Use Azure Policy to restrict extension installation on Linux VMs

If you want to prevent certain extensions from being used or installed on your Linux VMs, you can create an Azure Policy definition with the Azure CLI that denies those extensions on VMs within a resource group.

This tutorial uses the CLI in Azure Cloud Shell, which is kept at the latest version. If you run the Azure CLI locally instead, you need version 2.0.26 or later; run az --version to check. If you need to install or upgrade, see Install Azure CLI.

Create a rules file

To restrict which extensions can be installed, you need a rule that provides the logic for identifying the extension.

This example denies installation of extensions published by 'Microsoft.OSTCExtensions' by creating a rules file. If you are working with the CLI locally, you can create a local file instead and replace the path (<your_file_path>) with the path to the file on your machine.

vim <your_file_path>/azurepolicy.rules.json

Copy and paste the following .json into the file. VM extensions are child resources of the Microsoft.Compute resource provider, so the rule matches on the resource type Microsoft.Compute/virtualMachines/extensions and on the publisher and type aliases under that type; the publisher field, not the resource type, carries the value Microsoft.OSTCExtensions. A rule that instead names a non-existent type such as Microsoft.OSTCExtensions/virtualMachines/extensions never matches any request, so its deny effect would never fire.

{
    "if": {
        "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines/extensions"
            },
            {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.OSTCExtensions"
            },
            {
                "field": "Microsoft.Compute/virtualMachines/extensions/type",
                "in": "[parameters('notAllowedExtensions')]"
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}

When you are done, press Esc and then type :wq to save and close the file.

Create a parameters file

You also need a parameters file, which defines the structure used to pass in the list of extensions to block.

This example shows how to create a parameters file for Linux VMs. If you are working with the CLI locally, you can create a local file instead and replace the path (<your_file_path>) with the path to the file on your machine.

vim <your_file_path>/azurepolicy.parameters.json

Copy and paste the following .json into the file.

{
    "notAllowedExtensions": {
        "type": "Array",
        "metadata": {
            "description": "The list of extensions that will be denied. Example: CustomScriptForLinux, VMAccessForLinux etc.",
            "displayName": "Denied extension"
        }
    }
}

When you are done, press Esc and then type :wq to save and close the file.

Create the policy

A policy definition is the object that stores the configuration you want to enforce. It is built from the rules and parameters files; create it with az policy definition create.

In this example, the rules and parameters are the .json files you created in the shell's working directory, so the paths below are relative.

az policy definition create \
   --name 'not-allowed-vmextension-linux' \
   --display-name 'Block VM Extensions' \
   --description 'This policy governs which VM extensions that are blocked.' \
   --rules 'azurepolicy.rules.json' \
   --params 'azurepolicy.parameters.json' \
   --mode All

Assign the policy

This example assigns the policy to a resource group with az policy assignment create. Once the assignment is in effect, no VM in the myResourceGroup resource group, new or existing, can have the Linux VM Access or the Custom Script for Linux extension (both published by Microsoft.OSTCExtensions) installed. Deny only blocks new create and update requests: extensions installed before the assignment stay in place and are reported as non-compliant. The resource group must exist before you can assign the policy, and Azure notes that a new assignment can take around 30 minutes to be applied.

Use az account list (or az account show) to get your subscription ID and substitute it for <subscription Id> in the example.

az policy assignment create \
   --name 'not-allowed-vmextension-linux' \
   --scope /subscriptions/<subscription Id>/resourceGroups/myResourceGroup \
   --policy "not-allowed-vmextension-linux" \
   --params '{
        "notAllowedExtensions": {
            "value": [
                "VMAccessForLinux",
                "CustomScriptForLinux"
            ]
        }
    }'
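
Before assigning, it helps to check what the rule file and the parameter values would actually match. The following Python script is an added example, not code from this page or from Azure Policy: it re-implements only the pieces of policy evaluation this rule uses (allOf, anyOf, not, equals, in, the [parameters('...')] expression, and case-insensitive string comparison) and runs them over constructed extension resource records shaped like the ARM documents that az vm user update or az vm extension set submit. The records are constructed for the example; the contrast cases are the Custom Script v2 extension (publisher Microsoft.Azure.Extensions, type CustomScript) and the LinuxDiagnostic extension from the same Microsoft.OSTCExtensions publisher. The script also evaluates the variant of the rule that names a Microsoft.OSTCExtensions resource type, to show that such a rule never fires.

```python
"""Dry-run the extension-deny rule against constructed extension resources.

This is a simplified evaluator for the rule on this page, not Azure Policy
itself: it handles allOf/anyOf/not, equals, in, the [parameters('x')]
expression and case-insensitive string compare, which is all this rule needs.
"""
import json

# The rule file from this page (Microsoft.Compute aliases, which is the
# resource provider that owns VM extensions).
RULES = {
    "if": {
        "allOf": [
            {"field": "type",
             "equals": "Microsoft.Compute/virtualMachines/extensions"},
            {"field": "Microsoft.Compute/virtualMachines/extensions/publisher",
             "equals": "Microsoft.OSTCExtensions"},
            {"field": "Microsoft.Compute/virtualMachines/extensions/type",
             "in": "[parameters('notAllowedExtensions')]"},
        ]
    },
    "then": {"effect": "deny"},
}

# The same values passed with --params in az policy assignment create.
PARAMS = {"notAllowedExtensions": ["VMAccessForLinux", "CustomScriptForLinux"]}

# A variant that names a resource type that does not exist
# (Microsoft.OSTCExtensions/...); kept here to show that it matches nothing.
BROKEN_RULES = json.loads(json.dumps(RULES).replace(
    "Microsoft.Compute/virtualMachines/extensions",
    "Microsoft.OSTCExtensions/virtualMachines/extensions"))


def resolve(value, params):
    """Substitute the only template expression this rule uses, [parameters('x')]."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value


def get_field(resource, field):
    """Read a policy field from an ARM-style resource document.

    'type' is the resource type. An alias such as
    Microsoft.Compute/virtualMachines/extensions/publisher reads
    properties.publisher, but only on a resource of that type; on any other
    type the alias has no value (None). Only one-level property names are
    handled, which is all this rule uses.
    """
    if field.lower() == "type":
        return resource.get("type")
    rtype = resource.get("type", "")
    prefix = rtype.lower() + "/"
    rest = field[len(prefix):]
    if rtype and field.lower().startswith(prefix) and "/" not in rest:
        return resource.get("properties", {}).get(rest)
    return None


def _norm(value):
    # Azure Policy compares strings case-insensitively.
    return value.lower() if isinstance(value, str) else value


def matches(cond, resource, params):
    """Evaluate one condition block of a policy rule."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = _norm(get_field(resource, cond["field"]))
    if "equals" in cond:
        return actual == _norm(resolve(cond["equals"], params))
    if "in" in cond:
        return actual in [_norm(v) for v in resolve(cond["in"], params)]
    raise ValueError(f"unsupported condition: {cond}")


def effect_for(resource, rules=RULES, params=PARAMS):
    """Return the effect the rule applies to this request, or 'none' when the
    rule does not match and the request proceeds untouched by this policy."""
    return rules["then"]["effect"] if matches(rules["if"], resource, params) else "none"


def extension(publisher, ext_type, name="myVM/ext"):
    """Constructed extension resource, shaped like what the CLI submits."""
    return {"type": "Microsoft.Compute/virtualMachines/extensions",
            "name": name,
            "properties": {"publisher": publisher, "type": ext_type}}


if __name__ == "__main__":
    samples = [
        extension("Microsoft.OSTCExtensions", "VMAccessForLinux"),     # what az vm user update deploys
        extension("microsoft.ostcextensions", "customscriptforlinux"),  # different case, still denied
        extension("Microsoft.Azure.Extensions", "CustomScript"),        # Custom Script v2, other publisher
        extension("Microsoft.OSTCExtensions", "LinuxDiagnostic"),       # same publisher, not in the list
        {"type": "Microsoft.Compute/virtualMachines", "name": "myVM", "properties": {}},
    ]
    for r in samples:
        p = r["properties"]
        print(f"{r['type']:44} {p.get('publisher', '-'):26} {p.get('type', '-'):22} -> {effect_for(r)}")
    print("Microsoft.OSTCExtensions-type rule vs VMAccessForLinux ->",
          effect_for(samples[0], BROKEN_RULES))
```

Two things the run makes visible. The rule is scoped to one publisher, so a functionally equivalent extension from another publisher (the newer CustomScript from Microsoft.Azure.Extensions) is not blocked unless you add it as a second rule or broaden the match; and a wrong resource type silently turns a deny policy into a no-op. Neither check replaces az policy state for inspecting real compliance results.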

Test the policy

Test the policy by creating a new VM and then trying to add a user through the VM Access extension. Creating the VM itself succeeds, because the rule only matches extension resources.

az vm create \
    --resource-group myResourceGroup \
    --name myVM \
    --image UbuntuLTS \
    --generate-ssh-keys

Try to create a user named myNewUser with the VM Access extension. az vm user update works by deploying the VMAccessForLinux extension from publisher Microsoft.OSTCExtensions, which is exactly what the assignment denies, so the command should fail with a RequestDisallowedByPolicy error that identifies the not-allowed-vmextension-linux assignment. Note that passing --password on the command line leaves the secret in your shell history; outside of a throwaway test VM, prefer --ssh-key-value.

az vm user update \
  --resource-group myResourceGroup \
  --name myVM \
  --username myNewUser \
  --password 'mynewuserpwd123!'

Remove the assignment

Delete the assignment first: a definition that still has assignments cannot be deleted.

az policy assignment delete --name 'not-allowed-vmextension-linux' --resource-group myResourceGroup

Remove the policy

az policy definition delete --name 'not-allowed-vmextension-linux'

Next steps

For more information, see Azure Policy.