Azure Policy Refresh

[ckittel]

Refreshing our Azure Policy assignments. This PR will not address adding custom in-cluster policies.

Changes:

• No longer building tenant resource IDs for policy definitions by hand, now using built-in tenantResourceId() function
• Added Gatekeeper constraint names to bicep file for easy cross referencing
• included flux-system as it's coming from an extension in more excludedNamespaces on policy assignments
• went from audit -> Audit and deny -> Deny to align with the defaults better.
• Documented all known policy violations
• Updated API versions related to Azure Policy assignments
• Populated description on all Azure Policy assignments
• Ensure take() is applied to all policy names to prevent a long RG name breaking the assignment name
• Updated the following previously applied Azure Policy for Kubernetes policy assignments:
  • K8sAzureContainerAllowedImages
    • Added proper RegEx escaping for . in the allow list
    • Removed azurearcfork8s.azurecr.io/azurearcflux/images/stable/.+$ as those flux images are now sourced from MCR.
  • K8sAzureContainerLimits
    • No longer including cluster-baseline-settings
    • Updated limits to match cluster workload requirements.
  • K8sAzureReadOnlyRootFilesystem
    • Moved from Audit to Deny
    • Added specific exceptions for the cluster's workloads
• Assigned the following built-in Azure Policy for Kubernetes policies:
  • K8sAzureHostFilesystem (Deny)
  • K8sAzureExternalIPs (Deny)
  • K8sAzureBlockEndpointEditDefaultRole (Audit)
  • K8sAzureBlockDefault (Audit)
• Assigned the following built-in Azure Policy policies:
  • Authorized IP ranges should be defined on Kubernetes Services
  • Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version
  • Role-Based Access Control (RBAC) should be used on Kubernetes Services
  • Azure Kubernetes Service Clusters should use managed identities
  • Container registries should have anonymous authentication disabled
  • Container registries should have local admin account disabled

Unrelated changes bundled in this PR:

• variable reduction in bicep template when references would have worked.
• fixed all bicep warnings (fixes: cluster-stamp.bicep produces some warnings on deployment #314)
• Removed some empty dependsOn: []

[ferantivero]

w00t nicely done @ckittel, a few comments below to be discussed.

[ferantivero]

w00t great additions @ckittel LGTM 🚀