last sync: 2025-Oct-31 18:22:44 UTC

Deployment safeguards should help guide developers towards AKS recommended best practices

Azure BuiltIn Policy Initiative (PolicySet)

Source: Azure Portal
Display name: Deployment safeguards should help guide developers towards AKS recommended best practices
Id: c047ea8e-9c78-49b2-958b-37e56d291a44
Version: 3.0.0
Versioning: 14 versions supported: 3.0.0, 2.1.1, 2.1.0, 2.0.1, 2.0.0-preview, 1.9.0-preview, 1.8.0-preview, 1.7.0-preview, 1.6.0-preview, 1.5.0-preview, 1.4.1-preview, 1.4.0-preview, 1.3.3-preview, 1.3.2-preview
Category: Kubernetes
Description: A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use deployment safeguards to assign this policy initiative: https://aka.ms/aks/deployment-safeguards. Azure Policy Add-On for AKS is a pre-requisite for applying these best practices to your clusters. For instructions on enabling the Azure Policy Add-On, go to aka.ms/akspolicydoc
Cloud environments: AzureCloud = true; AzureChinaCloud = unknown; AzureUSGovernment = true
Available in AzUSGov: The PolicySet is available in AzureUSGovernment cloud. Version: '3.0.0'
Repository: Azure-Policy c047ea8e-9c78-49b2-958b-37e56d291a44
Type: BuiltIn
Deprecated: False
Preview: False
Policy-used summary
Policy types: Total Policies: 27; Builtin Policies: 27; Static Policies: 0
Policy states: GA: 26; Preview: 1
Policy categories (1): Kubernetes: 27
Policy-used
Each entry lists: Policy DisplayName (Policy Id); Category; current Version and the supported versions; default Effect and allowed effects; number of Roles used; State; whether the policy is available in AzUSGov.

[Preview]: Kubernetes cluster containers should use only allowed sysctl interfaces (5e5a0673-649e-4d50-bf9d-5a387a4e2081)
  Category: Kubernetes | Version: 1.0.0-preview | Versions (1): 1.0.0-preview
  Effect: default Audit; allowed Audit, Deny, Disabled | Roles: 0 | State: Preview | AzUSGov: true

Cannot Edit Individual Nodes (53a4a537-990c-495a-92e0-7c21a465442c)
  Category: Kubernetes | Version: 1.3.1 | Versions (6): 1.3.1, 1.3.0-preview, 1.2.0-preview, 1.1.1-preview, 1.1.0-preview, 1.0.3-preview
  Effect: default Audit; allowed Audit, Deny, Disabled | Roles: 0 | State: GA | AzUSGov: true

Ensure cluster containers have readiness or liveness probes configured (b1a9997f-2883-4f12-bdff-2280f99b5915)
  Category: Kubernetes | Version: 3.3.0 | Versions (3): 3.3.0, 3.2.0, 3.1.0
  Effect: default Audit; allowed Audit, Deny, Disabled | Roles: 0 | State: GA | AzUSGov: true

Kubernetes cluster container images should not include latest image tag (021f8078-41a0-40e6-81b6-c6597da9f3ee)
  Category: Kubernetes | Version: 2.0.1 | Versions (4): 2.0.1, 2.0.0-preview, 1.1.0-preview, 1.0.0-preview
  Effect: default Audit; allowed Audit, Deny, Disabled | Roles: 0 | State: GA | AzUSGov: true

Kubernetes cluster containers CPU and memory resource requests must be defined (03a4ecdb-0684-4039-be91-2762979e1bc8)
  Category: Kubernetes | Version: 1.0.0-preview | Versions (1): 1.0.0-preview
  Effect: default Deny; allowed Audit, Deny, Disabled | Roles: 0 | State: GA | AzUSGov: true

Kubernetes cluster containers should not share host namespaces (47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8)
  Category: Kubernetes | Version: 6.0.0 | Versions (3): 6.0.0, 5.2.0, 5.1.0
  Effect: default Audit; allowed Audit, Deny, Disabled | Roles: 0 | State: GA | AzUSGov: true

Kubernetes cluster containers should only use allowed AppArmor profiles (511f5417-5d12-434d-ab2e-816901e72a5e)
  Category: Kubernetes | Version: 6.2.1 | Versions (3): 6.2.1, 6.2.0, 6.1.1
  Effect: default Audit; allowed audit, Audit, deny, Deny, disabled, Disabled | Roles: 0 | State: GA | AzUSGov: true

Kubernetes cluster containers should only use allowed capabilities (c26596ff-4d70-4e6a-9a30-c2506bd2f80c)
  Category: Kubernetes | Version: 6.2.0 | Versions (2): 6.2.0, 6.1.0
  Effect: default Audit; allowed audit, Audit, deny, Deny, disabled, Disabled | Roles: 0 | State: GA | AzUSGov: true

Kubernetes cluster containers should only use allowed images (febd0533-8e55-448f-b837-bd0e06f16469)
  Category: Kubernetes | Version: 9.3.0 | Versions (4): 9.3.0, 9.2.0, 9.1.1, 9.1.0
  Effect: default Deny; allowed audit, Audit, deny, Deny, disabled, Disabled | Roles: 0 | State: GA | AzUSGov: true

Kubernetes cluster containers should only use allowed ProcMountType (f85eb0dd-92ee-40e9-8a76-db25a507d6d3)
  Category: Kubernetes | Version: 8.2.0 | Versions (2): 8.2.0, 8.1.1
  Effect: default Audit; allowed audit, Audit, deny, Deny, disabled, Disabled | Roles: 0 | State: GA | AzUSGov: true

Kubernetes cluster containers should only use allowed seccomp profiles (975ce327-682c-4f2e-aa46-b9598289b86c)
  Category: Kubernetes | Version: 7.2.0 | Versions (2): 7.2.0, 7.1.1
  Effect: default Audit; allowed audit, Audit, deny, Deny, disabled, Disabled | Roles: 0 | State: GA | AzUSGov: true

Kubernetes cluster pod hostPath volumes should only use allowed host paths (098fc59e-46c7-4d99-9b16-64990e543d75)
  Category: Kubernetes | Version: 6.3.0 | Versions (3): 6.3.0, 6.2.0, 6.1.1
  Effect: default Audit; allowed audit, Audit, deny, Deny, disabled, Disabled | Roles: 0 | State: GA | AzUSGov: true

Kubernetes cluster pods and containers should follow SELinux security standards (e1e6c427-07d9-46ab-9689-bfa85431e636)
  Category: Kubernetes | Version: 8.0.0 | Versions (3): 8.0.0, 7.2.0, 7.1.1
  Effect: default Audit; allowed Audit, Deny, Disabled | Roles: 0 | State: GA | AzUSGov: true

Kubernetes cluster pods and containers should only run with approved user and group IDs (f06ddb64-5fa3-4b77-b166-acb36f7f6042)
  Category: Kubernetes | Version: 6.2.0 | Versions (2): 6.2.0, 6.1.1
  Effect: default Audit; allowed audit, Audit, deny, Deny, disabled, Disabled | Roles: 0 | State: GA | AzUSGov: true

Kubernetes cluster pods should only use allowed volume types (16697877-1118-4fb1-9b65-9898ec2509ec)
  Category: Kubernetes | Version: 5.2.0 | Versions (2): 5.2.0, 5.1.1
  Effect: default Audit; allowed audit, Audit, deny, Deny, disabled, Disabled | Roles: 0 | State: GA | AzUSGov: true

Kubernetes cluster pods should only use approved host network and port list (82985f06-dc18-4a48-bc1c-b9f4f0098cfe)
  Category: Kubernetes | Version: 7.0.0 | Versions (3): 7.0.0, 6.2.0, 6.1.0
  Effect: default Audit; allowed Audit, Deny, Disabled | Roles: 0 | State: GA | AzUSGov: true

Kubernetes cluster services should use unique selectors (b0fdedee-7b9e-4a17-9f5d-5e8e912d2f01)
  Category: Kubernetes | Version: 1.2.2 | Versions (5): 1.2.2, 1.2.1-preview, 1.1.1-preview, 1.1.0-preview, 1.0.0-preview
  Effect: default Audit; allowed Audit, Deny, Disabled | Roles: 0 | State: GA | AzUSGov: true

Kubernetes cluster should not allow privileged containers (95edb821-ddaf-4404-9732-666045e056b4)
  Category: Kubernetes | Version: 9.2.0 | Versions (2): 9.2.0, 9.1.0
  Effect: default Deny; allowed audit, Audit, deny, Deny, disabled, Disabled | Roles: 0 | State: GA | AzUSGov: true

Kubernetes cluster Windows containers should not run as ContainerAdministrator (5485eac0-7e8f-4964-998b-a44f4f0c1e75)
  Category: Kubernetes | Version: 1.2.0 | Versions (2): 1.2.0, 1.1.0
  Effect: default Audit; allowed Audit, Deny, Disabled | Roles: 0 | State: GA | AzUSGov: true

Kubernetes cluster Windows pods should not run HostProcess containers (077f0ce1-86d6-4058-bc60-de05067e8622)
  Category: Kubernetes | Version: 1.0.0 | Versions (1): 1.0.0
  Effect: default Audit; allowed Audit, Deny, Disabled | Roles: 0 | State: GA | AzUSGov: true

Kubernetes clusters should not allow container privilege escalation (1c6e92c9-99f0-4e55-9cf2-0c234dc48f99)
  Category: Kubernetes | Version: 8.0.0 | Versions (3): 8.0.0, 7.2.0, 7.1.0
  Effect: default Audit; allowed Audit, Deny, Disabled | Roles: 0 | State: GA | AzUSGov: true

Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass (4f3823b6-6dac-4b5a-9c61-ce1afb829f17)
  Category: Kubernetes | Version: 2.3.0 | Versions (3): 2.3.0, 2.2.0, 2.1.0
  Effect: default Audit; allowed Audit, Deny, Disabled | Roles: 0 | State: GA | AzUSGov: true

Must Have Anti Affinity Rules or Topology Spread Constraints Set (34c88cd4-5d72-4dbb-bf77-12c3cafe8791)
  Category: Kubernetes | Version: 1.2.2 | Versions (5): 1.2.2, 1.2.1-preview, 1.1.1-preview, 1.1.0-preview, 1.0.1-preview
  Effect: default Audit; allowed Audit, Deny, Disabled | Roles: 0 | State: GA | AzUSGov: true

No AKS Specific Labels (a22123bd-b9da-4c86-9424-24903e91fd55)
  Category: Kubernetes | Version: 1.2.1 | Versions (5): 1.2.1, 1.2.0-preview, 1.1.1-preview, 1.1.0-preview, 1.0.1-preview
  Effect: default Audit; allowed Audit, Deny, Disabled | Roles: 0 | State: GA | AzUSGov: true

Prints a message if a mutation is applied (e24df237-32cb-4a6c-a2f6-85b499cda9f2)
  Category: Kubernetes | Version: 1.2.1 | Versions (4): 1.2.1, 1.2.0-preview, 1.1.0-preview, 1.0.0-preview
  Effect: default Audit; allowed Audit, Disabled | Roles: 0 | State: GA | AzUSGov: true

Reserved System Pool Taints (48940d92-ff05-449e-9111-e742d9280451)
  Category: Kubernetes | Version: 1.2.1 | Versions (5): 1.2.1, 1.2.0-preview, 1.1.1-preview, 1.1.0-preview, 1.0.1-preview
  Effect: default Audit; allowed Audit, Deny, Disabled | Roles: 0 | State: GA | AzUSGov: true

Restricts the CriticalAddonsOnly taint to just the system pool. (e16d171b-bfe5-4d79-a525-19736b396e92)
  Category: Kubernetes | Version: 1.3.1 | Versions (5): 1.3.1, 1.3.0-preview, 1.2.0-preview, 1.1.0-preview, 1.0.0-preview
  Effect: default Mutate; allowed Mutate, Disabled | Roles: 0 | State: GA | AzUSGov: true
Roles used: none
History
Date/Time (UTC, ymd) and changes:

2025-10-14 17:22:46
  add Policy Kubernetes cluster pod hostPath volumes should only use allowed host paths (098fc59e-46c7-4d99-9b16-64990e543d75)
  add Policy Kubernetes clusters should not allow container privilege escalation (1c6e92c9-99f0-4e55-9cf2-0c234dc48f99)
  add Policy Kubernetes cluster pods should only use allowed volume types (16697877-1118-4fb1-9b65-9898ec2509ec)
  add Policy Kubernetes cluster pods should only use approved host network and port list (82985f06-dc18-4a48-bc1c-b9f4f0098cfe)
  add Policy Kubernetes cluster Windows pods should not run HostProcess containers (077f0ce1-86d6-4058-bc60-de05067e8622)
  add Policy Kubernetes cluster containers should only use allowed ProcMountType (f85eb0dd-92ee-40e9-8a76-db25a507d6d3)
  add Policy Kubernetes cluster containers should only use allowed seccomp profiles (975ce327-682c-4f2e-aa46-b9598289b86c)
  add Policy [Preview]: Kubernetes cluster containers should use only allowed sysctl interfaces (5e5a0673-649e-4d50-bf9d-5a387a4e2081)
  add Policy Kubernetes cluster containers should only use allowed AppArmor profiles (511f5417-5d12-434d-ab2e-816901e72a5e)
  add Policy Kubernetes cluster containers should only use allowed capabilities (c26596ff-4d70-4e6a-9a30-c2506bd2f80c)
  add Policy Kubernetes cluster Windows containers should not run as ContainerAdministrator (5485eac0-7e8f-4964-998b-a44f4f0c1e75)
  add Policy Kubernetes cluster containers CPU and memory resource requests must be defined (03a4ecdb-0684-4039-be91-2762979e1bc8)
  add Policy Kubernetes cluster containers should not share host namespaces (47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8)
  add Policy Kubernetes cluster should not allow privileged containers (95edb821-ddaf-4404-9732-666045e056b4)
  add Policy Kubernetes cluster pods and containers should only run with approved user and group IDs (f06ddb64-5fa3-4b77-b166-acb36f7f6042)
  add Policy Kubernetes cluster pods and containers should follow SELinux security standards (e1e6c427-07d9-46ab-9689-bfa85431e636)
  Version change: '2.1.1' to '3.0.0'
  remove Policy Sets readOnlyRootFileSystem in the Pod spec to true if it is not set. (8e875f96-2c56-40ca-86db-b9f6a0be7347)
  remove Policy Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set. (2ae2f266-ecc3-4d26-82c5-8c3cb7774f45)
  remove Policy Sets maxUnavailable pods to 1 for PodDisruptionBudget resources (d77f191e-2338-45d0-b6d4-4ee1c586a192)
  remove Policy Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits (e345eecc-fa47-480f-9e88-67dcc122b164)
  remove Policy Sets Kubernetes cluster containers CPU limits to default values in case not present. (42ba1d72-e90f-42f8-bf99-5a1351eed2b1)
  remove Policy Kubernetes cluster containers should only pull images when image pull secrets are present (12db3749-7e03-4b9f-b443-d37d3fb9f8d9)
  remove Policy Kubernetes cluster container images must include the preStop hook (1a3b9003-eac6-4d39-a184-4a567ace7645)
  remove Policy Sets Kubernetes cluster containers memory limits to default values in case not present. (5f86d473-38a8-46c9-bdfe-d7fa3b9836bf)
  remove Policy [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets (d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d)

2025-09-18 17:22:44
  Version change: '2.1.0' to '2.1.1'

2025-09-10 17:22:36
  Version change: '2.0.1' to '2.1.0'
  remove Policy Deploy Azure Policy Add-on to Azure Kubernetes Service clusters (a8eff44f-8c92-45c3-a3fb-9880802d67a7)

2025-08-13 17:22:31
  Version change: '2.0.0-preview' to '2.0.1'
  Name change: '[Preview]: Deployment safeguards should help guide developers towards AKS recommended best practices' to 'Deployment safeguards should help guide developers towards AKS recommended best practices'

2025-05-27 20:12:11
  add Policy Deploy Azure Policy Add-on to Azure Kubernetes Service clusters (a8eff44f-8c92-45c3-a3fb-9880802d67a7)
  Version change: '1.9.0-preview' to '2.0.0-preview'

2024-10-30 18:57:58
  add Policy Prints a message if a mutation is applied (e24df237-32cb-4a6c-a2f6-85b499cda9f2)
  Version change: '1.8.0-preview' to '1.9.0-preview'

2024-10-15 17:53:51
  Version change: '1.7.0-preview' to '1.8.0-preview'

2024-04-17 17:45:34
  Version change: '1.6.0-preview' to '1.7.0-preview'

2024-04-11 17:47:35
  add Policy Sets readOnlyRootFileSystem in the Pod spec to true if it is not set. (8e875f96-2c56-40ca-86db-b9f6a0be7347)
  add Policy Sets readOnlyRootFileSystem in the Pod spec in init containers to true if it is not set. (2ae2f266-ecc3-4d26-82c5-8c3cb7774f45)
  add Policy Kubernetes cluster container images should not include latest image tag (021f8078-41a0-40e6-81b6-c6597da9f3ee)
  add Policy Kubernetes cluster container images must include the preStop hook (1a3b9003-eac6-4d39-a184-4a567ace7645)
  add Policy Sets Kubernetes cluster containers memory limits to default values in case not present. (5f86d473-38a8-46c9-bdfe-d7fa3b9836bf)
  add Policy Sets Kubernetes cluster containers CPU limits to default values in case not present. (42ba1d72-e90f-42f8-bf99-5a1351eed2b1)
  add Policy Restricts the CriticalAddonsOnly taint to just the system pool. (e16d171b-bfe5-4d79-a525-19736b396e92)
  add Policy Sets maxUnavailable pods to 1 for PodDisruptionBudget resources (d77f191e-2338-45d0-b6d4-4ee1c586a192)
  Version change: '1.4.1-preview' to '1.6.0-preview'

2024-03-13 20:05:29
  Description change: 'A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use deployment safeguards to assign this policy initiative: https://aka.ms/aks/safeguards. Azure Policy Add-On for AKS is a pre-requisite for applying these best practices to your clusters. For instructions on enabling the Azure Policy Add-On, go to aka.ms/akspolicydoc' to 'A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use deployment safeguards to assign this policy initiative: https://aka.ms/aks/deployment-safeguards. Azure Policy Add-On for AKS is a pre-requisite for applying these best practices to your clusters. For instructions on enabling the Azure Policy Add-On, go to aka.ms/akspolicydoc'

2024-03-06 19:15:55
  Version change: '1.4.0-preview' to '1.4.1-preview'

2024-02-23 19:01:26
  Version change: '1.3.3-preview' to '1.4.0-preview'

2024-02-05 19:34:05
  Version change: '1.3.2-preview' to '1.3.3-preview'

2024-01-30 18:39:39
  Name change: '[Preview]: AKS Safeguards should help guide developers towards AKS recommended best practices' to '[Preview]: Deployment safeguards should help guide developers towards AKS recommended best practices'
  Description change: 'A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use AKS Deployment Safeguards to assign this policy initiative: https://aka.ms/aks/safeguards. Azure Policy Add-On for AKS is a pre-requisite for applying these best practices to your clusters. For instructions on enabling the Azure Policy Add-On, go to aka.ms/akspolicydoc' to 'A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use deployment safeguards to assign this policy initiative: https://aka.ms/aks/safeguards. Azure Policy Add-On for AKS is a pre-requisite for applying these best practices to your clusters. For instructions on enabling the Azure Policy Add-On, go to aka.ms/akspolicydoc'

2023-12-07 18:54:02
  Version change: '1.3.1-preview' to '1.3.2-preview'

2023-12-05 19:46:52
  Name change: '[Preview]: AKS Guardrails should help guide developers towards AKS recommended best practices' to '[Preview]: AKS Safeguards should help guide developers towards AKS recommended best practices'
  Description change: 'A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use AKS Guardrails to assign this policy initiative: https://aka.ms/aks/guardrails.' to 'A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use AKS Deployment Safeguards to assign this policy initiative: https://aka.ms/aks/safeguards. Azure Policy Add-On for AKS is a pre-requisite for applying these best practices to your clusters. For instructions on enabling the Azure Policy Add-On, go to aka.ms/akspolicydoc'

2023-11-03 19:40:09
  add Policy [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets (d9e8f2c1-4c5a-4f5c-8b5a-2abf1e9f7b4d)
  add Policy Kubernetes cluster services should use unique selectors (b0fdedee-7b9e-4a17-9f5d-5e8e912d2f01)
  add Policy Kubernetes cluster containers should only pull images when image pull secrets are present (12db3749-7e03-4b9f-b443-d37d3fb9f8d9)
  Version change: '1.2.1-preview' to '1.3.1-preview'

2023-10-11 18:00:02
  add Policy Kubernetes clusters should use Container Storage Interface(CSI) driver StorageClass (4f3823b6-6dac-4b5a-9c61-ce1afb829f17)
  Version change: '1.1.1-preview' to '1.2.1-preview'

2023-07-28 20:08:16
  Version change: '1.1.0-preview' to '1.1.1-preview'

2023-07-24 17:56:15
  Description change: 'A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service' to 'A collection of Kubernetes best practices that are recommended by Azure Kubernetes Service (AKS). For the best experience, use AKS Guardrails to assign this policy initiative: https://aka.ms/aks/guardrails.'

2023-06-08 17:46:29
  Version change: '1.0.0-preview' to '1.1.0-preview'

2023-05-10 17:45:01
  add Initiative c047ea8e-9c78-49b2-958b-37e56d291a44