azurekubernetesazure-policymicrosoft365-defenderazure-defender

Azure Policy Not Reflecting Namespace Exclusions in Azure Kubernetes Cluster


I have an Azure Security Benchmark assigned at the Management Group level.

The Azure Security Benchmark has a policy (/providers/Microsoft.Authorization/policyDefinitions/423dd1ba-798e-40e4-9c4d-b6902674b423) that requires Kubernetes clusters to disable automounting API credentials.

I have an Azure Kubernetes Cluster in the subscription that is part of the above said Management Group on which Azure Security Benchmark is applied, and I'm trying to override the Namespace exclusions to include additional namespaces beyond the default Namespace exclusions list.

My exclusion namespace list is as follows:

[
  "kube-system",
  "gatekeeper-system",
  "azure-arc",
  "azuredefender",
  "mdc",
  "azure-extensions-usage-system",
  "ingress",
  "cert-manager",
  "external-dns",
  "external-secrets"
]

This is compared to the default exclusion namespace list:

[
  "kube-system",
  "gatekeeper-system",
  "azure-arc",
  "azuredefender",
  "mdc",
  "azure-extensions-usage-system"
]

To achieve this, I applied the following policy assignment:

resource "azurerm_resource_policy_assignment" "automounting_allowed_namespaces" {
  name                 = "automounting-allowed-namespaces"
  display_name         = "List of the allowed namespaces for automounting API credentials"
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/423dd1ba-798e-40e4-9c4d-b6902674b423"
  resource_id          = var.k8s_cluster_id

  parameters = jsonencode({
    excludedNamespaces = {
      value = [
        "kube-system",
        "gatekeeper-system",
        "azure-arc",
        "azuredefender",
        "mdc",
        "azure-extensions-usage-system",
        "ingress",
        "cert-manager",
        "external-dns",
        "external-secrets"
      ]
    }
  })
}

enter image description here

Despite this, I still see these namespaces under the Affected Components in the Azure policy. I have waited for 4 hours after applying this, would it take 24 hours to reflect?

enter image description here

Can anyone help me understand why this is happening and how I can resolve it?

Update: 14 May 2024

As you see below, Kubernetes clusters should disable automounting API credentials policy is a part of the Azure Security Benchmark as well as I have applied the same directly on the AKS resource

enter image description here

Defender in AKS shows 26 PODS are affected without excluding the namespaces that I wanted to exclude using the policy applied at the resource level.

enter image description here

Defender for Cloud shows the same as above (26 PODS are affected)

enter image description here

Azure Security Benchmark compliance shows the same as above (26 PODS are affected)

enter image description here

The Custom policy assignment that I assigned at the AKS resource level excluded all the namespaces as I wanted

enter image description here

I have assigned the custom policy assignment at the AKS resource level, it would not override the Azure Security Benchmark and exclude the namespace as per the custom policy? If not, the only way to achieve this is to update the Azure Security Benchmark Policy to exclude the namespaces? I don't have a permission to update the Azure Security Benchmark policies


Solution

  • As per the blog post - https://www.stefanroth.net/2020/01/17/azure-policy-how-precedence-works/

    If you apply a policy it gets inherited to the child elements like management group, subscription and resource group. If there is a more restrictive policy it will always win independently of the level it has been applied. Meaning, it does not matter if the policy is applied on management group or resource group level. If policies are not conflicting, they will be complementary, which means they will sum up in its effect.