
How to manipulate azure policies on the basis of cluster roles in AKS #748

Closed
smartaquarius10 opened this issue Apr 20, 2021 · 8 comments
Labels
azure-policy-kubernetes Label to use for Azure Policy for Kubernetes issues

Comments

@smartaquarius10

Team,

In Kubernetes, we can take advantage of cluster roles and role bindings to bifurcate the pod security policies according to the privileges of admin and non-admin users.

In Azure Kubernetes, if we apply any Azure policy, e.g. not allowing privileged pods, then it will restrict all the users, including admins as well.

How do we control this restriction in Azure policies, because PSPs in AKS are deprecated and it is mandatory to use Azure policies from now onwards?

Thank you

@ritazh
Member

ritazh commented Apr 22, 2021

Thank you for the feedback @smartaquarius10! Do you mind opening an issue in https://github.com/open-policy-agent/gatekeeper-library/issues? As PSP is moving from v1 to v2 design, there are some recommended practices around user-based exemptions. Let's talk about the tradeoffs and alternatives to fit your use case in the gatekeeper-library repo with other community members.

@smartaquarius10
Author

smartaquarius10 commented Apr 24, 2021

@ritazh Sure Rita. Will do that. Thanks for the info. I have opened this issue in the suggested repository.

Should I close the issue here?

@smartaquarius10
Author

@ritazh , Hello Rita. Hope you're doing well.

Is there any other repository or community portal where I can ask this question, because it's been 3 days and I have not received any reply on that repository?

I have to convert the AKS cluster to a shared resource, for which PSPs are required and admin vs. non-admin bifurcation is necessary. But, as per my understanding, the current architecture of Azure policies is not adhering to this role-based segregation, which is definitely a need.

Please let me know if you can share any other contacts. Thank you. Take care.

@ritazh
Member

ritazh commented Apr 28, 2021

@smartaquarius10 Thanks for opening the other issue. Let's continue the discussion in Gatekeeper as it applies to K8s PSP v2 guidance as well as Gatekeeper policies. Feel free to close this issue here.

@smartaquarius10
Author

Thanks

@ritazh
Member

ritazh commented May 18, 2021

@RamyasreeChakka can you please help @smartaquarius10 with the issue raised in open-policy-agent/gatekeeper-library#78 (comment) regarding how to apply labelSelector to builtin policies? Seems we are missing docs around this new feature.

@RamyasreeChakka RamyasreeChakka added the azure-policy-kubernetes Label to use for Azure Policy for Kubernetes issues label May 18, 2021
@nreisch
Member

nreisch commented May 18, 2021

Addressing this comment: open-policy-agent/gatekeeper-library#78 (comment)

Hi @smartaquarius10, although it may be hard to parse, the schema tab in the assignment UI shows the expected format. In this case, try adding matchExpressions like the following:
[image]
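The following is an added example, not part of the thread and not code from the Azure Policy or gatekeeper-library projects. It shows what a `labelSelector` with `matchExpressions` looks like on a Gatekeeper constraint of the kind the thread discusses (`K8sPSPPrivilegedContainer` from the gatekeeper-library pod-security-policy set), so that pods carrying an exemption label are left out of the privileged-container check. The label key `exempt-from-psp`, the constraint name and the excluded namespaces are constructed values chosen for illustration.

```yaml
# Added example (constructed, not from the thread): a Gatekeeper constraint
# scoped with a label selector so that the privileged-container restriction
# is skipped for pods that carry the exemption label "exempt-from-psp=true".
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: psp-privileged-container   # constructed name
spec:
  # Start in dryrun to see what would be denied before switching to deny.
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    # System namespaces are commonly excluded; these are example values.
    excludedNamespaces: ["kube-system", "gatekeeper-system"]
    # Standard Kubernetes LabelSelector semantics: a pod is in scope only if
    # ALL expressions hold. NotIn also matches pods that lack the key, so
    # every pod is checked unless it is explicitly labelled exempt.
    labelSelector:
      matchExpressions:
        - key: exempt-from-psp
          operator: NotIn
          values: ["true"]
```

For the Azure Policy built-in assignment that the thread refers to, the same `matchExpressions` structure (`{"matchExpressions": [{"key": "exempt-from-psp", "operator": "NotIn", "values": ["true"]}]}`) is supplied as the value of the assignment's `labelSelector` parameter rather than written into a constraint by hand. The caveat worth checking before relying on this: the selector keys off labels on the admitted pod, not off the identity of the user creating it, so it does not by itself give the admin vs. non-admin split the issue asks for. Whoever can set labels on their workloads can opt out, which means the exemption label (or the namespaces where it is honoured) needs to be protected through RBAC or a further policy, and the audit results of the constraint should be reviewed while it runs in `dryrun`.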

@smartaquarius10
Author

smartaquarius10 commented May 19, 2021

@ritazh , @nreisch , Thank you so much. Will try that right now. Take care.

Regards
Tanul
