ASC_EnableIpRanges_KubernetesService_Audit.json
{
"properties": {
"displayName": "Authorized IP ranges should be defined on Kubernetes Services",
"policyType": "BuiltIn",
"mode": "All",
"description": "Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.",
"metadata": {
"version": "2.0.1",
"category": "Security Center"
},
"version": "2.0.1",
"parameters": {
"effect": {
"type": "string",
"defaultValue": "Audit",
"allowedValues": [
"Audit",
"Disabled"
],
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.ContainerService/managedClusters"
},
{
"field": "Microsoft.ContainerService/managedClusters/apiServerAccessProfile.authorizedIPRanges",
"exists": "false"
},
{
"anyOf": [
{
"field": "Microsoft.ContainerService/managedClusters/apiServerAccessProfile.enablePrivateCluster",
"exists": "false"
},
{
"field": "Microsoft.ContainerService/managedClusters/apiServerAccessProfile.enablePrivateCluster",
"equals": "false"
}
]
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
},
"versions": [
"2.0.1"
]
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea",
"name": "0e246bcf-5f6f-4f87-bc6f-775d4712c7ea"
}