Understand Azure Policy for Kubernetes clusters (preview)

Azure Policy extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Azure Policy makes it possible to manage and report on the compliance state of your Kubernetes clusters from one place. The add-on performs the following functions:

  • Checks with the Azure Policy service for policy assignments to the cluster.
  • Deploys policy definitions into the cluster as constraint template and constraint custom resources.
  • Reports auditing and compliance details back to the Azure Policy service.

Azure Policy for Kubernetes supports the following cluster environments:

  • Azure Kubernetes Service (AKS)
  • Azure Arc enabled Kubernetes
  • AKS Engine

Important

Azure Policy for Kubernetes is in preview and only supports Linux node pools and built-in policy definitions. Built-in policy definitions are in the Kubernetes category. The limited preview policy definitions with the EnforceOPAConstraint and EnforceRegoPolicy effects and the related Kubernetes Service category are deprecated. Instead, use the audit and deny effects with the Resource Provider mode Microsoft.Kubernetes.Data.

Overview

To enable and use Azure Policy with your Kubernetes cluster, take the following actions:

  1. Configure your Kubernetes cluster and install the add-on for your environment:

    • Azure Kubernetes Service (AKS)
    • Azure Arc enabled Kubernetes
    • AKS Engine

    Note

    For common issues with installation, see Troubleshoot - Azure Policy add-on.

  2. Understand the Azure Policy language for Kubernetes

  3. Assign a built-in definition to your Kubernetes cluster

  4. Wait for validation

Install Azure Policy Add-on for AKS

Before installing the Azure Policy Add-on or enabling any of the service features, your subscription must have the Microsoft.ContainerService and Microsoft.PolicyInsights resource providers registered.

  1. You need Azure CLI version 2.0.62 or later installed and configured. Run az --version to find the version. If you need to install or upgrade, see Install the Azure CLI.

  2. Register the resource providers and preview features.

    • Azure portal:

      1. Register the Microsoft.ContainerService and Microsoft.PolicyInsights resource providers. For steps, see Resource providers and types.

      2. Launch the Azure Policy service in the Azure portal by clicking All services, then searching for and selecting Policy.

        (Screenshot: searching for Policy in All services)

      3. Select Join Preview on the left side of the Azure Policy page.

        (Screenshot: joining the Policy for AKS preview)

      4. Select the row of the subscription you want added to the preview.

      5. Select the Opt-in button at the top of the list of subscriptions.

    • Azure CLI:

      # Log in first with az login if you're not using Cloud Shell
      
      # Provider register: Register the Azure Kubernetes Service provider
      az provider register --namespace Microsoft.ContainerService
      
      # Provider register: Register the Azure Policy provider
      az provider register --namespace Microsoft.PolicyInsights
      
      # Feature register: enables installing the add-on
      az feature register --namespace Microsoft.ContainerService --name AKS-AzurePolicyAutoApprove
      
      # Use the following to confirm the feature has registered
      az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/AKS-AzurePolicyAutoApprove')].{Name:name,State:properties.state}"
      
      # Once the above shows 'Registered' run the following to propagate the update
      az provider register -n Microsoft.ContainerService
      
  3. If the limited preview policy definitions were installed, remove that add-on with the Disable button on your AKS cluster under the Policies (preview) page.

  4. The AKS cluster must be version 1.14 or higher. Use the following command to validate your AKS cluster version:

    # Log in first with az login if you're not using Cloud Shell
    
    # Look for the value in kubernetesVersion for each cluster
    az aks list --query "[].{name:name,resourceGroup:resourceGroup,kubernetesVersion:kubernetesVersion}" -o table
    
  5. Install version 0.4.0 of the Azure CLI preview extension for AKS, aks-preview:

    # Log in first with az login if you're not using Cloud Shell
    
    # Install/update the preview extension
    az extension add --name aks-preview
    
    # Validate the version of the preview extension
    az extension show --name aks-preview --query [version]
    

    Note

    If you've previously installed the aks-preview extension, install any updates using the az extension update --name aks-preview command.

Once the above prerequisite steps are completed, install the Azure Policy Add-on in the AKS cluster you want to manage.

  • Azure portal

    1. Launch the AKS service in the Azure portal by clicking All services, then searching for and selecting Kubernetes services.

    2. Select one of your AKS clusters.

    3. Select Policies (preview) on the left side of the Kubernetes service page.

      (Screenshot: Policies (preview) page of an AKS cluster)

    4. In the main page, select the Enable add-on button.

      (Screenshot: enabling the Azure Policy add-on for AKS)

      Note

      If the Enable add-on button is grayed out, the subscription hasn't yet been added to the preview. If the Disable add-on button is enabled and a migration warning to v2 message is displayed, Gatekeeper v2 is still installed and must be removed.

  • Azure CLI

    # Log in first with az login if you're not using Cloud Shell
    
    az aks enable-addons --addons azure-policy --name MyAKSCluster --resource-group MyResourceGroup
    

To validate that the add-on installation was successful and that the azure-policy and gatekeeper pods are running, run the following commands:

# azure-policy pod is installed in kube-system namespace
kubectl get pods -n kube-system

# gatekeeper pod is installed in gatekeeper-system namespace
kubectl get pods -n gatekeeper-system

Lastly, verify that the latest add-on is installed by running this Azure CLI command, replacing <rg> with your resource group name and <cluster-name> with the name of your AKS cluster: az aks show -g <rg> -n <cluster-name>. The result should look similar to the following output, and config.version should be v2:

"addonProfiles": {
    "azurepolicy": {
        "config": {
            "version": "v2"
        },
        "enabled": true,
        "identity": null
    },
}
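The AKS steps above, sequenced into one script that does the waiting and checking for you. This is an added example, not code from the page or from Microsoft: it assumes az (2.0.62 or later, with the aks-preview extension) and kubectl are installed, logged in and pointed at the cluster, that the subscription has already been opted in to the preview, and that the resource group and cluster name you pass are placeholders for your own.

```shell
#!/usr/bin/env sh
# Added example (not from the page): register the providers and preview feature,
# enable the Azure Policy add-on on an AKS cluster, and verify the result.
# Assumes: az (>= 2.0.62, aks-preview extension installed) and kubectl are logged in
# and pointed at the cluster; the subscription is already opted in to the preview.
set -eu

# Poll an ARM preview feature until its registration state is Registered
# (the page has you re-run `az feature list` by hand until it shows that).
wait_for_feature() {            # $1 namespace, $2 feature name
  while :; do
    state=$(az feature show --namespace "$1" --name "$2" --query properties.state -o tsv)
    [ "$state" = "Registered" ] && return 0
    echo "feature $2 is '$state', waiting..." >&2
    sleep 20
  done
}

# Read `kubectl get pods -n <ns> --no-headers` on stdin and succeed only if at least
# one pod whose name starts with $1 exists and every such pod is Running with all
# of its containers ready (READY column is n/n).
pods_ready() {                  # $1 pod name prefix
  awk -v p="$1" '
    index($1, p) == 1 { seen++; split($2, r, "/"); if (r[1] != r[2] || $3 != "Running") bad++ }
    END { exit (seen == 0 || bad > 0) }'
}

# Check the addonProfiles.azurepolicy values returned by `az aks show`: the add-on
# must be enabled and config.version must be v2 (anything else means the deprecated
# limited-preview add-on is still installed).
addon_current() {               # $1 enabled flag, $2 config.version
  [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "true" ] && [ "$2" = "v2" ]
}

enable_and_verify() {           # $1 resource group, $2 AKS cluster name
  az provider register --namespace Microsoft.ContainerService
  az provider register --namespace Microsoft.PolicyInsights
  az feature register --namespace Microsoft.ContainerService --name AKS-AzurePolicyAutoApprove
  wait_for_feature Microsoft.ContainerService AKS-AzurePolicyAutoApprove
  az provider register -n Microsoft.ContainerService   # propagate the feature registration

  az aks enable-addons --addons azure-policy --name "$2" --resource-group "$1"

  profile=$(az aks show -g "$1" -n "$2" \
              --query "addonProfiles.azurepolicy.[enabled, config.version]" -o tsv)
  enabled=$(printf '%s\n' "$profile" | cut -f1)
  version=$(printf '%s\n' "$profile" | cut -f2)
  if ! addon_current "$enabled" "$version"; then
    echo "add-on profile is not enabled/v2 (got: $profile); disable any v1 add-on first" >&2
    return 1
  fi

  # The pods take a little while to start: poll both namespaces for up to ~2.5 minutes.
  for attempt in 1 2 3 4 5 6 7 8 9 10; do
    if kubectl get pods -n kube-system --no-headers | pods_ready azure-policy &&
       kubectl get pods -n gatekeeper-system --no-headers | pods_ready gatekeeper; then
      echo "Azure Policy add-on and Gatekeeper are running on $2 (attempt $attempt)"
      return 0
    fi
    sleep 15
  done
  echo "pods not ready; inspect kubectl logs in kube-system and gatekeeper-system" >&2
  return 1
}

# Usage: sh enable-policy-addon.sh --run <resource-group> <cluster-name>
if [ "${1:-}" = "--run" ]; then
  enable_and_verify "$2" "$3"
fi
```

The script fails closed: if the addon profile is missing or still reports v1, or if either pod set never reaches Running with all containers ready, it exits non-zero instead of reporting success, which is what you want when this runs from a pipeline.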

Install Azure Policy Add-on for Azure Arc enabled Kubernetes

Before installing the Azure Policy Add-on or enabling any of the service features, your subscription must have the Microsoft.PolicyInsights resource provider registered and a role assignment created for the cluster service principal.

  1. You need Azure CLI version 2.0.62 or later installed and configured. Run az --version to find the version. If you need to install or upgrade, see Install the Azure CLI.

  2. To enable the resource provider, follow the steps in Resource providers and types or run either the Azure CLI or Azure PowerShell command:

    • Azure CLI

      # Log in first with az login if you're not using Cloud Shell
      
      # Provider register: Register the Azure Policy provider
      az provider register --namespace 'Microsoft.PolicyInsights'
      
    • Azure PowerShell

      # Log in first with Connect-AzAccount if you're not using Cloud Shell
      
      # Provider register: Register the Azure Policy provider
      Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'
      
  3. The Kubernetes cluster must be version 1.14 or higher.

  4. Install Helm 3.

  5. Your Kubernetes cluster must be enabled for Azure Arc. For more information, see onboarding a Kubernetes cluster to Azure Arc.

  6. Have the fully qualified Azure Resource ID of the Azure Arc enabled Kubernetes cluster.

  7. Open ports for the add-on. The Azure Policy Add-on uses these domains and ports to fetch policy definitions and assignments and to report compliance of the cluster back to Azure Policy. Allow outbound traffic from the cluster to each of them:

    Domain                                   Port
    gov-prod-policy-data.trafficmanager.net  443
    raw.githubusercontent.com                443
    login.windows.net                        443
    dc.services.visualstudio.com             443

  8. Create a service principal for the add-on and assign it the 'Policy Insights Data Writer (Preview)' role scoped to the Azure Arc enabled Kubernetes cluster. Replace <subscriptionId> with your subscription ID, <rg> with the Azure Arc enabled Kubernetes cluster's resource group, and <clusterName> with the name of the Azure Arc enabled Kubernetes cluster. Keep track of the returned values for appId, password, and tenant for the installation steps. The password is the service principal's client secret: handle it as you would any credential and don't commit it to source control.

    • Azure CLI

      az ad sp create-for-rbac --role "Policy Insights Data Writer (Preview)" --scopes "/subscriptions/<subscriptionId>/resourceGroups/<rg>/providers/Microsoft.Kubernetes/connectedClusters/<clusterName>"
      
    • Azure PowerShell

      $sp = New-AzADServicePrincipal -Role "Policy Insights Data Writer (Preview)" -Scope "/subscriptions/<subscriptionId>/resourceGroups/<rg>/providers/Microsoft.Kubernetes/connectedClusters/<clusterName>"
      
      @{ appId=$sp.ApplicationId;password=[System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($sp.Secret));tenant=(Get-AzContext).Tenant.Id } | ConvertTo-Json
      

    Sample output of the above commands:

    {
        "appId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
        "password": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
        "tenant": "cccccccc-cccc-cccc-cccc-cccccccccccc"
    }
    

Once the above prerequisite steps are completed, install the Azure Policy Add-on in your Azure Arc enabled Kubernetes cluster:

  1. Add the Azure Policy Add-on repo to Helm:

    helm repo add azure-policy https://raw.githubusercontent.com/Azure/azure-policy/master/extensions/policy-addon-kubernetes/helm-charts
    
  2. Install the Azure Policy Add-on using the Helm Chart:

    # In below command, replace the following values with those gathered above.
    #    <AzureArcClusterResourceId> with your Azure Arc enabled Kubernetes cluster resource Id. For example: /subscriptions/<subscriptionId>/resourceGroups/<rg>/providers/Microsoft.Kubernetes/connectedClusters/<clusterName>
    #    <ServicePrincipalAppId> with app Id of the service principal created during prerequisites.
    #    <ServicePrincipalPassword> with password of the service principal created during prerequisites.
    #    <ServicePrincipalTenantId> with tenant of the service principal created during prerequisites.
    helm install azure-policy-addon azure-policy/azure-policy-addon-arc-clusters \
        --set azurepolicy.env.resourceid=<AzureArcClusterResourceId> \
        --set azurepolicy.env.clientid=<ServicePrincipalAppId> \
        --set azurepolicy.env.clientsecret=<ServicePrincipalPassword> \
        --set azurepolicy.env.tenantid=<ServicePrincipalTenantId>
    

    For more information about what the add-on Helm Chart installs, see the Azure Policy Add-on Helm Chart definition on GitHub. Note that values passed with --set, including the client secret, end up in your shell history and in the release values Helm stores in the cluster (helm get values azure-policy-addon), so restrict who can read Secrets in that namespace.

To validate that the add-on installation was successful and that the azure-policy and gatekeeper pods are running, run the following commands:

# azure-policy pod is installed in kube-system namespace
kubectl get pods -n kube-system

# gatekeeper pod is installed in gatekeeper-system namespace
kubectl get pods -n gatekeeper-system
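The service principal creation (step 8 of the prerequisites) and the Helm install above, done so that the client secret never appears as a command-line argument, where ps, shell history and CI logs would capture it. This is an added example, not code from the page or from the add-on project: it assumes az, Helm 3 and kubectl are logged in and pointed at the Arc-connected cluster, and that the subscription ID, resource group and cluster name you pass are your own. The chart name and the azurepolicy.env.* value keys are the ones the page uses; the values-file layout is simply their nested YAML form.

```shell
#!/usr/bin/env sh
# Added example (not from the page): create the add-on's service principal and
# install the Arc Helm chart without passing the client secret on a command line.
# Assumes: az, helm 3 and kubectl installed, logged in and pointed at the
# Arc-connected cluster; arguments are real subscription/resource group/cluster values.
set -eu

# Render the values the page passes with --set as a Helm values file
# (--set a.b.c=v is the same as nested YAML a: {b: {c: v}}).
render_addon_values() {         # $1 cluster resource id, $2 app id, $3 client secret, $4 tenant id
  printf 'azurepolicy:\n  env:\n    resourceid: "%s"\n    clientid: "%s"\n    clientsecret: "%s"\n    tenantid: "%s"\n' \
    "$1" "$2" "$3" "$4"
}

install_arc_addon() {           # $1 subscription id, $2 resource group, $3 connected cluster name
  cluster_id="/subscriptions/$1/resourceGroups/$2/providers/Microsoft.Kubernetes/connectedClusters/$3"

  # Least privilege: the role is granted on this one connected cluster only.
  # One call returning three tab-separated fields, so exactly one principal is created.
  sp=$(az ad sp create-for-rbac --role "Policy Insights Data Writer (Preview)" \
         --scopes "$cluster_id" --query '[appId,password,tenant]' -o tsv)
  app_id=$(printf '%s\n' "$sp" | cut -f1)
  secret=$(printf '%s\n' "$sp" | cut -f2)
  tenant=$(printf '%s\n' "$sp" | cut -f3)
  unset sp

  # The secret goes into a 0600 temp file that is removed even if helm fails.
  umask 077
  values=$(mktemp)
  trap 'rm -f "$values"' EXIT
  render_addon_values "$cluster_id" "$app_id" "$secret" "$tenant" > "$values"
  unset secret

  helm repo add azure-policy https://raw.githubusercontent.com/Azure/azure-policy/master/extensions/policy-addon-kubernetes/helm-charts
  helm repo update
  helm install azure-policy-addon azure-policy/azure-policy-addon-arc-clusters -f "$values"

  rm -f "$values"
  trap - EXIT

  echo "service principal $app_id installed for $cluster_id; pods:"
  kubectl get pods -n kube-system
  kubectl get pods -n gatekeeper-system
}

# Usage: sh install-arc-addon.sh --run <subscription-id> <resource-group> <cluster-name>
if [ "${1:-}" = "--run" ]; then
  install_arc_addon "$2" "$3" "$4"
fi
```

This keeps the secret out of process listings and history, not out of the cluster: Helm 3 still stores the rendered values in a release Secret in the release namespace (visible through helm get values azure-policy-addon), so limit who can read Secrets there, and rotate the service principal credential if it is ever exposed.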

Install Azure Policy Add-on for AKS Engine

Before installing the Azure Policy Add-on or enabling any of the service features, your subscription must have the Microsoft.PolicyInsights resource provider registered and a role assignment created for the cluster service principal.

  1. You need Azure CLI version 2.0.62 or later installed and configured. Run az --version to find the version. If you need to install or upgrade, see Install the Azure CLI.

  2. To enable the resource provider, follow the steps in Resource providers and types or run either the Azure CLI or Azure PowerShell command:

    • Azure CLI

      # Log in first with az login if you're not using Cloud Shell
      
      # Provider register: Register the Azure Policy provider
      az provider register --namespace 'Microsoft.PolicyInsights'
      
    • Azure PowerShell

      # Log in first with Connect-AzAccount if you're not using Cloud Shell
      
      # Provider register: Register the Azure Policy provider
      Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'
      
  3. Create a role assignment for the cluster service principal.

    • If you don't know the cluster service principal app ID, look it up with the following commands. The azure.json file also holds the service principal's secret (aadClientSecret), so extract only the ID rather than printing the whole file.

      # Get the kube-apiserver pod name
      kubectl get pods -n kube-system
      
      # Find the aadClientID value
      kubectl exec <kube-apiserver pod name> -n kube-system -- cat /etc/kubernetes/azure.json | grep -i aadClientId
      
    • Assign the 'Policy Insights Data Writer (Preview)' role to the cluster service principal app ID (the aadClientID value from the previous step) with Azure CLI. Replace <subscriptionId> with your subscription ID and <aks engine cluster resource group> with the resource group the AKS Engine self-managed Kubernetes cluster is in.

      az role assignment create --assignee <cluster service principal app ID> --scope "/subscriptions/<subscriptionId>/resourceGroups/<aks engine cluster resource group>" --role "Policy Insights Data Writer (Preview)"
      

Once the above prerequisite steps are completed, install the Azure Policy Add-on. The installation can be done during the creation or update cycle of an AKS Engine cluster or as an independent action on an existing cluster.

  • Install during creation or update cycle

    To enable the Azure Policy Add-on during the creation of a new self-managed cluster or as an update to an existing cluster, include the addons property in the cluster definition for AKS Engine:

    "addons": [{
        "name": "azure-policy",
        "enabled": true
    }]
    

    For more information, see the external guide AKS Engine cluster definition.

  • Install in existing cluster with Helm Charts

    Use the following steps to prepare the cluster and install the add-on:

    1. Install Helm 3.

    2. Add the Azure Policy repo to Helm.

      helm repo add azure-policy https://raw.githubusercontent.com/Azure/azure-policy/master/extensions/policy-addon-kubernetes/helm-charts
      

      For more information, see Helm Chart - Quickstart Guide.

    3. Install the add-on with a Helm Chart. Replace <subscriptionId> with your subscription ID and <aks engine cluster resource group> with the resource group the AKS Engine self-managed Kubernetes cluster is in.

      helm install azure-policy-addon azure-policy/azure-policy-addon-aks-engine --set azurepolicy.env.resourceid="/subscriptions/<subscriptionId>/resourceGroups/<aks engine cluster resource group>"
      

      For more information about what the add-on Helm Chart installs, see the Azure Policy Add-on Helm Chart definition on GitHub.

      Note

      Because of the relationship between the Azure Policy Add-on and the resource group ID, Azure Policy supports only one AKS Engine cluster per resource group.

To validate that the add-on installation was successful and that the azure-policy and gatekeeper pods are running, run the following commands:

# azure-policy pod is installed in kube-system namespace
kubectl get pods -n kube-system

# gatekeeper pod is installed in gatekeeper-system namespace
kubectl get pods -n gatekeeper-system

Policy language

The Azure Policy language structure for managing Kubernetes follows that of existing policy definitions. With a Resource Provider mode of Microsoft.Kubernetes.Data, the effects audit and deny are used to manage your Kubernetes clusters. Audit and deny must provide details properties specific to working with the OPA Constraint Framework and Gatekeeper v3.

As part of the details.constraintTemplate and details.constraint properties in the policy definition, Azure Policy passes the URIs of these CustomResourceDefinitions (CRD) to the add-on. Rego is the language that OPA and Gatekeeper support to validate a request to the Kubernetes cluster. By supporting an existing standard for Kubernetes management, Azure Policy makes it possible to reuse existing rules and pair them with Azure Policy for a unified cloud compliance reporting experience. For more information, see What is Rego?.

Assign a built-in policy definition

To assign a policy definition to your Kubernetes cluster, you must be assigned the appropriate role-based access control (RBAC) policy assignment operations. The built-in RBAC roles Resource Policy Contributor and Owner have these operations. To learn more, see RBAC permissions in Azure Policy.

Find the built-in policy definitions for managing your cluster using the Azure portal with the following steps:

  1. Start the Azure Policy service in the Azure portal. Select All services in the left pane and then search for and select Policy.

  2. In the left pane of the Azure Policy page, select Definitions.

  3. From the Category drop-down list box, use Select all to clear the filter and then select Kubernetes.

  4. Select the policy definition, then select the Assign button.

  5. Set the Scope to the management group, subscription, or resource group of the Kubernetes cluster where the policy assignment will apply.

    Note

    When assigning an Azure Policy for Kubernetes definition, the Scope must include the cluster resource. For an AKS Engine cluster, the Scope must be the resource group of the cluster.

  6. Give the policy assignment a Name and Description that you can use to identify it easily.

  7. Set the Policy enforcement to one of the values below.

    • Enabled - Enforce the policy on the cluster. With the deny effect, Kubernetes admission requests with violations are denied.

    • Disabled - Don't enforce the policy on the cluster. Kubernetes admission requests with violations aren't denied. Compliance assessment results are still available. When rolling out new policy definitions to running clusters, the Disabled option is helpful for testing the policy definition, because admission requests with violations aren't denied.

  8. Select Next.

  9. Set parameter values.

    • To exclude Kubernetes namespaces from policy evaluation, specify the list of namespaces in the parameter Namespace exclusions. It's recommended to exclude kube-system, gatekeeper-system, and azure-arc.

  10. Select Review + create.

Alternately, use the Assign a policy - Portal quickstart to find and assign a Kubernetes policy. Search for a Kubernetes policy definition instead of the sample 'audit vms'.

Important

Built-in policy definitions are available for Kubernetes clusters in the Kubernetes category. For a list of built-in policy definitions, see Kubernetes samples.
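The same assignment done from the Azure CLI, serving both the Policy language section and the portal steps above: it finds a Kubernetes-category built-in, prints the parameter names and the constraintTemplate and constraint URIs its details carry, assigns it with enforcement disabled so violations are reported before anything is denied, and then reads both Azure's compliance states and the violation counts Gatekeeper keeps in each constraint's status. This is an added example, not code from the page or from Microsoft. It assumes az and kubectl are logged in and pointed at the cluster, that the built-in's parameters are named effect and excludedNamespaces (the script prints the real names so you can confirm), and that the display-name fragment and scope you pass are placeholders; totalViolations is the Gatekeeper v3 status field, not something the page names.

```shell
#!/usr/bin/env sh
# Added example (not from the page): assign a Kubernetes built-in from the CLI,
# audit-only first, then read the results from Azure and from Gatekeeper.
# Assumes: az and kubectl logged in / pointed at the cluster; the built-in takes
# parameters named `effect` and `excludedNamespaces` (describe_builtin prints the
# real names so you can check); the scope is the cluster's resource ID.
set -eu

# Build the --params JSON for the assignment. Extra arguments are namespaces to
# exclude from evaluation (the page recommends kube-system, gatekeeper-system, azure-arc).
assignment_params() {           # $1 effect (audit|deny), $2.. excluded namespaces
  effect=$1; shift
  list=""
  while [ $# -gt 0 ]; do
    list="${list:+$list,}\"$1\""
    shift
  done
  printf '{"effect":{"value":"%s"},"excludedNamespaces":{"value":[%s]}}' "$effect" "$list"
}

# Resolve a built-in definition name (a GUID) from a fragment of its display name.
find_builtin() {                # $1 display-name fragment, e.g. privileged
  az policy definition list \
    --query "[?policyType=='BuiltIn' && metadata.category=='Kubernetes' && contains(displayName, '$1')] | [0].name" \
    -o tsv
}

# Show what the definition hands to the add-on: its parameter names, and the
# constraintTemplate / constraint URIs from details (see the Policy language section).
describe_builtin() {            # $1 definition name
  az policy definition show --name "$1" --query "keys(parameters)" -o tsv
  az policy definition show --name "$1" \
    --query "policyRule.then.details.[constraintTemplate, constraint]" -o tsv
}

# Create (or replace: ARM PUT semantics) the assignment. DoNotEnforce is the CLI
# equivalent of Policy enforcement = Disabled: violations are reported, never denied.
assign() {                      # $1 definition name, $2 scope, $3 assignment name, $4 Default|DoNotEnforce
  az policy assignment create --name "$3" --display-name "$3" --policy "$1" --scope "$2" \
    --params "$(assignment_params deny kube-system gatekeeper-system azure-arc)" \
    --enforcement-mode "$4"
}

# Compliance as Azure sees it (lags by up to one 15 minute cycle) and the violation
# counts Gatekeeper keeps in each constraint's status.
report() {                      # $1 scope, $2 assignment name
  az policy state list --resource "$1" --filter "PolicyAssignmentName eq '$2'" \
    --query "[].{resource:resourceId, state:complianceState}" -o table
  kubectl get constraints \
    -o jsonpath='{range .items[*]}{.kind}/{.metadata.name}{"\t"}{.status.totalViolations}{"\n"}{end}'
}

rollout() {                     # $1 display-name fragment, $2 scope
  def=$(find_builtin "$1")
  [ -n "$def" ] || { echo "no Kubernetes built-in matching '$1'" >&2; return 1; }
  describe_builtin "$def"
  assign "$def" "$2" "k8s-$1-audit-first" DoNotEnforce
  echo "assigned $def without enforcement; after the next sync run: report '$2' 'k8s-$1-audit-first'"
  echo "when the violations look right, call assign again with Default to start denying"
}

# Usage: sh assign-k8s-builtin.sh --run privileged /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ContainerService/managedClusters/<name>
if [ "${1:-}" = "--run" ]; then
  rollout "$2" "$3"
fi
```

Keeping the effect at deny while starting in DoNotEnforce means the only thing that changes when you go live is the enforcement mode; the constraint, its parameters and the namespace exclusions have already been exercised against real traffic, so the switch to Default doesn't introduce anything untested.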

Policy evaluation

Every 15 minutes, the add-on checks in with the Azure Policy service for changes in policy assignments. Those changes trigger creates, updates, or deletes of the constraint templates and constraints in the cluster.

In a Kubernetes cluster, if a namespace has either of the following labels, admission requests with violations aren't denied. Compliance assessment results are still available. Because these labels switch off denial, treat the ability to label namespaces as a privileged operation.

  • control-plane
  • admission.policy.azure.com/ignore

Note

While a cluster admin may have permission to create and update the constraint template and constraint resources installed by the Azure Policy Add-on, these aren't supported scenarios, as manual updates are overwritten. Gatekeeper continues to evaluate policies that existed prior to installing the add-on and assigning Azure Policy policy definitions.

Every 15 minutes, the add-on calls for a full scan of the cluster. After gathering details of the full scan and any real-time evaluations by Gatekeeper of attempted changes to the cluster, the add-on reports the results back to Azure Policy for inclusion in compliance details like any Azure Policy assignment. Only results for active policy assignments are returned during the audit cycle. Audit results can also be seen as violations listed in the status field of the failed constraint.

Note

Each compliance report in Azure Policy for your Kubernetes clusters includes all violations within the last 45 minutes. The timestamp indicates when a violation occurred.

Logging

As Kubernetes controllers/containers, both the azure-policy and gatekeeper pods keep logs in the Kubernetes cluster. The logs can be exposed in the Insights page of the Kubernetes cluster. For more information, see Monitor your Kubernetes cluster performance with Azure Monitor for containers.

To view the add-on logs, use kubectl:

# Find the azure-policy pod name in the kube-system namespace, then read its logs
kubectl get pods -n kube-system | grep azure-policy
kubectl logs <azure-policy pod name> -n kube-system

# Find the gatekeeper pod name in the gatekeeper-system namespace, then read its logs
kubectl get pods -n gatekeeper-system
kubectl logs <gatekeeper pod name> -n gatekeeper-system

For more information, see Debugging Gatekeeper in the Gatekeeper documentation.

Remove the add-on

Remove the add-on from AKS

To remove the Azure Policy Add-on from your AKS cluster, use either the Azure portal or Azure CLI:

  • Azure portal

    1. Launch the AKS service in the Azure portal by clicking All services, then searching for and selecting Kubernetes services.

    2. Select the AKS cluster where you want to disable the Azure Policy Add-on.

    3. Select Policies (preview) on the left side of the Kubernetes service page.

      (Screenshot: Policies (preview) page of an AKS cluster)

    4. In the main page, select the Disable add-on button.

      (Screenshot: disabling the Azure Policy add-on for AKS)

  • Azure CLI

    # Log in first with az login if you're not using Cloud Shell
    
    az aks disable-addons --addons azure-policy --name MyAKSCluster --resource-group MyResourceGroup
    

Remove the add-on from Azure Arc enabled Kubernetes

To remove the Azure Policy Add-on and Gatekeeper from your Azure Arc enabled Kubernetes cluster, run the following Helm command. Helm doesn't remove the service principal you created for the add-on; delete it from Azure AD as well so its credential doesn't linger.

helm uninstall azure-policy-addon

Remove the add-on from AKS Engine

To remove the Azure Policy Add-on and Gatekeeper from your AKS Engine cluster, use the method that matches how the add-on was installed:

  • If installed by setting the addons property in the cluster definition for AKS Engine:

    Redeploy the cluster definition to AKS Engine after changing the addons property for azure-policy to false:

    "addons": [{
        "name": "azure-policy",
        "enabled": false
    }]
    

    For more information, see AKS Engine - Disable Azure Policy Add-on.

  • If installed with Helm Charts, run the following Helm command:

    helm uninstall azure-policy-addon
    

Diagnostic data collected by Azure Policy Add-on

The Azure Policy Add-on for Kubernetes collects limited cluster diagnostic data. This diagnostic data is vital technical data related to software and performance. It's used in the following ways:

  • Keep Azure Policy Add-on up to date
  • Keep Azure Policy Add-on secure, reliable, and performant
  • Improve Azure Policy Add-on through aggregate analysis of how the add-on is used

The information collected by the add-on isn't personal data. The following details are currently collected:

  • Azure Policy Add-on agent version
  • Cluster type
  • Cluster region
  • Cluster resource group
  • Cluster resource ID
  • Cluster subscription ID
  • Cluster OS (example: Linux)
  • Cluster city (example: Seattle)
  • Cluster state or province (example: Washington)
  • Cluster country or region (example: United States)
  • Exceptions/errors encountered by the Azure Policy Add-on during agent installation or policy evaluation
  • Number of Gatekeeper policy definitions not installed by the Azure Policy Add-on

Next steps