Merge pull request #251 from Azure/gb-azurepolicy

Azure Policy - Fixes and adding restricted option
Azure · Apr 20, 2022 · e46abae · e46abae
2 parents 67999ae + 2e11c65
commit e46abae
Show file tree

Hide file tree

Showing 6 changed files with 67 additions and 11 deletions.
diff --git a/.github/workflows_dep/regressionparams/restrictedAzPolicy.json b/.github/workflows_dep/regressionparams/restrictedAzPolicy.json
@@ -0,0 +1,15 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "resourceName": {
+      "value": "az-k8s-pol12"
+    },
+    "azurepolicy": {
+      "value": "audit"
+    },
+    "azurePolicyInitiative": {
+      "value": "Restricted"
+    }
+  }
+}
diff --git a/bicep/main.bicep b/bicep/main.bicep
@@ -822,9 +822,20 @@ param networkPlugin string = 'azure'
 @description('The network policy to use.')
 param networkPolicy string = ''
 
+@allowed([
+  ''
+  'audit'
+  'deny'
+])
 @description('Enable the Azure Policy addon')
 param azurepolicy string = ''
 
+@allowed([
+  'Baseline'
+  'Restricted'
+])
+param azurePolicyInitiative string = 'Baseline'
+
 @description('Enable the git ops addon')
 param gitops string = ''
 
@@ -1099,25 +1110,32 @@ resource aks 'Microsoft.ContainerService/managedClusters@2021-10-01' = {
 }
 output aksClusterName string = aks.name
 
-var policySetPodSecBaseline = resourceId('Microsoft.Authorization/policySetDefinitions', 'a8640138-9b0a-4a28-b8cb-1666c838647d')
+var policySetBaseline = '/providers/Microsoft.Authorization/policySetDefinitions/a8640138-9b0a-4a28-b8cb-1666c838647d'
+var policySetRestrictive = '/providers/Microsoft.Authorization/policySetDefinitions/42b8ef37-b724-4e24-bbc8-7a7708edfe00'
+
 resource aks_policies 'Microsoft.Authorization/policyAssignments@2020-09-01' = if (!empty(azurepolicy)) {
-  name: '${resourceName}-baseline'
+  name: '${resourceName}-${azurePolicyInitiative}'
   location: location
   properties: {
-    //scope: resourceGroup().id
-    policyDefinitionId: policySetPodSecBaseline
+    policyDefinitionId: azurePolicyInitiative == 'Baseline' ? policySetBaseline : policySetRestrictive
     parameters: {
-      // Gives error: "The request content was invalid and could not be deserialized"
-      //excludedNamespaces: '[  "kube-system",  "gatekeeper-system",  "azure-arc"]'
+      excludedNamespaces: {
+        value: [
+            'kube-system'
+            'gatekeeper-system'
+            'azure-arc'
+            'cluster-baseline-setting'
+        ]
+      }
       effect: {
         value: azurepolicy
       }
     }
     metadata: {
       assignedBy: 'Aks Construction'
     }
-    displayName: 'Aks Baseline Security Policy'
-    description: 'As per: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Kubernetes/Kubernetes_PSPBaselineStandard.json'
+    displayName: 'Kubernetes cluster pod security ${azurePolicyInitiative} standards for Linux-based workloads'
+    description: 'As per: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Kubernetes/'
   }
 }
 

diff --git a/cspell.json b/cspell.json
@@ -91,6 +91,7 @@
         "postdeploy",
         "pwsh",
         "routable",
+        "seccomp",
         "serviceparams",
         "smanifests",
         "snuck",

diff --git a/helper/src/components/addonsTab.js b/helper/src/components/addonsTab.js
@@ -242,22 +242,42 @@ export default function ({ tabValues, updateFn, featureFlag, invalidArray }) {
                     selectedKey={addons.azurepolicy}
                     options={[
                         { key: 'none', text: 'No restrictions, users can deploy any kubernetes workloads' },
-                        { key: 'audit', text: 'AUDIT compliance with the set of cluster pod security baseline standards for Linux-based workloads' },
-                        { key: 'deny', text: 'BLOCK and non-compliant Linux-based workloads with the set of cluster pod security baseline standards' }
+                        { key: 'audit', text: 'AUDIT non-compliant Linux-based workloads with the set of cluster pod security baseline standards' },
+                        { key: 'deny', text: 'BLOCK non-compliant Linux-based workloads with the set of cluster pod security baseline standards' }
                     ]}
                     onChange={(ev, { key }) => updateFn("azurepolicy", key)}
                 />
                 {addons.azurepolicy !== 'none' &&
+                <Stack.Item align="center" styles={{ root: { maxWidth: '700px'}}}>
+                    <Dropdown
+                        label="Pod Security Policy"
+                        onChange={(ev, { key }) => updateFn("azurePolicyInitiative", key)} selectedKey={addons.azurePolicyInitiative}
+                        styles={{ root: {  marginTop: '20px', marginLeft: '100px', width: '700px' } }}
+                        options={[
+                            { key: 'Baseline', text: 'Baseline pod security standards' },
+                            { key: 'Restricted', text: 'Restricted pod security standards' }
+                        ]}
+                    />
                     <MessageBar messageBarType={MessageBarType.success} styles={{ root: { marginTop: '20px', marginLeft: '100px', width: '700px' } }}>
-                        The template will automatically assign and <b>{addons.azurepolicy}</b> the following <Link target="_target" href="https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Kubernetes/Kubernetes_PSPBaselineStandard.json">Policies</Link>:
+                        The baseline policy will automatically assign and <b>{addons.azurepolicy}</b> the following <Link target="_target" href="https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Kubernetes/Kubernetes_PSPBaselineStandard.json">Policies</Link>:
                         <ul>
                             <li>Do not allow privileged containers in Kubernetes cluster</li>
                             <li>Kubernetes cluster pods should only use approved host network and port range</li>
                             <li>Kubernetes cluster containers should not share host process ID or host IPC namespace</li>
                             <li>Kubernetes cluster containers should only use allowed capabilities</li>
                             <li>Kubernetes cluster pod hostPath volumes should only use allowed host paths</li>
                         </ul>
+
+                        The restricted policy will additionally automatically assign and <b>{addons.azurepolicy}</b> the following <Link target="_target" href="https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Kubernetes/Kubernetes_PSPRestrictedStandard.json">Policies</Link>:
+                        <ul>
+                            <li>Kubernetes cluster containers should only use allowed seccomp profiles</li>
+                            <li>Kubernetes cluster pods should only use allowed volume types</li>
+                            <li>Kubernetes cluster pods and containers should only run with approved user and group IDs</li>
+                        </ul>
+
+                        To review these policies and browse other policies that can be applied at other scopes, see the <Link target="_target" href="https://docs.microsoft.com/azure/aks/policy-reference">Policy Docs</Link>
                     </MessageBar>
+                </Stack.Item>
                 }
             </Stack.Item>
             <Separator className="notopmargin" />

diff --git a/helper/src/components/deployTab.js b/helper/src/components/deployTab.js
@@ -52,6 +52,7 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray,
     ...(addons.networkPolicy !== "none" && { networkPolicy: addons.networkPolicy }),
     ...(defaults.addons.openServiceMeshAddon !== addons.openServiceMeshAddon && {openServiceMeshAddon: addons.openServiceMeshAddon }),
     ...(addons.azurepolicy !== "none" && { azurepolicy: addons.azurepolicy }),
+    ...(addons.azurepolicy !== "none" && addons.azurePolicyInitiative !== defaults.addons.azurePolicyInitiative && { azurePolicyInitiative: addons.azurePolicyInitiative }),
     ...(net.networkPlugin !== defaults.net.networkPlugin && {networkPlugin: net.networkPlugin}),
     ...(net.vnet_opt === "custom" && net.networkPlugin === 'kubenet' && defaults.net.podCidr !== net.podCidr && { podCidr: net.podCidr }),
     ...(cluster.availabilityZones === "yes" && { availabilityZones: ['1', '2', '3'] }),

diff --git a/helper/src/config.json b/helper/src/config.json
@@ -50,6 +50,7 @@
             "openServiceMeshAddon": false,
             "denydefaultNetworkPolicy": false,
             "azurepolicy": "none",
+            "azurePolicyInitiative": "Baseline",
             "ingress": "none",
             "ingressEveryNode": false,
             "appgw_privateIp": false,