articles/aks/deployment-safeguards.md
Lines changed: 16 additions & 16 deletions
@@ -69,21 +69,21 @@ az provider register --namespace Microsoft.ContainerService
69
69
70
70
## Deployment safeguards policies
71
71
72
-
The following table lists the policies that become active when you enable deployment safeguards. You can see the [currently available deployment safeguards][deployment-safeguards-list] in the Azure portal as an Azure Policy definition, or view them at [Azure Policy built-in definitions for Azure Kubernetes Service][Azure-Policy-built-in-definition-docs]. The intention behind this collection is to create a common and generic list of best practices applicable to most users and use cases.
73
-
74
-
| Deployment safeguard policies |
75
-
|--------------|
76
-
|[Preview]: Cannot Edit Individual Nodes |
77
-
| Kubernetes cluster containers CPU and memory resource limits shouldn't exceed the specified limits |
78
-
|[Preview]: Must Have Anti Affinity Rules Set |
79
-
|[Preview]: No AKS Specific Labels |
80
-
| Kubernetes cluster containers should only use allowed images |
81
-
|[Preview]: Reserved System Pool Taints |
82
-
| Ensure cluster containers have readiness or liveness probes configured |
83
-
| Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass |
84
-
|[Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present |
85
-
|[Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets |
86
-
|[Preview]: Kubernetes cluster services should use unique selectors |
72
+
The following table lists the policies that become active when you enable deployment safeguards and the Kubernetes resource that they will target. You can see the [currently available deployment safeguards][deployment-safeguards-list] in the Azure portal as an Azure Policy definition, or view them at [Azure Policy built-in definitions for Azure Kubernetes Service][Azure-Policy-built-in-definition-docs]. The intention behind this collection is to create a common and generic list of best practices applicable to most users and use cases.
73
+
74
+
| Deployment safeguard policies | Kubernetes resource that is targeted |
75
+
|--------------|--------------|
76
+
|[Preview]: Cannot Edit Individual Nodes | Node |
77
+
| Kubernetes cluster containers CPU and memory resource limits shouldn't exceed the specified limits | Pod |
78
+
|[Preview]: Must Have Anti Affinity Rules Set | Deployment, StatefulSet, ReplicationController, ReplicaSet |
79
+
|[Preview]: No AKS Specific Labels | Deployment, StatefulSet, Replicaset |
80
+
| Kubernetes cluster containers should only use allowed images | Pod |
81
+
|[Preview]: Reserved System Pool Taints | Node |
82
+
| Ensure cluster containers have readiness or liveness probes configured | Pod |
83
+
| Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass | StorageClass |
84
+
|[Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present | Pod |
85
+
|[Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets | Deployment, ReplicaSet, StatefulSet |
86
+
|[Preview]: Kubernetes cluster services should use unique selectors | Service |
87
87
88
88
If you would like to submit an idea or request for deployment safeguards, open an issue in the [AKS GitHub repository][aks-gh-repo] and add `[deployment safeguards request]` to the beginning of the title.
89
89
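Review bot: The new "Kubernetes resource that is targeted" column spells the kind inconsistently: the "No AKS Specific Labels" row says "Replicaset" while the "Must Have Anti Affinity Rules Set" and "Pod Disruption Budgets" rows say "ReplicaSet". Use the Kubernetes kind name "ReplicaSet" throughout, and consider listing the kinds in the same order in every row (for example "Deployment, StatefulSet, ReplicaSet") so readers can compare rows at a glance. While the intro sentence is being rewritten, "the Kubernetes resource that they will target" reads better as "the Kubernetes resource that they target", and the CSI row still lacks a space in "Container Storage Interface(CSI)".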
@@ -177,7 +177,7 @@ When switching deployment safeguard levels, you may need to wait up to 15 minute
177
177
178
178
#### Why did my deployment resource get admitted even though it wasn't following best practices?
179
179
180
-
Deployment safeguards enforce best practice standards through Azure Policy controls and has policies that validate against pods and deployments. To evaluate and enforce cluster components (that is, pods, namespaces), Azure Policy extends [Gatekeeper](https://open-policy-agent.github.io/gatekeeper/website/). Gatekeeper enforcement also currently operates in a [`fail-open` model](https://open-policy-agent.github.io/gatekeeper/website/docs/failing-closed/#considerations). As there's no guarantee that Gatekeeper will respond to our networking call, we make sure that in that case, the validation is skipped so that the deny doesn't block your deployments.
180
+
Deployment safeguards enforce best practice standards through Azure Policy controls and has policies that validate against Kubernetes resources. To evaluate and enforce cluster components, Azure Policy extends [Gatekeeper](https://open-policy-agent.github.io/gatekeeper/website/). Gatekeeper enforcement also currently operates in a [`fail-open` model](https://open-policy-agent.github.io/gatekeeper/website/docs/failing-closed/#considerations). As there's no guarantee that Gatekeeper will respond to our networking call, we make sure that in that case, the validation is skipped so that the deny doesn't block your deployments.
181
181
182
182
To learn more, see [workload validation in Gatekeeper](https://open-policy-agent.github.io/gatekeeper/website/docs/workload-resources/).
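Review bot: The rewritten sentence keeps a subject-verb disagreement: "Deployment safeguards enforce best practice standards through Azure Policy controls and has policies" should read "and have policies". Since the body now speaks of validating against "Kubernetes resources" in general rather than pods and deployments, the unchanged heading "Why did my deployment resource get admitted even though it wasn't following best practices?" is now narrower than the answer; consider "Why did my resource get admitted" so the two match. Finally, "our networking call" is vague for a reader debugging fail-open behaviour; naming it as the admission webhook request to Gatekeeper would make clear which call can time out and be skipped.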