Azure / AKS

Azure Kubernetes Service
https://azure.github.io/AKS/

[Feature] Enable CONNECT operation in gatekeeper validate admission controller #4271

Open abha10 opened 5 months ago

abha10 commented 5 months ago

As a security measure, I would like to request a feature to restrict users from running kubectl exec in pods; users shouldn't be able to log in or execute any commands using kubectl exec.

Possible Solution: Gatekeeper's validating admission controller provides the CONNECT operation, which can be used to create constraint templates that disallow exec to all pods in a cluster. And since AKS policy extends Gatekeeper to apply constraints, by enabling this feature I can add another custom policy that would restrict exec to the pods.

Alternatives available: I have also considered using AKS RBAC, but that would completely deny users the exec. I would still like to let users have the ability to run a few commands such as "ls" and "cat".

Additional context: Here is an example of how it can be implemented in a Kubernetes environment: https://medium.com/@javier-canizalez/policy-enforcement-in-kubernetes-restricting-kubectl-exec-with-gatekeeper-7e99823465c9
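To make the request above concrete, the following is an added example (not code from this issue, from Gatekeeper, or from the AKS policy add-on): it models in plain Python the decision a Gatekeeper ConstraintTemplate would express in Rego once the admission webhook is wired to receive CONNECT operations on the pods/exec subresource. It inspects the PodExecOptions object carried in the AdmissionReview and allows only a small set of commands. The allowlist (`ls`, `cat`), the `kube-system` exemption, and the helper that builds sample AdmissionReview requests are assumptions made for this example.

```python
"""Decision logic for validating a `kubectl exec` admission request.

Added example, not part of the AKS issue or the Gatekeeper project. It
mirrors the check a Gatekeeper ConstraintTemplate would perform in Rego
when the webhook receives CONNECT on pods/exec. Policy values below are
assumptions chosen for illustration.
"""
import json

# Assumed policy: only these argv[0] values may run via `kubectl exec`.
# Shells and interpreters are deliberately absent; otherwise "sh -c ls"
# would pass an allowlist that only looks at the first token.
ALLOWED_COMMANDS = {"ls", "cat"}
# Assumed exemption: the cluster-operator namespace is not subject to the rule.
EXEMPT_NAMESPACES = {"kube-system"}


def is_pod_exec(request):
    """True when the AdmissionReview request is CONNECT on pods/exec."""
    resource = request.get("resource", {})
    return (
        request.get("operation") == "CONNECT"
        and resource.get("group", "") == ""
        and resource.get("resource") == "pods"
        and request.get("subResource") == "exec"
    )


def violation(request):
    """Return a denial message, or None if the exec request is acceptable."""
    if not is_pod_exec(request):
        return None  # other operations and resources are out of scope here
    if request.get("namespace") in EXEMPT_NAMESPACES:
        return None
    # For CONNECT on pods/exec the object is a PodExecOptions; "command" is argv.
    command = request.get("object", {}).get("command") or []
    if not command:
        return "exec without an explicit command is not allowed"
    if command[0] not in ALLOWED_COMMANDS:
        return (
            f"exec command {command[0]!r} is not in the allowlist "
            f"{sorted(ALLOWED_COMMANDS)}"
        )
    return None


def review(admission_review):
    """Produce the AdmissionReview response for a v1 AdmissionReview dict."""
    request = admission_review["request"]
    message = violation(request)
    response = {"uid": request["uid"], "allowed": message is None}
    if message is not None:
        response["status"] = {"code": 403, "message": message}
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "response": response,
    }


def exec_review(uid, namespace, command, operation="CONNECT"):
    """Build a constructed AdmissionReview for `kubectl exec` (sample input)."""
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": uid,
            "kind": {"group": "", "version": "v1", "kind": "PodExecOptions"},
            "resource": {"group": "", "version": "v1", "resource": "pods"},
            "subResource": "exec",
            "name": "web-0",  # constructed pod name
            "namespace": namespace,
            "operation": operation,
            "object": {
                "apiVersion": "v1",
                "kind": "PodExecOptions",
                "container": "app",
                "command": command,
                "stdin": True,
                "tty": True,
            },
        },
    }


if __name__ == "__main__":
    for args in (["ls", "/"], ["sh", "-c", "ls"], ["cat", "/etc/hosts"], []):
        result = review(exec_review("demo", "default", args))["response"]
        print(json.dumps(result))
```

The point to keep in mind when translating this into a Gatekeeper constraint is that the rule sees only the requested argv, not what the process does afterwards, so permitting a shell or any interpreter in the allowlist collapses the control to plain RBAC-level allow. Denying requests with an empty command closes the same gap, since clients may otherwise fall back to a default shell.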

ritazh commented 3 months ago

@az-policy-kube Please evaluate this request for Azure builtin policies

microsoft-github-policy-service[bot] commented 3 months ago

@az-policy-kube would you be able to assist?