Azure Policy built-in definitions for Azure Container Registry

This page is an index of Azure Policy built-in policy definitions for Azure Container Registry. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.

The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.

Azure Container Registry

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Container Registries should be encrypted with a Customer-Managed Key (CMK) | Audit Container Registries that do not have encryption enabled with Customer-Managed Keys (CMK). For more information on CMK encryption, please visit: https://aka.ms/acr/CMK. | Audit, Disabled | 1.0.0 |
| Container Registries should not allow unrestricted network access | Audit Container Registries that do not have any Network (IP or VNET) Rules configured and allow all network access by default. Container Registries with at least one IP / Firewall rule or configured virtual network will be deemed compliant. For more information on Container Registry Network rules, please visit: https://aka.ms/acr/vnet. | Audit, Disabled | 1.0.0 |
| Container Registries should use private links | Audit Container Registries that do not have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/acr/private-link. | Audit, Disabled | 1.0.0 |
| Container Registry should use a virtual network service endpoint | This policy audits any Container Registry not configured to use a virtual network service endpoint. | Audit, Disabled | 1.0.0 |
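All four built-ins above ship only with the Audit and Disabled effects, so an assignment reports non-compliant registries but never blocks a deployment. The script below is an added example (not Microsoft's policy definitions and not code from this page) that evaluates registry resource JSON locally against the four descriptions in the table, so a team can catch a non-compliant registry before it is deployed or run the same checks over an exported `az resource list` output. The property paths follow the `Microsoft.ContainerRegistry/registries` ARM resource schema (`properties.encryption.status`, `properties.networkRuleSet`, `properties.privateEndpointConnections`); the rule logic is my reading of the description text, which is an assumption, not the published policy JSON. The sample registries are constructed for the example.

```python
"""Local pre-check of ACR resource JSON against the four Azure Policy built-ins
listed on this page. Added example: the checks mirror the policy *descriptions*,
not the published policy rule JSON (assumption); confirm against the source
linked in the Version column before relying on them."""
from typing import Any, Callable

# Constructed sample resources shaped like Microsoft.ContainerRegistry/registries.
# A freshly created registry: platform-managed keys, public access, no private link.
DEFAULT_REGISTRY: dict[str, Any] = {
    "name": "acrdefault",
    "type": "Microsoft.ContainerRegistry/registries",
    "properties": {
        "encryption": {"status": "disabled"},
        "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
        "privateEndpointConnections": [],
    },
}

# Hardened: CMK, an IP rule and a VNet rule, and an approved private endpoint.
HARDENED_REGISTRY: dict[str, Any] = {
    "name": "acrhardened",
    "type": "Microsoft.ContainerRegistry/registries",
    "properties": {
        "encryption": {"status": "enabled"},
        "networkRuleSet": {
            "defaultAction": "Deny",
            "ipRules": [{"action": "Allow", "value": "203.0.113.0/24"}],
            "virtualNetworkRules": [{"action": "Allow", "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/acr"}],
        },
        "privateEndpointConnections": [
            {"properties": {"privateLinkServiceConnectionState": {"status": "Approved"}}}
        ],
    },
}

# Edge case: defaultAction Deny with no rules at all, and a private endpoint
# that was requested but never approved.
DENY_NO_RULES_REGISTRY: dict[str, Any] = {
    "name": "acrdenynorules",
    "type": "Microsoft.ContainerRegistry/registries",
    "properties": {
        "encryption": {"status": "enabled"},
        "networkRuleSet": {"defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": []},
        "privateEndpointConnections": [
            {"properties": {"privateLinkServiceConnectionState": {"status": "Pending"}}}
        ],
    },
}


def _props(registry: dict[str, Any]) -> dict[str, Any]:
    return registry.get("properties", {})


def cmk_encrypted(registry: dict[str, Any]) -> bool:
    """Policy 1: encryption with a customer-managed key is enabled."""
    return _props(registry).get("encryption", {}).get("status", "disabled").lower() == "enabled"


def network_restricted(registry: dict[str, Any]) -> bool:
    """Policy 2, as described: at least one IP rule or VNet rule is configured.
    The description keys on rules being present, not on defaultAction."""
    rules = _props(registry).get("networkRuleSet", {})
    return bool(rules.get("ipRules")) or bool(rules.get("virtualNetworkRules"))


def has_approved_private_endpoint(registry: dict[str, Any]) -> bool:
    """Policy 3: at least one private endpoint connection in state Approved."""
    for conn in _props(registry).get("privateEndpointConnections", []):
        state = conn.get("properties", {}).get("privateLinkServiceConnectionState", {})
        if state.get("status", "").lower() == "approved":
            return True
    return False


def uses_service_endpoint(registry: dict[str, Any]) -> bool:
    """Policy 4: a virtual network (service endpoint) rule is configured."""
    return bool(_props(registry).get("networkRuleSet", {}).get("virtualNetworkRules"))


# Display names exactly as in the table above, paired with the local check.
POLICIES: list[tuple[str, Callable[[dict[str, Any]], bool]]] = [
    ("Container Registries should be encrypted with a Customer-Managed Key (CMK)", cmk_encrypted),
    ("Container Registries should not allow unrestricted network access", network_restricted),
    ("Container Registries should use private links", has_approved_private_endpoint),
    ("Container Registry should use a virtual network service endpoint", uses_service_endpoint),
]


def evaluate(registry: dict[str, Any]) -> dict[str, bool]:
    """Map each policy display name to True (compliant) or False."""
    return {name: check(registry) for name, check in POLICIES}


def non_compliant(registry: dict[str, Any]) -> list[str]:
    """Display names of the policies this registry would be flagged by."""
    return [name for name, ok in evaluate(registry).items() if not ok]


if __name__ == "__main__":
    for reg in (DEFAULT_REGISTRY, HARDENED_REGISTRY, DENY_NO_RULES_REGISTRY):
        print(reg["name"], "->", non_compliant(reg) or "compliant")
```

The `DENY_NO_RULES_REGISTRY` case is worth noting: `defaultAction: Deny` with no rules is the most restrictive network setting, yet the description of the unrestricted-network-access policy only counts registries that have at least one IP or virtual network rule as compliant, so a local check that follows the text flags it. If that matters for your environment, read the policy rule on GitHub through the Version link rather than the description. Because the built-ins offer no Deny effect, blocking a non-compliant registry at deployment time requires a custom policy definition with the same conditions and `"effect": "Deny"`.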

Next steps