Governance Policies Azure Compute AKS - Azure/az-prototype GitHub Wiki
Governance policies for AKS
Domain: azure-compute
| Name | Description |
|---|---|
| AKS with Azure AD RBAC and workload identity | Complete AKS deployment with private cluster, Azure AD RBAC, workload identity, VNet integration, and container monitoring |
| Anti-pattern | Instead |
|---|---|
| Do not use service principal for AKS identity | Use user-assigned managed identity |
| Do not expose API server publicly | Enable private cluster with enablePrivateCluster = true |
| Do not use kubenet network plugin | Use Azure CNI for full VNet integration |
| Do not use pod identity (deprecated) | Use workload identity with OIDC issuer |
- AKS best practices
- AKS private clusters
- AKS workload identity
- AKS Azure AD integration
- WAF: AKS service guide
- Microsoft Defender for Containers
- Azure Policy for AKS
| Check | Severity | Description |
|---|---|---|
| AZ-AKS-001 | Required | Create AKS cluster with Azure AD RBAC, workload identity, private cluster, and managed identity |
| AZ-AKS-002 | Required | Enable OMS agent addon for container monitoring |
| AZ-AKS-003 | Required | Use VNet integration with Azure CNI for network policy support |
| AZ-AKS-004 | Recommended | Use Free tier for POC, Standard tier for production |
| AZ-AKS-005 | Recommended | Enable cluster autoscaler on node pools |
| AZ-AKS-006 | Required | Enable Microsoft Defender for Containers on the cluster |
| AZ-AKS-007 | Required | Enable Azure Policy addon for AKS to enforce pod security and compliance |
| AZ-AKS-008 | Recommended | Disable local accounts and enforce Microsoft Entra ID-only authentication |
| AZ-AKS-009 | Recommended | Use availability zones for AKS node pools |
| AZ-AKS-010 | Recommended | Use NAT gateway for clusters with many concurrent outbound connections |
| AZ-AKS-011 | Recommended | Use the AKS uptime SLA (Standard tier) for production-grade clusters |
Create AKS cluster with Azure AD RBAC, workload identity, private cluster, and managed identity
Severity: Required
Rationale: Azure AD RBAC centralizes access control; workload identity eliminates pod-level secrets; private cluster prevents API server exposure; managed identity eliminates service principal credential management
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.ContainerService/managedClusters
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/privateDnsZones | privatelink.{location}.azmk8s.io | Private DNS zone for AKS private cluster API server resolution |
| Microsoft.Authorization/roleAssignments | Network Contributor | Network Contributor role for AKS identity on the VNet subnet |
Enable OMS agent addon for container monitoring
Severity: Required
Rationale: Container Insights provides CPU, memory, pod health, and log collection for troubleshooting
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
- Microsoft.ContainerService/managedClusters
Use VNet integration with Azure CNI for network policy support
Severity: Required
Rationale: Azure CNI assigns pod IPs from the VNet, enabling NSGs, network policies, and private endpoint connectivity
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.ContainerService/managedClusters
Use Free tier for POC, Standard tier for production
Severity: Recommended
Rationale: Free tier has a limited SLA; Standard tier provides a 99.95% uptime SLA
Agents: cloud-architect, cost-analyst
- Microsoft.ContainerService/managedClusters
Enable cluster autoscaler on node pools
Severity: Recommended
Rationale: Automatically scales nodes based on pod scheduling demand; reduces idle cost
Agents: terraform-agent, bicep-agent, cloud-architect, cost-analyst
- Microsoft.ContainerService/managedClusters
Enable Microsoft Defender for Containers on the cluster
Severity: Required
Rationale: WAF Security: Provides runtime threat detection, vulnerability scanning, and security monitoring for clusters, containers, and applications
Agents: cloud-architect, security-reviewer
- Microsoft.ContainerService/managedClusters
Enable Azure Policy addon for AKS to enforce pod security and compliance
Severity: Required
Rationale: WAF Security: Azure Policy applies at-scale enforcement and safeguards on clusters in a centralized, consistent manner, controlling pod functions and detecting policy violations
Agents: cloud-architect, terraform-agent, bicep-agent, security-reviewer
- Microsoft.ContainerService/managedClusters
Disable local accounts and enforce Microsoft Entra ID-only authentication
Severity: Recommended
Rationale: WAF Security: Disabling local accounts ensures all cluster access flows through Microsoft Entra ID, providing centralized identity and auditable access control
Agents: cloud-architect, terraform-agent, bicep-agent, security-reviewer
- Microsoft.ContainerService/managedClusters
Use availability zones for AKS node pools
Severity: Recommended
Rationale: WAF Reliability: Distributes AKS agent nodes across physically separate datacenters, ensuring nodes continue running even if one zone goes down
Agents: cloud-architect, terraform-agent, bicep-agent
- Microsoft.ContainerService/managedClusters
Use NAT gateway for clusters with many concurrent outbound connections
Severity: Recommended
Rationale: WAF Reliability: NAT Gateway supports reliable egress traffic at scale, avoiding reliability problems from Azure Load Balancer SNAT port exhaustion
Agents: cloud-architect, terraform-agent, bicep-agent
- Microsoft.ContainerService/managedClusters
Use the AKS uptime SLA (Standard tier) for production-grade clusters
Severity: Recommended
Rationale: WAF Reliability: Standard tier provides a 99.95% uptime SLA for the Kubernetes API server endpoint, a higher availability guarantee than the Free tier offers
Agents: cloud-architect, cost-analyst
- Microsoft.ContainerService/managedClusters
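As an added example (not the az-prototype project's own code), the following Python evaluates the AZ-AKS checks listed on this page against the JSON form of a Microsoft.ContainerService/managedClusters resource, as `az aks show -o json` returns it; the property paths are those of the managedClusters API, and the non-compliant sample cluster is constructed. AZ-AKS-004 is skipped because it is a decision about the environment rather than a property of the resource.

```python
# Added example (not the az-prototype project's own code): evaluate the AZ-AKS-* checks above
# against a Microsoft.ContainerService/managedClusters resource as `az aks show -o json` returns it.
REQUIRED = {"AZ-AKS-001", "AZ-AKS-002", "AZ-AKS-003", "AZ-AKS-006", "AZ-AKS-007"}

def _get(obj, path: str):
    """Walk a dotted path through nested dicts; None on any miss (ARM omits unset properties)."""
    for key in path.split("."):
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj

def evaluate(cluster: dict) -> dict[str, bool]:
    """Map each check id to True (compliant) or False. AZ-AKS-004 is an environment decision not recorded on the resource, so it is skipped."""
    p = cluster.get("properties") or {}
    pools = p.get("agentPoolProfiles") or []
    addons = {k.lower(): v for k, v in (p.get("addonProfiles") or {}).items()}
    return {
        "AZ-AKS-001": all([
            _get(p, "aadProfile.managed") is True and _get(p, "aadProfile.enableAzureRBAC") is True,
            _get(p, "oidcIssuerProfile.enabled") is True,          # OIDC issuer, required by workload identity
            _get(p, "securityProfile.workloadIdentity.enabled") is True,
            _get(p, "apiServerAccessProfile.enablePrivateCluster") is True,
            _get(cluster, "identity.type") == "UserAssigned",      # managed identity, not a service principal
        ]),
        "AZ-AKS-002": _get(addons, "omsagent.enabled") is True,
        "AZ-AKS-003": _get(p, "networkProfile.networkPlugin") == "azure" and _get(p, "networkProfile.networkPolicy") is not None,
        "AZ-AKS-005": bool(pools) and all(pool.get("enableAutoScaling") for pool in pools),
        "AZ-AKS-006": _get(p, "securityProfile.defender.securityMonitoring.enabled") is True,
        "AZ-AKS-007": _get(addons, "azurepolicy.enabled") is True,
        "AZ-AKS-008": p.get("disableLocalAccounts") is True,
        "AZ-AKS-009": bool(pools) and all(pool.get("availabilityZones") for pool in pools),
        "AZ-AKS-010": _get(p, "networkProfile.outboundType") in ("managedNATGateway", "userAssignedNATGateway"),
        "AZ-AKS-011": _get(cluster, "sku.tier") in ("Standard", "Premium"),  # Premium also carries the SLA
    }

def required_failures(cluster: dict) -> list[str]:
    """Ids of Required checks the cluster fails; a non-empty list should block the deployment."""
    return sorted(cid for cid, ok in evaluate(cluster).items() if not ok and cid in REQUIRED)

# Constructed sample: public API server, kubenet, no Defender or Azure Policy, local accounts on.
SAMPLE_NONCOMPLIANT = {
    "sku": {"tier": "Free"}, "identity": {"type": "SystemAssigned"},
    "properties": {
        "aadProfile": {"managed": True, "enableAzureRBAC": False},
        "apiServerAccessProfile": {"enablePrivateCluster": False},
        "networkProfile": {"networkPlugin": "kubenet", "outboundType": "loadBalancer"},
        "addonProfiles": {"omsagent": {"enabled": True}, "azurepolicy": {"enabled": False}},
        "agentPoolProfiles": [{"name": "system", "enableAutoScaling": True, "availabilityZones": ["1", "2"]}],
        "disableLocalAccounts": False,
    },
}
```

Running `required_failures(SAMPLE_NONCOMPLIANT)` yields AZ-AKS-001, -003, -006 and -007, the Required checks the sample violates.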