Azure Policy built-in definitions for Azure Arc enabled Kubernetes

This page is an index of Azure Policy built-in policy definitions for Azure Arc enabled Kubernetes. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.

The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.

Arc enabled Kubernetes

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Deploy GitOps to Kubernetes cluster This policy deploys a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth from the defined git repo. For instructions on using this policy, visit https://aka.ms/K8sGitOpsPolicy. DeployIfNotExists 1.0.0-preview
Do not allow privileged containers in Kubernetes cluster This policy does not allow privileged containers creation in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. audit, deny, disabled 4.0.1
Enforce HTTPS ingress in Kubernetes cluster This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. audit, deny, disabled 4.0.1
Enforce internal load balancers in Kubernetes cluster This policy enforces load balancers do not have public IPs in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. audit, deny, disabled 4.0.1
Enforce labels on pods in Kubernetes cluster This policy enforces the specified labels are provided for pods in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. audit, deny, disabled 4.0.1
Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. audit, deny, disabled 4.0.1
Ensure containers listen only on allowed ports in Kubernetes cluster This policy enforces containers to listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. audit, deny, disabled 4.0.1
Ensure only allowed container images in Kubernetes cluster This policy ensures only allowed container images are running in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. audit, deny, disabled 4.0.1
Ensure services listen only on allowed ports in Kubernetes cluster This policy enforces services to listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. audit, deny, disabled 4.0.1
Kubernetes cluster containers should not share host process ID or host IPC namespace This policy blocks pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. audit, deny, disabled 1.0.1
Kubernetes cluster containers should not use forbidden sysctl interfaces This policy ensures containers do not use forbidden sysctl interfaces in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. audit, deny, disabled 2.0.1
Kubernetes cluster containers should only use allowed AppArmor profiles This policy ensures containers only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. audit, deny, disabled 1.0.1
Kubernetes cluster containers should only use allowed capabilities This policy ensures containers only use allowed capabilities in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. audit, deny, disabled 1.0.1
Kubernetes cluster containers should only use allowed ProcMountType This policy ensures containers only use allowed ProcMountType in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. audit, deny, disabled 2.0.1
Kubernetes cluster containers should only use allowed seccomp profiles This policy ensures containers only use allowed seccomp profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. audit, deny, disabled 1.0.1
Kubernetes cluster containers should run with a read only root file system This policy ensures containers run with a read only root file system in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc/. audit, deny, disabled 1.0.1
Kubernetes cluster pod FlexVolume volumes should only use allowed drivers This policy ensures pod FlexVolume volumes only use allowed drivers in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. audit, deny, disabled 1.0.1
Kubernetes cluster pod hostPath volumes should only use allowed host paths This policy ensures pod hostPath volumes can only use allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. audit, deny, disabled 1.0.1
Kubernetes cluster pods and containers should only run with approved user and group IDs This policy controls the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. audit, deny, disabled 1.0.1
Kubernetes cluster pods and containers should only use allowed SELinux options This policy ensures pods and containers only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. audit, deny, disabled 2.0.1
Kubernetes cluster pods should only use allowed volume types This policy ensures pods can only use allowed volume types in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. audit, deny, disabled 1.0.1
Kubernetes cluster pods should only use approved host network and port range This policy controls pod access to the host network and the allowable host port range in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. audit, deny, disabled 1.0.1
Kubernetes clusters should not allow container privilege escalation This policy does not allow containers to use privilege escalation in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc. audit, deny, disabled 1.0.1

Next steps