Source
Azure Portal
Display name
[Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present.
Id
42ba1d72-e90f-42f8-bf99-5a1351eed2b1 Copy Id Copy resourceId
Version
1.3.0-preview Details on versioning
Versioning
Versions supported for Versioning: 5 1.3.0-preview 1.2.0-preview 1.1.1-preview 1.1.0-preview 1.0.0-preview Built-in Versioning [Preview]
Category
Kubernetes Microsoft Learn
Description
Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster.
Cloud environments
AzureCloud = true AzureUSGovernment = true AzureChinaCloud = unknown
Available in AzUSGov
The Policy is available in AzureUSGovernment cloud. Version: '1.2.0-preview' Repository: Azure-Policy 42ba1d72-e90f-42f8-bf99-5a1351eed2b1
Mode
Microsoft.Kubernetes.Data
Type
BuiltIn
Preview
True
Deprecated
False
Effect
Default Mutate
Allowed Mutate, Disabled
RBAC role(s)
none
Rule aliases
none
Rule resource types
IF (1)
Compliance
Not a Compliance control
Initiatives usage
Initiative DisplayName
Initiative Id
Initiative Category
State
Type
polSet in AzUSGov
[Preview]: Deployment safeguards should help guide developers towards AKS recommended best practices
c047ea8e-9c78-49b2-958b-37e56d291a44
Kubernetes
Preview BuiltIn
true
History
Date/Time (UTC ymd) (i)
Change type
Change detail
2025-04-22 16:46:02
change
Minor, suffix remains equal (1.2.0-preview > 1.3.0-preview)
2024-08-09 18:17:47
change
Minor, suffix remains equal (1.1.1-preview > 1.2.0-preview)
2024-04-22 16:32:55
change
Patch, suffix remains equal (1.1.0-preview > 1.1.1-preview)
2024-04-12 17:45:57
change
Minor, suffix remains equal (1.0.0-preview > 1.1.0-preview)
2024-04-08 17:52:20
add
42ba1d72-e90f-42f8-bf99-5a1351eed2b1
JSON compareHide
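--- a/42ba1d72-e90f-42f8-bf99-5a1351eed2b1
+++ b/42ba1d72-e90f-42f8-bf99-5a1351eed2b1
@@ -3,9 +3,9 @@
 "policyType": "BuiltIn",
 "mode": "Microsoft.Kubernetes.Data",
 "description": "Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster.",
 "metadata": {
-"version": "1.2.0-preview",
+"version": "1.3 .0-preview",
 "category": "Kubernetes",
 "preview": true
 },
 "parameters": {
@@ -45,8 +45,16 @@
 "kube-system",
 "gatekeeper-system",
 "azure-arc"
 ]
+},
+"namespaces": {
+"type": "Array",
+"metadata": {
+"displayName": "Namespace inclusions",
+"description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
+},
+"defaultValue": []
 }
 },
 "policyRule": {
 "if": {
@@ -60,8 +68,9 @@
 "mutationInfo": {
 "sourceType": "PublicURL",
 "url": "https://store.policy.core.windows.net/kubernetes/mutate-resource-cpu-limits/v1/mutation.yaml"
 },
+"namespaces": "[parameters('namespaces')]",
 "excludedNamespaces": "[parameters('excludedNamespaces')]"
 }
 }
 }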
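Review bot: The description of the `namespaces` parameter added in the second hunk does not say how the inclusion list combines with `excludedNamespaces`, although the third hunk passes both side by side in `details`. It says an empty list applies the policy "to all resources in all namespaces", while `excludedNamespaces` still defaults to `kube-system`, `gatekeeper-system` and `azure-arc`, so the two descriptions read as contradictory. A non-empty inclusion list presumably stops the mutation for every namespace not named, so containers there would no longer receive the default CPU limits that the policy description presents as protection against resource exhaustion; that consequence deserves a sentence. Suggested wording, if it matches the intended behaviour: `List of Kubernetes namespaces to restrict policy evaluation to. An empty list evaluates every namespace not listed in excludedNamespaces; a non-empty list leaves all other namespaces unmutated.` Which list takes precedence when a namespace appears in both is not visible in this diff and should be confirmed before it is documented.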
JSON
api-version=2021-06-01
{ 7 items displayName: "[Preview]: Sets Kubernetes cluster containers CPU limits to default values in case not present." , policyType: "BuiltIn" , mode: "Microsoft.Kubernetes.Data" , description: "Setting container CPU limits to prevent resource exhaustion attacks in a Kubernetes cluster." , metadata: { 3 items version: "1.3.0-preview" , category: "Kubernetes" , preview: true } , parameters: { 4 items source: { 4 items type: "String" , metadata: { 2 items displayName: "Source" , description: "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones." } , allowedValues: [ 3 items "All" , "Generated" , "Original" ] , defaultValue: "Original" } , effect: { 4 items type: "String" , metadata: { 3 items displayName: "Effect" , description: "'Mutate' modifies a non-compliant resource to be compliant when creating or updating. 'Disabled' turns off the policy." , portalReview: true } , allowedValues: [ 2 items ] , defaultValue: "Mutate" } , excludedNamespaces: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace exclusions" , description: "List of Kubernetes namespaces to exclude from policy evaluation." } , defaultValue: [ 3 items "kube-system" , "gatekeeper-system" , "azure-arc" ] } , namespaces: { 3 items type: "Array" , metadata: { 2 items displayName: "Namespace inclusions" , description: "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces." 
} , defaultValue : [] } } , policyRule: { 2 items if: { 2 items field: "type" , equals: "Microsoft.ContainerService/managedClusters" } , then: { 2 items effect: "[parameters('effect')]" , details: { 4 items source: "[parameters('source')]" , mutationInfo: { 2 items sourceType: "PublicURL" , url: "https://store.policy.core.windows.net/kubernetes/mutate-resource-cpu-limits/v1/mutation.yaml" } , namespaces: "[parameters('namespaces')]" , excludedNamespaces: "[parameters('excludedNamespaces')]" } } } }