Built-in Policy Release e225bba6 (#1343)

Co-authored-by: Azure Policy Bot <[email protected]>
Azure · Jul 15, 2024 · 851ae3a · 851ae3a
1 parent 809ed61
commit 851ae3a
Show file tree

Hide file tree

Showing 59 changed files with 1,355 additions and 698 deletions.
diff --git a/...efinitions/Azure Government/Guest Configuration/LinuxLogAnalyticsAgentInstalled_AINE.json b/...efinitions/Azure Government/Guest Configuration/LinuxLogAnalyticsAgentInstalled_AINE.json
@@ -1,12 +1,13 @@
 {
   "properties": {
-    "displayName": "Linux machines should have Log Analytics agent installed on Azure Arc",
+    "displayName": "[Deprecated]: Linux machines should have Log Analytics agent installed on Azure Arc",
     "policyType": "BuiltIn",
     "mode": "Indexed",
     "description": "Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled Linux server.",
     "metadata": {
       "category": "Guest Configuration",
-      "version": "1.1.0",
+      "version": "1.2.0-deprecated",
+      "deprecated": true,
       "requiredProviders": [
         "Microsoft.GuestConfiguration"
       ],
@@ -15,7 +16,7 @@
         "version": "1.*"
       }
     },
-    "version": "1.1.0",
+    "version": "1.2.0",
     "parameters": {
       "IncludeArcMachines": {
         "type": "string",
@@ -40,7 +41,7 @@
           "AuditIfNotExists",
           "Disabled"
         ],
-        "defaultValue": "AuditIfNotExists"
+        "defaultValue": "Disabled"
       }
     },
     "policyRule": {
@@ -73,6 +74,7 @@
       }
     },
     "versions": [
+      "1.2.0",
       "1.1.0"
     ]
   },

diff --git a/...initions/Azure Government/Guest Configuration/WindowsLogAnalyticsAgentInstalled_AINE.json b/...initions/Azure Government/Guest Configuration/WindowsLogAnalyticsAgentInstalled_AINE.json
@@ -1,12 +1,13 @@
 {
   "properties": {
-    "displayName": "Windows machines should have Log Analytics agent installed on Azure Arc",
+    "displayName": "[Deprecated]: Windows machines should have Log Analytics agent installed on Azure Arc",
     "policyType": "BuiltIn",
     "mode": "Indexed",
     "description": "Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled windows server.",
     "metadata": {
       "category": "Guest Configuration",
-      "version": "1.0.0",
+      "version": "1.1.0-deprecated",
+      "deprecated": true,
       "requiredProviders": [
         "Microsoft.GuestConfiguration"
       ],
@@ -15,7 +16,7 @@
         "version": "1.*"
       }
     },
-    "version": "1.0.0",
+    "version": "1.1.0",
     "parameters": {
       "IncludeArcMachines": {
         "type": "string",
@@ -39,7 +40,7 @@
           "AuditIfNotExists",
           "Disabled"
         ],
-        "defaultValue": "AuditIfNotExists"
+        "defaultValue": "Disabled"
       }
     },
     "policyRule": {
@@ -72,6 +73,7 @@
       }
     },
     "versions": [
+      "1.1.0",
       "1.0.0"
     ]
   },

diff --git a/...t-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateMaxUnavailablePods.json b/...t-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateMaxUnavailablePods.json
@@ -5,11 +5,11 @@
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Setting your max unavailable pod value to 1 ensures that your application or service is available during a disruption",
     "metadata": {
-      "version": "1.0.0-preview",
+      "version": "1.1.0-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.0.0-preview",
+    "version": "1.1.0-preview",
     "parameters": {
       "effect": {
         "type": "String",
@@ -54,6 +54,7 @@
       }
     },
     "versions": [
+      "1.1.0-PREVIEW",
       "1.0.0-PREVIEW"
     ]
   },

diff --git a/...-policies/policyDefinitions/Azure Government/Kubernetes/MutateReadOnlyRootFilesystem.json b/...-policies/policyDefinitions/Azure Government/Kubernetes/MutateReadOnlyRootFilesystem.json
@@ -5,11 +5,11 @@
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem",
     "metadata": {
-      "version": "1.0.0-preview",
+      "version": "1.1.0-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.0.0-preview",
+    "version": "1.1.0-preview",
     "parameters": {
       "effect": {
         "type": "String",
@@ -54,6 +54,7 @@
       }
     },
     "versions": [
+      "1.1.0-PREVIEW",
       "1.0.0-PREVIEW"
     ]
   },

diff --git a/...cyDefinitions/Azure Government/Kubernetes/MutateReadOnlyRootFilesystemInitContainers.json b/...cyDefinitions/Azure Government/Kubernetes/MutateReadOnlyRootFilesystemInitContainers.json
@@ -5,11 +5,11 @@
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for linux containers.",
     "metadata": {
-      "version": "1.0.0-preview",
+      "version": "1.1.0-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.0.0-preview",
+    "version": "1.1.0-preview",
     "parameters": {
       "effect": {
         "type": "String",
@@ -54,6 +54,7 @@
       }
     },
     "versions": [
+      "1.1.0-PREVIEW",
       "1.0.0-PREVIEW"
     ]
   },

diff --git a/...olicies/policyDefinitions/Azure Government/Kubernetes/MutateReservedSystemPoolTaints.json b/...olicies/policyDefinitions/Azure Government/Kubernetes/MutateReservedSystemPoolTaints.json
@@ -5,11 +5,11 @@
     "mode": "Microsoft.Kubernetes.Data",
     "description": "To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools.",
     "metadata": {
-      "version": "1.0.0-preview",
+      "version": "1.1.0-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.0.0-preview",
+    "version": "1.1.0-preview",
     "parameters": {
       "effect": {
         "type": "String",
@@ -54,6 +54,7 @@
       }
     },
     "versions": [
+      "1.1.0-PREVIEW",
       "1.0.0-PREVIEW"
     ]
   },

diff --git a/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateResourceCPULimits.json b/built-in-policies/policyDefinitions/Azure Government/Kubernetes/MutateResourceCPULimits.json
@@ -5,11 +5,11 @@
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster.",
     "metadata": {
-      "version": "1.0.1-preview",
+      "version": "1.1.1-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.0.1-preview",
+    "version": "1.1.1-preview",
     "parameters": {
       "effect": {
         "type": "String",
@@ -54,6 +54,7 @@
       }
     },
     "versions": [
+      "1.1.1-PREVIEW",
       "1.0.1-PREVIEW",
       "1.0.0-PREVIEW"
     ]

diff --git a/...in-policies/policyDefinitions/Azure Government/Kubernetes/MutateResourceMemoryLimits.json b/...in-policies/policyDefinitions/Azure Government/Kubernetes/MutateResourceMemoryLimits.json
@@ -5,11 +5,11 @@
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Setting container memory limits to prevent resource exhaustion attacks in a Kubernetes cluster.",
     "metadata": {
-      "version": "1.0.1-preview",
+      "version": "1.1.1-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.0.1-preview",
+    "version": "1.1.1-preview",
     "parameters": {
       "effect": {
         "type": "String",
@@ -54,6 +54,7 @@
       }
     },
     "versions": [
+      "1.1.1-PREVIEW",
       "1.0.1-PREVIEW",
       "1.0.0-PREVIEW"
     ]

diff --git a/...olicies/policyDefinitions/Azure Government/Kubernetes/MutateSeccompProfileContainers.json b/...olicies/policyDefinitions/Azure Government/Kubernetes/MutateSeccompProfileContainers.json
@@ -0,0 +1,62 @@
+{
+  "properties": {
+    "displayName": "[Preview]: Sets Kubernetes cluster containers' secure computing mode profile type to RuntimeDefault if not present.",
+    "policyType": "BuiltIn",
+    "mode": "Microsoft.Kubernetes.Data",
+    "description": "Setting secure computing mode profile type for containers to prevent unauthorized and potentially harmful system calls to the kernel from user space.",
+    "metadata": {
+      "version": "1.0.0-preview",
+      "category": "Kubernetes",
+      "preview": true
+    },
+    "version": "1.0.0-preview",
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "'Mutate' modifies a non-compliant resource to be compliant when creating or updating. 'Disabled' turns off the policy.",
+          "portalReview": true
+        },
+        "allowedValues": [
+          "Mutate",
+          "Disabled"
+        ],
+        "defaultValue": "Mutate"
+      },
+      "excludedNamespaces": {
+        "type": "Array",
+        "metadata": {
+          "displayName": "Namespace exclusions",
+          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
+        },
+        "defaultValue": [
+          "kube-system",
+          "gatekeeper-system",
+          "azure-arc"
+        ]
+      }
+    },
+    "policyRule": {
+      "if": {
+        "field": "type",
+        "equals": "Microsoft.ContainerService/managedClusters"
+      },
+      "then": {
+        "effect": "[parameters('effect')]",
+        "details": {
+          "mutationInfo": {
+            "sourceType": "PublicURL",
+            "url": "https://store.policy.azure.us/kubernetes/mutate-seccomp-profile-containers/v1/mutation.yaml"
+          },
+          "excludedNamespaces": "[parameters('excludedNamespaces')]"
+        }
+      }
+    },
+    "versions": [
+      "1.0.0-PREVIEW"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/6f87d474-38a9-46c9-bdfe-d7fa3b9836bf",
+  "name": "6f87d474-38a9-46c9-bdfe-d7fa3b9836bf"
+}
diff --git a/...ies/policyDefinitions/Azure Government/Kubernetes/MutateSeccompProfileInitContainers.json b/...ies/policyDefinitions/Azure Government/Kubernetes/MutateSeccompProfileInitContainers.json
@@ -0,0 +1,62 @@
+{
+  "properties": {
+    "displayName": "[Preview]: Sets Kubernetes cluster init containers' secure computing mode profile type to RuntimeDefault if not present.",
+    "policyType": "BuiltIn",
+    "mode": "Microsoft.Kubernetes.Data",
+    "description": "Setting secure computing mode profile type for init containers to prevent unauthorized and potentially harmful system calls to the kernel from user space.",
+    "metadata": {
+      "version": "1.0.0-preview",
+      "category": "Kubernetes",
+      "preview": true
+    },
+    "version": "1.0.0-preview",
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "'Mutate' modifies a non-compliant resource to be compliant when creating or updating. 'Disabled' turns off the policy.",
+          "portalReview": true
+        },
+        "allowedValues": [
+          "Mutate",
+          "Disabled"
+        ],
+        "defaultValue": "Mutate"
+      },
+      "excludedNamespaces": {
+        "type": "Array",
+        "metadata": {
+          "displayName": "Namespace exclusions",
+          "description": "List of Kubernetes namespaces to exclude from policy evaluation."
+        },
+        "defaultValue": [
+          "kube-system",
+          "gatekeeper-system",
+          "azure-arc"
+        ]
+      }
+    },
+    "policyRule": {
+      "if": {
+        "field": "type",
+        "equals": "Microsoft.ContainerService/managedClusters"
+      },
+      "then": {
+        "effect": "[parameters('effect')]",
+        "details": {
+          "mutationInfo": {
+            "sourceType": "PublicURL",
+            "url": "https://store.policy.azure.us/kubernetes/mutate-seccomp-profile-initcontainers/v1/mutation.yaml"
+          },
+          "excludedNamespaces": "[parameters('excludedNamespaces')]"
+        }
+      }
+    },
+    "versions": [
+      "1.0.0-PREVIEW"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/6bcd4321-fb89-4e3e-bf6c-999c13d47f43",
+  "name": "6bcd4321-fb89-4e3e-bf6c-999c13d47f43"
+}
diff --git a/...yDefinitions/Azure Government/Security Center/ASC_EnableRBAC_KubernetesService_Audit.json b/...yDefinitions/Azure Government/Security Center/ASC_EnableRBAC_KubernetesService_Audit.json
@@ -1,14 +1,14 @@
 {
   "properties": {
-    "displayName": "Azure Role-Based Access Control (RBAC) should be used on Kubernetes Services",
+    "displayName": "Role-Based Access Control (RBAC) should be used on Kubernetes Services",
     "policyType": "BuiltIn",
     "mode": "All",
-    "description": "To provide granular filtering on the actions that users can perform, use Azure Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies.",
+    "description": "To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies.",
     "metadata": {
-      "version": "1.0.3",
+      "version": "1.0.4",
       "category": "Security Center"
     },
-    "version": "1.0.3",
+    "version": "1.0.4",
     "parameters": {
       "effect": {
         "type": "string",
@@ -49,6 +49,7 @@
       }
     },
     "versions": [
+      "1.0.4",
       "1.0.3"
     ]
   },