Audit compliance of Azure container registries using Azure Policy

Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

This article introduces the built-in policies for Azure Container Registry. Use these policies to audit new and existing registries for compliance.

There are no charges for using Azure Policy.

Built-in policy definitions

The following built-in policy definitions are specific to Azure Container Registry:

Name: Container Registries should be encrypted with a Customer-Managed Key (CMK)
Description: Audit container registries that do not have encryption enabled with customer-managed keys (CMK). For more information on CMK encryption, see https://docs.azure.cn/container-registry/container-registry-customer-managed-keys.
Effect(s): Audit, Disabled
Version: 1.0.0-preview
GitHub: Link

Name: Container Registries should not allow unrestricted network access
Description: Audit container registries that have no network (IP or VNet) rules configured and therefore allow all network access by default. A registry with at least one IP/firewall rule or a configured virtual network is deemed compliant. For more information on container registry network rules, see https://docs.azure.cn/container-registry/container-registry-vnet.
Effect(s): Audit, Disabled
Version: 1.0.0-preview
GitHub: Link

See also the built-in network policy definition: Container Registry should use a virtual network service endpoint.

Assign policies

Note

After you assign or update a policy, it takes some time for the assignment to be applied to the resources in the defined scope. See the information about policy evaluation triggers.

Review policy compliance

Access the compliance information generated by your policy assignments using the Azure portal, the Azure command-line tools, or the Azure Policy SDKs. For details, see Get compliance data of Azure resources.

When a resource is non-compliant, there are many possible reasons. To determine the reason, or to find the change responsible, see Determine non-compliance.

Policy compliance in the portal:

  1. Select All services, and search for Policy.

  2. Select Compliance.

  3. Use the filters to limit compliance states or to search for policies.

    (Screenshot: Policy compliance in the portal)

  4. Select a policy to review aggregate compliance details and events. If desired, then select a specific registry to see its resource compliance.

Policy compliance in the Azure CLI

You can also use the Azure CLI to get compliance data. For example, use the az policy assignment list command to get the IDs of the policy assignments for the Azure Container Registry policies that are applied (the query matches on the display name shared by both built-in definitions):

az policy assignment list --query "[?contains(displayName,'Container Registries')].{name:displayName, ID:id}" --output table

Sample output:

Name                                                                                   ID
------------------------------------------------------------------------------------- --------------------------------------------------------------------------------------------------------------------------------
Container Registries should not allow unrestricted network access           /subscriptions/<subscriptionID>/providers/Microsoft.Authorization/policyAssignments/b4faf132dc344b84ba68a441
Container Registries should be encrypted with a Customer-Managed Key (CMK)  /subscriptions/<subscriptionID>/providers/Microsoft.Authorization/policyAssignments/cce1ed4f38a147ad994ab60a

Then run az policy state list to return the JSON-formatted compliance state of all resources evaluated under a specific policy assignment, passing the assignment ID from the previous output as <policyID>:

az policy state list \
  --resource <policyID>

Or run az policy state list to return the JSON-formatted compliance state of a specific registry resource, such as myregistry:

az policy state list \
 --resource myregistry \
 --namespace Microsoft.ContainerRegistry \
 --resource-type registries \
 --resource-group myresourcegroup
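The JSON that az policy state list returns is a flat list of evaluation records, one per (resource, policy assignment) pair, and it can contain several evaluations of the same pair over time. The following script is an added example (not from this page or from Azure's own tooling) showing how to reduce that output to a per-registry verdict: it keeps only the newest record for each pair, then lists which assignments each registry currently violates. The records embedded below are constructed; only the field names (complianceState, resourceId, policyAssignmentId, timestamp, and so on) follow the Azure Policy state schema, while the subscription GUID, the timestamps and the registry name hardenedregistry are placeholders. The two assignment IDs reuse the ones from the sample output above, and the file name acr_compliance.py in the usage comment is hypothetical.

```python
"""Summarize Azure Policy compliance records for container registries.

Reads the JSON array printed by `az policy state list ... -o json`, keeps the
newest evaluation per (registry, policy assignment) pair, and lists which
assignments each registry currently violates.
"""
import json
import sys
from datetime import datetime

# Constructed sample data (not real Azure output). Field names match the Azure
# Policy state schema; the subscription GUID, timestamps and the registry
# "hardenedregistry" are placeholders. The assignment IDs are the two shown in
# the sample output above.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
NET_ASSIGNMENT = f"{SUB}/providers/Microsoft.Authorization/policyAssignments/b4faf132dc344b84ba68a441"
CMK_ASSIGNMENT = f"{SUB}/providers/Microsoft.Authorization/policyAssignments/cce1ed4f38a147ad994ab60a"

# State records carry only assignment IDs; display names come from
# `az policy assignment list`, so the mapping is supplied separately.
SAMPLE_ASSIGNMENT_NAMES = {
    NET_ASSIGNMENT: "Container Registries should not allow unrestricted network access",
    CMK_ASSIGNMENT: "Container Registries should be encrypted with a Customer-Managed Key (CMK)",
}


def _record(registry, assignment, state, timestamp):
    """Build one constructed state record in the shape az policy state list returns."""
    return {
        "complianceState": state,
        "isCompliant": state == "Compliant",
        "policyAssignmentId": assignment.lower(),  # Azure lower-cases IDs in state records
        "policyAssignmentName": assignment.rsplit("/", 1)[-1],
        "policyDefinitionAction": "audit",
        "resourceGroup": "myresourcegroup",
        "resourceId": f"{SUB}/resourcegroups/myresourcegroup/providers/"
                      f"microsoft.containerregistry/registries/{registry}",
        "resourceType": "Microsoft.ContainerRegistry/registries",
        "timestamp": timestamp,
    }


SAMPLE_RECORDS = [
    # An older compliant evaluation, superseded by a newer non-compliant one:
    _record("myregistry", NET_ASSIGNMENT, "Compliant", "2020-05-01T08:00:00.1234567Z"),
    _record("myregistry", NET_ASSIGNMENT, "NonCompliant", "2020-05-26T18:35:42.7654321Z"),
    _record("myregistry", CMK_ASSIGNMENT, "Compliant", "2020-05-26T18:35:42.7654321Z"),
    _record("hardenedregistry", NET_ASSIGNMENT, "Compliant", "2020-05-26T18:35:42.7654321Z"),
    _record("hardenedregistry", CMK_ASSIGNMENT, "Compliant", "2020-05-26T18:35:42.7654321Z"),
]


def parse_timestamp(ts):
    """Parse Azure's ISO-8601 UTC timestamp. Azure emits seven fractional digits,
    which datetime.fromisoformat rejects on older Pythons, so truncate to six."""
    ts = ts.rstrip("Z")
    if "." in ts:
        base, frac = ts.split(".", 1)
        ts = f"{base}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(ts)


def registry_name(resource_id):
    """Last segment of an ARM resource ID, e.g. .../registries/myregistry -> myregistry."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]


def latest_states(records):
    """Keep only the newest record per (registry, assignment); only the latest
    evaluation of a pair reflects the current state. Non-registry records are skipped."""
    latest = {}
    for rec in records:
        if rec.get("resourceType", "").lower() != "microsoft.containerregistry/registries":
            continue
        key = (rec["resourceId"].lower(), rec["policyAssignmentId"].lower())
        ts = parse_timestamp(rec["timestamp"])
        if key not in latest or ts > latest[key][0]:
            latest[key] = (ts, rec)
    return [rec for _, rec in latest.values()]


def summarize(records, assignment_names=None):
    """Map registry name -> sorted display names of the assignments it violates
    (an empty list means the registry is compliant with every assignment)."""
    names = {k.lower(): v for k, v in (assignment_names or {}).items()}
    result = {}
    for rec in latest_states(records):
        violations = result.setdefault(registry_name(rec["resourceId"]), set())
        if rec["complianceState"].lower() != "compliant":
            aid = rec["policyAssignmentId"].lower()
            violations.add(names.get(aid, rec["policyAssignmentName"]))
    return {reg: sorted(v) for reg, v in result.items()}


if __name__ == "__main__":
    # Usage: az policy state list --resource <policyID> -o json > states.json
    #        python acr_compliance.py states.json   (no argument: run on the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            records = json.load(fh)
    else:
        records = SAMPLE_RECORDS
    for reg, violations in sorted(summarize(records, SAMPLE_ASSIGNMENT_NAMES).items()):
        status = "NonCompliant" if violations else "Compliant"
        print(f"{reg:<20} {status:<13} {'; '.join(violations)}")
```

Run against the constructed sample, myregistry is reported as non-compliant only with the network-access assignment (its older compliant evaluation is superseded), and hardenedregistry is compliant with both. Keying the de-duplication on lower-cased IDs matters because Azure lower-cases resource and assignment IDs in state records while az policy assignment list prints them in mixed case.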

Next steps