Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License

[Policy]: Configure Azure Arc enabled Kubernetes clusters to install extensions #1681

Open ReneRebsdorf opened 5 months ago

ReneRebsdorf commented 5 months ago

Policy Definition or Initiative

Initiative

Built-in/Custom

Custom

Built-in policy definition or initiative ID

ALZInit-Deploy-Arc-Extensions

Custom policy definition or initiative description

Deploy extensions to Azure Arc enabled Kubernetes clusters

Policies in initiative:

Scope

Landing Zones

Default Assignment

Comments/thoughts

No response

Springstone commented 5 months ago

@ReneRebsdorf Thanks for sharing your issue. It is a reasonable request, but can be complex to implement in complex environments, which is why we are not currently deploying by default.

Will investigate adding an option to configure additional "Arc" related settings in future release streams.

ReneRebsdorf commented 5 months ago

As with most governance items in Azure, these topics can be hard to know whether they are configured correctly from a governance perspective.

This is what I personally find to be the primary value of CAF: knowing how to have good compliance. Omitting Arc is a significant "oversight", purposefully or not. If it is not desired as a default, I would at least recommend highlighting it, either through exemptions or other means.

My 2 cents 😊

Springstone commented 5 months ago

@ReneRebsdorf you're not wrong, it is potentially complex to govern Arc-enabled resources (agents, etc.). We're proposing a new section that is all about enabling on-prem Arc-enabled features.