Built-in Policy Release 12332adb

built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateContainerAllowedCapabilitiesContainers.json

@@ -5,12 +5,25 @@
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Mutates securityContext.capabilities.drop to add in \"ALL\". This drops all capabilities for k8s linux containers",
     "metadata": {
-      "version": "1.0.0-preview",
+      "version": "1.1.0-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.0.0-preview",
+    "version": "1.1.0-preview",
     "parameters": {
+      "source": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Source",
+          "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+        },
+        "defaultValue": "Original",
+        "allowedValues": [
+          "All",
+          "Generated",
+          "Original"
+        ]
+      },
       "effect": {
         "type": "String",
         "metadata": {
@@ -45,6 +58,7 @@
       "then": {
         "effect": "[parameters('effect')]",
         "details": {
+          "source": "[parameters('source')]",
           "mutationInfo": {
             "sourceType": "PublicURL",
             "url": "https://store.policy.azure.us/kubernetes/mutate-container-allowed-capabilities-containers/v1/mutation.yaml"
@@ -54,6 +68,7 @@
       }
     },
     "versions": [
+      "1.1.0-PREVIEW",
       "1.0.0-PREVIEW"
     ]
   },

built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateContainerAllowedCapabilitiesInitContainers.json

@@ -5,12 +5,25 @@
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Mutates securityContext.capabilities.drop to add in \"ALL\". This drops all capabilities for k8s linux init containers",
     "metadata": {
-      "version": "1.0.0-preview",
+      "version": "1.1.0-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.0.0-preview",
+    "version": "1.1.0-preview",
     "parameters": {
+      "source": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Source",
+          "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+        },
+        "defaultValue": "Original",
+        "allowedValues": [
+          "All",
+          "Generated",
+          "Original"
+        ]
+      },
       "effect": {
         "type": "String",
         "metadata": {
@@ -45,6 +58,7 @@
       "then": {
         "effect": "[parameters('effect')]",
         "details": {
+          "source": "[parameters('source')]",
           "mutationInfo": {
             "sourceType": "PublicURL",
             "url": "https://store.policy.azure.us/kubernetes/mutate-container-allowed-capabilities-initcontainers/v1/mutation.yaml"
@@ -54,6 +68,7 @@
       }
     },
     "versions": [
+      "1.1.0-PREVIEW",
       "1.0.0-PREVIEW"
     ]
   },

built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateMaxUnavailablePods.json

@@ -5,12 +5,25 @@
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Setting your max unavailable pod value to 1 ensures that your application or service is available during a disruption",
     "metadata": {
-      "version": "1.1.0-preview",
+      "version": "1.2.0-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.1.0-preview",
+    "version": "1.2.0-preview",
     "parameters": {
+      "source": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Source",
+          "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+        },
+        "defaultValue": "Original",
+        "allowedValues": [
+          "All",
+          "Generated",
+          "Original"
+        ]
+      },
       "effect": {
         "type": "String",
         "metadata": {
@@ -45,6 +58,7 @@
       "then": {
         "effect": "[parameters('effect')]",
         "details": {
+          "source": "[parameters('source')]",
           "mutationInfo": {
             "sourceType": "PublicURL",
             "url": "https://store.policy.azure.us/kubernetes/mutate-max-unavailable-pods/v1/mutation.yaml"
@@ -54,6 +68,7 @@
       }
     },
     "versions": [
+      "1.2.0-PREVIEW",
       "1.1.0-PREVIEW",
       "1.0.0-PREVIEW"
     ]

built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateMountServiceAccountToken.json

@@ -0,0 +1,62 @@
+{
+  "properties": {
+    "displayName": "[Preview]: Sets automountServiceAccountToken in the Pod spec in containers to false.",
+    "policyType": "BuiltIn",
+    "mode": "Microsoft.Kubernetes.Data",
+    "description": "Setting automountServiceAccountToken to false increases security by avoiding the default auto-mounting of service account tokens",
+    "metadata": {
+      "version": "1.0.0-preview",
+      "category": "Kubernetes",
+      "preview": true
+    },
+    "version": "1.0.0-preview",
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "'Mutate' modifies a non-compliant resource to be compliant when creating or updating. 'Disabled' turns off the policy.",
+          "portalReview": true
+        },
+        "allowedValues": [
+          "Mutate",
+          "Disabled"
+        ],
+        "defaultValue": "Mutate"
+      },
+      "excludedNamespaces": {
+        "type": "Array",
+        "metadata": {
+          "displayName": "Namespace exclusions",
+          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
+        },
+        "defaultValue": [
+          "kube-system",
+          "gatekeeper-system",
+          "azure-arc"
+        ]
+      }
+    },
+    "policyRule": {
+      "if": {
+        "field": "type",
+        "equals": "Microsoft.ContainerService/managedClusters"
+      },
+      "then": {
+        "effect": "[parameters('effect')]",
+        "details": {
+          "mutationInfo": {
+            "sourceType": "PublicURL",
+            "url": "https://store.policy.azure.us/kubernetes/mutate-mount-service-account-token/v1/mutation.yaml"
+          },
+          "excludedNamespaces": "[parameters('excludedNamespaces')]"
+        }
+      }
+    },
+    "versions": [
+      "1.0.0-PREVIEW"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/57f274ef-580a-4ed2-bcf8-5c6fa3775253",
+  "name": "57f274ef-580a-4ed2-bcf8-5c6fa3775253"
+}

built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutatePrivilegeEscalationContainers.json

@@ -0,0 +1,62 @@
+{
+  "properties": {
+    "displayName": "[Preview]: Sets Privilege escalation in the Pod spec to false.",
+    "policyType": "BuiltIn",
+    "mode": "Microsoft.Kubernetes.Data",
+    "description": "Setting Privilege escalation to false increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode.",
+    "metadata": {
+      "version": "1.0.0-preview",
+      "category": "Kubernetes",
+      "preview": true
+    },
+    "version": "1.0.0-preview",
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "'Mutate' modifies a non-compliant resource to be compliant when creating or updating. 'Disabled' turns off the policy.",
+          "portalReview": true
+        },
+        "allowedValues": [
+          "Mutate",
+          "Disabled"
+        ],
+        "defaultValue": "Mutate"
+      },
+      "excludedNamespaces": {
+        "type": "Array",
+        "metadata": {
+          "displayName": "Namespace exclusions",
+          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
+        },
+        "defaultValue": [
+          "kube-system",
+          "gatekeeper-system",
+          "azure-arc"
+        ]
+      }
+    },
+    "policyRule": {
+      "if": {
+        "field": "type",
+        "equals": "Microsoft.ContainerService/managedClusters"
+      },
+      "then": {
+        "effect": "[parameters('effect')]",
+        "details": {
+          "mutationInfo": {
+            "sourceType": "PublicURL",
+            "url": "https://store.policy.azure.us/kubernetes/mutate-privilege-escalation-containers/v1/mutation.yaml"
+          },
+          "excludedNamespaces": "[parameters('excludedNamespaces')]"
+        }
+      }
+    },
+    "versions": [
+      "1.0.0-PREVIEW"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/d77df159-718b-4aca-b94b-8e8890a98231",
+  "name": "d77df159-718b-4aca-b94b-8e8890a98231"
+}

built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutatePrivilegeEscalationInitContainers.json

@@ -0,0 +1,62 @@
+{
+  "properties": {
+    "displayName": "[Preview]: Sets Privilege escalation in the Pod spec in init containers to false.",
+    "policyType": "BuiltIn",
+    "mode": "Microsoft.Kubernetes.Data",
+    "description": "Setting Privilege escalation to false in init containers increases security by preventing containers from allowing privilege escalation such as via set-user-ID or set-group-ID file mode.",
+    "metadata": {
+      "version": "1.0.0-preview",
+      "category": "Kubernetes",
+      "preview": true
+    },
+    "version": "1.0.0-preview",
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "'Mutate' modifies a non-compliant resource to be compliant when creating or updating. 'Disabled' turns off the policy.",
+          "portalReview": true
+        },
+        "allowedValues": [
+          "Mutate",
+          "Disabled"
+        ],
+        "defaultValue": "Mutate"
+      },
+      "excludedNamespaces": {
+        "type": "Array",
+        "metadata": {
+          "displayName": "Namespace exclusions",
+          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
+        },
+        "defaultValue": [
+          "kube-system",
+          "gatekeeper-system",
+          "azure-arc"
+        ]
+      }
+    },
+    "policyRule": {
+      "if": {
+        "field": "type",
+        "equals": "Microsoft.ContainerService/managedClusters"
+      },
+      "then": {
+        "effect": "[parameters('effect')]",
+        "details": {
+          "mutationInfo": {
+            "sourceType": "PublicURL",
+            "url": "https://store.policy.azure.us/kubernetes/mutate-privilege-escalation-init-containers/v1/mutation.yaml"
+          },
+          "excludedNamespaces": "[parameters('excludedNamespaces')]"
+        }
+      }
+    },
+    "versions": [
+      "1.0.0-PREVIEW"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/4ee3ee6a-96ea-4d25-9c00-17f11d2e02c8",
+  "name": "4ee3ee6a-96ea-4d25-9c00-17f11d2e02c8"
+}

built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateReadOnlyRootFilesystem.json

@@ -5,12 +5,25 @@
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem",
     "metadata": {
-      "version": "1.1.0-preview",
+      "version": "1.2.0-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.1.0-preview",
+    "version": "1.2.0-preview",
     "parameters": {
+      "source": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Source",
+          "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+        },
+        "defaultValue": "Original",
+        "allowedValues": [
+          "All",
+          "Generated",
+          "Original"
+        ]
+      },
       "effect": {
         "type": "String",
         "metadata": {
@@ -45,6 +58,7 @@
       "then": {
         "effect": "[parameters('effect')]",
         "details": {
+          "source": "[parameters('source')]",
           "mutationInfo": {
             "sourceType": "PublicURL",
             "url": "https://store.policy.azure.us/kubernetes/mutate-read-only-root-filesystem/v1/mutation.yaml"
@@ -54,6 +68,7 @@
       }
     },
     "versions": [
+      "1.2.0-PREVIEW",
       "1.1.0-PREVIEW",
       "1.0.0-PREVIEW"
     ]