Use Azure Policy to apply GitOps configurations at scale

You can use Azure Policy to apply configurations (Microsoft.KubernetesConfiguration/sourceControlConfigurations resource type) at scale on Azure Arc enabled Kubernetes clusters (Microsoft.Kubernetes/connectedclusters).

To use Azure Policy, select a built-in GitOps policy definition and create a policy assignment. When creating the policy assignment:

  1. Set the scope for the assignment.
    • The scope can be a management group, a subscription (all resource groups in it), or specific resource groups.
  2. Set the parameters for the GitOps configuration that will be created.

Once the assignment is created, the Azure Policy engine identifies all Azure Arc enabled Kubernetes clusters located within the scope and applies the GitOps configuration to each cluster.

To enable separation of concerns, you can create multiple policy assignments, each with a different GitOps configuration pointing to a different Git repo. For example, one repo may be used by cluster admins and other repositories may be used by application teams.

Tip

There are built-in policies for these scenarios:

  • Public repo or private repo with SSH keys created by Flux: Configure Kubernetes clusters with specified GitOps configuration using no secrets
  • Private repo with user-provided SSH keys: Configure Kubernetes clusters with specified GitOps configuration using SSH secrets
  • Private repo with user-provided HTTPS keys: Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets

Prerequisite

Verify that you have Microsoft.Authorization/policyAssignments/write permissions on the scope (subscription or resource group) where you'll create this policy assignment.

Create a policy assignment

  1. In the Azure portal, navigate to Policy.
  2. In the Authoring section of the sidebar, select Definitions.
  3. In the "Kubernetes" category, choose the "Configure Kubernetes clusters with specified GitOps configuration using no secrets" built-in policy.
  4. Click on Assign.
  5. Set the Scope to the management group, subscription, or resource group to which the policy assignment will apply.
    • If you want to exclude any resources from the policy scope, set Exclusions.
  6. Give the policy assignment an easily identifiable Name and Description.
  7. Ensure Policy enforcement is set to Enabled.
  8. Select Next.
  9. Set the parameter values to be used while creating the sourceControlConfiguration.
  10. Select Next.
  11. Enable Create a remediation task.
  12. Verify Create a managed identity is checked, and that the identity will have Contributor permissions.
  13. Select Review + create.

After creating the policy assignment, the configuration is applied to new Azure Arc enabled Kubernetes clusters created within the scope of the policy assignment.

For existing clusters, you may need to manually run a remediation task. The remediation task typically takes 10 to 20 minutes for the policy assignment to take effect on those clusters.
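The portal procedure above, including the remediation task and the compliance check, as an added Azure CLI example (not from this page): the policy parameter keys in `gitops_policy_params` and the subscription-level scope are assumptions, so run `show_policy_parameters` to confirm the keys before assigning.

```shell
# Added example, not from the Azure docs page: the portal steps driven from the Azure CLI.
# Assumed (not on the page): the parameter keys in gitops_policy_params and a subscription scope.
set -eu
POLICY_DISPLAY_NAME='Configure Kubernetes clusters with specified GitOps configuration using no secrets'

# Resolve the built-in definition's name (a GUID) from its display name.
policy_definition_name() {
  az policy definition list \
    --query "[?displayName=='${POLICY_DISPLAY_NAME}'].name" -o tsv
}

# Print the definition's parameter schema so the keys used below can be checked.
show_policy_parameters() {
  az policy definition show --name "$(policy_definition_name)" \
    --query parameters -o json
}

# Assignment parameters as JSON. Keys are assumed; values are constructed samples.
gitops_policy_params() {
  repo_url="$1"; config_name="$2"; operator_ns="$3"
  cat <<EOF
{
  "repositoryUrl": {"value": "${repo_url}"},
  "configurationResourceName": {"value": "${config_name}"},
  "operatorInstanceName": {"value": "${config_name}"},
  "operatorNamespace": {"value": "${operator_ns}"},
  "operatorScope": {"value": "cluster"},
  "operatorType": {"value": "flux"},
  "operatorParams": {"value": "--git-readonly"}
}
EOF
}

# Create the assignment with a system-assigned identity holding Contributor on the
# scope, then start a remediation task so clusters that already exist get configured.
assign_gitops_policy() {
  scope="$1"; name="$2"; location="$3"; repo_url="$4"; config_name="$5"; operator_ns="$6"
  az policy assignment create --name "$name" --scope "$scope" --location "$location" \
    --policy "$(policy_definition_name)" --mi-system-assigned \
    --identity-scope "$scope" --role Contributor \
    --params "$(gitops_policy_params "$repo_url" "$config_name" "$operator_ns")"
  az policy remediation create --name "${name}-remediation" --policy-assignment "$name"
}

# Compliance state per cluster for the assignment (what the portal's Policies blade shows).
compliance_report() {
  az policy state list --policy-assignment "$1" \
    --query "[].{resource:resourceId, state:complianceState}" -o table
}
```

Older Azure CLI releases use `--assign-identity` instead of `--mi-system-assigned`; for a resource-group-scoped assignment, pass `--resource-group` to `az policy remediation create` and `az policy state list` as well.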

Verify a policy assignment

  1. In the Azure portal, navigate to one of your Azure Arc enabled Kubernetes clusters.
  2. In the Settings section of the sidebar, select Policies.
    • In the policies list, you should see the policy assignment that you created earlier with the Compliance state set as Compliant.
  3. In the Settings section of the sidebar, select GitOps.
    • In the configurations list, you should see the configuration created by the policy assignment.
  4. Use kubectl to interrogate the cluster.
    • You should see the namespace and artifacts that were created by the GitOps configuration.
    • You should see the objects described by the manifests in the Git repo getting deployed on the cluster.

Next steps

Set up Azure Monitor for Containers with Azure Arc enabled Kubernetes clusters.