AzPolicyAdvertizer

last sync: 2025-Jun-20 17:23:43 UTC

Ensure cluster containers have readiness or liveness probes configured

Azure BuiltIn Policy definition

-Source
+ Azure Portal
-Display name
+Ensure cluster containers have readiness or liveness probes configured
-Id
+                        b1a9997f-2883-4f12-bdff-2280f99b5915
-Version
+.3.0
  Details on versioning
-Versioning
+                        Versions supported for Versioning: 3
3.3.0
3.2.0
3.1.0
                         Built-in Versioning [Preview]
-Category
+Kubernetes
 Microsoft Learn
-Description
+This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.
-Cloud environments
+AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
-Available in AzUSGov
+The Policy is available in AzureUSGovernment cloud. Version: '4.2.0'
 Repository: Azure-Policy b1a9997f-2883-4f12-bdff-2280f99b5915
-Mode
+Microsoft.Kubernetes.Data
-Type
+BuiltIn
-Preview
+                False
-Deprecated
+False
-Effect
+                Default
Audit

                Allowed
Audit, Deny, Disabled
-RBAC role(s)
+                            none
-Rule aliases
+                none
-Rule resource types
+                IF (2)

                                    Microsoft.ContainerService/managedClusters
                    Microsoft.Kubernetes/connectedClusters
-Compliance
+                    Not a Compliance control
-Initiatives usage
+Rows: 1-2 / 2
Records: Use the filters above each column to filter and limit table data. Advanced searches can be performed by using the following operators: 
<, <=, >, >=, =, *, !, {, }, ||,&&, [empty], [nonempty], rgx:
Learn more
TableFilter v0.7.3
https://www.tablefilter.com/
©2015-2025 Max GuglielmiClose
?
 Page  of 1
                            
                                

                                    Initiative DisplayName
                                    Initiative Id
                                    Initiative Category
                                    State
                                    Type
                                    polSet in AzUSGov
                                
                            
                            
                                [Preview]: Deployment safeguards should help guide developers towards AKS recommended best practices
                                c047ea8e-9c78-49b2-958b-37e56d291a44
                                Kubernetes
                                Preview                                     BuiltIn
                                    true
                            
                            
                                Enforce recommended guardrails for Kubernetes
                                Enforce-Guardrails-Kubernetes
                                Kubernetes
                                GA                                     ALZ
                                    
                            
                        
No results
-Initiative DisplayName
+polSet in AzUSGov
-[Preview]: Deployment safeguards should help guide developers towards AKS recommended best practices
+true
-Enforce recommended guardrails for Kubernetes
+ALZ
-History
+                                Date/Time (UTC ymd) (i)
                                Change type
                                Change detail
                            
                                                    
                                2024-08-09 18:17:47
                                change
                                Minor (3.2.0 > 3.3.0)
                            
                            
                                2024-02-20 22:44:08
                                change
                                Minor (3.1.0 > 3.2.0)
                            
                            
                                2023-05-01 17:41:52
                                change
                                Minor (3.0.1 > 3.1.0)
                            
                            
                                2022-10-21 16:42:13
                                change
                                Patch (3.0.0 > 3.0.1)
                            
                            
                                2022-09-19 17:41:40
                                change
                                Major (2.0.0 > 3.0.0)
                            
                            
                                2022-06-17 16:31:08
                                change
                                Major (1.1.0 > 2.0.0)
                            
                            
                                2022-04-29 18:06:01
                                change
                                Minor (1.0.0 > 1.1.0)
                            
                            
                                2022-02-04 18:25:37
                                add
                                b1a9997f-2883-4f12-bdff-2280f99b5915
-Date/Time (UTC ymd) (i)
+Change detail
--08-09 18:17:47
+Minor (3.2.0 > 3.3.0)
--02-20 22:44:08
+Minor (3.1.0 > 3.2.0)
--05-01 17:41:52
+Minor (3.0.1 > 3.1.0)
--10-21 16:42:13
+Patch (3.0.0 > 3.0.1)
--09-19 17:41:40
+Major (2.0.0 > 3.0.0)
--06-17 16:31:08
+Major (1.1.0 > 2.0.0)
--04-29 18:06:01
+Minor (1.0.0 > 1.1.0)
--02-04 18:25:37
+b1a9997f-2883-4f12-bdff-2280f99b5915
-JSON compare
+    "policyType": "BuiltIn",
@@ -3,22 +3,31 @@
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
     "description": "This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.",
     "metadata": {
-        "version": "3.2.0",
         "category": "Kubernetes"
     },
     "parameters": {
         "warn": {
             "type": "Boolean",
             "metadata": {
                 "displayName": "Warn",
                 "description": "Whether or not to return warnings back to the user in the kubectl cli"
             },
-            "allowedValues": [
-                true,
-                false
-            ],
             "defaultValue": false
         },
         "effect": {
             "type": "String",
@@ -154,8 +163,9 @@
         },
         "then": {
             "effect": "[parameters('effect')]",
             "details": {
                 "warn": "[parameters('warn')]",
                 "templateInfo": {
                     "sourceType": "PublicURL",
                     "url": "https://store.policy.core.windows.net/kubernetes/container-enforce-probes/v2/template.yaml"
     "policyType": "BuiltIn",
     "mode": "Microsoft.Kubernetes.Data",
     "description": "This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.",
     "metadata": {
+        "version": "3.3.0",
         "category": "Kubernetes"
     },
     "parameters": {
+        "source": {
+            "type": "String",
+            "metadata": {
+                "displayName": "Source",
+                "description": "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
+            },
+            "allowedValues": [
+                "All",
+                "Generated",
+                "Original"
+            ],
+            "defaultValue": "Original"
+        },
         "warn": {
             "type": "Boolean",
             "metadata": {
                 "displayName": "Warn",
                 "description": "Whether or not to return warnings back to the user in the kubectl cli"
             },
             "defaultValue": false
         },
         "effect": {
             "type": "String",
         },
         "then": {
             "effect": "[parameters('effect')]",
             "details": {
+                "source": "[parameters('source')]",
                 "warn": "[parameters('warn')]",
                 "templateInfo": {
                     "sourceType": "PublicURL",
                     "url": "https://store.policy.core.windows.net/kubernetes/container-enforce-probes/v2/template.yaml"
-JSON
+                                api-version=2021-06-01

                                  EPAC
                                
                            
                        
                        
                            
                                {7 itemsdisplayName: "Ensure cluster containers have readiness or liveness probes configured",
policyType: "BuiltIn",
mode: "Microsoft.Kubernetes.Data",
description: "This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.",
metadata: {2 itemsversion: "3.3.0",
category: "Kubernetes"
},
parameters: {9 itemssource: {4 itemstype: "String",
metadata: {2 itemsdisplayName: "Source",
description: "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
},
allowedValues: [3 items"All",
"Generated",
"Original"
],
defaultValue: "Original"
},
warn: {3 itemstype: "Boolean",
metadata: {2 itemsdisplayName: "Warn",
description: "Whether or not to return warnings back to the user in the kubectl cli"
},
defaultValue: false
},
effect: {4 itemstype: "String",
metadata: {3 itemsdisplayName: "Effect",
description: "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy.",
portalReview: true
},
allowedValues: [3 items"Audit",
"Deny",
"Disabled"
],
defaultValue: "Audit"
},
excludedNamespaces: {3 itemstype: "Array",
metadata: {2 itemsdisplayName: "Namespace exclusions",
description: "List of Kubernetes namespaces to exclude from policy evaluation. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design. "azure-extensions-usage-system" is optional to remove."
},
defaultValue: [4 items"kube-system",
"gatekeeper-system",
"azure-arc",
"azure-extensions-usage-system"
]
},
namespaces: {3 itemstype: "Array",
metadata: {2 itemsdisplayName: "Namespace inclusions",
description: "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
},
defaultValue: []
},
labelSelector: {4 itemstype: "Object",
metadata: {2 itemsdisplayName: "Kubernetes label selector",
description: "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
},
defaultValue: {},
schema: {4 itemsdescription: "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
type: "object",
properties: {2 itemsmatchLabels: {4 itemsdescription: "matchLabels is a map of {key,value} pairs.",
type: "object",
additionalProperties: {1 itemtype: "string"
},
minProperties: 1
},
matchExpressions: {4 itemsdescription: "matchExpressions is a list of values, a key, and an operator.",
type: "array",
items: {4 itemstype: "object",
properties: {3 itemskey: {2 itemsdescription: "key is the label key that the selector applies to.",
type: "string"
},
operator: {3 itemsdescription: "operator represents a key's relationship to a set of values.",
type: "string",
enum: [4 items"In",
"NotIn",
"Exists",
"DoesNotExist"
]
},
values: {3 itemsdescription: "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
type: "array",
items: {1 itemtype: "string"
}
}
},
required: [2 items"key",
"operator"
],
additionalProperties: false
},
minItems: 1
}
},
additionalProperties: false
}
},
requiredProbes: {3 itemstype: "Array",
metadata: {3 itemsdisplayName: "Required probes list",
description: "The list of probes that are required to be defined on a container. Kubernetes currently supports 'livenessProbe', 'readinessProbe', and 'startupProbe'.",
portalReview: true
},
defaultValue: [2 items"readinessProbe",
"livenessProbe"
]
},
excludedContainers: {3 itemstype: "Array",
metadata: {2 itemsdisplayName: "Containers exclusions",
description: "The list of InitContainers and Containers to exclude from policy evaluation. The identify is the name of container. Use an empty list to apply this policy to all containers in all namespaces."
},
defaultValue: []
},
excludedImages: {3 itemstype: "Array",
metadata: {3 itemsdisplayName: "Image exclusions",
description: "The list of InitContainers and Containers to exclude from policy evaluation. The identifier is the image of container. Prefix-matching can be signified with `*`. For example: `myregistry.azurecr.io/istio:*`. It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository.",
portalReview: true
},
defaultValue: []
}
},
policyRule: {2 itemsif: {2 itemsfield: "type",
in: [2 items"Microsoft.Kubernetes/connectedClusters",
"Microsoft.ContainerService/managedClusters"
]
},
then: {2 itemseffect: "[parameters('effect')]",
details: {9 itemssource: "[parameters('source')]",
warn: "[parameters('warn')]",
templateInfo: {2 itemssourceType: "PublicURL",
url: "https://store.policy.core.windows.net/kubernetes/container-enforce-probes/v2/template.yaml"
},
apiGroups: [1 item""
],
kinds: [1 item"Pod"
],
excludedNamespaces: "[parameters('excludedNamespaces')]",
namespaces: "[parameters('namespaces')]",
labelSelector: "[parameters('labelSelector')]",
values: {3 itemsenforceProbes: "[parameters('requiredProbes')]",
excludedContainers: "[parameters('excludedContainers')]",
excludedImages: "[parameters('excludedImages')]"
}
}
}
}
}
                                 api-version=2021-06-01

                                  EPAC
                                 {7 itemsdisplayName: "Ensure cluster containers have readiness or liveness probes configured",
policyType: "BuiltIn",
mode: "Microsoft.Kubernetes.Data",
description: "This policy enforces that all pods have a readiness and/or liveness probes configured. Probe Types can be any of tcpSocket, httpGet and exec. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.",
metadata: {2 itemsversion: "3.3.0",
category: "Kubernetes"
},
parameters: {9 itemssource: {4 itemstype: "String",
metadata: {2 itemsdisplayName: "Source",
description: "The source k8s object for constraint evaluation. 'Original' means only evaluate against the specific GroupVersionKind specified in the policy definition. 'Generated' means only evaluate against k8s objects generated by Gatekeeper ExpansionTemplates. 'All' means evaluate against both the original object and any generated ones."
},
allowedValues: [3 items"All",
"Generated",
"Original"
],
defaultValue: "Original"
},
warn: {3 itemstype: "Boolean",
metadata: {2 itemsdisplayName: "Warn",
description: "Whether or not to return warnings back to the user in the kubectl cli"
},
defaultValue: false
},
effect: {4 itemstype: "String",
metadata: {3 itemsdisplayName: "Effect",
description: "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy.",
portalReview: true
},
allowedValues: [3 items"Audit",
"Deny",
"Disabled"
],
defaultValue: "Audit"
},
excludedNamespaces: {3 itemstype: "Array",
metadata: {2 itemsdisplayName: "Namespace exclusions",
description: "List of Kubernetes namespaces to exclude from policy evaluation. System namespaces "kube-system", "gatekeeper-system" and "azure-arc" are always excluded by design. "azure-extensions-usage-system" is optional to remove."
},
defaultValue: [4 items"kube-system",
"gatekeeper-system",
"azure-arc",
"azure-extensions-usage-system"
]
},
namespaces: {3 itemstype: "Array",
metadata: {2 itemsdisplayName: "Namespace inclusions",
description: "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces."
},
defaultValue: []
},
labelSelector: {4 itemstype: "Object",
metadata: {2 itemsdisplayName: "Kubernetes label selector",
description: "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources."
},
defaultValue: {},
schema: {4 itemsdescription: "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.",
type: "object",
properties: {2 itemsmatchLabels: {4 itemsdescription: "matchLabels is a map of {key,value} pairs.",
type: "object",
additionalProperties: {1 itemtype: "string"
},
minProperties: 1
},
matchExpressions: {4 itemsdescription: "matchExpressions is a list of values, a key, and an operator.",
type: "array",
items: {4 itemstype: "object",
properties: {3 itemskey: {2 itemsdescription: "key is the label key that the selector applies to.",
type: "string"
},
operator: {3 itemsdescription: "operator represents a key's relationship to a set of values.",
type: "string",
enum: [4 items"In",
"NotIn",
"Exists",
"DoesNotExist"
]
},
values: {3 itemsdescription: "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.",
type: "array",
items: {1 itemtype: "string"
}
}
},
required: [2 items"key",
"operator"
],
additionalProperties: false
},
minItems: 1
}
},
additionalProperties: false
}
},
requiredProbes: {3 itemstype: "Array",
metadata: {3 itemsdisplayName: "Required probes list",
description: "The list of probes that are required to be defined on a container. Kubernetes currently supports 'livenessProbe', 'readinessProbe', and 'startupProbe'.",
portalReview: true
},
defaultValue: [2 items"readinessProbe",
"livenessProbe"
]
},
excludedContainers: {3 itemstype: "Array",
metadata: {2 itemsdisplayName: "Containers exclusions",
description: "The list of InitContainers and Containers to exclude from policy evaluation. The identify is the name of container. Use an empty list to apply this policy to all containers in all namespaces."
},
defaultValue: []
},
excludedImages: {3 itemstype: "Array",
metadata: {3 itemsdisplayName: "Image exclusions",
description: "The list of InitContainers and Containers to exclude from policy evaluation. The identifier is the image of container. Prefix-matching can be signified with `*`. For example: `myregistry.azurecr.io/istio:*`. It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository.",
portalReview: true
},
defaultValue: []
}
},
policyRule: {2 itemsif: {2 itemsfield: "type",
in: [2 items"Microsoft.Kubernetes/connectedClusters",
"Microsoft.ContainerService/managedClusters"
]
},
then: {2 itemseffect: "[parameters('effect')]",
details: {9 itemssource: "[parameters('source')]",
warn: "[parameters('warn')]",
templateInfo: {2 itemssourceType: "PublicURL",
url: "https://store.policy.core.windows.net/kubernetes/container-enforce-probes/v2/template.yaml"
},
apiGroups: [1 item""
],
kinds: [1 item"Pod"
],
excludedNamespaces: "[parameters('excludedNamespaces')]",
namespaces: "[parameters('namespaces')]",
labelSelector: "[parameters('labelSelector')]",
values: {3 itemsenforceProbes: "[parameters('requiredProbes')]",
excludedContainers: "[parameters('excludedContainers')]",
excludedImages: "[parameters('excludedImages')]"
}
}
}
}
}