Azure Kubernetes 服务的 Azure Policy 内置定义Azure Policy built-in definitions for Azure Kubernetes Service

此页是 Azure Kubernetes 服务的 Azure Policy 内置策略定义的索引。This page is an index of Azure Policy built-in policy definitions for Azure Kubernetes Service. 有关其他服务的其他 Azure Policy 内置定义,请参阅 Azure Policy 内置定义For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.

每个内置策略定义链接(指向 Azure 门户中的策略定义)的名称。The name of each built-in policy definition links to the policy definition in the Azure portal. 使用“版本”列中的链接查看 Azure Policy GitHub 存储库上的源。Use the link in the Version column to view the source on the Azure Policy GitHub repo.


(Azure 门户)(Azure portal)
说明Description 效果Effect(s) 版本Version
应在 Kubernetes 服务上定义经授权的 IP 范围Authorized IP ranges should be defined on Kubernetes Services 通过仅向特定范围内的 IP 地址授予 API 访问权限,来限制对 Kubernetes 服务管理 API 的访问。Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. 建议将访问权限限制给已获授权的 IP 范围,以确保只有受允许网络中的应用程序可以访问群集。It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. Audit、DisabledAudit, Disabled
Kubernetes 服务应升级到不易受攻击的 Kubernetes 版本Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version 将 Kubernetes 服务群集升级到更高 Kubernetes 版本,以抵御当前 Kubernetes 版本中的已知漏洞。Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Kubernetes 版本 1.11.9+、1.12.7+、1.13.5+ 和 1.14.0+ 中已修补漏洞 CVE-2019-9946Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+ Audit、DisabledAudit, Disabled
应在 Kubernetes 服务中使用基于角色的访问控制 (RBAC)Role-Based Access Control (RBAC) should be used on Kubernetes Services 若要对用户可以执行的操作提供粒度筛选,请使用基于角色的访问控制 (RBAC) 来管理 Kubernetes 服务群集中的权限并配置相关授权策略。To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. Audit、DisabledAudit, Disabled

后续步骤Next steps