Merge pull request #177269 from nehakulkarni123/patch-1

johne2021 · web-flow · commit 27f9d9d282f1 · 2021-11-04T11:23:15.000-07:00
Arc Policy Extension
diff --git a/articles/governance/policy/concepts/policy-for-kubernetes.md b/articles/governance/policy/concepts/policy-for-kubernetes.md
@@ -40,7 +40,7 @@ To enable and use Azure Policy with your Kubernetes cluster, take the following
 
 1. Configure your Kubernetes cluster and install the add-on:
    - [Azure Kubernetes Service (AKS)](#install-azure-policy-add-on-for-aks)
-   - [Azure Arc enabled Kubernetes](#install-azure-policy-add-on-for-azure-arc-enabled-kubernetes)
+   - [Azure Arc enabled Kubernetes](#install-azure-policy-extension-for-azure-arc-enabled-kubernetes)
    - [AKS Engine](#install-azure-policy-add-on-for-aks-engine)
 
    > [!NOTE]
@@ -71,7 +71,7 @@ The following general limitations apply to the Azure Policy Add-on for Kubernete
   available for the `Microsoft.Kubernetes.Data`
   [Resource Provider mode](./definition-structure.md#resource-provider-modes). Use
   [Component details](../how-to/determine-non-compliance.md#component-details-for-resource-provider-modes).
-- [Exemptions](./exemption-structure.md) aren't supported for
+- Component-level [exemptions](./exemption-structure.md) aren't supported for
   [Resource Provider modes](./definition-structure.md#resource-provider-modes).
 
 The following limitations apply only to the Azure Policy Add-on for AKS:
@@ -126,14 +126,14 @@ must enable the **Microsoft.PolicyInsights** resource providers.
 
 1. You need the Azure CLI version 2.12.0 or later installed and configured. Run `az --version` to
    find the version. If you need to install or upgrade, see
-   [Install the Azure CLI](/cli/azure/install-azure-cli).
+   [Install the Azure CLI](../../../azure-resource-manager/management/resource-providers-and-types.md#azure-cli).
 
 1. Register the resource providers and preview features.
 
    - Azure portal:
 
      Register the **Microsoft.PolicyInsights** resource providers. For steps, see
-     [Resource providers and types](../../../azure-resource-manager/management/resource-providers-and-types.md#azure-portal).
+     [Resource providers and types](../../../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider).
 
    - Azure CLI:
 
@@ -158,7 +158,7 @@ must enable the **Microsoft.PolicyInsights** resource providers.
    ```
 
 1. Install version _2.12.0_ or higher of the Azure CLI. For more information, see
-   [Install the Azure CLI](/cli/azure/install-azure-cli).
+   [Install the Azure CLI](../../../azure-resource-manager/management/resource-providers-and-types.md#azure-cli).
 
 Once the above prerequisite steps are completed, install the Azure Policy Add-on in the AKS cluster
 you want to manage.
@@ -205,16 +205,158 @@ similar to the following output:
         "identity": null
 }
 ```
+## <a name="install-azure-policy-extension-for-azure-arc-enabled-kubernetes"></a>Install Azure Policy Extension for Azure Arc enabled Kubernetes (preview)
 
-## <a name="install-azure-policy-add-on-for-azure-arc-enabled-kubernetes"></a>Install Azure Policy Add-on for Azure Arc enabled Kubernetes (preview)
+[Azure Policy for Kubernetes](./policy-for-kubernetes.md) makes it possible to manage and report on the compliance state of your Kubernetes clusters from one place.
+
+This article describes how to [create](#create-azure-policy-extension), [show extension status](#show-azure-policy-extension), and [delete](#delete-azure-policy-extension) the Azure Policy for Kubernetes extension.
+
+For an overview of the extensions platform, see [Azure Arc cluster extensions](/azure/azure-arc/kubernetes/conceptual-extensions).
+
+### Prerequisites
+
+> Note: If you have already deployed Azure Policy for Kubernetes on an Azure Arc cluster using Helm directly without extensions, follow the instructions listed to [delete the Helm chart](#remove-the-add-on-from-azure-arc-enabled-kubernetes). Once the deletion is done, you can then proceed.
+1. Ensure your Kubernetes cluster is a supported distribution.
+
+    > Note: Azure Policy for Arc extension is supported on [the following Kubernetes distributions](/azure-arc/kubernetes/conceptual-extensions).
+1. Ensure you have met all the common prerequisites for Kubernetes extensions listed [here](/azure/azure-arc/kubernetes/extensions) including [connecting your cluster to Azure Arc](/azure/azure-arc/kubernetes/quickstart-connect-cluster?tabs=azure-cli).
+
+    > Note: Azure Policy extension is supported for Arc enabled Kubernetes clusters [in these regions](https://azure.microsoft.com/global-infrastructure/services/?products=azure-arc).
+1. Open ports for the Azure Policy extension. The Azure Policy extension uses these domains and ports to fetch policy
+   definitions and assignments and report compliance of the cluster back to Azure Policy.
+
+   |Domain |Port |
+   |---|---|
+   |`data.policy.core.windows.net` |`443` |
+   |`store.policy.core.windows.net` |`443` |
+   |`login.windows.net` |`443` |
+   |`dc.services.visualstudio.com` |`443` |
+
+1. Before installing the Azure Policy extension or enabling any of the service features, your subscription must enable the **Microsoft.PolicyInsights** resource providers.
+    > Note: To enable the resource provider, follow the steps in
+   [Resource providers and types](/azure/azure-resource-manager/management/resource-providers-and-types#azure-portal)
+   or run either the Azure CLI or Azure PowerShell command:
+   - Azure CLI
+
+     ```azurecli-interactive
+     # Log in first with az login if you're not using Cloud Shell
+     # Provider register: Register the Azure Policy provider
+     az provider register --namespace 'Microsoft.PolicyInsights'
+     ```
+
+   - Azure PowerShell
+
+     ```azurepowershell-interactive
+     # Log in first with Connect-AzAccount if you're not using Cloud Shell
+    
+     # Provider register: Register the Azure Policy provider
+     Register-AzResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'
+     ```
+
+### Create Azure Policy extension
+
+> Note the following for Azure Policy extension creation:
+> - Auto-upgrade is enabled by default which will update Azure Policy extension minor version if any new changes are deployed.
+> - Any proxy variables passed as parameters to `connectedk8s` will be propagated to the Azure Policy extension to support outbound proxy.
+> 
+To create an extension instance, for your Arc enabled cluster, run the following command substituting `<>` with your values:
+
+```console
+az k8s-extension create --cluster-type connectedClusters --cluster-name <CLUSTER_NAME> --resource-group <RESOURCE_GROUP> --extension-type Microsoft.PolicyInsights --name <EXTENSION_INSTANCE_NAME>
+```
+
+#### Example:
+
+```console
+az k8s-extension create --cluster-type connectedClusters --cluster-name my-test-cluster --resource-group my-test-rg --extension-type Microsoft.PolicyInsights --name azurepolicy
+```
+
+#### Example Output:
+
+```
+{
+  "aksAssignedIdentity": null,
+  "autoUpgradeMinorVersion": true,
+  "configurationProtectedSettings": {},
+  "configurationSettings": {},
+  "customLocationSettings": null,
+  "errorInfo": null,
+  "extensionType": "microsoft.policyinsights",
+  "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/my-test-rg/providers/Microsoft.Kubernetes/connectedClusters/my-test-cluster/providers/Microsoft.KubernetesConfiguration/extensions/azurepolicy",
+ "identity": {
+    "principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+    "tenantId": null,
+    "type": "SystemAssigned"
+  },
+  "location": null,
+  "name": "azurepolicy",
+  "packageUri": null,
+  "provisioningState": "Succeeded",
+  "releaseTrain": "Stable",
+  "resourceGroup": "my-test-rg",
+  "scope": {
+    "cluster": {
+      "releaseNamespace": "kube-system"
+    },
+    "namespace": null
+  },
+  "statuses": [],
+  "systemData": {
+    "createdAt": "2021-10-27T01:20:06.834236+00:00",
+    "createdBy": null,
+    "createdByType": null,
+    "lastModifiedAt": "2021-10-27T01:20:06.834236+00:00",
+    "lastModifiedBy": null,
+    "lastModifiedByType": null
+  },
+  "type": "Microsoft.KubernetesConfiguration/extensions",
+  "version": "1.1.0"
+}
+```
+
+### Show Azure Policy extension
+
+To check the extension instance creation was successful, and inspect extension metadata, run the following command substituting `<>` with your values:
+
+```console
+az k8s-extension show --cluster-type connectedClusters --cluster-name <CLUSTER_NAME> --resource-group <RESOURCE_GROUP> --name <EXTENSION_INSTANCE_NAME>
+```
+
+#### Example:
+
+```console
+az k8s-extension show --cluster-type connectedClusters --cluster-name my-test-cluster --resource-group my-test-rg --name azurepolicy
+```
+
+#### To validate that the add-on installation was successful and that the azure-policy and gatekeeper pods are running, run the following command:
+
+```console
+kubectl get pods -n kube-system
+```
+
+```console
+kubectl get pods -n gatekeeper-system
+```
+
+### Delete Azure Policy extension
+To delete the extension instance, run the following command substituting `<>` with your values:
+
+```console
+az k8s-extension delete --cluster-type connectedClusters --cluster-name <CLUSTER_NAME> --resource-group <RESOURCE_GROUP> --name <EXTENSION_INSTANCE_NAME>
+```
+
+## <a name="install-azure-policy-add-on-for-azure-arc-enabled-kubernetes"></a>Install Azure Policy Add-on Using Helm for Azure Arc enabled Kubernetes (preview)
+
+> [!NOTE]
+> Azure Policy Add-on Helm model will soon begin deprecation. Please opt for the [Azure Policy Extension for Azure Arc enabled Kubernetes](#install-azure-policy-extension-for-azure-arc-enabled-kubernetes) instead.
 
 Before installing the Azure Policy Add-on or enabling any of the service features, your subscription
 must enable the **Microsoft.PolicyInsights** resource provider and create a role assignment for the
 cluster service principal.
 
 1. You need the Azure CLI version 2.12.0 or later installed and configured. Run `az --version` to
    find the version. If you need to install or upgrade, see
-   [Install the Azure CLI](/cli/azure/install-azure-cli).
+   [Install the Azure CLI](../../../azure-resource-manager/management/resource-providers-and-types.md#azure-cli).
 
 1. To enable the resource provider, follow the steps in
    [Resource providers and types](../../../azure-resource-manager/management/resource-providers-and-types.md#azure-portal)
@@ -328,12 +470,16 @@ kubectl get pods -n gatekeeper-system
 
 ## <a name="install-azure-policy-add-on-for-aks-engine"></a>Install Azure Policy Add-on for AKS Engine (preview)
 
+> Note: Azure Policy Add-on for AKS Engine is soon to begin deprecation. We recommend that you install the [Azure Policy Extension using Arc-enabled Kubernetes](#install-azure-policy-extension-for-azure-arc-enabled-kubernetes) instead.
+
+1. Ensure your Kubernetes cluster is a supported distribution.
+
 Before installing the Azure Policy Add-on or enabling any of the service features, your subscription
 must enable the **Microsoft.PolicyInsights** resource provider and create a role assignment for the
 cluster service principal.
 
 1. You need the Azure CLI version 2.0.62 or later installed and configured. Run `az --version` to
-   find the version. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli).
+   find the version. If you need to install or upgrade, see [Install the Azure CLI](../../../azure-resource-manager/management/resource-providers-and-types.md#azure-cli).
 
 1. To enable the resource provider, follow the steps in
    [Resource providers and types](../../../azure-resource-manager/management/resource-providers-and-types.md#azure-portal)
@@ -649,7 +795,7 @@ Constraint templates that start with `k8sazure` are the ones installed by the ad
 ### Get Azure Policy mappings
 
 To identify the mapping between a constraint template downloaded to the cluster and the policy
-definition, use `kubectl get constrainttemplates <TEMPLATE> -o yaml`. The results look similiar to
+definition, use `kubectl get constrainttemplates <TEMPLATE> -o yaml`. The results look similar to
 the following output:
 
 ```yaml
@@ -677,13 +823,13 @@ install on the cluster.
 Once you have the names of the
 [add-on downloaded constraint templates](#view-the-add-on-constraint-templates), you can use the
 name to see the related constraints. Use `kubectl get <constraintTemplateName>` to get the list.
-Constraints installed by the add-on start wtih `azurepolicy-`.
+Constraints installed by the add-on start with `azurepolicy-`.
 
 ### View constraint details
 
 The constraint has details about violations and mappings to the policy definition and assignment. To
 see the details, use `kubectl get <CONSTRAINT-TEMPLATE> <CONSTRAINT> -o yaml`. The results look
-similiar to the following output:
+similar to the following output:
 
 ```yaml
 apiVersion: constraints.gatekeeper.sh/v1beta1
@@ -727,6 +873,13 @@ For more information about troubleshooting the Add-on for Kubernetes, see the
 [Kubernetes section](../troubleshoot/general.md#add-on-for-kubernetes-general-errors)
 of the Azure Policy troubleshooting article.
 
+For Azure Policy extension for Arc extension related issues, please see:
+- [Azure Arc enabled Kubernetes troubleshooting](/azure/azure-arc/kubernetes/troubleshooting#azure-arc-enabled-kubernetes-troubleshooting)
+
+For Azure Policy related issues, please see:
+- [Inspect Azure Policy logs](/azure/governance/policy/concepts/policy-for-kubernetes#logging)
+- [General troubleshooting for Azure Policy on Kubernetes](/azure/governance/policy/troubleshoot/general#add-on-for-kubernetes-general-errors)
+
 ## Remove the add-on
 
 ### Remove the add-on from AKS
