I am looking into creating a custom Azure policy for AKS deployments. There is a bunch of built in policies available: https://learn.microsoft.com/en-us/azure/aks/policy-reference but I have not found one that suits this particular case.
We want to check that each pod is running with 2 replicas. To do this I have just used an existing built in policy as template. Deploying it as a custom policy with a rego script that just denies everything works OK when I have the following policyRule:
"policyRule": {
  "if": {
    "field": "type",
    "in": [
      "Microsoft.Kubernetes/connectedClusters",
      "Microsoft.ContainerService/managedClusters"
    ]
  },
  "then": {
    "effect": "[parameters('effect')]",
    "details": {
      "templateInfo": {
        "sourceType": "PublicURL",
        "url": "<regoscript that denies everything>"
      },
      "apiGroups": [
        ""
      ],
      "kinds": [
        "Pod"
      ],
      "excludedNamespaces": "[parameters('excludedNamespaces')]",
      "namespaces": "[parameters('namespaces')]",
      "labelSelector": "[parameters('labelSelector')]",
      "values": {
        "excludedContainers": "[parameters('excludedContainers')]",
        "excludedImages": "[parameters('excludedImages')]"
      }
    }
  }
}
However, once I change

"kinds": [
  "Pod"
],

to

"kinds": [
  "Deployment"
],

it stops doing anything. The rego script prints the raw object that it receives, so it does not seem like Deployment is matching anything logic-wise. Why is that so? Deployment should be a valid object in k8s: https://kubernetes.io/docs/concepts/overview/working-with-objects/#required-fields
We worked this out in the OPA Slack, but for posterity: the "apiGroups" attribute has to include "apps" when "kinds" contains "Deployment".
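For reference, the "details" section of the policyRule with the group/kind pair fixed as the answer describes. This is an added example, not code from the question or from any Microsoft built-in policy; the templateInfo URL is a placeholder, and the parameter names are carried over from the question's snippet. Pod lives in the core API group (the empty string ""), while Deployment lives in the "apps" group, so Gatekeeper only matches Deployments when "apps" is listed:

```json
{
  "details": {
    "templateInfo": {
      "sourceType": "PublicURL",
      "url": "<URL of your ConstraintTemplate that checks spec.replicas>"
    },
    "apiGroups": [
      "apps"
    ],
    "kinds": [
      "Deployment"
    ],
    "excludedNamespaces": "[parameters('excludedNamespaces')]",
    "namespaces": "[parameters('namespaces')]",
    "labelSelector": "[parameters('labelSelector')]",
    "values": {
      "excludedContainers": "[parameters('excludedContainers')]",
      "excludedImages": "[parameters('excludedImages')]"
    }
  }
}
```

If the same policy should also evaluate Pods, keep "" in "apiGroups" alongside "apps" and "Pod" in "kinds"; Gatekeeper matches each kind against every listed group, so the core group entry is what makes the Pod match work.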