Azure Policy for AKS
Microsoft

Azure Policy for Azure Kubernetes Service (AKS) clusters now utilizes/extends Gatekeeper v3 (OPA). The overview, installation steps for the Azure Policy add-on, limitations and recommendations are documented here - https://aka.ms/kubepolicydoc
- --- - --- -
In this article, the need for and advantages of using the Azure Policy add-on for AKS are highlighted, and guidance is given on how to look beyond a few limitations that exist at the moment.


First off, I am depicting the 3 Gatekeeper pods in the following image, which are utilized after the Azure Policy add-on has been enabled for an AKS cluster, reiterating that the add-on runs on Gatekeeper.

[Image: GateKeeper_Pods.PNG]

Advantage and Necessity for using the Azure Policy add-on

1. By installing / enabling the Azure Policy add-on, customers gain the inherent benefits of a managed add-on, the most important being that they do not need to perform any manual upgrades if/when there is a version upgrade of Gatekeeper itself.

2. Azure Security Center actually requires the add-on to audit and enforce security capabilities and compliance inside your clusters.


Limitations
However, at present there are a few limitations (https://docs.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes#limitations). Let us focus on 2 limitations from the present list -
1. Installations of Gatekeeper outside of the Azure Policy Add-on aren't supported. Uninstall any components installed by a previous Gatekeeper installation before enabling the Azure Policy Add-on.
2. Only built-in policy definitions are supported.

This means that the customer would not be able to utilize custom policies: only built-in policies are supported, and the usage of the add-on precludes any native Gatekeeper installation/usage.


Looking beyond limitations -
So, for customers requiring policies beyond the existing list of built-in policies, the overarching guidance is to use a combination of preventive and detective measures to achieve the same objective as their intended custom policies.
As an example, one of the customers wanted to take the policy-driven route to ensure that usage of the [default] namespace is always prohibited. At the time of this writing it is not a built-in policy, so a preventive measure this customer could take is to utilize Kubernetes native capabilities / RBAC as part of their deployment pipeline, not allowing objects to be created in the [default] namespace.
Essentially, a preventive process enhancement to achieve their original objective.
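One way to implement the pipeline-side preventive measure described above, as an added example that is not part of the original post or of the Azure Policy add-on: a small Python gate that inspects rendered manifests and fails the build when any namespaced object targets `default` or omits a namespace. It assumes the pipeline renders manifests to JSON first (for instance with `kubectl apply --dry-run=client -o json -f app.yaml`); the allowlist of cluster-scoped kinds, the function names and the sample objects are constructed for this example. Kubernetes RBAC is allow-only, so the complementary RBAC step is to bind the pipeline identity to Roles only in approved namespaces and give it no grants in `default`; this script catches the mistake before it surfaces as an apply error.

```python
import json
import sys

# Kinds that are cluster-scoped and therefore legitimately carry no namespace.
# Constructed allowlist for this example; extend it for any cluster-scoped CRDs.
CLUSTER_SCOPED_KINDS = {
    "Namespace", "Node", "PersistentVolume", "StorageClass", "PriorityClass",
    "IngressClass", "ClusterRole", "ClusterRoleBinding",
    "CustomResourceDefinition", "ValidatingWebhookConfiguration",
    "MutatingWebhookConfiguration",
}

# Namespaces the pipeline must never deploy into (the post's [default] case).
PROHIBITED_NAMESPACES = {"default"}


def flatten(obj):
    """Yield individual objects; a v1 List (as `kubectl get -o json` emits) is unwrapped."""
    if obj.get("kind") == "List":
        for item in obj.get("items", []):
            yield from flatten(item)
    else:
        yield obj


def parse_json_stream(text):
    """Parse one JSON object, or several concatenated ones, into a flat object list."""
    decoder = json.JSONDecoder()
    objects, idx = [], 0
    while idx < len(text):
        if text[idx].isspace():
            idx += 1
            continue
        obj, idx = decoder.raw_decode(text, idx)
        objects.extend(flatten(obj))
    return objects


def check_objects(objects):
    """Return a list of violation strings; an empty list means the manifest passes."""
    violations = []
    for obj in objects:
        kind = obj.get("kind", "<unknown>")
        meta = obj.get("metadata") or {}
        name = meta.get("name", "<unnamed>")
        ns = meta.get("namespace")
        if kind in CLUSTER_SCOPED_KINDS:
            continue
        if ns is None:
            # A missing namespace is not neutral: kubectl falls back to the
            # kubeconfig context's namespace, which is usually 'default'.
            violations.append(
                f"{kind}/{name}: no namespace set (would fall back to the context namespace)"
            )
        elif ns in PROHIBITED_NAMESPACES:
            violations.append(f"{kind}/{name}: namespace '{ns}' is prohibited")
    return violations


def check_manifest_json(text):
    """Convenience wrapper: raw JSON text in, violations out."""
    return check_objects(parse_json_stream(text))


# Constructed sample: a v1 List holding four rendered objects, two of which should fail.
SAMPLE = json.dumps({
    "kind": "List", "apiVersion": "v1",
    "items": [
        {"kind": "Deployment", "apiVersion": "apps/v1",
         "metadata": {"name": "web", "namespace": "team-a"}},
        {"kind": "Service", "apiVersion": "v1",
         "metadata": {"name": "web", "namespace": "default"}},
        {"kind": "ConfigMap", "apiVersion": "v1",
         "metadata": {"name": "settings"}},
        {"kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1",
         "metadata": {"name": "reader"}},
    ],
})

if __name__ == "__main__":
    # Pipeline usage: kubectl apply --dry-run=client -o json -f app.yaml | python check_ns.py
    # Run interactively with nothing piped in, the constructed SAMPLE is checked instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    problems = check_manifest_json(text)
    for problem in problems:
        print("DENY:", problem)
    sys.exit(1 if problems else 0)
```

The non-zero exit code is what makes this a gate: place the step before `kubectl apply` in the pipeline and the job stops at the first manifest that targets `default`. Treating a missing namespace as a violation is deliberate, since an omitted namespace silently lands in whatever the context's namespace is.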

The Azure Policy add-on is an advantage-laden route to take -
1. Utilize the set of built-in Kubernetes policies as applicable
2. and combine them with preventive + detective measures to achieve any custom policy intent that may not exist as a built-in policy today.