Can't create custom azure policy for AKS which require access to state data


Currently I was unable to create a custom Azure policy for AKS which requires access to state data. For example, to create a policy for uniqueingresshostnames in an AKS cluster, it is impossible to know if an ingress's hostname is unique among all ingresses unless a rule has access to all other ingresses. To make such rules possible, we need to enable syncing of data into OPA. Kubernetes data can be replicated into OPA via the sync config resource.

Currently the config can't be edited for the Azure Policy add-on.


@krupakar 

The first thing to check is: does the resource have a property that contains the value you want to access from a policy rule?

  • If so, then search AzAliasAdvertizer for a Policy Alias that represents that resource property.
  • If the Policy Alias exists, then you can construct a policy rule to examine and determine compliance.
  • If the Policy Alias does not exist, then you need to open a support ticket with Microsoft Azure Support and request the Policy Alias to be added.