Azure · robga · Oct 14, 2024 · Oct 9, 2024
@@ -0,0 +1,48 @@
+{
+  "properties": {
+    "displayName": "App Configuration should use geo-replication",
+    "policyType": "BuiltIn",
+    "mode": "Indexed",
+    "description": "Use the geo-replication feature to create replicas in other locations of your current configuration store for enhanced resiliency and availability. Additionally, having multi-region replicas lets you better distribute load, lower latency, protect against datacenter outages, and compartmentalize globally distributed workloads. Learn more at: https://aka.ms/appconfig/geo-replication.",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "App Configuration"
+    },
+    "version": "1.0.0",
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "defaultValue": "AuditIfNotExists",
+        "allowedValues": [
+          "AuditIfNotExists",
+          "Disabled"
+        ],
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        }
+      }
+    },
+    "policyRule": {
+      "if": {
+        "field": "type",
+        "equals": "Microsoft.AppConfiguration/configurationStores"
+      },
+      "then": {
+        "effect": "[parameters('effect')]",
+        "details": {
+          "type": "Microsoft.AppConfiguration/configurationStores/replicas",
+          "existenceCondition": {
+            "field": "Microsoft.AppConfiguration/configurationStores/replicas/provisioningState",
+            "equals": "Succeeded"
+          }
+        }
+      }
+    },
+    "versions": [
+      "1.0.0"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/d242c24b-bac7-439e-8af7-22d7dcfd3c4f",
+  "name": "d242c24b-bac7-439e-8af7-22d7dcfd3c4f"
+}
@@ -5,12 +5,33 @@
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks.",
     "metadata": {
-      "version": "1.1.0-preview",
+      "version": "1.2.0-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.1.0-preview",
+    "version": "1.2.0-preview",
     "parameters": {
+      "source": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Source",
+          "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+        },
+        "defaultValue": "Original",
+        "allowedValues": [
+          "All",
+          "Generated",
+          "Original"
+        ]
+      },
+      "warn": {
+        "type": "Boolean",
+        "metadata": {
+          "displayName": "Warn",
+          "description": "Whether or not to return warnings back to the user in the kubectl cli"
+        },
+        "defaultValue": false
+      },
       "effect": {
         "type": "String",
         "metadata": {
@@ -137,6 +158,8 @@
       "then": {
         "effect": "[parameters('effect')]",
         "details": {
+          "source": "[parameters('source')]",
+          "warn": "[parameters('warn')]",
           "templateInfo": {
             "sourceType": "PublicURL",
             "url": "https://store.policy.azure.us/kubernetes/restricted-node-edits/v1/template.yaml"
@@ -158,6 +181,7 @@
       }
     },
     "versions": [
+      "1.2.0-PREVIEW",
       "1.1.0-PREVIEW",
       "1.0.4-PREVIEW",
       "1.0.3-PREVIEW"

@@ -5,11 +5,32 @@
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. For more information, see https://aka.ms/kubepolicydoc.",
     "metadata": {
-      "version": "10.1.1",
+      "version": "10.2.0",
       "category": "Kubernetes"
     },
-    "version": "10.1.1",
+    "version": "10.2.0",
     "parameters": {
+      "source": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Source",
+          "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+        },
+        "defaultValue": "Original",
+        "allowedValues": [
+          "All",
+          "Generated",
+          "Original"
+        ]
+      },
+      "warn": {
+        "type": "Boolean",
+        "metadata": {
+          "displayName": "Warn",
+          "description": "Whether or not to return warnings back to the user in the kubectl cli"
+        },
+        "defaultValue": false
+      },
       "effect": {
         "type": "String",
         "metadata": {
@@ -135,6 +156,8 @@
       "then": {
         "effect": "[parameters('effect')]",
         "details": {
+          "source": "[parameters('source')]",
+          "warn": "[parameters('warn')]",
           "templateInfo": {
             "sourceType": "PublicURL",
             "url": "https://store.policy.azure.us/kubernetes/container-allowed-images/v2/template.yaml"
@@ -156,6 +179,7 @@
       }
     },
     "versions": [
+      "10.2.0",
       "10.1.1",
       "10.1.0"
     ]

@@ -5,12 +5,33 @@
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Requires that container images include a preStop hook to gracefully terminate processes during pod shutdowns.",
     "metadata": {
-      "version": "1.0.0-preview",
+      "version": "1.1.0-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.0.0-preview",
+    "version": "1.1.0-preview",
     "parameters": {
+      "source": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Source",
+          "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+        },
+        "defaultValue": "Original",
+        "allowedValues": [
+          "All",
+          "Generated",
+          "Original"
+        ]
+      },
+      "warn": {
+        "type": "Boolean",
+        "metadata": {
+          "displayName": "Warn",
+          "description": "Whether or not to return warnings back to the user in the kubectl cli"
+        },
+        "defaultValue": false
+      },
       "effect": {
         "type": "String",
         "metadata": {
@@ -112,6 +133,8 @@
       "then": {
         "effect": "[parameters('effect')]",
         "details": {
+          "source": "[parameters('source')]",
+          "warn": "[parameters('warn')]",
           "templateInfo": {
             "sourceType": "PublicURL",
             "url": "https://store.policy.azure.us/kubernetes/container-enforce-pre-stop-hook/v1/template.yaml"
@@ -132,6 +155,7 @@
       }
     },
     "versions": [
+      "1.1.0-PREVIEW",
       "1.0.0-PREVIEW"
     ]
   },

@@ -5,11 +5,32 @@
     "mode": "Microsoft.Kubernetes.Data",
     "description": "This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.",
     "metadata": {
-      "version": "4.1.0",
+      "version": "4.2.0",
       "category": "Kubernetes"
     },
-    "version": "4.1.0",
+    "version": "4.2.0",
     "parameters": {
+      "source": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Source",
+          "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+        },
+        "defaultValue": "Original",
+        "allowedValues": [
+          "All",
+          "Generated",
+          "Original"
+        ]
+      },
+      "warn": {
+        "type": "Boolean",
+        "metadata": {
+          "displayName": "Warn",
+          "description": "Whether or not to return warnings back to the user in the kubectl cli"
+        },
+        "defaultValue": false
+      },
       "effect": {
         "type": "String",
         "defaultValue": "Audit",
@@ -145,6 +166,8 @@
       "then": {
         "effect": "[parameters('effect')]",
         "details": {
+          "source": "[parameters('source')]",
+          "warn": "[parameters('warn')]",
           "templateInfo": {
             "sourceType": "PublicURL",
             "url": "https://store.policy.azure.us/kubernetes/container-enforce-probes/v2/template.yaml"
@@ -167,6 +190,7 @@
       }
     },
     "versions": [
+      "4.2.0",
       "4.1.0"
     ]
   },

@@ -5,11 +5,32 @@
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
     "metadata": {
-      "version": "10.1.0",
+      "version": "10.2.0",
       "category": "Kubernetes"
     },
-    "version": "10.1.0",
+    "version": "10.2.0",
     "parameters": {
+      "source": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Source",
+          "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+        },
+        "defaultValue": "Original",
+        "allowedValues": [
+          "All",
+          "Generated",
+          "Original"
+        ]
+      },
+      "warn": {
+        "type": "Boolean",
+        "metadata": {
+          "displayName": "Warn",
+          "description": "Whether or not to return warnings back to the user in the kubectl cli"
+        },
+        "defaultValue": false
+      },
       "effect": {
         "type": "String",
         "metadata": {
@@ -152,6 +173,8 @@
       "then": {
         "effect": "[parameters('effect')]",
         "details": {
+          "source": "[parameters('source')]",
+          "warn": "[parameters('warn')]",
           "templateInfo": {
             "sourceType": "PublicURL",
             "url": "https://store.policy.azure.us/kubernetes/container-resource-limits/v3/template.yaml"
@@ -175,6 +198,7 @@
       }
     },
     "versions": [
+      "10.2.0",
       "10.1.0"
     ]
   },

@@ -5,12 +5,33 @@
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Restrict containers' image pulls to enforce the presence of ImagePullSecrets, ensuring secure and authorized access to images within a Kubernetes cluster",
     "metadata": {
-      "version": "1.0.0-preview",
+      "version": "1.1.0-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.0.0-preview",
+    "version": "1.1.0-preview",
     "parameters": {
+      "source": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Source",
+          "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+        },
+        "defaultValue": "Original",
+        "allowedValues": [
+          "All",
+          "Generated",
+          "Original"
+        ]
+      },
+      "warn": {
+        "type": "Boolean",
+        "metadata": {
+          "displayName": "Warn",
+          "description": "Whether or not to return warnings back to the user in the kubectl cli"
+        },
+        "defaultValue": false
+      },
       "effect": {
         "type": "String",
         "metadata": {
@@ -114,6 +135,8 @@
       "then": {
         "effect": "[parameters('effect')]",
         "details": {
+          "source": "[parameters('source')]",
+          "warn": "[parameters('warn')]",
           "templateInfo": {
             "sourceType": "PublicURL",
             "url": "https://store.policy.azure.us/kubernetes/container-restricted-image-pulls/v1/template.yaml"
@@ -133,6 +156,7 @@
       }
     },
     "versions": [
+      "1.1.0-PREVIEW",
       "1.0.0-PREVIEW"
     ]
   },