Azure · robga · Sep 19, 2025 · Sep 18, 2025
@@ -0,0 +1,58 @@
+{
+  "properties": {
+    "displayName": "App Service app slots should disable SSH",
+    "policyType": "BuiltIn",
+    "mode": "Indexed",
+    "description": "Azure App Service allows you to open an SSH session to a container running in the service. This feature should be disabled to ensure that SSH is not inadvertently left open on App Service apps, reducing the risk of unauthorized access. Learn more at: https://aka.ms/app-service-ssh",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "App Service"
+    },
+    "version": "1.0.0",
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "Audit",
+          "Deny",
+          "Disabled"
+        ],
+        "defaultValue": "Audit"
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.Web/sites/slots"
+          },
+          {
+            "anyOf": [
+              {
+                "field": "Microsoft.Web/sites/slots/sshEnabled",
+                "exists": "false"
+              },
+              {
+                "field": "Microsoft.Web/sites/slots/sshEnabled",
+                "notEquals": "false"
+              }
+            ]
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]"
+      }
+    },
+    "versions": [
+      "1.0.0"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/a88d589f-2b09-4b50-8998-9a4e71d7b746",
+  "name": "a88d589f-2b09-4b50-8998-9a4e71d7b746"
+}
@@ -0,0 +1,58 @@
+{
+  "properties": {
+    "displayName": "App Service apps should disable SSH",
+    "policyType": "BuiltIn",
+    "mode": "Indexed",
+    "description": "Azure App Service allows you to open an SSH session to a container running in the service. This feature should be disabled to ensure that SSH is not inadvertently left open on App Service apps, reducing the risk of unauthorized access. Learn more at: https://aka.ms/app-service-ssh",
+    "metadata": {
+      "version": "1.0.0",
+      "category": "App Service"
+    },
+    "version": "1.0.0",
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        },
+        "allowedValues": [
+          "Audit",
+          "Deny",
+          "Disabled"
+        ],
+        "defaultValue": "Audit"
+      }
+    },
+    "policyRule": {
+      "if": {
+        "allOf": [
+          {
+            "field": "type",
+            "equals": "Microsoft.Web/sites"
+          },
+          {
+            "anyOf": [
+              {
+                "field": "Microsoft.Web/sites/sshEnabled",
+                "exists": "false"
+              },
+              {
+                "field": "Microsoft.Web/sites/sshEnabled",
+                "notEquals": "false"
+              }
+            ]
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]"
+      }
+    },
+    "versions": [
+      "1.0.0"
+    ]
+  },
+  "id": "/providers/Microsoft.Authorization/policyDefinitions/25255ddf-ef4f-4283-975a-5590ad111bba",
+  "name": "25255ddf-ef4f-4283-975a-5590ad111bba"
+}
@@ -1,15 +1,14 @@
 {
   "properties": {
-    "displayName": "[Preview]: Cannot Edit Individual Nodes",
+    "displayName": "Cannot Edit Individual Nodes",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks.",
     "metadata": {
-      "version": "1.2.0-preview",
-      "category": "Kubernetes",
-      "preview": true
+      "version": "1.2.1",
+      "category": "Kubernetes"
     },
-    "version": "1.2.0-preview",
+    "version": "1.2.1",
     "parameters": {
       "source": {
         "type": "String",
@@ -181,6 +180,7 @@
       }
     },
     "versions": [
+      "1.2.1",
       "1.2.0-PREVIEW",
       "1.1.0-PREVIEW",
       "1.0.4-PREVIEW",

@@ -1,15 +1,14 @@
 {
   "properties": {
-    "displayName": "[Preview]: Kubernetes cluster container images must include the preStop hook",
+    "displayName": "Kubernetes cluster container images must include the preStop hook",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Requires that container images include a preStop hook to gracefully terminate processes during pod shutdowns.",
     "metadata": {
-      "version": "1.1.0-preview",
-      "category": "Kubernetes",
-      "preview": true
+      "version": "1.1.1",
+      "category": "Kubernetes"
     },
-    "version": "1.1.0-preview",
+    "version": "1.1.1",
     "parameters": {
       "source": {
         "type": "String",
@@ -155,6 +154,7 @@
       }
     },
     "versions": [
+      "1.1.1",
       "1.1.0-PREVIEW",
       "1.0.0-PREVIEW"
     ]

@@ -1,15 +1,14 @@
 {
   "properties": {
-    "displayName": "[Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present",
+    "displayName": "Kubernetes cluster containers should only pull images when image pull secrets are present",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Restrict containers' image pulls to enforce the presence of ImagePullSecrets, ensuring secure and authorized access to images within a Kubernetes cluster",
     "metadata": {
-      "version": "1.1.0-preview",
-      "category": "Kubernetes",
-      "preview": true
+      "version": "1.1.1",
+      "category": "Kubernetes"
     },
-    "version": "1.1.0-preview",
+    "version": "1.1.1",
     "parameters": {
       "source": {
         "type": "String",
@@ -156,6 +155,7 @@
       }
     },
     "versions": [
+      "1.1.1",
       "1.1.0-PREVIEW",
       "1.0.0-PREVIEW"
     ]

@@ -1,15 +1,14 @@
 {
   "properties": {
-    "displayName": "[Preview]: Kubernetes cluster container images should not include latest image tag",
+    "displayName": "Kubernetes cluster container images should not include latest image tag",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Requires that container images do not use the latest tag in Kubernetes, it is a best practice to ensure reproducibility, prevent unintended updates, and facilitate easier debugging and rollbacks by using explicit and versioned container images.",
     "metadata": {
-      "version": "2.0.0-preview",
-      "category": "Kubernetes",
-      "preview": true
+      "version": "2.0.1",
+      "category": "Kubernetes"
     },
-    "version": "2.0.0-preview",
+    "version": "2.0.1",
     "parameters": {
       "source": {
         "type": "String",
@@ -152,6 +151,7 @@
       }
     },
     "versions": [
+      "2.0.1",
       "2.0.0-PREVIEW",
       "1.1.0-PREVIEW",
       "1.0.0-PREVIEW"

@@ -1,15 +1,14 @@
 {
   "properties": {
-    "displayName": "[Preview]: Must Have Anti Affinity Rules or Topology Spread Constraints Set",
+    "displayName": "Must Have Anti Affinity Rules or Topology Spread Constraints Set",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
     "description": "This policy ensures that pods are scheduled on different nodes within the cluster. By enforcing anti-affinity rules or pod topology spread constraints, availability is maintained even if one of the nodes becomes unavailable. Pods will continue to run on other nodes, enhancing resilience.",
     "metadata": {
-      "version": "1.1.1-preview",
-      "category": "Kubernetes",
-      "preview": true
+      "version": "1.1.2",
+      "category": "Kubernetes"
     },
-    "version": "1.1.1-preview",
+    "version": "1.1.2",
     "parameters": {
       "source": {
         "type": "String",
@@ -155,8 +154,8 @@
       }
     },
     "versions": [
+      "1.1.2",
       "1.1.1-PREVIEW",
-      "1.1.0-PREVIEW",
       "1.0.2-PREVIEW",
       "1.0.1-PREVIEW"
     ]

@@ -1,15 +1,14 @@
 {
   "properties": {
-    "displayName": "[Preview]: Sets maxUnavailable pods to 1 for PodDisruptionBudget resources",
+    "displayName": "Sets maxUnavailable pods to 1 for PodDisruptionBudget resources",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Setting your max unavailable pod value to 1 ensures that your application or service is available during a disruption",
     "metadata": {
-      "version": "1.2.0-preview",
-      "category": "Kubernetes",
-      "preview": true
+      "version": "1.2.1",
+      "category": "Kubernetes"
     },
-    "version": "1.2.0-preview",
+    "version": "1.2.1",
     "parameters": {
       "source": {
         "type": "String",
@@ -68,6 +67,7 @@
       }
     },
     "versions": [
+      "1.2.1",
       "1.2.0-PREVIEW",
       "1.1.0-PREVIEW",
       "1.0.0-PREVIEW"

@@ -1,15 +1,14 @@
 {
   "properties": {
-    "displayName": "[Preview]: Sets readOnlyRootFileSystem in the Pod spec to true if it is not set.",
+    "displayName": "Sets readOnlyRootFileSystem in the Pod spec to true if it is not set.",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem",
     "metadata": {
-      "version": "1.2.0-preview",
-      "category": "Kubernetes",
-      "preview": true
+      "version": "1.2.1",
+      "category": "Kubernetes"
     },
-    "version": "1.2.0-preview",
+    "version": "1.2.1",
     "parameters": {
       "source": {
         "type": "String",
@@ -68,6 +67,7 @@
       }
     },
     "versions": [
+      "1.2.1",
       "1.2.0-PREVIEW",
       "1.1.0-PREVIEW",
       "1.0.0-PREVIEW"

@@ -1,15 +1,14 @@
 {
   "properties": {
-    "displayName": "[Preview]: Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set.",
+    "displayName": "Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set.",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Setting readOnlyRootFileSystem to true increases security by preventing containers from writing into the root filesystem. This works only for linux containers.",
     "metadata": {
-      "version": "1.2.0-preview",
-      "category": "Kubernetes",
-      "preview": true
+      "version": "1.2.1",
+      "category": "Kubernetes"
     },
-    "version": "1.2.0-preview",
+    "version": "1.2.1",
     "parameters": {
       "source": {
         "type": "String",
@@ -68,6 +67,7 @@
       }
     },
     "versions": [
+      "1.2.1",
       "1.2.0-PREVIEW",
       "1.1.0-PREVIEW",
       "1.0.0-PREVIEW"

@@ -1,15 +1,14 @@
 {
   "properties": {
-    "displayName": "[Preview]: Restricts the CriticalAddonsOnly taint to just the system pool.",
+    "displayName": "Restricts the CriticalAddonsOnly taint to just the system pool.",
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
     "description": "To avoid eviction of user apps from user pools and maintain separation of concerns between the user and system pools, the 'CriticalAddonsOnly' taint should not be applied to user pools.",
     "metadata": {
-      "version": "1.2.0-preview",
-      "category": "Kubernetes",
-      "preview": true
+      "version": "1.2.1",
+      "category": "Kubernetes"
     },
-    "version": "1.2.0-preview",
+    "version": "1.2.1",
     "parameters": {
       "source": {
         "type": "String",
@@ -68,6 +67,7 @@
       }
     },
     "versions": [
+      "1.2.1",
       "1.2.0-PREVIEW",
       "1.1.0-PREVIEW",
       "1.0.0-PREVIEW"