Azure Policy definitions deny effect
The deny
effect is used to prevent a resource request that doesn't match defined standards through a policy definition and fails the request.
Deny evaluation
When creating or updating a matched resource in a Resource Manager mode, deny prevents the request before being sent to the Resource Provider. The request is returned as a 403 (Forbidden)
. In the portal, the Forbidden
can be viewed as a deployment status that was prevented by the policy assignment. For a Resource Provider mode, the resource provider manages the evaluation of the resource.
During evaluation of existing resources, resources that match a deny
policy definition are marked as non-compliant.
Deny properties
For a Resource Manager mode, the deny
effect doesn't have any more properties for use in the then
condition of the policy definition.
For a Resource Provider mode of Microsoft.Kubernetes.Data
, the deny
effect has the following subproperties of details
. Use of templateInfo
is required for new or updated policy definitions as constraintTemplate
is deprecated.
templateInfo
(required)- Can't be used with
constraintTemplate
. sourceType
(required)Defines the type of source for the constraint template. Allowed values:
PublicURL
orBase64Encoded
.If
PublicURL
, paired with propertyurl
to provide location of the constraint template. The location must be publicly accessible.Warning
Don't use SAS URIs or tokens in
url
or anything else that could expose a secret.If
Base64Encoded
, paired with propertycontent
to provide the base 64 encoded constraint template.
- Can't be used with
constraint
(optional)- Can't be used with
templateInfo
. - The CRD implementation of the Constraint template. Uses parameters passed via
values
as{{ .Values.<valuename> }}
. In example 2 below, these values are{{ .Values.excludedNamespaces }}
and{{ .Values.allowedContainerImagesRegex }}
.
- Can't be used with
constraintTemplate
(deprecated)- Can't be used with
templateInfo
. - Must be replaced with
templateInfo
when creating or updating a policy definition. - The Constraint template CustomResourceDefinition (CRD) that defines new Constraints. The template defines the Rego logic, the Constraint schema, and the Constraint parameters that are passed via
values
from Azure Policy. For more information, go to Gatekeeper constraints.
- Can't be used with
constraintInfo
(optional)- Can't be used with
constraint
,constraintTemplate
,apiGroups
, orkinds
. - If
constraintInfo
isn't provided, the constraint can be generated fromtemplateInfo
and policy. sourceType
(required)Defines the type of source for the constraint. Allowed values:
PublicURL
orBase64Encoded
.If
PublicURL
, paired with propertyurl
to provide location of the constraint. The location must be publicly accessible.Warning
Don't use SAS URIs or tokens in
url
or anything else that could expose a secret.
- Can't be used with
namespaces
(optional)- An array of Kubernetes namespaces to limit policy evaluation to.
- An empty or missing value causes policy evaluation to include all namespaces, except the ones defined in
excludedNamespaces
.
excludedNamespaces
(required)- An array of Kubernetes namespaces to exclude from policy evaluation.
labelSelector
(required)- An object that includes
matchLabels
(object) andmatchExpression
(array) properties to allow specifying which Kubernetes resources to include for policy evaluation that matched the provided labels and selectors. - An empty or missing value causes policy evaluation to include all labels and selectors, except namespaces defined in
excludedNamespaces
.
- An object that includes
apiGroups
(required when using templateInfo)- An array that includes the API groups to match. An empty array (
[""]
) is the core API group. - Defining
["*"]
for apiGroups is disallowed.
- An array that includes the API groups to match. An empty array (
kinds
(required when using templateInfo)- An array that includes the kind of Kubernetes object to limit evaluation to.
- Defining
["*"]
for kinds is disallowed.
values
(optional)- Defines any parameters and values to pass to the Constraint. Each value must exist in the Constraint template CRD.
Deny example
Example 1: Using the deny
effect for Resource Manager modes.
"then": {
"effect": "deny"
}
Example 2: Using the deny
effect for a Resource Provider mode of Microsoft.Kubernetes.Data
. The additional information in details.templateInfo
declares use of PublicURL
and sets url
to the location of the Constraint template to use in Kubernetes to limit the allowed container images.
"then": {
"effect": "deny",
"details": {
"templateInfo": {
"sourceType": "PublicURL",
"url": "https://store.policy.core.windows.net/kubernetes/container-allowed-images/v1/template.yaml",
},
"values": {
"imageRegex": "[parameters('allowedContainerImagesRegex')]"
},
"apiGroups": [
""
],
"kinds": [
"Pod"
]
}
}
Next steps
- Review examples at Azure Policy samples.
- Review the Azure Policy definition structure.
- Understand how to programmatically create policies.
- Learn how to get compliance data.
- Learn how to remediate non-compliant resources.
- Review Azure management groups.