From 1d3c52a52726f72ea796026ad35f017dcae0fb0f Mon Sep 17 00:00:00 2001 From: Thomas Defise Date: Thu, 4 Apr 2024 10:29:19 +0200 Subject: [PATCH] Added new Azure Policy --- .../azurepolicy.json | 45 +++++++++++++++++++ .../azurepolicy.parameters.json | 15 +++++++ .../azurepolicy.rules.json | 17 +++++++ 3 files changed, 77 insertions(+) create mode 100644 policyDefinitions/Kubernetes/ensure-ephemeral-disks-are-used-for-os-disks-on-agent-pool-profiles/azurepolicy.json create mode 100644 policyDefinitions/Kubernetes/ensure-ephemeral-disks-are-used-for-os-disks-on-agent-pool-profiles/azurepolicy.parameters.json create mode 100644 policyDefinitions/Kubernetes/ensure-ephemeral-disks-are-used-for-os-disks-on-agent-pool-profiles/azurepolicy.rules.json diff --git a/policyDefinitions/Kubernetes/ensure-ephemeral-disks-are-used-for-os-disks-on-agent-pool-profiles/azurepolicy.json b/policyDefinitions/Kubernetes/ensure-ephemeral-disks-are-used-for-os-disks-on-agent-pool-profiles/azurepolicy.json new file mode 100644 index 00000000..91b72d28 --- /dev/null +++ b/policyDefinitions/Kubernetes/ensure-ephemeral-disks-are-used-for-os-disks-on-agent-pool-profiles/azurepolicy.json @@ -0,0 +1,45 @@ +{ + "name": "2dec5f47-bc40-40d1-8c7d-a39d9d6808d2", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Ensure ephemeral disks are used for OS disks on Agent Pool Profiles", + "description": "Ephemeral OS disks are created on the local virtual machine (VM) storage and not saved to the remote Azure Storage, as when using managed OS disks.", + "metadata": { + "version": "1.0.0", + "category": "Kubernetes" + }, + "mode": "All", + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Deny, Audit or Disabled the execution of the Policy" + }, + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.ContainerService/managedClusters" + }, + { + "field": "Microsoft.ContainerService/managedClusters/agentPoolProfiles[*].osDiskType", + "notequals": "Ephemeral" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } + } + } +} diff --git a/policyDefinitions/Kubernetes/ensure-ephemeral-disks-are-used-for-os-disks-on-agent-pool-profiles/azurepolicy.parameters.json b/policyDefinitions/Kubernetes/ensure-ephemeral-disks-are-used-for-os-disks-on-agent-pool-profiles/azurepolicy.parameters.json new file mode 100644 index 00000000..d2c89f94 --- /dev/null +++ b/policyDefinitions/Kubernetes/ensure-ephemeral-disks-are-used-for-os-disks-on-agent-pool-profiles/azurepolicy.parameters.json @@ -0,0 +1,15 @@ +{ + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Deny, Audit or Disabled the execution of the Policy" + }, + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + } +} diff --git a/policyDefinitions/Kubernetes/ensure-ephemeral-disks-are-used-for-os-disks-on-agent-pool-profiles/azurepolicy.rules.json b/policyDefinitions/Kubernetes/ensure-ephemeral-disks-are-used-for-os-disks-on-agent-pool-profiles/azurepolicy.rules.json new file mode 100644 index 00000000..53727c9e --- /dev/null +++ b/policyDefinitions/Kubernetes/ensure-ephemeral-disks-are-used-for-os-disks-on-agent-pool-profiles/azurepolicy.rules.json @@ -0,0 +1,17 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.ContainerService/managedClusters" + }, + { + "field": "Microsoft.ContainerService/managedClusters/agentPoolProfiles[*].osDiskType", + "notequals": "Ephemeral" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" + } +}