From 0dc26225f1627e677a36e4424faaaa8710c2fb2b Mon Sep 17 00:00:00 2001
From: Azure Policy Bot
Date: Wed, 2 Oct 2024 18:47:51 +0000
Subject: [PATCH] Built-in Policy Release 3d9b970a
---
 .../Kubernetes/BlockNakedPods.json | 6 ++++--
 .../Kubernetes/CannotEditIndividualNodes.json | 20 +++++++++++++++----
 ...sCacheEnterprise_PrivateEndpoint_DINE.json | 9 +++++----
 .../Kubernetes/BlockNakedPods.json | 10 ++++++----
 .../Kubernetes/CannotEditIndividualNodes.json | 20 +++++++++++++++----
 5 files changed, 47 insertions(+), 18 deletions(-)
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/BlockNakedPods.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/BlockNakedPods.json
index da7e43204..988159e6b 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/BlockNakedPods.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/BlockNakedPods.json
@@ -5,10 +5,10 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs",
 "metadata": {
- "version": "3.1.0",
+ "version": "3.2.0",
 "category": "Kubernetes"
 },
- "version": "3.1.0",
+ "version": "3.2.0",
 "parameters": {
 "effect": {
 "type": "String",
@@ -116,6 +116,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
+ "source": "Original",
 "templateInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.azure.us/kubernetes/block-naked-pods/v1/template.yaml"
@@ -133,6 +134,7 @@
 }
 },
 "versions": [
+ "3.2.0",
 "3.1.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/CannotEditIndividualNodes.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/CannotEditIndividualNodes.json
index 069d168c3..329e39e50 100644
--- a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/CannotEditIndividualNodes.json
+++ b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/CannotEditIndividualNodes.json
@@ -5,11 +5,11 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks.",
 "metadata": {
- "version": "1.0.4-preview",
+ "version": "1.1.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.0.4-preview",
+ "version": "1.1.0-preview",
 "parameters": {
 "effect": {
 "type": "String",
@@ -108,14 +108,25 @@
 "metadata": {
 "displayName": "Allowed Users",
 "description": "Users that are allowed by deployment safeguards to modify node labels on individual nodes."
- }
+ },
+ "defaultValue": [
+ "nodeclient",
+ "system:serviceaccount:kube-system:aci-connector-linux",
+ "system:serviceaccount:kube-system:node-controller",
+ "acsService",
+ "aksService",
+ "system:serviceaccount:kube-system:cloud-node-manager"
+ ]
 },
 "allowedGroups": {
 "type": "Array",
 "metadata": {
 "displayName": "Allowed Groups",
 "description": "Groups that are allowed by deployment safeguards to modify node labels on individual nodes."
- }
+ },
+ "defaultValue": [
+ "system:node"
+ ]
 }
 },
 "policyRule": {
@@ -147,6 +158,7 @@
 }
 },
 "versions": [
+ "1.1.0-PREVIEW",
 "1.0.4-PREVIEW",
 "1.0.3-PREVIEW"
 ]
diff --git a/built-in-policies/policyDefinitions/Cache/RedisCacheEnterprise_PrivateEndpoint_DINE.json b/built-in-policies/policyDefinitions/Cache/RedisCacheEnterprise_PrivateEndpoint_DINE.json
index 4c2e9e2d6..7e92c91d8 100644
--- a/built-in-policies/policyDefinitions/Cache/RedisCacheEnterprise_PrivateEndpoint_DINE.json
+++ b/built-in-policies/policyDefinitions/Cache/RedisCacheEnterprise_PrivateEndpoint_DINE.json
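Review bot: The new `defaultValue` lists for `allowedUsers` and `allowedGroups` (hunk `@@ -108,14 +108,25 @@`) turn what was a mandatory assignment-time choice into a silent allowlist of identities exempt from this guardrail, yet both parameter descriptions still read as if the assigner supplies the whole list. An assigner who adds a name now extends the exemption rather than replacing a platform default, and nothing in the metadata says so, nor that the defaults appear to be the AKS platform identities (inferred from the names; confirm). I would extend the `allowedUsers` description with `The default lists the AKS platform identities this policy must not block; any entry added at assignment time also becomes exempt.` and give `allowedGroups` the same sentence for `system:node`. The identical hunk in Kubernetes/CannotEditIndividualNodes.json (`@@ -129,14 +129,25 @@`) needs the same wording.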
@@ -4,9 +4,9 @@
 "description": "Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis Enterprise resources, you can reduce data leakage risks. Learn more at: https://aka.ms/redis/privateendpoint.",
 "metadata": {
 "category": "Cache",
- "version": "1.0.0"
+ "version": "1.1.0"
 },
- "version": "1.0.0",
+ "version": "1.1.0",
 "policyType": "BuiltIn",
 "mode": "Indexed",
 "parameters": {
@@ -46,7 +46,7 @@
 "equals": "Approved"
 },
 "roleDefinitionIds": [
- "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17"
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
 ],
 "deployment": {
 "properties": {
@@ -123,7 +123,7 @@
 "properties": {
 "privateLinkServiceId": "[parameters('serviceId')]",
 "groupIds": [
- "redisCache"
+ "redisEnterprise"
 ],
 "requestMessage": "autoapprove"
 }
@@ -155,6 +155,7 @@
 }
 },
 "versions": [
+ "1.1.0",
 "1.0.0"
 ]
 },
diff --git a/built-in-policies/policyDefinitions/Kubernetes/BlockNakedPods.json b/built-in-policies/policyDefinitions/Kubernetes/BlockNakedPods.json
index f3908087f..67bf3047f 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/BlockNakedPods.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/BlockNakedPods.json
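Review bot: The remediation identity's entry in `roleDefinitionIds` (hunk `@@ -46,7 +46,7 @@`) moves from a service-scoped role to `b24988ac-6180-42a0-ab88-20f7382dd24c`, which if I read the GUID correctly is the built-in Contributor role, so the DeployIfNotExists managed identity is now granted write access to every resource type at the assignment scope instead of only the cache and private-endpoint resources it deploys. If the swap is because the old role does not cover `Microsoft.Cache/redisEnterprise` (the `groupIds` change to `redisEnterprise` in `@@ -123,7 +123,7 @@` suggests that), a narrower combination such as a Redis Enterprise-specific role, if one exists, plus a network role for the private endpoint would keep least privilege. If no narrower role covers the deployment's actions, the description or `metadata` should record why Contributor is required, since the policy's description says nothing about the breadth of the grant.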
@@ -5,16 +5,17 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs",
 "metadata": {
- "version": "2.2.0",
+ "version": "2.3.0",
 "category": "Kubernetes"
 },
- "version": "2.2.0",
+ "version": "2.3.0",
 "parameters": {
 "source": {
 "type": "String",
 "metadata": {
 "displayName": "Source",
- "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+ "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones.",
+ "deprecated": true
 },
 "defaultValue": "Original",
 "allowedValues": [
@@ -137,7 +138,7 @@
 "then": {
 "effect": "[parameters('effect')]",
 "details": {
- "source": "[parameters('source')]",
+ "source": "Original",
 "warn": "[parameters('warn')]",
 "templateInfo": {
 "sourceType": "PublicURL",
@@ -156,6 +157,7 @@
 }
 },
 "versions": [
+ "2.3.0",
 "2.2.0",
 "2.1.0"
 ]
diff --git a/built-in-policies/policyDefinitions/Kubernetes/CannotEditIndividualNodes.json b/built-in-policies/policyDefinitions/Kubernetes/CannotEditIndividualNodes.json
index fab1f72b3..4acb89b7f 100644
--- a/built-in-policies/policyDefinitions/Kubernetes/CannotEditIndividualNodes.json
+++ b/built-in-policies/policyDefinitions/Kubernetes/CannotEditIndividualNodes.json
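Review bot: Marking `source` as `"deprecated": true` (hunk `@@ -5,16 +5,17 @@`) while `details.source` is hard-coded to `"Original"` (hunk `@@ -137,7 +138,7 @@`) means an existing assignment that set `source` to `'All'` or `'Generated'` keeps that value but is silently evaluated only against original objects, and the description still presents all three values as honored. I would append to the description `As of 2.3.0 this parameter is ignored and evaluation always uses the original object.` so an assigner can see that the enforcement scope no longer follows the parameter. The `allowedValues` entries fall outside the hunk, so I cannot tell whether 'Generated' and 'All' are still offered; if they are, the note in the description matters more.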
@@ -5,11 +5,11 @@
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks.",
 "metadata": {
- "version": "1.2.0-preview",
+ "version": "1.3.0-preview",
 "category": "Kubernetes",
 "preview": true
 },
- "version": "1.2.0-preview",
+ "version": "1.3.0-preview",
 "parameters": {
 "source": {
 "type": "String",
@@ -129,14 +129,25 @@
 "metadata": {
 "displayName": "Allowed Users",
 "description": "Users that are allowed by deployment safeguards to modify node labels on individual nodes."
- }
+ },
+ "defaultValue": [
+ "nodeclient",
+ "system:serviceaccount:kube-system:aci-connector-linux",
+ "system:serviceaccount:kube-system:node-controller",
+ "acsService",
+ "aksService",
+ "system:serviceaccount:kube-system:cloud-node-manager"
+ ]
 },
 "allowedGroups": {
 "type": "Array",
 "metadata": {
 "displayName": "Allowed Groups",
 "description": "Groups that are allowed by deployment safeguards to modify node labels on individual nodes."
- }
+ },
+ "defaultValue": [
+ "system:node"
+ ]
 }
 },
 "policyRule": {
@@ -170,6 +181,7 @@
 }
 },
 "versions": [
+ "1.3.0-PREVIEW",
 "1.2.0-PREVIEW",
 "1.1.1-PREVIEW",
 "1.1.0-PREVIEW",