Built-in Policy Release 5bdabf55

Author: Azure Policy Bot

built-in-policies/policyDefinitions/Azure Government/Kubernetes/AllowedHostPaths.json

@@ -5,10 +5,10 @@
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
     "metadata": {
-      "version": "7.2.0",
+      "version": "7.3.0",
       "category": "Kubernetes"
     },
-    "version": "7.2.0",
+    "version": "7.3.0",
     "parameters": {
       "source": {
         "type": "String",
@@ -167,6 +167,45 @@
           "additionalProperties": false
         }
       },
+      "windowsAllowedHostPaths": {
+        "type": "Object",
+        "metadata": {
+          "displayName": "Allowed host paths for windows containers",
+          "description": "The host paths allowed for windows pod hostPath volumes to use. Provide an empty paths list to block all host paths. Use \"C:\\\" to allow all windows host paths.",
+          "portalReview": true
+        },
+        "defaultValue": {
+          "paths": []
+        },
+        "schema": {
+          "type": "object",
+          "properties": {
+            "paths": {
+              "type": "array",
+              "items": {
+                "type": "object",
+                "properties": {
+                  "pathPrefix": {
+                    "type": "string"
+                  },
+                  "readOnly": {
+                    "type": "boolean"
+                  }
+                },
+                "required": [
+                  "pathPrefix",
+                  "readOnly"
+                ],
+                "additionalProperties": false
+              }
+            }
+          },
+          "required": [
+            "paths"
+          ],
+          "additionalProperties": false
+        }
+      },
       "excludedContainers": {
         "type": "Array",
         "metadata": {
@@ -200,7 +239,7 @@
           "warn": "[parameters('warn')]",
           "templateInfo": {
             "sourceType": "PublicURL",
-            "url": "https://store.policy.azure.us/kubernetes/allowed-host-paths/v3/template.yaml"
+            "url": "https://store.policy.azure.us/kubernetes/allowed-host-paths/v4/template.yaml"
           },
           "apiGroups": [
             ""
@@ -213,13 +252,15 @@
           "labelSelector": "[parameters('labelSelector')]",
           "values": {
             "allowedHostPaths": "[parameters('allowedHostPaths').paths]",
+            "windowsAllowedHostPaths": "[parameters('windowsAllowedHostPaths').paths]",
             "excludedContainers": "[parameters('excludedContainers')]",
             "excludedImages": "[parameters('excludedImages')]"
           }
         }
       }
     },
     "versions": [
+      "7.3.0",
       "7.2.0",
       "7.1.1"
     ]

built-in-policies/policyDefinitions/Azure Government/Kubernetes/ContainerNoPrivilegeEscalation.json

@@ -5,11 +5,32 @@
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
     "metadata": {
-      "version": "8.1.0",
+      "version": "9.0.0",
       "category": "Kubernetes"
     },
-    "version": "8.1.0",
+    "version": "9.0.0",
     "parameters": {
+      "source": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Source",
+          "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+        },
+        "defaultValue": "Original",
+        "allowedValues": [
+          "All",
+          "Generated",
+          "Original"
+        ]
+      },
+      "warn": {
+        "type": "Boolean",
+        "metadata": {
+          "displayName": "Warn",
+          "description": "Whether or not to return warnings back to the user in the kubectl cli"
+        },
+        "defaultValue": false
+      },
       "effect": {
         "type": "String",
         "metadata": {
@@ -18,11 +39,8 @@
           "portalReview": true
         },
         "allowedValues": [
-          "audit",
           "Audit",
-          "deny",
           "Deny",
-          "disabled",
           "Disabled"
         ],
         "defaultValue": "Audit"
@@ -107,6 +125,14 @@
           "additionalProperties": false
         }
       },
+      "forcePrivilegeEscalationToBeFalse": {
+        "type": "Boolean",
+        "metadata": {
+          "displayName": "Force all container securityContext.allowPrivilegeEscalation fields to be explicity set to false",
+          "description": "If set to true, then `allowPrivilegeEscalation` must explicitly be set to false regardless of the `runAsUser` field in the container securityContext. Setting this value to true will make this policy follow the behavior of the Kubernetes Pod Security Standards for Privilege Escalation at the restricted level: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted"
+        },
+        "defaultValue": false
+      },
       "excludedContainers": {
         "type": "Array",
         "metadata": {
@@ -136,9 +162,11 @@
       "then": {
         "effect": "[parameters('effect')]",
         "details": {
+          "source": "[parameters('source')]",
+          "warn": "[parameters('warn')]",
           "templateInfo": {
             "sourceType": "PublicURL",
-            "url": "https://store.policy.azure.us/kubernetes/container-no-privilege-escalation/v3/template.yaml"
+            "url": "https://store.policy.azure.us/kubernetes/container-no-privilege-escalation/v4/template.yaml"
           },
           "apiGroups": [
             ""
@@ -151,12 +179,14 @@
           "labelSelector": "[parameters('labelSelector')]",
           "values": {
             "excludedContainers": "[parameters('excludedContainers')]",
-            "excludedImages": "[parameters('excludedImages')]"
+            "excludedImages": "[parameters('excludedImages')]",
+            "forcePrivilegeEscalationToBeFalse": "[parameters('forcePrivilegeEscalationToBeFalse')]"
           }
         }
       }
     },
     "versions": [
+      "9.0.0",
       "8.1.0"
     ]
   },

built-in-policies/policyDefinitions/Azure Government/Kubernetes/EnforceAppArmorProfile.json

@@ -5,11 +5,32 @@
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
     "metadata": {
-      "version": "7.1.1",
+      "version": "7.2.0",
       "category": "Kubernetes"
     },
-    "version": "7.1.1",
+    "version": "7.2.0",
     "parameters": {
+      "source": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Source",
+          "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+        },
+        "defaultValue": "Original",
+        "allowedValues": [
+          "All",
+          "Generated",
+          "Original"
+        ]
+      },
+      "warn": {
+        "type": "Boolean",
+        "metadata": {
+          "displayName": "Warn",
+          "description": "Whether or not to return warnings back to the user in the kubectl cli"
+        },
+        "defaultValue": false
+      },
       "effect": {
         "type": "String",
         "metadata": {
@@ -111,7 +132,7 @@
         "type": "Array",
         "metadata": {
           "displayName": "Allowed AppArmor profiles",
-          "description": "The list of AppArmor profiles that containers are allowed to use. E.g. [ \"runtime/default\", \"docker/default\" ]. Provide empty list as input to block everything.",
+          "description": "The list of AppArmor profiles that containers are allowed to use. E.g. [ \"runtime/default\", \"docker/default\" ]. Use \"localhost/*\" to allow all localhost profiles. Provide empty list as input to block everything.",
           "portalReview": true
         },
         "defaultValue": [
@@ -147,6 +168,8 @@
       "then": {
         "effect": "[parameters('effect')]",
         "details": {
+          "source": "[parameters('source')]",
+          "warn": "[parameters('warn')]",
           "templateInfo": {
             "sourceType": "PublicURL",
             "url": "https://store.policy.azure.us/kubernetes/enforce-apparmor-profile/v3/template.yaml"
@@ -169,6 +192,7 @@
       }
     },
     "versions": [
+      "7.2.0",
       "7.1.1"
     ]
   },

built-in-policies/policyDefinitions/Azure Government/Kubernetes/SELinux.json

@@ -1,15 +1,36 @@
 {
   "properties": {
-    "displayName": "Kubernetes cluster pods and containers should only use allowed SELinux options",
+    "displayName": "Kubernetes cluster pods and containers should follow SELinux security standards",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
-    "description": "Pods and containers should only use allowed SELinux options in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
+    "description": "This policy enforces Kubernetes Pod Security Standards for SELinux options. Under PSS mode, 'user' and 'role' fields must be empty, and 'type' field must be one of the allowed values. For more information, see https://aka.ms/kubepolicydoc.",
     "metadata": {
-      "version": "8.1.1",
+      "version": "9.0.0",
       "category": "Kubernetes"
     },
-    "version": "8.1.1",
+    "version": "9.0.0",
     "parameters": {
+      "source": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Source",
+          "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+        },
+        "defaultValue": "Original",
+        "allowedValues": [
+          "All",
+          "Generated",
+          "Original"
+        ]
+      },
+      "warn": {
+        "type": "Boolean",
+        "metadata": {
+          "displayName": "Warn",
+          "description": "Whether or not to return warnings back to the user in the kubectl cli"
+        },
+        "defaultValue": false
+      },
       "effect": {
         "type": "String",
         "metadata": {
@@ -104,11 +125,34 @@
           "additionalProperties": false
         }
       },
+      "enforcePSS": {
+        "type": "Boolean",
+        "metadata": {
+          "displayName": "Enforce Pod Security Standards",
+          "description": "When true, enforces Kubernetes Pod Security Standards for SELinux options. Under PSS mode, 'user' and 'role' fields must be undefined or empty, and 'type' field must be one of the allowed values. When false, custom SELinux options can be specified.",
+          "portalReview": true
+        },
+        "defaultValue": false
+      },
+      "allowedSELinuxTypes": {
+        "type": "Array",
+        "metadata": {
+          "displayName": "Allowed SELinux types",
+          "description": "List of allowed SELinux type values. Following PSS, this should typically include container_t, container_init_t, container_kvm_t and for K8s 1.31+ container_engine_t. Empty string is always allowed.",
+          "portalReview": true
+        },
+        "defaultValue": [
+          "container_t",
+          "container_init_t",
+          "container_kvm_t",
+          "container_engine_t"
+        ]
+      },
       "allowedSELinuxOptions": {
         "type": "Object",
         "metadata": {
           "displayName": "Allowed SELinux options",
-          "description": "The allowed configurations for pod and container level SELinux Options. Provide empty options list as input to block everything.",
+          "description": "The allowed configurations for pod and container level SELinux Options. Only used when enforcePSS is false.",
           "portalReview": true
         },
         "defaultValue": {
@@ -166,9 +210,11 @@
       "then": {
         "effect": "[parameters('effect')]",
         "details": {
+          "source": "[parameters('source')]",
+          "warn": "[parameters('warn')]",
           "templateInfo": {
             "sourceType": "PublicURL",
-            "url": "https://store.policy.azure.us/kubernetes/selinux/v2/template.yaml"
+            "url": "https://store.policy.azure.us/kubernetes/selinux/v3/template.yaml"
           },
           "apiGroups": [
             ""
@@ -180,13 +226,16 @@
           "namespaces": "[parameters('namespaces')]",
           "labelSelector": "[parameters('labelSelector')]",
           "values": {
+            "enforcePSS": "[parameters('enforcePSS')]",
+            "allowedSELinuxTypes": "[parameters('allowedSELinuxTypes')]",
             "allowedSELinuxOptions": "[parameters('allowedSELinuxOptions').options]",
             "excludedImages": "[parameters('excludedImages')]"
           }
         }
       }
     },
     "versions": [
+      "9.0.0",
       "8.1.1"
     ]
   },