devopsguide.in

AKS 23 -What Is Azure Policy for Kubernetes?

Azure Policy for Kubernetes allows you to enforce governance rules directly on your AKS clusters. It integrates Azure Policy with Kubernetes admission control, so you can audit, deny, or enforce specific configurations on Kubernetes resources.

✅ Benefits

FeatureBenefit
GovernanceEnforce organizational standards across clusters.
SecurityPrevent risky configurations (e.g., privileged containers).
ComplianceEnsure workloads meet regulatory and internal policies.
VisibilityAudit policy compliance across clusters.

Examples of What You Can Enforce

  • Only allow images from trusted registries.
  • Require resource limits (cpu, memory) on containers.
  • Deny privileged containers.
  • Enforce labels or annotations on deployments.
  • Restrict usage of host networking or hostPath volumes.

How to Use Azure Policy for Kubernetes

1. Enable Azure Policy Add-on in AKS

az aks enable-addons \
  --addons azure-policy \
  --name <cluster-name> \
  --resource-group <rg-name>

This installs the Gatekeeper admission controller in your cluster, which enforces policies.

Assign Policies via Azure Portal or CLI

You can use built-in policies or create custom policies.

Example: Enforce Resource Limits

az policy assignment create \
  --name "enforce-resource-limits" \
  --scope "/subscriptions/<sub-id>/resourceGroups/<rg-name>/providers/Microsoft.ContainerService/managedClusters/<cluster-name>" \
  --policy "policy-definition-id"

Integration with GitOps

Azure Policy works well with GitOps tools like Flux or ArgoCD, ensuring that policy enforcement is part of your CI/CD pipeline.

Leave a Reply

Your email address will not be published. Required fields are marked *