Azure Policy for AKS
Azure Policy for Azure Kubernetes Service (AKS) provides centralized governance and compliance management for Kubernetes clusters through the Open Policy Agent (OPA) Gatekeeper framework. This service extends Azure’s policy management capabilities into the Kubernetes environment, enabling organizations to enforce consistent security, compliance, and operational standards across their container infrastructure.
What is Azure Policy for AKS?
Azure Policy for AKS is a cloud-native policy management service that integrates with Kubernetes clusters to enforce organizational standards and assess compliance at scale. It works by installing the Azure Policy Add-on for AKS, which deploys Gatekeeper, a validating admission controller webhook, into your cluster.
Unlike traditional policy engines that operate outside the cluster, Azure Policy for AKS runs natively within Kubernetes, evaluating resources at creation time and continuously monitoring existing resources for compliance. This approach ensures that policy violations are caught early in the deployment pipeline while maintaining comprehensive oversight of the cluster’s security posture.
Relationship with Pod Security Admission
Azure Policy for AKS and Pod Security Admission serve complementary roles in a comprehensive Kubernetes security strategy. While Pod Security Admission focuses specifically on pod-level security standards using built-in Kubernetes profiles, Azure Policy for AKS provides broader governance capabilities that extend beyond pod security to include cluster-wide policies, resource quotas, and compliance requirements.
The two systems work together harmoniously. Pod Security Admission handles the foundational security requirements for pods using standardized profiles, while Azure Policy for AKS addresses organization-specific requirements, industry regulations, and operational policies that may not be covered by the standard security profiles. For example, Pod Security Admission might enforce that containers don’t run as root, while Azure Policy for AKS might require that all container images come from approved registries or that specific labels are present on all resources.
This layered approach provides defence in depth, where Pod Security Admission acts as the first line of defence with proven security standards, and Azure Policy for AKS provides additional controls tailored to specific organizational needs and compliance requirements.
Core Components and Architecture
Azure Policy for AKS consists of several key components that work together to provide comprehensive policy management. The Azure Policy Add-on serves as the bridge between Azure Policy service and your Kubernetes cluster, automatically installing and configuring OPA Gatekeeper within the cluster. Gatekeeper acts as the admission controller, evaluating all resource requests against defined policies before allowing them to be created or modified.
The policy definitions themselves are written in Rego , OPA’s purpose-built policy language, though Azure provides a library of built-in policy definitions for common scenarios. These policies are organized into initiatives, which are collections of related policies that can be assigned together to achieve specific compliance or security objectives.
Constraint templates define the structure and logic of policies, while constraints are instances of these templates that specify the actual parameters and scope of enforcement. This separation allows for flexible policy reuse across different environments and scenarios.
Key Benefits and Use Cases
Azure Policy for AKS provides significant value across multiple dimensions of cluster management. From a security perspective, it enables organizations to enforce consistent security standards across all clusters, preventing security misconfigurations and reducing the attack surface. The service can automatically block deployments that don’t meet security requirements, such as containers running as root or using excessive privileges.
For compliance management, Azure Policy for AKS helps organizations meet regulatory requirements by enforcing necessary controls and providing audit trails. This is particularly valuable for industries subject to strict regulations, such as healthcare, finance, and government sectors, where compliance violations can result in significant penalties.
The operational benefits include improved consistency across development, staging, and production environments, reduced manual oversight, and faster incident response through automated policy enforcement. Organizations can also use Azure Policy for AKS to implement cost controls by restricting resource usage patterns that lead to unexpected expenses.
Monitoring and Compliance Reporting
Azure Policy for AKS provides comprehensive monitoring and reporting capabilities that give organizations visibility into their compliance posture. The service continuously evaluates cluster resources against defined policies and provides real-time compliance status through the Azure portal and APIs.
| Monitoring Feature | Description | Benefits |
|---|---|---|
| Compliance Dashboard | Visual representation of policy compliance across clusters | Quick identification of non-compliant resources and trends |
| Policy Violation Alerts | Real-time notifications when policies are violated | Immediate awareness of security or compliance issues |
| Audit Logs | Detailed records of policy evaluations and decisions | Comprehensive audit trail for compliance reporting |
| Resource Compliance Status | Individual resource compliance against assigned policies | Granular visibility for troubleshooting and remediation |
| Trend Analysis | Historical compliance data and trend identification | Long-term compliance monitoring and improvement tracking |
The reporting capabilities extend beyond simple compliance status to provide actionable insights for improvement. Organizations can identify patterns in policy violations, understand the impact of policy changes, and demonstrate compliance to auditors and stakeholders through comprehensive reports and dashboards.
Built-in Policy Initiatives and Definitions
Azure Policy for AKS provides an extensive library of built-in policy initiatives and individual policy definitions that address common security, compliance, and operational requirements. These pre-built policies are developed and maintained by Microsoft, incorporating industry best practices and security standards.
Policy initiatives are collections of related policies that can be assigned together to achieve specific compliance or security objectives. Azure Policy for AKS includes several key initiatives that address different aspects of cluster security and operations.
| Initiative | Description | Policies | Status |
|---|---|---|---|
| Kubernetes cluster pod security baseline standards | Implements pod security baseline standards for Linux workloads | 5 policies | Generally Available |
| Kubernetes cluster pod security restricted standards | Implements pod security restricted standards for Linux workloads | 8 policies | Generally Available |
| Deployment safeguards for AKS best practices | Collection of Kubernetes best practices recommended by AKS | 21 policies | Preview |
| CIS Kubernetes benchmark compliance | Policies for Center for Internet Security (CIS) Kubernetes benchmark | 7 policies | Preview |
| Image Integrity enforcement | Ensures only trusted and signed images are deployed | 3 policies | Preview |
The pod security initiatives are particularly important as they align with the Pod Security Standards discussed in the Pod Security Admission section. These initiatives provide policy-based enforcement of security standards that complement the built-in admission controller, offering additional flexibility and centralized management across multiple clusters.
If the built-in initiatives do not meet your requirements, or you just want to apply a few specific policies you can apply individual policies or create your own initiatives. You can find a full list of available policies in the Azure Policy for AKS documentation .
Custom Policies for AKS
While Azure Policy provides a comprehensive set of built-in policies for AKS, organizations may need to create custom policies to address specific requirements that aren’t covered by the built-in offerings. Custom policies allow you to define organization-specific rules and enforce compliance standards unique to your environment.
To create a custom policy for AKS, you define the policy in Azure Policy using the Microsoft.Kubernetes.Data mode and reference an OPA Gatekeeper constraint template and constraint. The process involves:
- Define Policy Requirements: Decide what you want to enforce (e.g., required labels, image sources).
- Create a Constraint Template: Write an OPA Gatekeeper template that describes the policy logic.
- Create a Constraint: Specify how and where the policy applies (resource types, parameters).
Example: Require Pods to have an “environment” label
Constraint Template (OPA Gatekeeper):
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8s-required-labels
spec:
crd:
spec:
names:
kind: K8sRequiredLabels
validation:
properties:
labels:
type: array
items:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8srequiredlabels
violation[{"msg": msg}] {
required := input.parameters.labels
provided := input.review.object.metadata.labels
missing := required[_]
not provided[missing]
msg := sprintf("Missing required label: %v", [missing])
} Constraint:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: must-have-environment-label
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
labels: ["environment"]You then reference these files in your Azure Policy definition. For more details, see the Azure Policy for AKS documentation .