Azure Policy announces enhancements for gradual rollout, custom evaluations & Kubernetes policy!
Published Oct 12 2022 09:30 AM 1,264 Views
Microsoft

Azure Policy is excited to roll out some new features & additional support for the features you've gotten to know and love. These features provide enhancements to roll out your policies in a safe & secure manner, easily exempt or apply policy evaluation to certain resources at-scale, create policies for your Kubernetes clusters, as well as, for the first time, reflect your custom attestation scenarios in Azure Policy! 

 

Learn more about our new features below!  

 

Azure Policy releases GA support for custom policy definitions targeting Kubernetes components 

 

We’re also excited to announce the general availability of custom policy definitions targeting Kubernetes components!   

 

This means that, in addition to using our built-in policies targeting Kubernetes components, like: 

  • Blocking container images that don't come from approved container registries 
  • Restricting external IPs to an allowed list of IP addresses 
  • Making sure images come from an image digest (easier & more secure way to track an image) 

 

You can also author your own Azure custom policy definitions and apply them easily at-scale. When authoring your custom definitions, you can embed your own Gatekeeper constraint templates into Azure policy definitions, leveraging Azure Policy capabilities on a broader set of Kubernetes scenarios. 

 

You can also leverage the following enhancements to support your custom policy experience: 

  • Enhanced evaluation details to include additional information about non-compliant components (available via API today, and soon to be available for PowerShell, UI & CLI)   
  • Enhanced error state information for troubleshooting 
  • Use a public URL or privately embed a constraint template in your policy definition using Base64 Embedded format 
  • Use the Azure Policy VS Code Extension to auto-generate an Azure policy definition from any constraint template  

 

Take a look at our tutorial for authoring a custom policy definition for Kubernetes. 

 

Azure Policy releases GA support for Arc-enabled Kubernetes components 

 

We are announcing general availability for policy targeting Azure Arc-enabled Kubernetes components! 

With Azure Arc, you can extend Azure Policy capabilities at-scale to your clusters on-premise and across public clouds like AKS, EKS & GKE. 

You will be able to enforce things like: 

  • Ensuring containers only listen on allowed ports (try it now) 
  • Ensuring containers only use allowed images (try it now) 
  • Ensuring your pods use specified labels (try it now) 

 

By using our built-in policies targeting Arc-enabled clusters (or authoring your own custom policy definitions), you can enforce key standards, view component compliance across your clusters in Azure Policy’s aggregated dashboard, and leverage a suite of other Azure Policy capabilities. 

 

NehaKulkarni_0-1664998908686.png

 

 

Get started with the experience today by installing Azure Policy's Extension for Arc (or, use Azure Policy to apply the extension across your Arc clusters at-scale in a few easy clicks). 

 

 

Gradually rollout / rollback your policies using selectors (preview) 

 

Azure Policy is introducing public preview of resource selectors, which help you facilitate safe, gradual roll outs of policy assignments or exemptions to resources based on location, type, or whether they have a location. This helps limit the scope of impact when unintentional consequences occur from badly authored policy or accidental mistakes. 

 

When you use the resourceSelectors property in your policy assignments or exemptions, Azure Policy will only evaluate or exempt resources based on the conditions you define in its selectors. 

 

Here’s an example of how you could leverage this feature:  

 

Let’s say that you have built-in policy definition you want to roll out across your environment, but you want to start with a small number of resources to assess impact. Rather than reassigning the policy definition at various scopes, this can be accomplished with resource selectors: 

 

NehaKulkarni_3-1665000119561.png

 

Viola! You’ve successfully applied your resource selector so that the assignment will only evaluate resources in eastus2euap and centraluseuap. Later, you can edit the assignment or create a new one to add more locations gradually to the selector so this policy can be safely rolled out to more regions. 

 

Learn more about resource selectors! 

 

Azure Policy releases support to apply a universal effect across multiple definitions using overrides (preview) 

 

Azure Policy is introducing public preview of overrides, which allow you to change the effect of an assigned policy without having to modify the effect parameter or the underlying policy definition! 

 

Have you ever grouped policy definitions in an initiative and needed to update multiple effects? Now you can do so in an easier way, saving yourself some time and energy.  

 

Here’s how you’d apply an effect across definitions using overrides: 

NehaKulkarni_4-1665001634168.png

 

This initiative assignment would override the effect of policies "limitSku" and "limitType" with the effect "audit", and the policy "updateSku" with the effect "modify". Easy as that! No need to change or customize the policy definitions or adjust parameters. 

 

Overrides can also help with gradual rollout of policies in an initiative. You can override the effects of its many policies with “disabled” until each one is ready to be “turned on”, at which point you’d remove its policyDefinitionReferenceID from the override list. 

 

Learn more about overrides! 

 

Evaluate using your own engine through manual attestation policy (preview) 

   

Azure Policy is releasing public preview support for a new effect called manual! Manual policies enable you to define and track your own custom attestation resources, allowing manual changes to the compliance state. 

 

When you assign a Manual policy definition, you can decide what the initial value of your resources should be by setting the defaultState to non-compliant, compliant, or a new compliance state known as ‘Unknown’. 

 

Here's an example of a manual policy definition: 

NehaKulkarni_8-1665002478717.png

 

When you manually change the compliance state, you can use an Attestation resource to set the compliance state for targeted resources in a manual policy. In your Attestation, you have the option to include ‘evidence’ that shares why a resource was updated to a particular compliance state, as well the ability to select an ‘owner’ to update the compliance state. 

Read more about the new manual effect and attestations and try applying your own manual policy assignment today! 

Have fun with the new features! 

Co-Authors
Version history
Last update:
‎Oct 20 2022 11:37 AM
Updated by: