{
"properties": {
"displayName": "Kubernetes cluster pod security baseline standards for Linux-based workloads",
"policyType": "BuiltIn",
"description": "This initiative includes the policies for the Kubernetes cluster pod security baseline standards. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.",
"metadata": {
"version": "1.4.0",
"category": "Kubernetes"
},
"version": "1.4.0",
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "'Audit' allows a non-compliant resource to be created or updated, but flags it as non-compliant. 'Deny' blocks the non-compliant resource creation or update. 'Disabled' turns off the policy.",
"portalReview": true
},
"allowedValues": [
"audit",
"Audit",
"deny",
"Deny",
"disabled",
"Disabled"
],
"defaultValue": "Audit"
},
"excludedNamespaces": {
"type": "Array",
"metadata": {
"displayName": "Namespace exclusions",
"description": "List of Kubernetes namespaces to exclude from policy evaluation."
},
"defaultValue": [
"kube-system",
"gatekeeper-system",
"azure-arc",
"azure-extensions-usage-system"
]
},
"namespaces": {
"type": "Array",
"metadata": {
"displayName": "Namespace inclusions",
"description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
},
"defaultValue": []
},
"allowedHostPaths": {
"type": "Object",
"metadata": {
"displayName": "Allowed host paths",
"description": "The host paths allowed for pod hostPath volumes to use. Provide an empty paths list to block all host paths.",
"portalReview": true
},
"defaultValue": {
"paths": []
},
"schema": {
"type": "object",
"properties": {
"paths": {
"type": "array",
"items": {
"type": "object",
"properties": {
"pathPrefix": {
"type": "string"
},
"readOnly": {
"type": "boolean"
}
},
"required": [
"pathPrefix",
"readOnly"
],
"additionalProperties": false
}
}
},
"required": [
"paths"
],
"additionalProperties": false
}
}
},
"policyDefinitions": [
{
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
"definitionVersion": "9.*.*",
"policyDefinitionReferenceId": "NoPrivilegedContainers",
"parameters": {
"effect": {
"value": "[parameters('effect')]"
},
"excludedNamespaces": {
"value": "[parameters('excludedNamespaces')]"
},
"namespaces": {
"value": "[parameters('namespaces')]"
}
}
},
{
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82985f06-dc18-4a48-bc1c-b9f4f0098cfe",
"definitionVersion": "6.*.*",
"policyDefinitionReferenceId": "BlockUsingHostNetwork",
"parameters": {
"effect": {
"value": "[parameters('effect')]"
},
"excludedNamespaces": {
"value": "[parameters('excludedNamespaces')]"
},
"namespaces": {
"value": "[parameters('namespaces')]"
},
"allowHostNetwork": {
"value": false
},
"minPort": {
"value": 0
},
"maxPort": {
"value": 0
}
}
},
{
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8",
"definitionVersion": "5.*.*",
"policyDefinitionReferenceId": "BlockUsingHostProcessIDAndIPC",
"parameters": {
"effect": {
"value": "[parameters('effect')]"
},
"excludedNamespaces": {
"value": "[parameters('excludedNamespaces')]"
},
"namespaces": {
"value": "[parameters('namespaces')]"
}
}
},
{
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c",
"definitionVersion": "6.*.*",
"policyDefinitionReferenceId": "ContainerCapabilities",
"parameters": {
"effect": {
"value": "[parameters('effect')]"
},
"excludedNamespaces": {
"value": "[parameters('excludedNamespaces')]"
},
"namespaces": {
"value": "[parameters('namespaces')]"
},
"allowedCapabilities": {
"value": [
"CHOWN",
"DAC_OVERRIDE",
"FSETID",
"FOWNER",
"MKNOD",
"NET_RAW",
"SETGID",
"SETUID",
"SETFCAP",
"SETPCAP",
"NET_BIND_SERVICE",
"SYS_CHROOT",
"KILL",
"AUDIT_WRITE"
]
},
"requiredDropCapabilities": {
"value": []
}
}
},
{
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/098fc59e-46c7-4d99-9b16-64990e543d75",
"definitionVersion": "6.*.*",
"policyDefinitionReferenceId": "NoHostPathVolume",
"parameters": {
"effect": {
"value": "[parameters('effect')]"
},
"excludedNamespaces": {
"value": "[parameters('excludedNamespaces')]"
},
"namespaces": {
"value": "[parameters('namespaces')]"
},
"allowedHostPaths": {
"value": "[parameters('allowedHostPaths')]"
}
}
}
],
"versions": [
"1.4.0"
]
},
"id": "/providers/Microsoft.Authorization/policySetDefinitions/a8640138-9b0a-4a28-b8cb-1666c838647d",
"name": "a8640138-9b0a-4a28-b8cb-1666c838647d"
}