Xinhe Li

Results 15 comments of Xinhe Li

My personal opinion is not to add such a map-structure parameter. Because it is sort of like the policy is one duplicated configuration of cluster and it will improve the usage...

```
- containerID: containerd://21053c86855ad16dfbe7a759f45225f7ec523e120e983e29d2c8aa8289a5cab7
  image: docker.io/rancher/local-path-provisioner:v0.0.14
  imageID: sha256:e422121c9c5f97623245b7e600eeb5e223ee623f21fa04da985ae71057d8d70b
```

imageID will not always show the registry of docker.io. It will cause confusion if the unstable function

Thx for the suggestion and idea. Currently will not adopt the suggestion because it cannot absolutely solve the docker.io missing and will cause some usage confusions

@RamyasreeChakka I think I already picked up this change in internal repo https://github.com/Azure/azure-policy/blob/914cf50c1bb326c0540b4b06df3f6d762b11a88c/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json#L108

Currently, azure policy does not support checking two linked k8s resources together (reading the ingressClass when validating ingress). It may need a long term change for it. For a short...

ingressClassName in fact can be customer defined. You can also name the ingress class as nginx1, nginx2. Or maybe name other ingress controller's ingress class as nginx. But as you...

@nehakulkarni123 the categories are not added in Mooncake and Fairfax. However the policy is under AllEnvironment. Need to wait until sovereign cloud release

Hi @AshutoshNirkhe, sorry for the late response. Another workaround is to assign multiple policies. For example, policy1: allowedCapabilites: [""], excludedContainers: ["app1", "app2"] policy2: allowedCapabilites: ["SYS_PTRACE"], labelSelector: {{ label...

Correct. One policy definition can be assigned multiple times with different parameter values.

Hi @AshutoshNirkhe, recently we added one more parameter named imageExclusion. It will use an image tag prefix to exclude containers. For example: `["myregistry.acr.io/repo/image:*"]` This parameter is more recommended than name-based exclusion....