Fri. Dec 27th, 2024

What is Azure Policy?

Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources.

Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. Policy definitions for these common use cases are already available in your Azure environment as built-ins to help you get started.

Specifically, some useful governance actions you can enforce with Azure Policy include:

  • Ensuring your team deploys Azure resources only to allowed regions
  • Enforcing the consistent application of taxonomic tags
  • Requiring resources to send diagnostic logs to a Log Analytics workspace

It’s important to recognize that with the introduction of Azure Arc, you can extend your policy-based governance across different cloud providers and even to your local datacenters.

Today we’re going to make sure our Kubernetes environment are compatible with our policy

First you need to connect your existing kubernetes cluster to Azure Arc

Prerequisites

In addition to these prerequisites, be sure to meet all network requirements for Azure Arc-enabled Kubernetes.

The latest version of Azure CLI.

curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

The latest version of connectedk8s Azure CLI extension, installed by running the following command:

az extension add –name connectedk8s

Register providers for Azure Arc-enabled Kubernetes

Enter the following commands:

az provider register –namespace Microsoft.Kubernetes

az provider register –namespace Microsoft.KubernetesConfiguration

az provider register –namespace Microsoft.ExtendedLocation

Connect an existing Kubernetes cluster

Run the following command to connect your cluster. This command deploys the Azure Arc agents to the cluster and installs Helm v. 3.6.3 to the .azure folder of the deployment machine. This Helm 3 installation is only used for Azure Arc, and it doesn’t remove or change any previously installed versions of Helm on the machine.

az connectedk8s connect –name K8sCluster –resource-group rgname

 Note

After onboarding the cluster, it takes around 5 to 10 minutes for the cluster metadata (cluster version, agent version, number of nodes, etc.) to surface on the overview page of the Azure Arc-enabled Kubernetes resource in Azure portal.

When browsing through your cluster, you need to create a service account to access your resources. Follow the following steps to do that.

With the kubeconfig file pointing to the apiserver of your Kubernetes cluster, run this command to create a service account. This example creates the service account in the default namespace, but you can substitute any other namespace for default.

kubectl create serviceaccount auth-user -n default

Create ClusterRoleBinding to grant this service account the appropriate permissions on the cluster. If you used a different namespace in the first command, substitute it here for default.

kubectl create clusterrolebinding auth-user-binding –clusterrole cluster-admin –serviceaccount default:auth-user

Create a service account token:

kubectl apply -f – <<EOF

apiVersion: v1

kind: Secret

metadata:

  name: auth-user-secret

  annotations:

    kubernetes.io/service-account.name: auth-user

type: kubernetes.io/service-account-token

EOF

TOKEN=$(kubectl get secret auth-user-secret -o jsonpath='{$.data.token}’ | base64 -d | sed ‘s/$/\n/g’)

Get the token to output to console.

You’ve completed the first step In onboarding your cluster to Azure Arc and authentication to your cluster.

The next part is to create and policy and assign it to your resource group containing your cluster.

Create a policy assignment.

  1. Sign in to the Azure portal.
  2. Search for policy and select it from the list.
  1. Select Assignments on the Policy pane.
  1. Select Assign Policy from the Policy Assignments pane.
  2. On the Assign Policy pane Basics tab configure the following options:
fieldAction
ScopeUse the ellipsis (…) and then select a subscription and a resource group. Then choose Select to apply the scope.
ExclusionsOptional and isn’t used in this example.
Policy definitionSelect the ellipsis to open the list of available definitions.
Available DefinitionsSearch the policy definitions list for Audit VMs that do not use managed disks definition, select the policy, and select Add.
Assignment nameBy default uses the name of the selected policy. You can change it but for this example, use the default name.
DescriptionOptional to provide details about this policy assignment.
Policy enforcementDefaults to Enabled. For more information, go to enforcement mode.
Assigned byDefaults to who is signed in to Azure. This field is optional and custom values can be entered.

Select Next to view each tab for AdvancedParameters, and Remediation

The policy assignment shows resources that aren’t compliant with a Compliance state of Non-compliant. To get more details, select the policy assignment name to view the Resource Compliance.

When a condition is evaluated against your existing resources and found true, then those resources are marked as non-compliant with the policy. The following table shows how different policy effects work with the condition evaluation for the resulting compliance state. Although you don’t see the evaluation logic in the Azure portal, the compliance state results are shown. The compliance state result is either compliant or non-compliant.

After a while the policy should run and should be non-compliant since we are deploying pods to the default namespace.

One thought on “Configure Azure Policy with On-prem Kubernetes Cluster”

Leave a Reply

Your email address will not be published. Required fields are marked *