Azure Policy for AKS
Published Oct 22 2020 05:16 PM 4,533 Views

Azure Policy for Azure Kubernetes Service (AKS) clusters now utilizes/extends Gatekeeper v3 (OPA). The overview, installation steps for the Azure Policy add-on, limitations and recommendations are documented here -
- --- - --- -
In this article,  the need and advantages of using the Azure Policy add-on for AKS will be highlighted  and guidance given on how to look  beyond a few limitations that exist at the moment.

First off, I am depicting the 3 Gatekeeper pods in the following image - which are  utilized after the Azure Policy add-on has been enabled for an AKS cluster - reiterating the utilization of  Gatekeeper.



Advantage and Necessity for using the  Azure Policy add-on 

1. By installing / enabling  the Azure Policy add-on customers can gain the inherent benefits of utilizing a managed add-on - the most important benefit being that  - they would not need to resort to any manual upgrades if/when there is a version upgrade of Gatekeeper itself.

2. Azure Security Center actually requires the add-on to audit and enforce security capabilities and compliance inside your clusters.


However, at present there are a few limitations. Let us focus on 2  limitations from the present list -
1.Installations of Gatekeeper outside of the Azure Policy Add-on aren't supported. Uninstall any components installed by a previous Gatekeeper installation before enabling the Azure Policy Add-on.
2. Only built-in policy definitions are supported.

This means that the customer would not be able to utilize custom policies - considering - only built-in policies are supported + the usage of the add-on precludes any native Gatekeeper installation/usage.


Looking beyond limitations - 
So, for customers requiring policies beyond the existing  list of built-in policies, the overarching guidance is to use a combination of preventive and detective measures to achieve the same objective as their intended custom policies.
As an example - one of the customers wanted to take the policy driven route to ensure that the [default] namespace usage is always prohibited. At the time of this writing - it is not a built-in policy - so a preventive measure this customer could take is utilize Kubernetes native capabilities / RBAC as part of their deployment pipeline not allowing objects to be created in the [default] namespace.
Essentially, a preventive process enhancement to achieve their original objective.

The Azure Policy add-on is an advantage-laden route  to take  -
1. Utilize  the set of built-in Kubernetes policies as applicable
2. and combine them with preventive + detective measures to achieve  any custom policy intent - that may not exist today.

Version history
Last update:
‎Oct 23 2020 01:22 PM
Updated by: