This repository contains a set of Gatekeeper mutation policies for AKS. They are packaged as Azure Policy definitions for AKS, so you can assign them at the resource (cluster), resource group, subscription or even management group scope.
Important
This describes a preview feature and is not recommended for production use.
Warning
Please bear in mind that these policies mutate your workloads' manifests at admission time, so they will likely break your application without any warning to the person deploying it. We strongly advise using deny policies instead, since a denied request gives your users a clear description of what is wrong with their deployment, whereas a silent mutation does not.
You need to enable the AKS-AzurePolicyMutation feature flag on your subscription, since mutating webhooks are still in preview. Registration takes a few minutes: check it with `az feature show --namespace Microsoft.ContainerService --name AKS-AzurePolicyMutation` and wait for the state to report Registered before refreshing the provider registration.
az feature register --namespace Microsoft.ContainerService --name AKS-AzurePolicyMutation
az provider register -n Microsoft.ContainerService
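The two commands above return before the registration is finished; registering the resource provider while the feature is still in the Registering state leaves the flag unapplied. The script below is an added example (not part of this repository) that registers the flag, polls `az feature show` until the state is Registered, and only then refreshes the provider. The `AZ` variable and the `AKS_MUTATION_SETUP` guard are assumptions introduced here so the functions can be sourced and exercised without a live subscription.

```shell
#!/bin/sh
# Added example: register the AKS-AzurePolicyMutation preview flag and wait
# for it to become Registered before refreshing Microsoft.ContainerService.
set -eu

NAMESPACE="Microsoft.ContainerService"
FEATURE="AKS-AzurePolicyMutation"
# Assumed for this example: the az CLI command name, overridable so the
# functions can be tested against a stub.
: "${AZ:=az}"

# Print the current registration state of the feature flag
# (NotRegistered, Registering, Registered, ...).
feature_state() {
  "$AZ" feature show --namespace "$NAMESPACE" --name "$FEATURE" \
    --query properties.state -o tsv
}

# Poll the feature state up to $1 times, sleeping $2 seconds between
# attempts. Returns 0 once the state is Registered, 1 otherwise.
wait_for_registration() {
  attempts=${1:-30}
  delay=${2:-10}
  i=1
  while [ "$i" -le "$attempts" ]; do
    state=$(feature_state)
    if [ "$state" = "Registered" ]; then
      echo "$FEATURE is Registered"
      return 0
    fi
    echo "$FEATURE state: $state (attempt $i/$attempts)" >&2
    sleep "$delay"
    i=$((i + 1))
  done
  echo "$FEATURE did not reach Registered after $attempts attempts" >&2
  return 1
}

main() {
  "$AZ" feature register --namespace "$NAMESPACE" --name "$FEATURE"
  wait_for_registration 30 10
  # Only now does the provider pick up the newly registered feature.
  "$AZ" provider register -n "$NAMESPACE"
}

# Guard (assumed for this example): run the full procedure only when
# explicitly requested, so the file can also be sourced for its functions.
if [ "${AKS_MUTATION_SETUP:-0}" = "1" ]; then
  main "$@"
fi
```

Run it with `AKS_MUTATION_SETUP=1 sh register-mutation-flag.sh` (file name assumed) against a logged-in `az` session. The wait loop is the part the bare commands omit: without it, `az provider register` can run before the flag has propagated.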
This repository uses Terraform to create the set of policy definitions and an initiative (policy set definition) that collects them together. You can use the following commands to create the policies and the initiative:
terraform init
terraform apply
You can then assign the initiative to your cluster with Terraform, for example:
# Look up the initiative created by `terraform apply` above.
data "azurerm_policy_set_definition" "mutatepsp" {
  name = "mutatepsp"
}

# Assign the initiative at cluster scope; replace the placeholder with the
# resource ID of your AKS cluster.
resource "azurerm_resource_policy_assignment" "cluster_mutatepsp" {
  name                 = "mutatepsp-assignment"
  resource_id          = "<your_cluster_resource_id>"
  policy_definition_id = data.azurerm_policy_set_definition.mutatepsp.id
}