From 1216b4b180ee4e862d8793140c2a1792b0a19907 Mon Sep 17 00:00:00 2001 
From: gokmen-msft <48890186+gokmen-msft@users.noreply.github.com> Date: Wed, 14 Aug 2024 17:43:03 -0700 Subject: [PATCH] Built-in Policy Release 12332adb (#1366) Co-authored-by: Azure Policy Bot --- ...ontainerAllowedCapabilitiesContainers.json | 19 +- ...inerAllowedCapabilitiesInitContainers.json | 19 +- .../Kubernetes/MutateMaxUnavailablePods.json | 19 +- .../MutateMountServiceAccountToken.json | 62 ++++++ .../MutatePrivilegeEscalationContainers.json | 62 ++++++ ...tatePrivilegeEscalationInitContainers.json | 62 ++++++ .../MutateReadOnlyRootFilesystem.json | 19 +- ...eReadOnlyRootFilesystemInitContainers.json | 19 +- .../MutateReservedSystemPoolTaints.json | 19 +- .../Kubernetes/MutateResourceCPULimits.json | 19 +- .../MutateResourceMemoryLimits.json | 19 +- .../Kubernetes/MutateRunAsUserContainers.json | 62 ++++++ .../MutateRunAsUserInitContainers.json | 62 ++++++ .../Kubernetes/MutateRunAsUserPod.json | 62 ++++++ .../MutateSeccompProfileContainers.json | 19 +- .../MutateSeccompProfileInitContainers.json | 19 +- ...oadTestService_NetworkIsolation_Audit.json | 51 +++++ ...etworkIsolation_Audit_Versioning_Test.json | 64 +++++++ .../Kubernetes/AllowedExternalIPs.json | 28 ++- .../Kubernetes/AllowedHostPaths.json | 28 ++- .../Kubernetes/AllowedProcMountType.json | 28 ++- .../Kubernetes/AllowedSeccompProfile.json | 28 ++- .../Kubernetes/AllowedUsersGroups.json | 28 ++- .../Kubernetes/AllowedVolumeTypes.json | 28 ++- .../Kubernetes/BlockAdminRolebindings.json | 28 ++- .../Kubernetes/BlockAutomountToken.json | 28 ++- .../Kubernetes/BlockDefaultNamespace.json | 28 ++- .../BlockEndpointEditDefaultRole.json | 28 ++- .../Kubernetes/BlockHostNamespace.json | 28 ++- .../Kubernetes/BlockNakedPods.json | 28 ++- .../Kubernetes/BlockResource.json | 28 ++- .../Kubernetes/BlockWildcardRoles.json | 28 ++- .../Kubernetes/CannotEditIndividualNodes.json | 23 ++- .../ContainerAllowedCapabilities.json | 28 ++- .../Kubernetes/ContainerAllowedImages.json | 23 ++- 
.../ContainerAllowedPullPolicy.json | 28 ++- .../ContainerDisallowedCapabilities.json | 28 ++- .../ContainerEnforcePreStopHook.json | 23 ++- .../Kubernetes/ContainerEnforceProbes.json | 23 ++- .../Kubernetes/ContainerNoPrivilege.json | 28 ++- .../ContainerNoPrivilegeEscalation.json | 28 ++- .../Kubernetes/ContainerResourceLimits.json | 23 ++- .../ContainerRestrictedImagePulls.json | 23 ++- .../DisallowedBadPodDisruptionBudgets.json | 23 ++- .../Kubernetes/EnforceAppArmorProfile.json | 28 ++- .../Kubernetes/EnforceCSIDriver.json | 23 ++- .../Kubernetes/EnforceResourceAnnotation.json | 28 ++- .../Kubernetes/FlexVolumeDrivers.json | 28 ++- .../Kubernetes/ForbiddenSysctlInterfaces.json | 28 ++- .../Kubernetes/HostNetworkPorts.json | 28 ++- .../ImageIntegrityNotationVerification.json | 28 ++- .../Kubernetes/ImagesDoNotUseLatest.json | 23 ++- .../Kubernetes/IngressHttpsOnly.json | 28 ++- .../Kubernetes/LoadbalancerNoPublicIPs.json | 28 ++- .../MustHaveAntiAffinityRulesSet.json | 23 ++- ...ontainerAllowedCapabilitiesContainers.json | 19 +- ...inerAllowedCapabilitiesInitContainers.json | 19 +- .../Kubernetes/MutateMaxUnavailablePods.json | 19 +- .../MutateMountServiceAccountToken.json | 19 +- .../MutatePrivilegeEscalationContainers.json | 19 +- ...tatePrivilegeEscalationInitContainers.json | 19 +- .../MutateReadOnlyRootFilesystem.json | 19 +- ...eReadOnlyRootFilesystemInitContainers.json | 19 +- .../MutateReservedSystemPoolTaints.json | 19 +- .../Kubernetes/MutateResourceCPULimits.json | 19 +- .../MutateResourceMemoryLimits.json | 19 +- .../MutateSeccompProfileContainers.json | 19 +- .../MutateSeccompProfileInitContainers.json | 19 +- .../Kubernetes/NoAKSSpecificLabels.json | 23 ++- .../Kubernetes/PodEnforceLabels.json | 28 ++- .../Kubernetes/PrintMutationsAnnotations.json | 19 +- .../Kubernetes/ReadOnlyRootFileSystem.json | 23 ++- .../Kubernetes/ReservedSystemPoolTaints.json | 23 ++- .../policyDefinitions/Kubernetes/SELinux.json | 28 ++- 
.../Kubernetes/ServiceAllowedPorts.json | 28 ++-
.../Kubernetes/UniqueServiceSelectors.json | 23 ++-
.../WindowsBlockContainerAdmin.json | 28 ++-
.../Kubernetes/WindowsBlockHostProcess.json | 176 ++++++++++++++++++
.../WindowsContainerAllowedUsername.json | 28 ++-
.../WindowsContainerResourceLimits.json | 28 ++-
.../Network/PublicIPWithFPUOnly_Audit.json | 78 ++++++++
81 files changed, 2245 insertions(+), 198 deletions(-)
create mode 100644 built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateMountServiceAccountToken.json
create mode 100644 built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutatePrivilegeEscalationContainers.json
create mode 100644 built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutatePrivilegeEscalationInitContainers.json
create mode 100644 built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateRunAsUserContainers.json
create mode 100644 built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateRunAsUserInitContainers.json
create mode 100644 built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateRunAsUserPod.json
create mode 100644 built-in-policies/policyDefinitions/Azure Load Testing/LoadTestService_NetworkIsolation_Audit.json
create mode 100644 built-in-policies/policyDefinitions/BuiltInPolicyTest/LoadTestService_NetworkIsolation_Audit_Versioning_Test.json
create mode 100644 built-in-policies/policyDefinitions/Kubernetes/WindowsBlockHostProcess.json
create mode 100644 built-in-policies/policyDefinitions/Network/PublicIPWithFPUOnly_Audit.json
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateContainerAllowedCapabilitiesContainers.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateContainerAllowedCapabilitiesContainers.json
index f7a14511d..ab3bac4c6 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateContainerAllowedCapabilitiesContainers.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateContainerAllowedCapabilitiesContainers.json
@@ -5,12 +5,25 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Mutates securityContext.capabilities.drop to add in \"ALL\". This drops all capabilities for k8s linux containers",
 "metadata": {
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -45,6 +58,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "mutationInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.azure.us/kubernetes/mutate-container-allowed-capabilities-containers/v1/mutation.yaml"
@@ -54,6 +68,7 @@
 }
 },
 "versions": [
+ "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateContainerAllowedCapabilitiesInitContainers.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateContainerAllowedCapabilitiesInitContainers.json
index f5d3d73a3..ff2e6b13f 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateContainerAllowedCapabilitiesInitContainers.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateContainerAllowedCapabilitiesInitContainers.json
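Review bot: The new `source` parameter's description speaks of "constraint evaluation", yet this definition carries a `mutationInfo` block rather than a constraint template, so a reader of the portal text cannot tell that the value decides which objects the mutation is applied to. The parameter is presumably forwarded to the Gatekeeper Assign `match.source` field, which the hunk does not show, so the precise semantics should be confirmed before rewording. Suggested: `"description": "The source k8s object the mutation is applied to. 'Original' means only mutate the specific GroupVersionKind specified in the policy definition. 'Generated' means only mutate k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means mutate both the original object and any generated ones."`. The identical text is added in MutateContainerAllowedCapabilitiesInitContainers, MutateMaxUnavailablePods, MutateReadOnlyRootFilesystem, MutateReadOnlyRootFilesystemInitContainers, MutateReservedSystemPoolTaints, MutateResourceCPULimits and MutateResourceMemoryLimits. The enclosing `properties` object starts before the hunk.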
@@ -5,12 +5,25 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Mutates securityContext.capabilities.drop to add in \"ALL\". This drops all capabilities for k8s linux init containers",
 "metadata": {
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -45,6 +58,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "mutationInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.azure.us/kubernetes/mutate-container-allowed-capabilities-initcontainers/v1/mutation.yaml"
@@ -54,6 +68,7 @@
 }
 },
 "versions": [
+ "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateMaxUnavailablePods.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateMaxUnavailablePods.json
index f9fe897df..1a0a2f474 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateMaxUnavailablePods.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateMaxUnavailablePods.json
@@ -5,12 +5,25 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Setting your max unavailable pod value to 1 ensures that your application or service is available during a disruption",
 "metadata": {
- "version": "1.1.0-preview",
+ "version": "1.2.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.1.0-preview",
+ "version": "1.2.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -45,6 +58,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "mutationInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.azure.us/kubernetes/mutate-max-unavailable-pods/v1/mutation.yaml"
@@ -54,6 +68,7 @@
 }
 },
 "versions": [
+ "1.2.0-PREVIEW",
 "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateMountServiceAccountToken.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateMountServiceAccountToken.json
new file mode 100644
index 000000000..f2b0a6398
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateMountServiceAccountToken.json
@@ -0,0 +1,62 @@
+{
+ "properties": {
+ "displayName": "[Preview]: Sets automountServiceAccountToken in the Pod spec in containers to false.",
+ "policyType": "BuiltIn",
+ "mode": "Microsoft.Kubernetes.Data",
+ "description": "Setting automountServiceAccountToken to false increases security by avoiding the default auto-mounting of service account tokens",
+ "metadata": {
+ "version": "1.0.0-preview",
+ "category": "Kubernetes",
+ "preview": true
+ },
+ "version": "1.0.0-preview",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "'Mutate' modifies a non-compliant resource to be compliant when creating or updating. 'Disabled' turns off the policy.",
+ "portalReview": true
+ },
+ "allowedValues": [
+ "Mutate",
+ "Disabled"
+ ],
+ "defaultValue": "Mutate"
+ },
+ "excludedNamespaces": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Namespace exclusions",
+ "description": "List of Kubernetes namespaces to exclude from policy evaluation."
+ },
+ "defaultValue": [
+ "kube-system",
+ "gatekeeper-system",
+ "azure-arc"
+ ]
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ContainerService/managedClusters"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "mutationInfo": {
+ "sourceType": "PublicURL",
+ "url": "https://store.policy.azure.us/kubernetes/mutate-mount-service-account-token/v1/mutation.yaml"
+ },
+ "excludedNamespaces": "[parameters('excludedNamespaces')]"
+ }
+ }
+ },
+ "versions": [
+ "1.0.0-PREVIEW"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/57f274ef-580a-4ed2-bcf8-5c6fa3775253",
+ "name": "57f274ef-580a-4ed2-bcf8-5c6fa3775253"
+}
\ No newline at end of file
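Review bot: The displayName says the field is set "in the Pod spec in containers", but `automountServiceAccountToken` is a field of the Pod spec itself (and of ServiceAccount objects), not of individual containers, so the title points operators at the wrong place; suggested `"displayName": "[Preview]: Sets automountServiceAccountToken in the Pod spec to false."`. The description should also state the operational consequence: a pod whose workload calls the Kubernetes API loses its mounted token, so such workloads must live in an excluded namespace (the default list covers only kube-system, gatekeeper-system and azure-arc) or, if the mutation only fills in a missing value rather than overwriting an explicit `true` — which the referenced mutation.yaml and not this hunk decides — set the field explicitly. Spelling that out lets an assigner predict breakage before rolling the policy out cluster-wide.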
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutatePrivilegeEscalationContainers.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutatePrivilegeEscalationContainers.json
new file mode 100644
index 000000000..e18918720
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutatePrivilegeEscalationContainers.json
@@ -0,0 +1,62 @@
+{
+ "properties": {
+ "displayName": "[Preview]: Sets Privilege escalation in the Pod spec to false.",
+ "policyType": "BuiltIn",
+ "mode": "Microsoft.Kubernetes.Data",
+ "description": "Setting Privilege escalation to false increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode.",
+ "metadata": {
+ "version": "1.0.0-preview",
+ "category": "Kubernetes",
+ "preview": true
+ },
+ "version": "1.0.0-preview",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "'Mutate' modifies a non-compliant resource to be compliant when creating or updating. 'Disabled' turns off the policy.",
+ "portalReview": true
+ },
+ "allowedValues": [
+ "Mutate",
+ "Disabled"
+ ],
+ "defaultValue": "Mutate"
+ },
+ "excludedNamespaces": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Namespace exclusions",
+ "description": "List of Kubernetes namespaces to exclude from policy evaluation."
+ },
+ "defaultValue": [
+ "kube-system",
+ "gatekeeper-system",
+ "azure-arc"
+ ]
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ContainerService/managedClusters"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "mutationInfo": {
+ "sourceType": "PublicURL",
+ "url": "https://store.policy.azure.us/kubernetes/mutate-privilege-escalation-containers/v1/mutation.yaml"
+ },
+ "excludedNamespaces": "[parameters('excludedNamespaces')]"
+ }
+ }
+ },
+ "versions": [
+ "1.0.0-PREVIEW"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/d77df159-718b-4aca-b94b-8e8890a98231",
+ "name": "d77df159-718b-4aca-b94b-8e8890a98231"
+}
\ No newline at end of file
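Review bot: The displayName "Sets Privilege escalation in the Pod spec to false" names neither the actual field (`allowPrivilegeEscalation` under `securityContext`) nor its scope, while the init-container sibling added in the same patch says "in init containers", so in a portal listing the two definitions are hard to tell apart and it is not obvious that this one covers regular containers only; suggested `"displayName": "[Preview]: Sets allowPrivilegeEscalation in the Pod spec containers to false."`. Naming the field in the description as well would make the definition findable by the Kubernetes term rather than the prose paraphrase. Whether an explicit `allowPrivilegeEscalation: true` is overwritten or only a missing value is filled is decided by the referenced mutation.yaml, not shown here, and deserves one sentence in the description since it determines what an assigner must expect from existing workloads.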
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutatePrivilegeEscalationInitContainers.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutatePrivilegeEscalationInitContainers.json
new file mode 100644
index 000000000..1ec34bbde
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutatePrivilegeEscalationInitContainers.json
@@ -0,0 +1,62 @@
+{
+ "properties": {
+ "displayName": "[Preview]: Sets Privilege escalation in the Pod spec in init containers to false.",
+ "policyType": "BuiltIn",
+ "mode": "Microsoft.Kubernetes.Data",
+ "description": "Setting Privilege escalation to false in init containers increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode.",
+ "metadata": {
+ "version": "1.0.0-preview",
+ "category": "Kubernetes",
+ "preview": true
+ },
+ "version": "1.0.0-preview",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "'Mutate' modifies a non-compliant resource to be compliant when creating or updating. 'Disabled' turns off the policy.",
+ "portalReview": true
+ },
+ "allowedValues": [
+ "Mutate",
+ "Disabled"
+ ],
+ "defaultValue": "Mutate"
+ },
+ "excludedNamespaces": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Namespace exclusions",
+ "description": "List of Kubernetes namespaces to exclude from policy evaluation."
+ },
+ "defaultValue": [
+ "kube-system",
+ "gatekeeper-system",
+ "azure-arc"
+ ]
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ContainerService/managedClusters"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "mutationInfo": {
+ "sourceType": "PublicURL",
+ "url": "https://store.policy.azure.us/kubernetes/mutate-privilege-escalation-init-containers/v1/mutation.yaml"
+ },
+ "excludedNamespaces": "[parameters('excludedNamespaces')]"
+ }
+ }
+ },
+ "versions": [
+ "1.0.0-PREVIEW"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/4ee3ee6a-96ea-4d25-9c00-17f11d2e02c8",
+ "name": "4ee3ee6a-96ea-4d25-9c00-17f11d2e02c8"
+}
\ No newline at end of file
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateReadOnlyRootFilesystem.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateReadOnlyRootFilesystem.json
index 8a52d70e9..3cbd5d00d 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateReadOnlyRootFilesystem.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateReadOnlyRootFilesystem.json
@@ -5,12 +5,25 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem",
 "metadata": {
- "version": "1.1.0-preview",
+ "version": "1.2.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.1.0-preview",
+ "version": "1.2.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -45,6 +58,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "mutationInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.azure.us/kubernetes/mutate-read-only-root-filesystem/v1/mutation.yaml"
@@ -54,6 +68,7 @@
 }
 },
 "versions": [
+ "1.2.0-PREVIEW",
 "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateReadOnlyRootFilesystemInitContainers.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateReadOnlyRootFilesystemInitContainers.json
index db8078c44..e278a59df 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateReadOnlyRootFilesystemInitContainers.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateReadOnlyRootFilesystemInitContainers.json
@@ -5,12 +5,25 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for linux containers.",
 "metadata": {
- "version": "1.1.0-preview",
+ "version": "1.2.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.1.0-preview",
+ "version": "1.2.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -45,6 +58,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "mutationInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.azure.us/kubernetes/mutate-read-only-root-filesystem-init-containers/v1/mutation.yaml"
@@ -54,6 +68,7 @@
 }
 },
 "versions": [
+ "1.2.0-PREVIEW",
 "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateReservedSystemPoolTaints.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateReservedSystemPoolTaints.json
index 03b38f629..dcd4598e3 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateReservedSystemPoolTaints.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateReservedSystemPoolTaints.json
@@ -5,12 +5,25 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools.",
 "metadata": {
- "version": "1.1.0-preview",
+ "version": "1.2.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.1.0-preview",
+ "version": "1.2.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -45,6 +58,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "mutationInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.azure.us/kubernetes/mutate-systempool-taints/v1/mutation.yaml"
@@ -54,6 +68,7 @@
 }
 },
 "versions": [
+ "1.2.0-PREVIEW",
 "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateResourceCPULimits.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateResourceCPULimits.json
index 471510c13..d40531e22 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateResourceCPULimits.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateResourceCPULimits.json
@@ -5,12 +5,25 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster.",
 "metadata": {
- "version": "1.1.1-preview",
+ "version": "1.2.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.1.1-preview",
+ "version": "1.2.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -45,6 +58,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "mutationInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.azure.us/kubernetes/mutate-resource-cpu-limits/v1/mutation.yaml"
@@ -54,6 +68,7 @@
 }
 },
 "versions": [
+ "1.2.0-PREVIEW",
 "1.1.1-PREVIEW",
 "1.0.1-PREVIEW",
 "1.0.0-PREVIEW"
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateResourceMemoryLimits.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateResourceMemoryLimits.json
index c3f1e922a..331b552f3 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateResourceMemoryLimits.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateResourceMemoryLimits.json
@@ -5,12 +5,25 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster.",
 "metadata": {
- "version": "1.1.1-preview",
+ "version": "1.2.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.1.1-preview",
+ "version": "1.2.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -45,6 +58,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "mutationInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.azure.us/kubernetes/mutate-resource-memory-limits/v1/mutation.yaml"
@@ -54,6 +68,7 @@
 }
 },
 "versions": [
+ "1.2.0-PREVIEW",
 "1.1.1-PREVIEW",
 "1.0.1-PREVIEW",
 "1.0.0-PREVIEW"
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateRunAsUserContainers.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateRunAsUserContainers.json
new file mode 100644
index 000000000..5c39571b5
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateRunAsUserContainers.json
@@ -0,0 +1,62 @@
+{
+ "properties": {
+ "displayName": "[Preview]: Sets Kubernetes cluster container securityContext.runAsUser fields to 1000, a non-root user id",
+ "policyType": "BuiltIn",
+ "mode": "Microsoft.Kubernetes.Data",
+ "description": "Reduces attack surface introduced by escalating privileges as root user in the presence of security vulnerabilities.",
+ "metadata": {
+ "version": "1.0.0-preview",
+ "category": "Kubernetes",
+ "preview": true
+ },
+ "version": "1.0.0-preview",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "'Mutate' modifies a non-compliant resource to be compliant when creating or updating. 'Disabled' turns off the policy.",
+ "portalReview": true
+ },
+ "allowedValues": [
+ "Mutate",
+ "Disabled"
+ ],
+ "defaultValue": "Mutate"
+ },
+ "excludedNamespaces": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Namespace exclusions",
+ "description": "List of Kubernetes namespaces to exclude from policy evaluation."
+ },
+ "defaultValue": [
+ "kube-system",
+ "gatekeeper-system",
+ "azure-arc"
+ ]
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ContainerService/managedClusters"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "mutationInfo": {
+ "sourceType": "PublicURL",
+ "url": "https://store.policy.azure.us/kubernetes/mutate-run-as-user-containers/v1/mutation.yaml"
+ },
+ "excludedNamespaces": "[parameters('excludedNamespaces')]"
+ }
+ }
+ },
+ "versions": [
+ "1.0.0-PREVIEW"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/a8e3ce3c-cac3-4402-a28a-03ee3ede9790",
+ "name": "a8e3ce3c-cac3-4402-a28a-03ee3ede9790"
+}
\ No newline at end of file
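Review bot: The displayName commits to the fixed user id 1000, but neither it nor the description says what happens to a container that already sets `runAsUser` — an explicit `runAsUser: 0` in particular — so an assigner cannot tell whether this is a default-filling mutation or an enforcement that will also break images whose files are owned by a different non-root uid. That behaviour is decided by the referenced mutation.yaml, which the hunk does not show; one sentence in the description should state it, e.g. `"description": "Reduces attack surface introduced by escalating privileges as root user in the presence of security vulnerabilities. Applies to containers that do not set securityContext.runAsUser; existing values are left unchanged."` if that is the mutation's behaviour, or the opposite wording if it overwrites. The same gap exists in MutateRunAsUserInitContainers and MutateRunAsUserPod. Since a container-level securityContext.runAsUser takes precedence over the pod-level one, the Pod and container definitions are complementary rather than alternatives, and their descriptions could say so to prevent an assigner from deploying only the pod-level one and assuming containers are covered.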
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateRunAsUserInitContainers.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateRunAsUserInitContainers.json
new file mode 100644
index 000000000..637bae235
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateRunAsUserInitContainers.json
@@ -0,0 +1,62 @@
+{
+ "properties": {
+ "displayName": "[Preview]: Sets Kubernetes cluster init containers securityContext.runAsUser fields to 1000, a non-root user id",
+ "policyType": "BuiltIn",
+ "mode": "Microsoft.Kubernetes.Data",
+ "description": "Reduces attack surface introduced by escalating privileges as root user in the presence of security vulnerabilities.",
+ "metadata": {
+ "version": "1.0.0-preview",
+ "category": "Kubernetes",
+ "preview": true
+ },
+ "version": "1.0.0-preview",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "'Mutate' modifies a non-compliant resource to be compliant when creating or updating. 'Disabled' turns off the policy.",
+ "portalReview": true
+ },
+ "allowedValues": [
+ "Mutate",
+ "Disabled"
+ ],
+ "defaultValue": "Mutate"
+ },
+ "excludedNamespaces": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Namespace exclusions",
+ "description": "List of Kubernetes namespaces to exclude from policy evaluation."
+ },
+ "defaultValue": [
+ "kube-system",
+ "gatekeeper-system",
+ "azure-arc"
+ ]
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ContainerService/managedClusters"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "mutationInfo": {
+ "sourceType": "PublicURL",
+ "url": "https://store.policy.azure.us/kubernetes/mutate-run-as-user-initContainers/v1/mutation.yaml"
+ },
+ "excludedNamespaces": "[parameters('excludedNamespaces')]"
+ }
+ }
+ },
+ "versions": [
+ "1.0.0-PREVIEW"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/97de439f-fd35-4d43-a693-3644f51a51fd",
+ "name": "97de439f-fd35-4d43-a693-3644f51a51fd"
+}
\ No newline at end of file
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateRunAsUserPod.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateRunAsUserPod.json
new file mode 100644
index 000000000..1f96ce794
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateRunAsUserPod.json
@@ -0,0 +1,62 @@
+{
+ "properties": {
+ "displayName": "[Preview]: Sets Kubernetes cluster Pod securityContext.runAsUser fields to 1000, a non-root user id",
+ "policyType": "BuiltIn",
+ "mode": "Microsoft.Kubernetes.Data",
+ "description": "Reduces attack surface introduced by escalating privileges as root user in the presence of security vulnerabilities.",
+ "metadata": {
+ "version": "1.0.0-preview",
+ "category": "Kubernetes",
+ "preview": true
+ },
+ "version": "1.0.0-preview",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "'Mutate' modifies a non-compliant resource to be compliant when creating or updating. 'Disabled' turns off the policy.",
+ "portalReview": true
+ },
+ "allowedValues": [
+ "Mutate",
+ "Disabled"
+ ],
+ "defaultValue": "Mutate"
+ },
+ "excludedNamespaces": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Namespace exclusions",
+ "description": "List of Kubernetes namespaces to exclude from policy evaluation."
+ },
+ "defaultValue": [
+ "kube-system",
+ "gatekeeper-system",
+ "azure-arc"
+ ]
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ContainerService/managedClusters"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "mutationInfo": {
+ "sourceType": "PublicURL",
+ "url": "https://store.policy.azure.us/kubernetes/mutate-run-as-user-pod/v1/mutation.yaml"
+ },
+ "excludedNamespaces": "[parameters('excludedNamespaces')]"
+ }
+ }
+ },
+ "versions": [
+ "1.0.0-PREVIEW"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/fe74a23d-79e4-401c-bd0d-fd7a5b35af32",
+ "name": "fe74a23d-79e4-401c-bd0d-fd7a5b35af32"
+}
\ No newline at end of file
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateSeccompProfileContainers.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateSeccompProfileContainers.json
index c431a028d..21f2f579a 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateSeccompProfileContainers.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateSeccompProfileContainers.json
@@ -5,12 +5,25 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Setting secure computing mode profile type for containers to prevent unauthorized and potentially harmful system calls to the kernel from user space.",
 "metadata": {
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -45,6 +58,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "mutationInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.azure.us/kubernetes/mutate-seccomp-profile-containers/v1/mutation.yaml"
@@ -54,6 +68,7 @@
 }
 },
 "versions": [
+ "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
 },
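Review bot: The `source` parameter description added in the first hunk is copied verbatim from the constraint-based definitions and speaks of "constraint evaluation", but this definition carries `mutationInfo` rather than `templateInfo`, so a reader cannot tell whether `Generated` and `All` select objects for mutation or merely for evaluation. If the semantics are the same as for validation, a wording along the lines of `The source k8s object for mutation. 'Original' means only mutate the specific GroupVersionKind specified in the policy definition ...` would say so explicitly; the MutateSeccompProfileInitContainers hunk below carries the identical text and needs the same fix. Omitting `warn` here, unlike the Audit/Deny definitions later in this commit, looks intentional since a mutation has nothing to warn about, but that is inferred rather than stated anywhere in the diff.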
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateSeccompProfileInitContainers.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateSeccompProfileInitContainers.json
index 903196b90..3978b270a 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateSeccompProfileInitContainers.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateSeccompProfileInitContainers.json
@@ -5,12 +5,25 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Setting secure computing mode profile type for init containers to prevent unauthorized and potentially harmful system calls to the kernel from user space.",
 "metadata": {
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -45,6 +58,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "mutationInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.azure.us/kubernetes/mutate-seccomp-profile-initcontainers/v1/mutation.yaml"
@@ -54,6 +68,7 @@
 }
 },
 "versions": [
+ "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Azure Load Testing/LoadTestService_NetworkIsolation_Audit.json b/built-in-policies/policyDefinitions/Azure Load Testing/LoadTestService_NetworkIsolation_Audit.json
new file mode 100644
index 000000000..a0cfb0592
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Azure Load Testing/LoadTestService_NetworkIsolation_Audit.json
@@ -0,0 +1,51 @@
+{
+ "properties": {
+ "displayName": "[Preview]: Load tests using Azure Load Testing should be run only against private endpoints from within a virtual network.",
+ "policyType": "BuiltIn",
+ "mode": "Microsoft.LoadTestService.Data",
+ "description": "Azure Load Testing engine instances should use virtual network injection for the following purposes: 1. Isolate Azure Load Testing engines to a virtual network. 2. Enable Azure Load Testing engines to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Load Testing engines.",
+ "metadata": {
+ "version": "1.0.0-preview",
+ "preview": true,
+ "category": "Azure Load Testing"
+ },
+ "version": "1.0.0-preview",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy."
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.LoadTestService.Data/loadTests/testRuns"
+ },
+ {
+ "field": "Microsoft.LoadTestService.Data/loadTests/testRuns/subnetId",
+ "equals": ""
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ },
+ "versions": [
+ "1.0.0-PREVIEW"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/d855fd7a-9be5-4d84-8b75-28d41aadc158",
+ "name": "d855fd7a-9be5-4d84-8b75-28d41aadc158"
+}
\ No newline at end of file
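Review bot: The non-compliance condition in `policyRule.if` matches only a `subnetId` that is present and equal to the empty string; if the data-plane payload omits the property when no virtual network is configured, `"equals": ""` may not fire and an un-isolated test run would evaluate as compliant. Unless the provider guarantees the property is always emitted, wrapping the check in an `anyOf` that pairs the existing `equals` clause with `{ "field": "Microsoft.LoadTestService.Data/loadTests/testRuns/subnetId", "exists": "false" }` would close that gap. The `effect` description `Enable or disable the execution of the policy.` also says nothing about what `Deny` does for a data-plane mode; a sentence stating that Deny rejects the test run while Audit only records non-compliance (assuming that is the provider's behaviour) would match the more explicit effect descriptions used in the Kubernetes definitions in this commit.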
diff --git a/built-in-policies/policyDefinitions/BuiltInPolicyTest/LoadTestService_NetworkIsolation_Audit_Versioning_Test.json b/built-in-policies/policyDefinitions/BuiltInPolicyTest/LoadTestService_NetworkIsolation_Audit_Versioning_Test.json
new file mode 100644
index 000000000..e29c96144
--- /dev/null
+++ b/built-in-policies/policyDefinitions/BuiltInPolicyTest/LoadTestService_NetworkIsolation_Audit_Versioning_Test.json
@@ -0,0 +1,64 @@
+{
+ "properties": {
+ "displayName": "[Deprecated]: Load tests should be run only against private endpoints from within a virtual network. Versioning Test BuiltIn.",
+ "policyType": "BuiltIn",
+ "mode": "Microsoft.LoadTestService.Data",
+ "description": "Azure Load Testing engine instances should use virtual network injection for the following purposes: 1. Isolate Azure Load Testing engines to a virtual network. 2. Enable Azure Load Testing engines to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Load Testing engines.",
+ "metadata": {
+ "version": "1.1.0-deprecated",
+ "category": "BuiltInPolicyTest",
+ "deprecated": true
+ },
+ "version": "1.1.0",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy."
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "testString": {
+ "metadata": {
+ "displayName": "Test string",
+ "description": "A string to be compared against 'test' in the policy rule to generate the desired compliance result."
+ },
+ "type": "string",
+ "defaultValue": "test"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "value": "[parameters('testString')]",
+ "equals": "test"
+ },
+ {
+ "field": "type",
+ "equals": "Microsoft.LoadTestService.Data/loadTests/testRuns"
+ },
+ {
+ "field": "Microsoft.LoadTestService.Data/loadTests/testRuns/subnetId",
+ "equals": ""
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ },
+ "versions": [
+ "1.1.0",
+ "1.0.0"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/033f1f0f-0eff-42f0-85aa-f79b78e59a40",
+ "name": "033f1f0f-0eff-42f0-85aa-f79b78e59a40"
+}
\ No newline at end of file
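Review bot: The `testString` parameter declares `"type": "string"` in lowercase and places `type` after `metadata`, whereas every other parameter in this commit uses `"type": "String"` as the first key; the platform may accept either spelling, but a versioning test fixture that others will copy should follow the repository convention. Moving the line up and writing it as `"type": "String",` directly under `"testString": {` would align it with the `effect` parameter a few lines above. The `subnetId` check copied from the production definition shares its reliance on the property being present and empty, which is fine for a fixture whose outcome is driven by `testString`.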
diff --git a/built-in-policies/policyDefinitions/Kubernetes/AllowedExternalIPs.json b/built-in-policies/policyDefinitions/Kubernetes/AllowedExternalIPs.json
index 0501dc4c4..543630fbe 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/AllowedExternalIPs.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/AllowedExternalIPs.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Use allowed external IPs to avoid the potential attack (CVE-2020-8554) in a Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "5.1.0",
+ "version": "5.2.0",
 "category": "Kubernetes"
 },
- "version": "5.1.0",
+ "version": "5.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -128,6 +149,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/allowed-external-ips/v1/template.yaml"
@@ -148,6 +171,7 @@
 }
 },
 "versions": [
+ "5.2.0",
 "5.1.0"
 ]
 },
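Review bot: The new `warn` description `Whether or not to return warnings back to the user in the kubectl cli` does not say how the warning interacts with the selected `effect` — specifically whether a `Deny` still rejects the request when `warn` is true or whether the violation is downgraded to a warning — and for admission policies such as AllowedHostPaths or BlockHostNamespace that is the difference between blocking and merely logging. A second sentence along the lines of `Warnings are returned in addition to the configured effect; a Deny still rejects the request.` (if that is the behaviour) would settle it. The identical parameters and description are added to AllowedHostPaths, AllowedProcMountType, AllowedSeccompProfile, AllowedUsersGroups, AllowedVolumeTypes, BlockAdminRolebindings, BlockAutomountToken, BlockDefaultNamespace, BlockEndpointEditDefaultRole, BlockHostNamespace and BlockNakedPods in this chunk, so one wording fix applies to all of them. Both defaults (`Original` and `false`) preserve the previous evaluation behaviour, which is consistent with the minor version bump in each file.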
diff --git a/built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json b/built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json
index d84f7273e..314abcc1b 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "6.1.1",
+ "version": "6.2.0",
 "category": "Kubernetes"
 },
- "version": "6.1.1",
+ "version": "6.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -175,6 +196,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/allowed-host-paths/v3/template.yaml"
@@ -197,6 +220,7 @@
 }
 },
 "versions": [
+ "6.2.0",
 "6.1.1"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/AllowedProcMountType.json b/built-in-policies/policyDefinitions/Kubernetes/AllowedProcMountType.json
index 664073ea3..2df34d70b 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/AllowedProcMountType.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/AllowedProcMountType.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Pod containers can only use allowed ProcMountTypes in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "8.1.1",
+ "version": "8.2.0",
 "category": "Kubernetes"
 },
- "version": "8.1.1",
+ "version": "8.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -149,6 +170,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/allowed-proc-mount-types/v4/template.yaml"
@@ -171,6 +194,7 @@
 }
 },
 "versions": [
+ "8.2.0",
 "8.1.1"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/AllowedSeccompProfile.json b/built-in-policies/policyDefinitions/Kubernetes/AllowedSeccompProfile.json
index 5841d3b22..772252863 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/AllowedSeccompProfile.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/AllowedSeccompProfile.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Pod containers can only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "7.1.1",
+ "version": "7.2.0",
 "category": "Kubernetes"
 },
- "version": "7.1.1",
+ "version": "7.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -145,6 +166,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/allowed-seccomp-profiles/v3/template.yaml"
@@ -167,6 +190,7 @@
 }
 },
 "versions": [
+ "7.2.0",
 "7.1.1"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/AllowedUsersGroups.json b/built-in-policies/policyDefinitions/Kubernetes/AllowedUsersGroups.json
index b5c130550..1a36cd8e8 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/AllowedUsersGroups.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/AllowedUsersGroups.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "6.1.1",
+ "version": "6.2.0",
 "category": "Kubernetes"
 },
- "version": "6.1.1",
+ "version": "6.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -348,6 +369,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/allowed-users-groups/v3/template.yaml"
@@ -385,6 +408,7 @@
 }
 },
 "versions": [
+ "6.2.0",
 "6.1.1"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/AllowedVolumeTypes.json b/built-in-policies/policyDefinitions/Kubernetes/AllowedVolumeTypes.json
index 349f74507..3d6f2f37f 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/AllowedVolumeTypes.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/AllowedVolumeTypes.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "5.1.1",
+ "version": "5.2.0",
 "category": "Kubernetes"
 },
- "version": "5.1.1",
+ "version": "5.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -137,6 +158,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/allowed-volume-types/v2/template.yaml"
@@ -158,6 +181,7 @@
 }
 },
 "versions": [
+ "5.2.0",
 "5.1.1"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/BlockAdminRolebindings.json b/built-in-policies/policyDefinitions/Kubernetes/BlockAdminRolebindings.json
index f2b91fb3d..a65e728ec 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/BlockAdminRolebindings.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/BlockAdminRolebindings.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "The role 'cluster-admin' provides wide-ranging powers over the environment and should be used only where and when needed.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Kubernetes"
 },
- "version": "1.0.0",
+ "version": "1.1.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -112,6 +133,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/block-admin-rolebindings/v1/template.yaml"
@@ -130,6 +153,7 @@
 }
 },
 "versions": [
+ "1.1.0",
 "1.0.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/BlockAutomountToken.json b/built-in-policies/policyDefinitions/Kubernetes/BlockAutomountToken.json
index d47d0b77a..df6389925 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/BlockAutomountToken.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/BlockAutomountToken.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "4.1.0",
+ "version": "4.2.0",
 "category": "Kubernetes"
 },
- "version": "4.1.0",
+ "version": "4.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -128,6 +149,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/block-automount-token/v2/template.yaml"
@@ -148,6 +171,7 @@
 }
 },
 "versions": [
+ "4.2.0",
 "4.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/BlockDefaultNamespace.json b/built-in-policies/policyDefinitions/Kubernetes/BlockDefaultNamespace.json
index 7b5357e8c..c11bb842e 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/BlockDefaultNamespace.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/BlockDefaultNamespace.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "4.1.0",
+ "version": "4.2.0",
 "category": "Kubernetes"
 },
- "version": "4.1.0",
+ "version": "4.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -121,6 +142,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/block-default-namespace/v1/template.yaml"
@@ -140,6 +163,7 @@
 }
 },
 "versions": [
+ "4.2.0",
 "4.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/BlockEndpointEditDefaultRole.json b/built-in-policies/policyDefinitions/Kubernetes/BlockEndpointEditDefaultRole.json
index ece682644..86fd410fd 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/BlockEndpointEditDefaultRole.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/BlockEndpointEditDefaultRole.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "3.1.0",
+ "version": "3.2.0",
 "category": "Kubernetes"
 },
- "version": "3.1.0",
+ "version": "3.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -115,6 +136,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/block-endpoint-edit-default-role/v1/template.yaml"
@@ -132,6 +155,7 @@
 }
 },
 "versions": [
+ "3.2.0",
 "3.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json b/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json
index c4cbc2081..3a84d5a98 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "5.1.0",
+ "version": "5.2.0",
 "category": "Kubernetes"
 },
- "version": "5.1.0",
+ "version": "5.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -128,6 +149,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/block-host-namespace/v2/template.yaml"
@@ -148,6 +171,7 @@
 }
 },
 "versions": [
+ "5.2.0",
 "5.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/BlockNakedPods.json b/built-in-policies/policyDefinitions/Kubernetes/BlockNakedPods.json
index e27266396..f3908087f 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/BlockNakedPods.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/BlockNakedPods.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs",
 "metadata": {
- "version": "2.1.0",
+ "version": "2.2.0",
 "category": "Kubernetes"
 },
- "version": "2.1.0",
+ "version": "2.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -116,6 +137,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/block-naked-pods/v1/template.yaml"
@@ -133,6 +156,7 @@
 }
 },
 "versions": [
+ "2.2.0",
 "2.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/BlockResource.json b/built-in-policies/policyDefinitions/Kubernetes/BlockResource.json
index cdc740618..6514a001d 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/BlockResource.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/BlockResource.json
@@ -5,12 +5,33 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Given Kubernetes resource type should not be deployed in certain namespace.",
 "metadata": {
- "version": "2.2.0-preview",
+ "version": "2.3.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "2.2.0-preview",
+ "version": "2.3.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -135,6 +156,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/block-resource/v1/template.yaml"
@@ -150,6 +173,7 @@
 }
 },
 "versions": [
+ "2.3.0-PREVIEW",
 "2.2.0-PREVIEW"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/BlockWildcardRoles.json b/built-in-policies/policyDefinitions/Kubernetes/BlockWildcardRoles.json
index e9f480677..d4cfc89a0 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/BlockWildcardRoles.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/BlockWildcardRoles.json
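Review bot: The two `version` fields added in the first hunk read `2.3.0-preview` while the matching entry added to `versions` later in the same file is `2.3.0-PREVIEW`; this follows the existing `2.2.0-PREVIEW` entry, but any consumer that looks the current version up in that list with a case-sensitive compare will not find it. If the list is compared literally, `"2.3.0-preview"` would be the safer spelling for the new entry; if it is compared case-insensitively, that convention is worth one line in the repository's contribution notes so the mismatch stops looking like a typo. The same pairing appears in CannotEditIndividualNodes, ContainerEnforcePreStopHook, ContainerRestrictedImagePulls and DisallowedBadPodDisruptionBudgets in this chunk.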
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Using wildcards '*' can be a security risk because it grants broad permissions that may not be necessary for a specific role. If a role has too many permissions, it could potentially be abused by an attacker or compromised user to gain unauthorized access to resources in the cluster.",
 "metadata": {
- "version": "1.0.0",
+ "version": "1.1.0",
 "category": "Kubernetes"
 },
- "version": "1.0.0",
+ "version": "1.1.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -112,6 +133,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/block-wildcard-roles/v1/template.yaml"
@@ -130,6 +153,7 @@
 }
 },
 "versions": [
+ "1.1.0",
 "1.0.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/CannotEditIndividualNodes.json b/built-in-policies/policyDefinitions/Kubernetes/CannotEditIndividualNodes.json
index c5341e069..fab1f72b3 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/CannotEditIndividualNodes.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/CannotEditIndividualNodes.json
@@ -5,22 +5,31 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks.",
 "metadata": {
- "version": "1.1.1-preview",
+ "version": "1.2.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.1.1-preview",
+ "version": "1.2.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "warn": {
 "type": "Boolean",
 "metadata": {
 "displayName": "Warn",
 "description": "Whether or not to return warnings back to the user in the kubectl cli"
 },
- "allowedValues": [
- true,
- false
- ],
 "defaultValue": false
 },
 "effect": {
@@ -138,6 +147,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
@@ -160,6 +170,7 @@
 }
 },
 "versions": [
+ "1.2.0-PREVIEW",
 "1.1.1-PREVIEW",
 "1.1.0-PREVIEW",
 "1.0.3-PREVIEW"
diff --git a/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json b/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json
index a491ed29d..20990b837 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "6.1.0",
+ "version": "6.2.0",
 "category": "Kubernetes"
 },
- "version": "6.1.0",
+ "version": "6.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -154,6 +175,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/container-allowed-capabilities/v3/template.yaml"
@@ -177,6 +200,7 @@
 }
 },
 "versions": [
+ "6.2.0",
 "6.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json b/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json
index 2da1ad462..0b208569e 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json
@@ -5,21 +5,30 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "9.2.0",
+ "version": "9.3.0",
 "category": "Kubernetes"
 },
- "version": "9.2.0",
+ "version": "9.3.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "warn": {
 "type": "Boolean",
 "metadata": {
 "displayName": "Warn",
 "description": "Whether or not to return warnings back to the user in the kubectl cli"
 },
- "allowedValues": [
- true,
- false
- ],
 "defaultValue": false
 },
 "effect": {
@@ -147,6 +156,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
@@ -169,6 +179,7 @@
 }
 },
 "versions": [
+ "9.3.0",
 "9.2.0",
 "9.1.1",
 "9.1.0"
diff --git a/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedPullPolicy.json b/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedPullPolicy.json
index 631d8dde9..b76af08af 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedPullPolicy.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedPullPolicy.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Restrict containers' pull policy to enforce containers to use only allowed images on deployments",
 "metadata": {
- "version": "3.1.0",
+ "version": "3.2.0",
 "category": "Kubernetes"
 },
- "version": "3.1.0",
+ "version": "3.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "defaultValue": "Audit",
@@ -137,6 +158,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/container-allowed-pull-policy/v2/template.yaml"
@@ -158,6 +181,7 @@
 }
 },
 "versions": [
+ "3.2.0",
 "3.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/ContainerDisallowedCapabilities.json b/built-in-policies/policyDefinitions/Kubernetes/ContainerDisallowedCapabilities.json
index ac58b736f..aef0b350f 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/ContainerDisallowedCapabilities.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/ContainerDisallowedCapabilities.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Prevent specific security capabilities in Kubernetes clusters to prevent ungranted privileges on the Pod resource. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "5.1.0",
+ "version": "5.2.0",
 "category": "Kubernetes"
 },
- "version": "5.1.0",
+ "version": "5.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -145,6 +166,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/container-disallowed-capabilities/v3/template.yaml"
@@ -167,6 +190,7 @@
 }
 },
 "versions": [
+ "5.2.0",
 "5.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/ContainerEnforcePreStopHook.json b/built-in-policies/policyDefinitions/Kubernetes/ContainerEnforcePreStopHook.json
index 68c3d512e..dd5abcba5 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/ContainerEnforcePreStopHook.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/ContainerEnforcePreStopHook.json
@@ -5,22 +5,31 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Requires that container images include a preStop hook to gracefully terminate processes during pod shutdowns.",
 "metadata": {
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "warn": {
 "type": "Boolean",
 "metadata": {
 "displayName": "Warn",
 "description": "Whether or not to return warnings back to the user in the kubectl cli"
 },
- "allowedValues": [
- true,
- false
- ],
 "defaultValue": false
 },
 "effect": {
@@ -124,6 +133,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
@@ -145,6 +155,7 @@
 }
 },
 "versions": [
+ "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/ContainerEnforceProbes.json b/built-in-policies/policyDefinitions/Kubernetes/ContainerEnforceProbes.json
index 0afcb76d6..7285cae04 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/ContainerEnforceProbes.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/ContainerEnforceProbes.json
@@ -5,21 +5,30 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "3.2.0",
+ "version": "3.3.0",
 "category": "Kubernetes"
 },
- "version": "3.2.0",
+ "version": "3.3.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "warn": {
 "type": "Boolean",
 "metadata": {
 "displayName": "Warn",
 "description": "Whether or not to return warnings back to the user in the kubectl cli"
 },
- "allowedValues": [
- true,
- false
- ],
 "defaultValue": false
 },
 "effect": {
@@ -157,6 +166,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
@@ -180,6 +190,7 @@
 }
 },
 "versions": [
+ "3.3.0",
 "3.2.0",
 "3.1.0"
 ]
diff --git a/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilege.json b/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilege.json
index cfa70ccdb..78f1a491c 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilege.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilege.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "9.1.0",
+ "version": "9.2.0",
 "category": "Kubernetes"
 },
- "version": "9.1.0",
+ "version": "9.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -136,6 +157,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/container-no-privilege/v2/template.yaml"
@@ -157,6 +180,7 @@
 }
 },
 "versions": [
+ "9.2.0",
 "9.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilegeEscalation.json b/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilegeEscalation.json
index c3ef1c11c..a8475ffd4 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilegeEscalation.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilegeEscalation.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "7.1.0",
+ "version": "7.2.0",
 "category": "Kubernetes"
 },
- "version": "7.1.0",
+ "version": "7.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -136,6 +157,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/container-no-privilege-escalation/v3/template.yaml"
@@ -157,6 +180,7 @@
 }
 },
 "versions": [
+ "7.2.0",
 "7.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/ContainerResourceLimits.json b/built-in-policies/policyDefinitions/Kubernetes/ContainerResourceLimits.json
index d273a8dfa..29c42535a 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/ContainerResourceLimits.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/ContainerResourceLimits.json
@@ -5,21 +5,30 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "9.2.0",
+ "version": "9.3.0",
 "category": "Kubernetes"
 },
- "version": "9.2.0",
+ "version": "9.3.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "warn": {
 "type": "Boolean",
 "metadata": {
 "displayName": "Warn",
 "description": "Whether or not to return warnings back to the user in the kubectl cli"
 },
- "allowedValues": [
- true,
- false
- ],
 "defaultValue": false
 },
 "effect": {
@@ -164,6 +173,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
@@ -188,6 +198,7 @@
 }
 },
 "versions": [
+ "9.3.0",
 "9.2.0",
 "9.1.0"
 ]
diff --git a/built-in-policies/policyDefinitions/Kubernetes/ContainerRestrictedImagePulls.json b/built-in-policies/policyDefinitions/Kubernetes/ContainerRestrictedImagePulls.json
index c83b7b697..abda7ceca 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/ContainerRestrictedImagePulls.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/ContainerRestrictedImagePulls.json
@@ -5,22 +5,31 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Restrict containers' image pulls to enforce the presence of ImagePullSecrets, ensuring secure and authorized access to images within a Kubernetes cluster",
 "metadata": {
- "version": "1.1.0-preview",
+ "version": "1.2.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.1.0-preview",
+ "version": "1.2.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "warn": {
 "type": "Boolean",
 "metadata": {
 "displayName": "Warn",
 "description": "Whether or not to return warnings back to the user in the kubectl cli"
 },
- "allowedValues": [
- true,
- false
- ],
 "defaultValue": false
 },
 "effect": {
@@ -126,6 +135,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
@@ -146,6 +156,7 @@
 }
 },
 "versions": [
+ "1.2.0-PREVIEW",
 "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
diff --git a/built-in-policies/policyDefinitions/Kubernetes/DisallowedBadPodDisruptionBudgets.json b/built-in-policies/policyDefinitions/Kubernetes/DisallowedBadPodDisruptionBudgets.json
index be08e67ec..49b493687 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/DisallowedBadPodDisruptionBudgets.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/DisallowedBadPodDisruptionBudgets.json
@@ -5,22 +5,31 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Prevents faulty Pod Disruption Budgets, ensuring a minimum number of operational pods. Refer to the official Kubernetes documentation for details. Relies on Gatekeeper data replication and syncs all ingress resources scoped to it into OPA. Before applying this policy, ensure that the synced ingress resources won't strain your memory capacity. Though parameters evaluate specific namespaces, all resources of that kind across namespaces will sync. Note: currently in preview for Kubernetes Service (AKS).",
 "metadata": {
- "version": "1.1.1-preview",
+ "version": "1.2.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.1.1-preview",
+ "version": "1.2.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "warn": {
 "type": "Boolean",
 "metadata": {
 "displayName": "Warn",
 "description": "Whether or not to return warnings back to the user in the kubectl cli"
 },
- "allowedValues": [
- true,
- false
- ],
 "defaultValue": false
 },
 "effect": {
@@ -124,6 +133,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
@@ -146,6 +156,7 @@
 }
 },
 "versions": [
+ "1.2.0-PREVIEW",
 "1.1.1-PREVIEW",
 "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
diff --git a/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json b/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json
index 5dbe20e79..4127275e3 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "6.1.1",
+ "version": "6.2.0",
 "category": "Kubernetes"
 },
- "version": "6.1.1",
+ "version": "6.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -147,6 +168,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/enforce-apparmor-profile/v3/template.yaml"
@@ -169,6 +192,7 @@
 }
 },
 "versions": [
+ "6.2.0",
 "6.1.1"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/EnforceCSIDriver.json b/built-in-policies/policyDefinitions/Kubernetes/EnforceCSIDriver.json
index 26c3299ac..663500e0c 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/EnforceCSIDriver.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/EnforceCSIDriver.json
@@ -5,21 +5,30 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "The Container Storage Interface (CSI) is a standard for exposing arbitrary block and file storage systems to containerized workloads on Kubernetes. In-tree provisioner StorageClass should be deprecated since AKS version 1.21. To learn more, https://aka.ms/aks-csi-driver",
 "metadata": {
- "version": "2.2.0",
+ "version": "2.3.0",
 "category": "Kubernetes"
 },
- "version": "2.2.0",
+ "version": "2.3.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "warn": {
 "type": "Boolean",
 "metadata": {
 "displayName": "Warn",
 "description": "Whether or not to return warnings back to the user in the kubectl cli"
 },
- "allowedValues": [
- true,
- false
- ],
 "defaultValue": false
 },
 "effect": {
@@ -128,6 +137,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
@@ -146,6 +156,7 @@
 }
 },
 "versions": [
+ "2.3.0",
 "2.2.0",
 "2.1.0"
 ]
diff --git a/built-in-policies/policyDefinitions/Kubernetes/EnforceResourceAnnotation.json b/built-in-policies/policyDefinitions/Kubernetes/EnforceResourceAnnotation.json
index 412f05353..ee150c108 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/EnforceResourceAnnotation.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/EnforceResourceAnnotation.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Ensure that required annotations are attached on a given Kubernetes resource kind for improved resource management of your Kubernetes resources. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "3.1.0",
+ "version": "3.2.0",
 "category": "Kubernetes"
 },
- "version": "3.1.0",
+ "version": "3.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -165,6 +186,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/enforce-required-annotation/v1/template.yaml"
@@ -185,6 +208,7 @@
 }
 },
 "versions": [
+ "3.2.0",
 "3.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/FlexVolumeDrivers.json b/built-in-policies/policyDefinitions/Kubernetes/FlexVolumeDrivers.json
index b7cc133d0..c84b7bbf7 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/FlexVolumeDrivers.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/FlexVolumeDrivers.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Pod FlexVolume volumes should only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "5.1.1",
+ "version": "5.2.0",
 "category": "Kubernetes"
 },
- "version": "5.1.1",
+ "version": "5.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -128,6 +149,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/flexvolume-drivers/v1/template.yaml"
@@ -148,6 +171,7 @@
 }
 },
 "versions": [
+ "5.2.0",
 "5.1.1"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/ForbiddenSysctlInterfaces.json b/built-in-policies/policyDefinitions/Kubernetes/ForbiddenSysctlInterfaces.json
index e8328a30d..e80576d2a 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/ForbiddenSysctlInterfaces.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/ForbiddenSysctlInterfaces.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Containers should not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "7.1.1",
+ "version": "7.2.0",
 "category": "Kubernetes"
 },
- "version": "7.1.1",
+ "version": "7.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -127,6 +148,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/forbidden-sysctl-interfaces/v1/template.yaml"
@@ -147,6 +170,7 @@
 }
 },
 "versions": [
+ "7.2.0",
 "7.1.1"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/HostNetworkPorts.json b/built-in-policies/policyDefinitions/Kubernetes/HostNetworkPorts.json
index 4df86951b..6432120fd 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/HostNetworkPorts.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/HostNetworkPorts.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "6.1.0",
+ "version": "6.2.0",
 "category": "Kubernetes"
 },
- "version": "6.1.0",
+ "version": "6.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -163,6 +184,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/host-network-ports/v3/template.yaml"
@@ -187,6 +210,7 @@
 }
 },
 "versions": [
+ "6.2.0",
 "6.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/ImageIntegrityNotationVerification.json b/built-in-policies/policyDefinitions/Kubernetes/ImageIntegrityNotationVerification.json
index bee0c80ae..d2596d3ce 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/ImageIntegrityNotationVerification.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/ImageIntegrityNotationVerification.json
@@ -5,12 +5,33 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Use images signed by notation to ensure that images come from trusted sources and will not be maliciously modified. For more info, visit https://aka.ms/aks/image-integrity",
 "metadata": {
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -124,6 +145,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/image-integrity-notation-verification/v1/template.yaml"
@@ -144,6 +167,7 @@
 }
 },
 "versions": [
+ "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/ImagesDoNotUseLatest.json b/built-in-policies/policyDefinitions/Kubernetes/ImagesDoNotUseLatest.json
index a09af669b..edfcdf903 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/ImagesDoNotUseLatest.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/ImagesDoNotUseLatest.json
@@ -5,22 +5,31 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Requires that container images do not use the latest tag in Kubernetes, it is a best practice to ensure reproducibility, prevent unintended updates, and facilitate easier debugging and rollbacks by using explicit and versioned container images.",
 "metadata": {
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "warn": {
 "type": "Boolean",
 "metadata": {
 "displayName": "Warn",
 "description": "Whether or not to return warnings back to the user in the kubectl cli"
 },
- "allowedValues": [
- true,
- false
- ],
 "defaultValue": false
 },
 "effect": {
@@ -124,6 +133,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
@@ -145,6 +155,7 @@
 }
 },
 "versions": [
+ "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/IngressHttpsOnly.json b/built-in-policies/policyDefinitions/Kubernetes/IngressHttpsOnly.json
index 4e290bce2..3d52b9cf8 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/IngressHttpsOnly.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/IngressHttpsOnly.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc",
 "metadata": {
- "version": "8.1.0",
+ "version": "8.2.0",
 "category": "Kubernetes"
 },
- "version": "8.1.0",
+ "version": "8.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -119,6 +140,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/ingress-https-only/v1/template.yaml"
@@ -137,6 +160,7 @@
 }
 },
 "versions": [
+ "8.2.0",
 "8.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/LoadbalancerNoPublicIPs.json b/built-in-policies/policyDefinitions/Kubernetes/LoadbalancerNoPublicIPs.json
index 16d17e103..daa9df83e 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/LoadbalancerNoPublicIPs.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/LoadbalancerNoPublicIPs.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Use internal load balancers to make a Kubernetes service accessible only to applications running in the same virtual network as the Kubernetes cluster. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "8.1.0",
+ "version": "8.2.0",
 "category": "Kubernetes"
 },
- "version": "8.1.0",
+ "version": "8.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -118,6 +139,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/load-balancer-no-public-ips/v1/template.yaml"
@@ -135,6 +158,7 @@
 }
 },
 "versions": [
+ "8.2.0",
 "8.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/MustHaveAntiAffinityRulesSet.json b/built-in-policies/policyDefinitions/Kubernetes/MustHaveAntiAffinityRulesSet.json
index e95736ab4..0a278f62b 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/MustHaveAntiAffinityRulesSet.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/MustHaveAntiAffinityRulesSet.json
@@ -5,22 +5,31 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience.",
 "metadata": {
- "version": "1.1.1-preview",
+ "version": "1.2.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.1.1-preview",
+ "version": "1.2.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "warn": {
 "type": "Boolean",
 "metadata": {
 "displayName": "Warn",
 "description": "Whether or not to return warnings back to the user in the kubectl cli"
 },
- "allowedValues": [
- true,
- false
- ],
 "defaultValue": false
 },
 "effect": {
@@ -124,6 +133,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
@@ -145,6 +155,7 @@
 }
 },
 "versions": [
+ "1.2.0-PREVIEW",
 "1.1.1-PREVIEW",
 "1.1.0-PREVIEW",
 "1.0.1-PREVIEW"
diff --git a/built-in-policies/policyDefinitions/Kubernetes/MutateContainerAllowedCapabilitiesContainers.json b/built-in-policies/policyDefinitions/Kubernetes/MutateContainerAllowedCapabilitiesContainers.json
index c29c906b9..dbe87f57b 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/MutateContainerAllowedCapabilitiesContainers.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/MutateContainerAllowedCapabilitiesContainers.json
@@ -5,12 +5,25 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Mutates securityContext.capabilities.drop to add in \"ALL\". This drops all capabilities for k8s linux containers",
 "metadata": {
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -45,6 +58,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "mutationInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/mutate-container-allowed-capabilities-containers/v1/mutation.yaml"
@@ -54,6 +68,7 @@
 }
 },
 "versions": [
+ "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/MutateContainerAllowedCapabilitiesInitContainers.json b/built-in-policies/policyDefinitions/Kubernetes/MutateContainerAllowedCapabilitiesInitContainers.json
index 1ae114fd9..73e201cdb 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/MutateContainerAllowedCapabilitiesInitContainers.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/MutateContainerAllowedCapabilitiesInitContainers.json
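Review bot: The `source` parameter description added in this hunk says "The source k8s object for constraint evaluation", but this definition (and the other Mutate* definitions in this commit, on the hunks at L67 through L74) applies a mutation via `mutationInfo`, not a constraint, so the copied text describes the wrong mechanism to the person assigning the policy. Since the same parameter block is pasted verbatim into every mutation policy, a wording that fits both cases avoids a second divergence later, e.g. `"description": "The source k8s object for policy evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. ..."`, keeping the rest of the sentence unchanged. I have not verified how `details.source` is applied to the Gatekeeper mutator, so the Original/Generated/All semantics described for constraints should be confirmed to hold for mutations before relying on the text.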
@@ -5,12 +5,25 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Mutates securityContext.capabilities.drop to add in \"ALL\". This drops all capabilities for k8s linux init containers",
 "metadata": {
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -45,6 +58,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "mutationInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/mutate-container-allowed-capabilities-initcontainers/v1/mutation.yaml"
@@ -54,6 +68,7 @@
 }
 },
 "versions": [
+ "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/MutateMaxUnavailablePods.json b/built-in-policies/policyDefinitions/Kubernetes/MutateMaxUnavailablePods.json
index 239789a5d..045b64060 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/MutateMaxUnavailablePods.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/MutateMaxUnavailablePods.json
@@ -5,12 +5,25 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Setting your max unavailable pod value to 1 ensures that your application or service is available during a disruption",
 "metadata": {
- "version": "1.1.0-preview",
+ "version": "1.2.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.1.0-preview",
+ "version": "1.2.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -45,6 +58,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "mutationInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/mutate-max-unavailable-pods/v1/mutation.yaml"
@@ -54,6 +68,7 @@
 }
 },
 "versions": [
+ "1.2.0-PREVIEW",
 "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
diff --git a/built-in-policies/policyDefinitions/Kubernetes/MutateMountServiceAccountToken.json b/built-in-policies/policyDefinitions/Kubernetes/MutateMountServiceAccountToken.json
index 8937209e4..1694f605a 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/MutateMountServiceAccountToken.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/MutateMountServiceAccountToken.json
@@ -5,12 +5,25 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Setting automountServiceAccountToken to false increases security by avoiding the default auto-mounting of service account tokens",
 "metadata": {
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -45,6 +58,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "mutationInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/mutate-mount-service-account-token/v1/mutation.yaml"
@@ -54,6 +68,7 @@
 }
 },
 "versions": [
+ "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/MutatePrivilegeEscalationContainers.json b/built-in-policies/policyDefinitions/Kubernetes/MutatePrivilegeEscalationContainers.json
index e8b05b31d..e78d43f9a 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/MutatePrivilegeEscalationContainers.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/MutatePrivilegeEscalationContainers.json
@@ -5,12 +5,25 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Setting Privilege escalation to false increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode.",
 "metadata": {
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -45,6 +58,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "mutationInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/mutate-privilege-escalation-containers/v1/mutation.yaml"
@@ -54,6 +68,7 @@
 }
 },
 "versions": [
+ "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/MutatePrivilegeEscalationInitContainers.json b/built-in-policies/policyDefinitions/Kubernetes/MutatePrivilegeEscalationInitContainers.json
index ff5eb3c59..06421c82d 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/MutatePrivilegeEscalationInitContainers.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/MutatePrivilegeEscalationInitContainers.json
@@ -5,12 +5,25 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Setting Privilege escalation to false in init containers increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode.",
 "metadata": {
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -45,6 +58,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "mutationInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/mutate-privilege-escalation-init-containers/v1/mutation.yaml"
@@ -54,6 +68,7 @@
 }
 },
 "versions": [
+ "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/MutateReadOnlyRootFilesystem.json b/built-in-policies/policyDefinitions/Kubernetes/MutateReadOnlyRootFilesystem.json
index b959673dc..5fb9ed95e 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/MutateReadOnlyRootFilesystem.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/MutateReadOnlyRootFilesystem.json
@@ -5,12 +5,25 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem",
 "metadata": {
- "version": "1.1.0-preview",
+ "version": "1.2.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.1.0-preview",
+ "version": "1.2.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -45,6 +58,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "mutationInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/mutate-read-only-root-filesystem/v1/mutation.yaml"
@@ -54,6 +68,7 @@
 }
 },
 "versions": [
+ "1.2.0-PREVIEW",
 "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
diff --git a/built-in-policies/policyDefinitions/Kubernetes/MutateReadOnlyRootFilesystemInitContainers.json b/built-in-policies/policyDefinitions/Kubernetes/MutateReadOnlyRootFilesystemInitContainers.json
index 80575187d..e3f89ed85 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/MutateReadOnlyRootFilesystemInitContainers.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/MutateReadOnlyRootFilesystemInitContainers.json
@@ -5,12 +5,25 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for linux containers.",
 "metadata": {
- "version": "1.1.0-preview",
+ "version": "1.2.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.1.0-preview",
+ "version": "1.2.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -45,6 +58,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "mutationInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/mutate-read-only-root-filesystem-init-containers/v1/mutation.yaml"
@@ -54,6 +68,7 @@
 }
 },
 "versions": [
+ "1.2.0-PREVIEW",
 "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
diff --git a/built-in-policies/policyDefinitions/Kubernetes/MutateReservedSystemPoolTaints.json b/built-in-policies/policyDefinitions/Kubernetes/MutateReservedSystemPoolTaints.json
index bf367a3a4..8193973a4 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/MutateReservedSystemPoolTaints.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/MutateReservedSystemPoolTaints.json
@@ -5,12 +5,25 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools.",
 "metadata": {
- "version": "1.1.0-preview",
+ "version": "1.2.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.1.0-preview",
+ "version": "1.2.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -45,6 +58,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "mutationInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/mutate-systempool-taints/v1/mutation.yaml"
@@ -54,6 +68,7 @@
 }
 },
 "versions": [
+ "1.2.0-PREVIEW",
 "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
diff --git a/built-in-policies/policyDefinitions/Kubernetes/MutateResourceCPULimits.json b/built-in-policies/policyDefinitions/Kubernetes/MutateResourceCPULimits.json
index 83ee6cc5d..37d6e33d9 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/MutateResourceCPULimits.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/MutateResourceCPULimits.json
@@ -5,12 +5,25 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster.",
 "metadata": {
- "version": "1.1.1-preview",
+ "version": "1.2.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.1.1-preview",
+ "version": "1.2.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -45,6 +58,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "mutationInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/mutate-resource-cpu-limits/v1/mutation.yaml"
@@ -54,6 +68,7 @@
 }
 },
 "versions": [
+ "1.2.0-PREVIEW",
 "1.1.1-PREVIEW",
 "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
diff --git a/built-in-policies/policyDefinitions/Kubernetes/MutateResourceMemoryLimits.json b/built-in-policies/policyDefinitions/Kubernetes/MutateResourceMemoryLimits.json
index 8177a43bc..ba0c2b132 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/MutateResourceMemoryLimits.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/MutateResourceMemoryLimits.json
@@ -5,12 +5,25 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster.",
 "metadata": {
- "version": "1.1.1-preview",
+ "version": "1.2.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.1.1-preview",
+ "version": "1.2.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -45,6 +58,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "mutationInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/mutate-resource-memory-limits/v1/mutation.yaml"
@@ -54,6 +68,7 @@
 }
 },
 "versions": [
+ "1.2.0-PREVIEW",
 "1.1.1-PREVIEW",
 "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
diff --git a/built-in-policies/policyDefinitions/Kubernetes/MutateSeccompProfileContainers.json b/built-in-policies/policyDefinitions/Kubernetes/MutateSeccompProfileContainers.json
index 923540357..f6d2f4f1b 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/MutateSeccompProfileContainers.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/MutateSeccompProfileContainers.json
@@ -5,12 +5,25 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Setting secure computing mode profile type for containers to prevent unauthorized and potentially harmful system calls to the kernel from user space.",
 "metadata": {
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -45,6 +58,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "mutationInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/mutate-seccomp-profile-containers/v1/mutation.yaml"
@@ -54,6 +68,7 @@
 }
 },
 "versions": [
+ "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/MutateSeccompProfileInitContainers.json b/built-in-policies/policyDefinitions/Kubernetes/MutateSeccompProfileInitContainers.json
index 8919ec77a..690a2d37a 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/MutateSeccompProfileInitContainers.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/MutateSeccompProfileInitContainers.json
@@ -5,12 +5,25 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Setting secure computing mode profile type for init containers to prevent unauthorized and potentially harmful system calls to the kernel from user space.",
 "metadata": {
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -45,6 +58,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "mutationInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/mutate-seccomp-profile-initcontainers/v1/mutation.yaml"
@@ -54,6 +68,7 @@
 }
 },
 "versions": [
+ "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/NoAKSSpecificLabels.json b/built-in-policies/policyDefinitions/Kubernetes/NoAKSSpecificLabels.json
index 59c6d2a2c..3901e4411 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/NoAKSSpecificLabels.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/NoAKSSpecificLabels.json
@@ -5,22 +5,31 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Prevents customers from applying AKS specific labels. AKS uses labels prefixed with `kubernetes.azure.com` to denote AKS owned components. The customer should not use these labels.",
 "metadata": {
- "version": "1.1.1-preview",
+ "version": "1.2.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.1.1-preview",
+ "version": "1.2.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "warn": {
 "type": "Boolean",
 "metadata": {
 "displayName": "Warn",
 "description": "Whether or not to return warnings back to the user in the kubectl cli"
 },
- "allowedValues": [
- true,
- false
- ],
 "defaultValue": false
 },
 "effect": {
@@ -145,6 +154,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
@@ -174,6 +184,7 @@
 }
 },
 "versions": [
+ "1.2.0-PREVIEW",
 "1.1.1-PREVIEW",
 "1.1.0-PREVIEW",
 "1.0.1-PREVIEW"
diff --git a/built-in-policies/policyDefinitions/Kubernetes/PodEnforceLabels.json b/built-in-policies/policyDefinitions/Kubernetes/PodEnforceLabels.json
index dbe6d83c3..ac334e805 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/PodEnforceLabels.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/PodEnforceLabels.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Use specified labels to identify the pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "7.1.0",
+ "version": "7.2.0",
 "category": "Kubernetes"
 },
- "version": "7.1.0",
+ "version": "7.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -127,6 +148,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/pod-enforce-labels/v1/template.yaml"
@@ -147,6 +170,7 @@
 }
 },
 "versions": [
+ "7.2.0",
 "7.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/PrintMutationsAnnotations.json b/built-in-policies/policyDefinitions/Kubernetes/PrintMutationsAnnotations.json
index 7dd3856d3..a3317416e 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/PrintMutationsAnnotations.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/PrintMutationsAnnotations.json
@@ -5,12 +5,25 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Looks up the mutation annotations applied and prints a message if annotation exists.",
 "metadata": {
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.0.0-preview",
+ "version": "1.1.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "warn": {
 "type": "Boolean",
 "metadata": {
@@ -118,6 +131,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
@@ -138,6 +152,7 @@
 }
 },
 "versions": [
+ "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json b/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json
index 2522c39a4..5ff2fa2ba 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json
@@ -5,21 +5,30 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "6.2.0",
+ "version": "6.3.0",
 "category": "Kubernetes"
 },
- "version": "6.2.0",
+ "version": "6.3.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "warn": {
 "type": "Boolean",
 "metadata": {
 "displayName": "Warn",
 "description": "Whether or not to return warnings back to the user in the kubectl cli"
 },
- "allowedValues": [
- true,
- false
- ],
 "defaultValue": false
 },
 "effect": {
@@ -148,6 +157,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
@@ -170,6 +180,7 @@
 }
 },
 "versions": [
+ "6.3.0",
 "6.2.0",
 "6.1.0"
 ]
diff --git a/built-in-policies/policyDefinitions/Kubernetes/ReservedSystemPoolTaints.json b/built-in-policies/policyDefinitions/Kubernetes/ReservedSystemPoolTaints.json
index 3b9dd335a..5c9c6abc0 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/ReservedSystemPoolTaints.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/ReservedSystemPoolTaints.json
@@ -5,22 +5,31 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Restricts the CriticalAddonsOnly taint to just the system pool. AKS uses the CriticalAddonsOnly taint to keep customer pods away from the system pool. It ensures a clear separation between AKS components and customer pods, as well as prevents customer pods from being evicted if they do not tolerate the CriticalAddonsOnly taint.",
 "metadata": {
- "version": "1.1.1-preview",
+ "version": "1.2.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.1.1-preview",
+ "version": "1.2.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "warn": {
 "type": "Boolean",
 "metadata": {
 "displayName": "Warn",
 "description": "Whether or not to return warnings back to the user in the kubectl cli"
 },
- "allowedValues": [
- true,
- false
- ],
 "defaultValue": false
 },
 "effect": {
@@ -131,6 +140,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
@@ -152,6 +162,7 @@
 }
 },
 "versions": [
+ "1.2.0-PREVIEW",
 "1.1.1-PREVIEW",
 "1.1.0-PREVIEW",
 "1.0.1-PREVIEW"
diff --git a/built-in-policies/policyDefinitions/Kubernetes/SELinux.json b/built-in-policies/policyDefinitions/Kubernetes/SELinux.json
index bea9b982a..8665be74d 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/SELinux.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/SELinux.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "7.1.1",
+ "version": "7.2.0",
 "category": "Kubernetes"
 },
- "version": "7.1.1",
+ "version": "7.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -169,6 +190,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/selinux/v2/template.yaml"
@@ -190,6 +213,7 @@
 }
 },
 "versions": [
+ "7.2.0",
 "7.1.1"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/ServiceAllowedPorts.json b/built-in-policies/policyDefinitions/Kubernetes/ServiceAllowedPorts.json
index f6ba51158..103fe9d0a 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/ServiceAllowedPorts.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/ServiceAllowedPorts.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "metadata": {
- "version": "8.1.0",
+ "version": "8.2.0",
 "category": "Kubernetes"
 },
- "version": "8.1.0",
+ "version": "8.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -127,6 +148,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/service-allowed-ports/v1/template.yaml"
@@ -148,6 +171,7 @@
 }
 },
 "versions": [
+ "8.2.0",
 "8.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/UniqueServiceSelectors.json b/built-in-policies/policyDefinitions/Kubernetes/UniqueServiceSelectors.json
index b76fa8865..acf9ecc98 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/UniqueServiceSelectors.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/UniqueServiceSelectors.json
@@ -5,22 +5,31 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Ensure Services in a Namespace Have Unique Selectors. A unique service selector ensures that each service within a namespace is uniquely identifiable based on specific criteria. This policy syncs ingress resources into OPA via Gatekeeper. Before applying, verify Gatekeeper pods memory capacity won't be exceeded. Parameters apply to specific namespaces, but it syncs all resources of that type across all namespaces. Currently in preview for Kubernetes Service (AKS).",
 "metadata": {
- "version": "1.1.1-preview",
+ "version": "1.2.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.1.1-preview",
+ "version": "1.2.0-preview",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
 "warn": {
 "type": "Boolean",
 "metadata": {
 "displayName": "Warn",
 "description": "Whether or not to return warnings back to the user in the kubectl cli"
 },
- "allowedValues": [
- true,
- false
- ],
 "defaultValue": false
 },
 "effect": {
@@ -124,6 +133,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
 "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
@@ -142,6 +152,7 @@
 }
 },
 "versions": [
+ "1.2.0-PREVIEW",
 "1.1.1-PREVIEW",
 "1.1.0-PREVIEW",
 "1.0.0-PREVIEW"
diff --git a/built-in-policies/policyDefinitions/Kubernetes/WindowsBlockContainerAdmin.json b/built-in-policies/policyDefinitions/Kubernetes/WindowsBlockContainerAdmin.json
index 28978910a..2812b3b65 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/WindowsBlockContainerAdmin.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/WindowsBlockContainerAdmin.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Prevent usage of ContainerAdministrator as the user to execute the container processes for Windows pods or containers. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/ .",
 "metadata": {
- "version": "1.1.0",
+ "version": "1.2.0",
 "category": "Kubernetes"
 },
- "version": "1.1.0",
+ "version": "1.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -125,6 +146,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/windows-block-container-admin/v1/template.yaml"
@@ -145,6 +168,7 @@
 }
 },
 "versions": [
+ "1.2.0",
 "1.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/WindowsBlockHostProcess.json b/built-in-policies/policyDefinitions/Kubernetes/WindowsBlockHostProcess.json
new file mode 100644
index 000000000..5860bfa1f
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Kubernetes/WindowsBlockHostProcess.json
@@ -0,0 +1,176 @@
+{
+ "properties": {
+ "displayName": "Kubernetes cluster Windows pods should not run HostProcess containers",
+ "policyType": "BuiltIn",
+ "mode": "Microsoft.Kubernetes.Data",
+ "description": "Prevent prviledged access to the windows node. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/ .",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Kubernetes"
+ },
+ "version": "1.0.0",
+ "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy.",
+ "portalReview": true
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ },
+ "excludedNamespaces": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Namespace exclusions",
+ "description": "List of Kubernetes namespaces to exclude from policy evaluation. System namespaces \"kube-system\", \"gatekeeper-system\" and \"azure-arc\" are always excluded by design. \"azure-extensions-usage-system\" is optional to remove."
+ },
+ "defaultValue": [
+ "kube-system",
+ "gatekeeper-system",
+ "azure-arc",
+ "azure-extensions-usage-system"
+ ]
+ },
+ "namespaces": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Namespace inclusions",
+ "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
+ },
+ "defaultValue": []
+ },
+ "labelSelector": {
+ "type": "object",
+ "metadata": {
+ "displayName": "Kubernetes label selector",
+ "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
+ },
+ "defaultValue": {},
+ "schema": {
+ "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
+ "type": "object",
+ "properties": {
+ "matchLabels": {
+ "description": "matchLabels is a map of {key,value} pairs.",
+ "type": "object",
+ "additionalProperties": {
+ "type": "string"
+ },
+ "minProperties": 1
+ },
+ "matchExpressions": {
+ "description": "matchExpressions is a list of values, a key, and an operator.",
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "key": {
+ "description": "key is the label key that the selector applies to.",
+ "type": "string"
+ },
+ "operator": {
+ "description": "operator represents a key's relationship to a set of values.",
+ "type": "string",
+ "enum": [
+ "In",
+ "NotIn",
+ "Exists",
+ "DoesNotExist"
+ ]
+ },
+ "values": {
+ "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values array must be empty.",
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ },
+ "required": [
+ "key",
+ "operator"
+ ],
+ "additionalProperties": false
+ },
+ "minItems": 1
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "excludedImages": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Image exclusions",
+ "description": "The list of InitContainers and Containers to exclude from policy evaluation. The identifier is the image of container. Prefix-matching can be signified with `*`. For example: `myregistry.azurecr.io/istio:*`. It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository.",
+ "portalReview": true
+ },
+ "defaultValue": []
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "in": [
+ "Microsoft.Kubernetes/connectedClusters",
+ "Microsoft.ContainerService/managedClusters"
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
+ "templateInfo": {
+ "sourceType": "PublicURL",
+ "url": "https://store.policy.core.windows.net/kubernetes/windows-block-host-process/v1/template.yaml"
+ },
+ "apiGroups": [
+ ""
+ ],
+ "kinds": [
+ "Pod"
+ ],
+ "excludedNamespaces": "[parameters('excludedNamespaces')]",
+ "namespaces": "[parameters('namespaces')]",
+ "labelSelector": "[parameters('labelSelector')]",
+ "values": {
+ "excludedImages": "[parameters('excludedImages')]"
+ }
+ }
+ }
+ },
+ "versions": [
+ "1.0.0"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/077f0ce1-86d6-4058-bc60-de05067e8622",
+ "name": "077f0ce1-86d6-4058-bc60-de05067e8622"
+}
\ No newline at end of file
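Review bot: The user-facing `description` of the new WindowsBlockHostProcess definition misspells "privileged" as `prviledged` and lowercases "windows"; since this text is surfaced in the portal and in compliance results it should read `"description": "Prevent privileged access to the Windows node. This recommendation is intended to improve the security of Windows nodes. For more information, see https://kubernetes.io/docs/concepts/windows/intro/ ."`. The `effect` parameter's description names the option 'Disable' while its `allowedValues` entry is `"Disabled"`; aligning the text with the actual value avoids confusion when the parameter is set by name rather than through the portal. The file is also committed without a trailing newline (`\ No newline at end of file`), which tends to produce noisy diffs on the next edit. Because a HostProcess container runs with host-level access to the node, the `"defaultValue": "Audit"` only reports such pods; it matches the sibling built-ins, but it may be worth stating in the description that `Deny` is the effect that actually blocks them.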
diff --git a/built-in-policies/policyDefinitions/Kubernetes/WindowsContainerAllowedUsername.json b/built-in-policies/policyDefinitions/Kubernetes/WindowsContainerAllowedUsername.json
index 423ec58e8..16526e0f3 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/WindowsContainerAllowedUsername.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/WindowsContainerAllowedUsername.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Control the user that Windows pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies on Windows nodes which are intended to improve the security of your Kubernetes environments.",
 "metadata": {
- "version": "2.1.0",
+ "version": "2.2.0",
 "category": "Kubernetes"
 },
- "version": "2.1.0",
+ "version": "2.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -133,6 +154,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/windows-container-allowed-usernames/v1/template.yaml"
@@ -154,6 +177,7 @@
 }
 },
 "versions": [
+ "2.2.0",
 "2.1.0"
 ]
 },
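Review bot: The `warn` parameter added in the first hunk is described only as `Whether or not to return warnings back to the user in the kubectl cli`, which leaves an operator unable to tell from the portal whether setting it to `true` keeps the chosen `effect` (for example `deny`) in force or downgrades the constraint to warn-only. Whichever the template implements, the description should say so explicitly; if it is an additional action, something like `"description": "Whether or not to also return warnings back to the user in the kubectl CLI; does not change the selected effect."` (adjusted to the actual behaviour) would close the gap, and a terminal period would match the neighbouring `source` description. The same parameter block and description are introduced by the WindowsContainerResourceLimits.json hunks below, so the wording should be fixed in both places. The `details` wiring in the second hunk and the `versions` entry in the third are consistent with the new version number.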
diff --git a/built-in-policies/policyDefinitions/Kubernetes/WindowsContainerResourceLimits.json b/built-in-policies/policyDefinitions/Kubernetes/WindowsContainerResourceLimits.json
index f29ff76fc..f61db2c80 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/WindowsContainerResourceLimits.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/WindowsContainerResourceLimits.json
@@ -5,11 +5,32 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Windows container resource requests should be less or equal to the resource limit or unspecified to avoid overcommit. If Windows memory is over-provisioned it will process pages in disk - which can slow down performance - instead of terminating the container with out-of-memory",
 "metadata": {
- "version": "2.1.0",
+ "version": "2.2.0",
 "category": "Kubernetes"
 },
- "version": "2.1.0",
+ "version": "2.2.0",
 "parameters": {
+ "source": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Source",
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ },
+ "defaultValue": "Original",
+ "allowedValues": [
+ "All",
+ "Generated",
+ "Original"
+ ]
+ },
+ "warn": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Warn",
+ "description": "Whether or not to return warnings back to the user in the kubectl cli"
+ },
+ "defaultValue": false
+ },
 "effect": {
 "type": "String",
 "metadata": {
@@ -125,6 +146,8 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "[parameters('source')]",
+ "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/windows-container-resources/v1/template.yaml"
@@ -145,6 +168,7 @@
 }
 },
 "versions": [
+ "2.2.0",
 "2.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Network/PublicIPWithFPUOnly_Audit.json b/built-in-policies/policyDefinitions/Network/PublicIPWithFPUOnly_Audit.json
new file mode 100644
index 000000000..bb0479b75
--- /dev/null
+++ b/built-in-policies/policyDefinitions/Network/PublicIPWithFPUOnly_Audit.json
@@ -0,0 +1,78 @@
+{
+ "properties": {
+ "displayName": "Public IPs and Public IP prefixes should have FirstPartyUsage tag",
+ "policyType": "BuiltIn",
+ "mode": "Indexed",
+ "description": "Ensure all Public IP addresses and Public IP Prefixes have a FirstPartyUsage tag.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Network"
+ },
+ "version": "1.0.0",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "anyOf": [
+ {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/publicIPAddresses"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Network/publicIPAddresses/ipTags[*]",
+ "where": {
+ "field": "Microsoft.Network/publicIPAddresses/ipTags[*].ipTagType",
+ "equals": "FirstPartyUsage"
+ }
+ },
+ "less": 1
+ }
+ ]
+ },
+ {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/publicIPPrefixes"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Network/publicIPPrefixes/ipTags[*]",
+ "where": {
+ "field": "Microsoft.Network/publicIPPrefixes/ipTags[*].ipTagType",
+ "equals": "FirstPartyUsage"
+ }
+ },
+ "less": 1
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ },
+ "versions": [
+ "1.0.0"
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policyDefinitions/fe8a9af4-a003-4c7d-b7a4-b9808310c4f8",
+ "name": "fe8a9af4-a003-4c7d-b7a4-b9808310c4f8"
+}
\ No newline at end of file
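Review bot: In the new PublicIPWithFPUOnly_Audit.json, both `where` clauses test only `ipTags[*].ipTagType` equals `FirstPartyUsage`, so an IP tag of that type with any (or an empty) `tag` value satisfies the policy; if the control is meant to require a particular first-party usage value, the count filter should also constrain the matching element's `tag` property inside an `allOf`. The `displayName` and `description` say the resources should "have a FirstPartyUsage tag", which reads as an ARM resource tag, while the rule inspects the `ipTags` array and never `tags`; wording it as `"displayName": "Public IPs and Public IP prefixes should have a FirstPartyUsage IP tag"` and saying "IP tag (ipTagType)" in the description would keep operators from looking in the wrong place. The `effect` description `Enable or disable the execution of the policy` is the generic text; since `Deny` is offered, a sentence noting that `Deny` blocks creation of untagged public IPs and prefixes would make the choice clearer in the portal.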