Azure / AKS

Azure Kubernetes Service
https://azure.github.io/AKS/

Support enable/disable of Azure Policy on AKS via ARM template #1079

Closed flamingboo closed 4 years ago

flamingboo commented 5 years ago

I see Azure Policy is available in preview: https://docs.microsoft.com/en-us/azure/governance/policy/concepts/rego-for-aks

However, the only option to enable it is through Azure CLI (as per above link) using the addon.

Is there a way to implement this via ARM template ... like oms agent or http application routing addons:

"addonProfiles": {
  "omsagent": {
    "enabled": "[parameters('enableOMS')]",
    "config": {
      "logAnalyticsWorkspaceResourceID": "[parameters('workSpaceId')]"
    }
  },
  "httpApplicationRouting": {
    "enabled": "[parameters('enableHttpIngress')]"
  }
}

Thx Dan


jluk commented 5 years ago

@flamingboo not currently as it's in a limited preview state. Setting this as a feature ask and will feed this into the preview feedback.

jluk commented 5 years ago

FYI @ritazh / @LizMS for discussion in next meetings

flamingboo commented 4 years ago

@jluk I cannot see the option to enable/disable Azure Policy in the ARM template of AKS API 2020-01-01. Is this still on the roadmap?

jluk commented 4 years ago

@flamingboo this should be doable today, thanks for raising this back up. Could you give this a try?

It's not in the ARM reference because the addonprofile isn't captured in there.

{
  "properties": {
    "mode": "incremental",
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "clusterName": {
          "type": "string"
        },
        "clusterLocation": {
          "type": "string"
        },
        "clusterVersion": {
          "type": "string"
        }
      },
      "resources": [
        {
          "name": "[parameters('clusterName')]",
          "type": "Microsoft.ContainerService/managedClusters",
          "location": "[parameters('clusterLocation')]",
          "apiVersion": "2020-01-01",
          "properties": {
            "id": "[resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName'))]",
            "kubernetesVersion": "[parameters('clusterVersion')]",
            "addonProfiles": {
              "azurepolicy": {
                "enabled": true
              }
            }
          }
        }
      ]
    },
    "parameters": {
      "clusterName": {
        "value": "[field('name')]"
      },
      "clusterLocation": {
        "value": "[field('location')]"
      },
      "clusterVersion": {
        "value": "[field('Microsoft.ContainerService/managedClusters/kubernetesVersion')]"
      }
    }
  }
}

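
A pre-deployment check for the template shape discussed in this thread, added here as an example (not code from the AKS project or from anyone in the thread): it reports whether each `Microsoft.ContainerService/managedClusters` resource in an ARM template, including a wrapped deployment body like the one posted above, sets `addonProfiles.azurepolicy.enabled`. The function names, status strings and the sample template are assumptions constructed for illustration.

```python
import re

CLUSTER_TYPE = "microsoft.containerservice/managedclusters"  # ARM types are case-insensitive
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def _resolve(value, params):
    """Map a literal or a bare [parameters('x')] reference to a status string."""
    if isinstance(value, str):
        m = PARAM_REF.match(value.strip())
        if m:
            decl = params.get(m.group(1), {})
            if "defaultValue" not in decl:
                return "unresolved"  # value is only known at deployment time
            value = decl["defaultValue"]
    if isinstance(value, bool):
        return "enabled" if value else "disabled"
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return "enabled" if value.strip().lower() == "true" else "disabled"
    return "unresolved"  # any other template expression

def audit(template):
    """Return [(resource name, status)] for every AKS cluster in the template."""
    # Also accept the wrapped form {"properties": {"template": {...}}} shown in the thread.
    template = template.get("properties", {}).get("template", template)
    params = template.get("parameters", {})
    findings = []
    for res in template.get("resources", []):
        rtype = res.get("type", "").lower()
        props = res.get("properties", {})
        if rtype == "microsoft.resources/deployments":
            findings += audit(props.get("template", {}))  # nested deployment
        elif rtype == CLUSTER_TYPE:
            # Key lookup is lower-cased here; that leniency is this example's choice.
            addons = {k.lower(): v for k, v in props.get("addonProfiles", {}).items()}
            profile = addons.get("azurepolicy")
            known = isinstance(profile, dict) and "enabled" in profile
            status = _resolve(profile["enabled"], params) if known else "missing"
            findings.append((res.get("name", "<unnamed>"), status))
    return findings

# Constructed sample template (not from the thread): one cluster opts in, one omits the addon.
SAMPLE = {
    "parameters": {"enablePolicy": {"type": "bool", "defaultValue": True}},
    "resources": [
        {"type": "Microsoft.ContainerService/managedClusters", "name": "aks-a",
         "properties": {"addonProfiles": {"azurepolicy": {"enabled": "[parameters('enablePolicy')]"}}}},
        {"type": "Microsoft.ContainerService/managedClusters", "name": "aks-b",
         "properties": {"addonProfiles": {"omsagent": {"enabled": True}}}},
    ],
}
```

Treating `missing`, `disabled` and `unresolved` as failures in a pipeline gate keeps a cluster from being deployed without the addon because a parameter was left to the caller.
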
flamingboo commented 4 years ago

@jluk Perfect! I'll ask my team to test this tomorrow. Thanks!

ghost commented 4 years ago

This issue has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs within 15 days of this comment.

ghost commented 4 years ago

This issue will now be closed because it hasn't had any activity for 15 days after stale. flamingboo feel free to comment again in the next 7 days to reopen or open a new issue after that time if you still have a question/issue or suggestion.