Azure Policy and AKS teams are excited to announce the public preview of custom policy support for Azure Kubernetes Service (AKS) clusters!
With this feature enabled, you can create and assign custom policy definitions and constraint templates to your AKS clusters. We are also rolling out some exciting enhancements to AKS policy, such as enhanced error state information for troubleshooting, definition schema changes that auto-generate constraints instead of requiring customer input, an update to the VS Code extension for Azure Policy for easier authoring, and an embedded constraint template inside the policy definition so there is no dependency on an external endpoint.
Let’s walk through the cool new features step-by-step!
Azure Policy is introducing a new property known as templateInfo that allows users to define the source type for the constraint template. By defining templateInfo in policy definitions, users don’t have to define constraintTemplate or constraint properties. Users still need to define apiGroups and kinds — more on that below. TemplateInfo initially supports two ways to define the constraint template source type: Base64Encoded and PublicUrl. Base64Encoded format allows users to privately embed the constraint template within a policy definition.
Generate Custom Policy Definitions Using Azure Policy’s Visual Studio Code Extension
Users are encouraged to use the Azure Policy Visual Studio (VS) Code Extension to use this new capability and create their custom Microsoft.Kubernetes.Data definitions seamlessly. With the VS Code Extension, once a user provides any Open Policy Agent (OPA) GateKeeper v3 constraint template, they can auto-generate their policy definition JSON file!
Open up the valid constraint template YAML file as you would to reference it in your policy definition. You need to have the YAML file open for the Command Palette to display the auto-generation option.
From the menu bar, go to View > Command Palette, and enter Azure Policy for Kubernetes: Create Policy Definition from Constraint Template.
Select the appropriate sourceType value. This is where you can choose how you want your constraint template to be referenced in your policy definition — as a public URL or privately encoded within the policy definition using Embedded format.
Let’s select the Base64Encoded (Embedded) option to check it out. Once you select it, voilà! A new file opens up with your auto-generated policy definition. Make sure to fill in the /* EDIT HERE */ portions of the policy definition JSON with actual values:
Remember to take this completed policy definition JSON to the Azure portal or another supported SDK to create the policy definition within your Azure environment.
Defining API Groups & Kinds In Your Custom Definitions
It’s important to note that with the new templateInfo property, users are expected to define apiGroups and kinds directly in their policy definitions since constraint and constraintTemplate properties are not used.
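A worked example of both points above (embedding the template through templateInfo, and still declaring apiGroups and kinds), added here and not code from the Azure Policy team: a small Python helper that base64-encodes a constructed Gatekeeper v3 constraint template into a Microsoft.Kubernetes.Data definition, plus a pre-submission check that rejects definitions mixing templateInfo with the old constraint properties or missing apiGroups/kinds. The `content` and `url` field names under templateInfo, and the sample template itself, are assumptions of this example.

```python
import base64

# Constructed sample Gatekeeper v3 ConstraintTemplate (not taken from the page).
TEMPLATE_YAML = """\
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels
        violation[{"msg": msg}] {
          not input.review.object.metadata.labels["owner"]
          msg := "missing required label: owner"
        }
"""


def build_definition(template_yaml, api_groups, kinds, effect="deny"):
    """Embed the template via templateInfo; 'content' is an assumed field name."""
    if not api_groups or not kinds:  # constraint/constraintTemplate no longer carry these
        raise ValueError("apiGroups and kinds must be set alongside templateInfo")
    encoded = base64.b64encode(template_yaml.encode()).decode("ascii")
    details = {"templateInfo": {"sourceType": "Base64Encoded", "content": encoded},
               "apiGroups": list(api_groups), "kinds": list(kinds)}
    return {"mode": "Microsoft.Kubernetes.Data",
            "policyRule": {"if": {"field": "type",
                                  "in": ["Microsoft.ContainerService/managedClusters"]},
                           "then": {"effect": effect, "details": details}}}


def check_definition(definition):
    """Pre-submission check: templateInfo without the legacy properties, apiGroups
    and kinds present, and embedded content that decodes to a ConstraintTemplate."""
    details = definition["policyRule"]["then"]["details"]
    info = details.get("templateInfo")
    if not info or "constraintTemplate" in details or "constraint" in details:
        return False
    if not details.get("apiGroups") or not details.get("kinds"):
        return False
    if info["sourceType"] == "Base64Encoded":
        return "kind: ConstraintTemplate" in base64.b64decode(info["content"]).decode()
    return info["sourceType"] == "PublicUrl" and info.get("url", "").startswith("https://")
```

Run `check_definition` over the generated JSON before taking it to the portal; the PublicUrl branch only verifies that an HTTPS URL is present, since the template itself lives at the remote endpoint.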