Recently, I've been tasked with working with Azure Policy and I wanted to create some custom policies. The one I'm doing now is to check if the Azure Keyvault Driver is installed in an AKS environment.
So far I've got this:
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.ContainerService/ManagedClusters"
        },
        {
          "field": "Microsoft.ContainerService/ManagedClusters/addonProfiles/azureKeyvaultSecretsProvider",
          "exists": true
        },
        {
          "field": "Microsoft.ContainerService/ManagedClusters/addonProfiles/azureKeyvaultSecretsProvider/enabled",
          "equals": true
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Deny, Audit or Disabled the execution of the Policy",
        "portalReview": true
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    }
  }
}
Basically, the code does three things. It checks that the resource is a Managed Cluster, then it checks that AzureKeyvaultSecretsProvider exists within addonProfiles, and finally it checks that the property enabled is true, so we know that AzureKeyvaultSecretsProvider is configured.
However, I keep getting an error saying that the "azureKeyvaultSecretsProvider" property does not exist within the Microsoft.ContainerService resources.
Any idea how to work this out? I thought the code would work with no issues, since I used another Kubernetes policy as a template.
Also, the property does exist, since I've checked my test AKS JSON and copied the property name directly from the resource.
I've tried double-checking Microsoft's documentation about how AKS works with Key Vaults and also checked the documentation about the structure of the Bicep thing for Managed Clusters.
The one thing I noticed is that the Managed Clusters JSON documentation mentions the "addonProfiles" parameter but does not give more information about what parameters can be stored inside it.
There is no alias for azureKeyvaultSecretsProvider. Please open a CSS ticket at https://azure.microsoft.com/support/create-ticket to request new aliases.
Aliases exist only for:

Microsoft.ContainerService/managedClusters/addonProfiles.azurePolicy.enabled
Microsoft.ContainerService/managedClusters/addonProfiles.omsagent.enabled
Furthermore, the property paths do not contain a '/' but a '.', like this (if they existed):

"Microsoft.ContainerService/ManagedClusters/addonProfiles.azureKeyvaultSecretsProvider"
"Microsoft.ContainerService/ManagedClusters/addonProfiles.azureKeyvaultSecretsProvider.enabled"
My guess as to why you cannot use it is that it is fairly new and has been overlooked: https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/tutorial-akv-secrets-provider?wt.mc_id=MVP_323223
You can always find the aliases that can be used in Azure Policy with this PowerShell command:

Get-AzPolicyAlias -NamespaceMatch Microsoft.ContainerService | where ResourceType -like 'ManagedClusters*' | Select-Object -ExpandProperty 'Aliases' | Select name
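The following script is an added example, not part of the question or the answer above. It turns the one-liner into a repeatable check: it lists the addonProfiles aliases Azure Policy actually exposes for managedClusters, verifies a candidate alias against that list before you put it in a policy definition (a '/' where a '.' belongs fails this check, which is exactly the "property does not exist" error from the question), and then builds a policy rule from a confirmed alias. It assumes the Az.Resources module is installed and Connect-AzAccount has been run; the function names, the inverted "audit clusters where the add-on is not enabled" rule shape and the use of the existing azurePolicy.enabled alias as the stand-in are the example's own choices.

```powershell
# Added example (not from the original question or answer).
# Assumes: Az.Resources module installed and Connect-AzAccount already run.

function Get-AksAddonAliases {
    # Alias names under managedClusters whose path goes through addonProfiles.
    Get-AzPolicyAlias -NamespaceMatch 'Microsoft.ContainerService' |
        Where-Object ResourceType -like 'managedClusters*' |
        Select-Object -ExpandProperty Aliases |
        Where-Object Name -like '*addonProfiles*' |
        Select-Object -ExpandProperty Name
}

function Test-PolicyAlias {
    param(
        [Parameter(Mandatory)][string]$Alias,
        [string[]]$Known = (Get-AksAddonAliases)
    )
    # Exact (case-insensitive) match only. A near miss such as
    # '.../addonProfiles/azurePolicy/enabled' instead of
    # '.../addonProfiles.azurePolicy.enabled' must return $false.
    [bool]($Known -contains $Alias)
}

function New-AksAddonAuditRule {
    param([Parameter(Mandatory)][string]$Alias)
    if (-not (Test-PolicyAlias -Alias $Alias)) {
        throw "No Azure Policy alias '$Alias' exists. Pick one from Get-AksAddonAliases or request one via a support ticket."
    }
    # Hypothetical rule shape: flag clusters where the add-on is missing or disabled.
    # 'exists' is false when the add-on profile was never set, 'notEquals' catches
    # a profile that is present but switched off.
    $rule = @{
        if = @{
            allOf = @(
                @{ field = 'type'; equals = 'Microsoft.ContainerService/managedClusters' },
                @{ anyOf = @(
                    @{ field = $Alias; exists = $false },
                    @{ field = $Alias; notEquals = $true }
                )}
            )
        }
        then = @{ effect = 'audit' }
    }
    $rule | ConvertTo-Json -Depth 10
}

# Usage
Get-AksAddonAliases

$wanted = 'Microsoft.ContainerService/managedClusters/addonProfiles.azureKeyvaultSecretsProvider.enabled'
Test-PolicyAlias -Alias $wanted   # $false as long as no alias has been published for it

# Build a rule from an alias the answer confirms exists today.
$policyJson = New-AksAddonAuditRule -Alias 'Microsoft.ContainerService/managedClusters/addonProfiles.azurePolicy.enabled'
$policyJson
```

Once the JSON prints, it can be handed to New-AzPolicyDefinition -Name <name> -Policy $policyJson; rerun Get-AksAddonAliases after any Azure Policy update, since a newly published alias for azureKeyvaultSecretsProvider is the only thing that will make the original question's check expressible without a support ticket.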