ghost
commented
3 years ago Hi MarkTopping, AKS bot here :wave: Thank you for posting on the AKS Repo, I'll do my best to get a kind human from the AKS team to assist you.
I might be just a bot, but I'm told my suggestions are normally quite good, as such: 1) If this case is urgent, please open a Support Request so that our 24/7 support team may help you faster. 2) Please abide by the AKS repo Guidelines and Code of Conduct. 3) If you're having an issue, could it be described on the AKS Troubleshooting guides or AKS Diagnostics? 4) Make sure your subscribed to the AKS Release Notes to keep up to date with all that's new on AKS. 5) Make sure there isn't a duplicate of this issue already reported. If there is, feel free to close this one and '+1' the existing issue. 6) If you have a question, do take a look at our AKS FAQ. We place the most common ones there!
somejfn
miwithro
krupakar1329
ericsuhong
nehakulkarni123
theadzik
charleswool
I'd like to request/suggest a feature whereby Azure Policy (or similar) can modify inbound K8s manifests as to satisfy admission controller policies.
The primary rational and example I can give for requesting this is driven by the SecurityContext sections for Pod and Container specs. In a company which has a strong security posture we require these sections of the deployment manifest to be present. The settings within this section are largely the concern of our Operations team; but the deployment manifests are managed by the application development teams which by enlarge to not understand the settings within and (arguably) should not have to lay their eyes upon them. 99% of the time we certainly don't want them to change them. Yet without the correct SecurityContext settings their deployments will fail so it places a burden upon them.
If Azure Policies could be used to mutate/enrich inbound deployment manifests then we could omit the SecurityContext settings from the many deployment manifests, make life easier for application teams & help them to fall into the pit of success; and control the settings centrally and from a single location.
I'm sure there would be other use cases for such behavior such as injecting a private image repository url, default resource limits, required annotations, env vars for things like Proxy settings.
Apologies if I've missed a previous request for similar or completely misunderstood what can be achieved. More than happy to be educated if I can achieve this functionality already.
Thanks