Built-in Policy Release 3d9b970a (#1389)

Co-authored-by: Azure Policy Bot <[email protected]>

built-in-policies/policyDefinitions/Azure Government/Kubernetes/BlockNakedPods.json

@@ -5,10 +5,10 @@
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs",
     "metadata": {
-      "version": "3.1.0",
+      "version": "3.2.0",
       "category": "Kubernetes"
     },
-    "version": "3.1.0",
+    "version": "3.2.0",
     "parameters": {
       "effect": {
         "type": "String",
@@ -116,6 +116,7 @@
       "then": {
         "effect": "[parameters('effect')]",
         "details": {
+          "source": "Original",
           "templateInfo": {
             "sourceType": "PublicURL",
             "url": "https://store.policy.azure.us/kubernetes/block-naked-pods/v1/template.yaml"
@@ -133,6 +134,7 @@
       }
     },
     "versions": [
+      "3.2.0",
       "3.1.0"
     ]
   },

built-in-policies/policyDefinitions/Azure Government/Kubernetes/CannotEditIndividualNodes.json

@@ -5,11 +5,11 @@
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks.",
     "metadata": {
-      "version": "1.0.4-preview",
+      "version": "1.1.0-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.0.4-preview",
+    "version": "1.1.0-preview",
     "parameters": {
       "effect": {
         "type": "String",
@@ -108,14 +108,25 @@
         "metadata": {
           "displayName": "Allowed Users",
           "description": "Users that are allowed by deployment safeguards to modify node labels on individual nodes."
-        }
+        },
+        "defaultValue": [
+          "nodeclient",
+          "system:serviceaccount:kube-system:aci-connector-linux",
+          "system:serviceaccount:kube-system:node-controller",
+          "acsService",
+          "aksService",
+          "system:serviceaccount:kube-system:cloud-node-manager"
+        ]
       },
       "allowedGroups": {
         "type": "Array",
         "metadata": {
           "displayName": "Allowed Groups",
           "description": "Groups that are allowed by deployment safeguards to modify node labels on individual nodes."
-        }
+        },
+        "defaultValue": [
+          "system:node"
+        ]
       }
     },
     "policyRule": {
@@ -147,6 +158,7 @@
       }
     },
     "versions": [
+      "1.1.0-PREVIEW",
       "1.0.4-PREVIEW",
       "1.0.3-PREVIEW"
     ]

built-in-policies/policyDefinitions/Cache/RedisCacheEnterprise_PrivateEndpoint_DINE.json

@@ -4,9 +4,9 @@
     "description": "Private endpoints let you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis Enterprise resources, you can reduce data leakage risks. Learn more at: https://aka.ms/redis/privateendpoint.",
     "metadata": {
       "category": "Cache",
-      "version": "1.0.0"
+      "version": "1.1.0"
     },
-    "version": "1.0.0",
+    "version": "1.1.0",
     "policyType": "BuiltIn",
     "mode": "Indexed",
     "parameters": {
@@ -46,7 +46,7 @@
             "equals": "Approved"
           },
           "roleDefinitionIds": [
-            "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17"
+            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
           ],
           "deployment": {
             "properties": {
@@ -123,7 +123,7 @@
                                   "properties": {
                                     "privateLinkServiceId": "[parameters('serviceId')]",
                                     "groupIds": [
-                                      "redisCache"
+                                      "redisEnterprise"
                                     ],
                                     "requestMessage": "autoapprove"
                                   }
@@ -155,6 +155,7 @@
       }
     },
     "versions": [
+      "1.1.0",
       "1.0.0"
     ]
   },

built-in-policies/policyDefinitions/Kubernetes/BlockNakedPods.json

@@ -5,16 +5,17 @@
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Block usage of naked Pods. Naked Pods will not be rescheduled in the event of a node failure. Pods should be managed by Deployment, Replicset, Daemonset or Jobs",
     "metadata": {
-      "version": "2.2.0",
+      "version": "2.3.0",
       "category": "Kubernetes"
     },
-    "version": "2.2.0",
+    "version": "2.3.0",
     "parameters": {
       "source": {
         "type": "String",
         "metadata": {
           "displayName": "Source",
-          "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+          "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones.",
+          "deprecated": true
         },
         "defaultValue": "Original",
         "allowedValues": [
@@ -137,7 +138,7 @@
       "then": {
         "effect": "[parameters('effect')]",
         "details": {
-          "source": "[parameters('source')]",
+          "source": "Original",
           "warn": "[parameters('warn')]",
           "templateInfo": {
             "sourceType": "PublicURL",
@@ -156,6 +157,7 @@
       }
     },
     "versions": [
+      "2.3.0",
       "2.2.0",
       "2.1.0"
     ]

built-in-policies/policyDefinitions/Kubernetes/CannotEditIndividualNodes.json

@@ -5,11 +5,11 @@
     "mode": "Microsoft.Kubernetes.Data",
     "description": "Cannot Edit Individual Nodes. Users should not edit individual nodes. Please edit node pools. Modifying individual nodes can lead to inconsistent settings, operational challenges, and potential security risks.",
     "metadata": {
-      "version": "1.2.0-preview",
+      "version": "1.3.0-preview",
       "category": "Kubernetes",
       "preview": true
     },
-    "version": "1.2.0-preview",
+    "version": "1.3.0-preview",
     "parameters": {
       "source": {
         "type": "String",
@@ -129,14 +129,25 @@
         "metadata": {
           "displayName": "Allowed Users",
           "description": "Users that are allowed by deployment safeguards to modify node labels on individual nodes."
-        }
+        },
+        "defaultValue": [
+          "nodeclient",
+          "system:serviceaccount:kube-system:aci-connector-linux",
+          "system:serviceaccount:kube-system:node-controller",
+          "acsService",
+          "aksService",
+          "system:serviceaccount:kube-system:cloud-node-manager"
+        ]
       },
       "allowedGroups": {
         "type": "Array",
         "metadata": {
           "displayName": "Allowed Groups",
           "description": "Groups that are allowed by deployment safeguards to modify node labels on individual nodes."
-        }
+        },
+        "defaultValue": [
+          "system:node"
+        ]
       }
     },
     "policyRule": {
@@ -170,6 +181,7 @@
       }
     },
     "versions": [
+      "1.3.0-PREVIEW",
       "1.2.0-PREVIEW",
       "1.1.1-PREVIEW",
       "1.1.0-PREVIEW",