroup.

 

We specified "Pod" in the kinds property to limit constraint application to the pod level.

 

Therefore, after using the VS Code Extension to generate our Azure Policy custom policy definition and filling in the right values, the 'then' clause of our policy definition looks like this:

 

 

```json
"then": {
  "effect": "[parameters('effect')]",
  "details": {
    "templateInfo": {
      "sourceType": "PublicURL",
      "url": "https://store.policy.core.windows.net/kubernetes/container-allowed-images/v1/template.yaml"
    },
    "excludedNamespaces": "[parameters('excludedNamespaces')]",
    "namespaces": "[parameters('namespaces')]",
    "values": {
      "imageRegex": "^.+azurecr.io\/.+$",
      "excludedNamespaces": "[parameters('excludedNamespaces')]"
    },
    "apiGroups": [
      ""
    ],
    "kinds": [
      "Pod"
    ]
  }
}
```
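As an added example (not code from this post, nor from the Azure Policy VS Code extension), the following Python assembles a Microsoft.Kubernetes.Data definition the way the templateInfo and apiGroups/kinds sections above describe, for either sourceType, and decodes an embedded template back out for review. The constraint template is a constructed sample, and the `content` property name used for the Base64Encoded payload is an assumption.

```python
import base64

# Constructed sample (not the Azure Policy library template): a minimal
# Gatekeeper v3 constraint template that restricts container image names.
SAMPLE_TEMPLATE_YAML = """\
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata: {name: k8sallowedimages}
spec:
  crd: {spec: {names: {kind: K8sAllowedImages}}}
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sallowedimages
        violation[{"msg": msg}] {
          c := input.review.object.spec.containers[_]
          not re_match(input.parameters.imageRegex, c.image)
          msg := sprintf("image %v is not allowed", [c.image])
        }
"""

def template_info(template_yaml, source_type, url=None):
    """templateInfo for either sourceType; no constraint/constraintTemplate needed."""
    if source_type == "PublicURL":
        return {"sourceType": "PublicURL", "url": url}
    if source_type == "Base64Encoded":
        # 'content' is assumed to be the property carrying the embedded template.
        encoded = base64.b64encode(template_yaml.encode()).decode("ascii")
        return {"sourceType": "Base64Encoded", "content": encoded}
    raise ValueError(f"unsupported sourceType: {source_type}")

def build_definition(template_yaml, source_type, api_groups, kinds, values, url=None):
    """Microsoft.Kubernetes.Data definition; apiGroups and kinds must be explicit."""
    return {
        "mode": "Microsoft.Kubernetes.Data",
        "parameters": {"effect": {"type": "String", "defaultValue": "audit",
                                  "allowedValues": ["audit", "deny", "disabled"]}},
        "policyRule": {
            "if": {"field": "type", "in": ["Microsoft.ContainerService/managedClusters"]},
            "then": {"effect": "[parameters('effect')]", "details": {
                "templateInfo": template_info(template_yaml, source_type, url),
                "apiGroups": api_groups, "kinds": kinds, "values": values}}}}

def embedded_template(definition):
    """Decode the embedded template so the exact Rego to be enforced can be
    reviewed with no dependency on an external endpoint."""
    info = definition["policyRule"]["then"]["details"]["templateInfo"]
    if info["sourceType"] != "Base64Encoded":
        raise ValueError("definition references an external template")
    return base64.b64decode(info["content"]).decode()
```

Embedding the template means the policy definition you review in the portal is exactly what the add-on will enforce; with PublicURL, the template at the URL can change independently of the definition.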

Let us know what you think of these additions to the Azure Policy experience in the comments below! 

Updated Sep 01, 2021
Version 1.0
  • ltmleo

    Hello, is there any way to use a CLI or something to do this? Using the constraints directly would be great; I can't see why I need Azure Policy in this case, since the Azure Policy portal does not even show which resources in AKS are not compliant.

  • Hi krupakarreddy, custom policies that target AKS clusters or AKS components are both GA'd, but data replication scenarios are on our roadmap. Feel free to reach out to policypm@microsoft.com for any follow-up questions; we would be happy to chat more about your scenario.

  • Hi AshutoshNirkhe & Ale_Sandro, yes, please visit this link for deploying policy via Terraform. Please note that you'll need to specify the mode as Microsoft.Kubernetes.Data for policy assignments that target Kubernetes components (pods, containers, etc.). Ale_Sandro, can you clarify what you mean by "Also can I use rego files which are easier to find instead of constraint templates?"

    And AshutoshNirkhe, glad to hear that you like the experience! Feel free to send us any thoughts/input to AzPolicyKube@microsoft.com. We'd be happy to chat.

  • krupakar

    NehaKulkarni  

    Currently I am unable to create a custom Azure policy for AKS which requires access to state data. For example, to create a policy for unique ingress hostnames in an AKS cluster, it is impossible to know if an ingress's hostname is unique among all ingresses unless a rule has access to all other ingresses. To make such rules possible, we need to enable syncing of data into OPA. Kubernetes data can be replicated into OPA via the sync config resource.
    One more example would be unique service selectors (to enforce a requirement where services must have globally unique selectors).
    Currently the config can't be edited for the Azure Policy add-on.
  • Hi krupakar, thanks for your question! Syncing with the OPA cache is not supported today through the Azure Policy add-on for Kubernetes, which is why your custom policy is not functioning as expected. However, we'd love to hear more about your use case and why this policy is valuable for your organization, to help our investigation into how to support this functionality in the future. Please feel free to get in touch with us at AzPolicyKube@microsoft.com.

  • Ale_Sandro

    Hi, is there a way to do that with Terraform, filling in the parameters fields as well?

    Also, can I use rego files, which are easier to find, instead of constraint templates?