Updated AKS version to 1.27.9 Azure#2771 Azure#1731 Azure#2570 (Azure#2772)

Author: BernieWhite

data/policy-ignore.json

@@ -44,11 +44,19 @@
   },
   {
     "policyDefinitionIds": [
-      "/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d"
+      "/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d",
+      "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7"
     ],
     "reason": "Duplicate",
     "value": "Azure.AKS.AzurePolicyAddOn"
   },
+  {
+    "policyDefinitionIds": [
+      "/providers/Microsoft.Authorization/policyDefinitions/5c345cdf-2049-47e0-b8fe-b0e96bc2df35"
+    ],
+    "reason": "Duplicate",
+    "value": "Azure.AKS.AutoUpgrade"
+  },
   {
     "policyDefinitionIds": [
       "/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751"

docs/CHANGELOG-v1.md

@@ -42,9 +42,13 @@ What's changed since pre-release v1.35.0-B0030:
     [#2768](https://github.com/Azure/PSRule.Rules.Azure/issues/2768)
     - Fixed `Azure.AppService.PHPVersion` check fails when phpVersion is null.
     - Bumped rule set to `2024_03`.
+  - Updated `Azure.AKS.Version` to use `1.27.9` as the minimum version by @BernieWhite.
+    [#2771](https://github.com/Azure/PSRule.Rules.Azure/issues/2771)
 - General improvements:
   - Quality updates to rule documentation by @BernieWhite.
     [#2570](https://github.com/Azure/PSRule.Rules.Azure/issues/2570)
+  - Additional policies added to default ignore list by @BernieWhite.
+    [#1731](https://github.com/Azure/PSRule.Rules.Azure/issues/1731)
 - Bug fixes:
   - Fixed failed to expand JObject value with invalid key by @BernieWhite.
     [#2751](https://github.com/Azure/PSRule.Rules.Azure/issues/2751)

docs/en/rules/Azure.AKS.AutoUpgrade.md

@@ -1,8 +1,8 @@
 ---
-reviewed: 2021/12/10
+reviewed: 2024-03-25
 severity: Important
 pillar: Operational Excellence
-category: Automation
+category: OE:09 Task automation
 resource: Azure Kubernetes Service
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.AutoUpgrade/
 ---
@@ -22,13 +22,13 @@ To configure auto-upgrades select a release channel instead of the default `none
 The following release channels are available:
 
 - `none` - Disables auto-upgrades.
-The default setting.
+  The default setting.
 - `patch` - Automatically upgrade to the latest supported patch version of the current minor version.
 - `stable` - Automatically upgrade to the latest supported patch release of the recommended minor version.
-This is N-1 of the current AKS non-preview minor version.
+  This is N-1 of the current AKS non-preview minor version.
 - `rapid` - Automatically upgrade to the latest supported patch of the latest support minor version.
 - `node-image` - Automatically upgrade to the latest node image version.
-Normally upgraded weekly.
+  Normally upgraded weekly.
 
 ## RECOMMENDATION
 
@@ -189,10 +189,17 @@ resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {
 az aks update -n '<name>' -g '<resource_group>' --auto-upgrade-channel 'stable'
 ```
 
+### Configure with Azure Policy
+
+To address this issue at runtime use the following policies:
+
+- [Azure Kubernetes Service Clusters should enable cluster auto-upgrade](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_Autoupgrade_Cluster_Audit.json)
+  `/providers/Microsoft.Authorization/policyDefinitions/5c345cdf-2049-47e0-b8fe-b0e96bc2df35`
+
 ## LINKS
 
-- [Automation overview](https://learn.microsoft.com/azure/architecture/framework/devops/automation-overview)
-- [Supported Kubernetes versions in Azure Kubernetes Service](https://docs.microsoft.com/azure/aks/supported-kubernetes-versions)
-- [Support policies for Azure Kubernetes Service](https://docs.microsoft.com/azure/aks/support-policies)
-- [Set auto-upgrade channel](https://docs.microsoft.com/azure/aks/upgrade-cluster#set-auto-upgrade-channel)
-- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.containerservice/managedclusters#ManagedClusterAutoUpgradeProfile)
+- [OE:09 Task automation](https://learn.microsoft.com/azure/well-architected/operational-excellence/automate-tasks)
+- [Supported Kubernetes versions in Azure Kubernetes Service](https://learn.microsoft.com/azure/aks/supported-kubernetes-versions)
+- [Support policies for Azure Kubernetes Service](https://learn.microsoft.com/azure/aks/support-policies)
+- [Automatically upgrade an Azure Kubernetes Service (AKS) cluster](https://learn.microsoft.com/azure/aks/auto-upgrade-cluster)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters)

docs/en/rules/Azure.AKS.AzurePolicyAddOn.md

@@ -1,7 +1,8 @@
 ---
+reviewed: 2024-03-25
 severity: Important
 pillar: Security
-category: Optimize
+category: SE:08 Hardening resources
 resource: Azure Kubernetes Service
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.AzurePolicyAddOn/
 ---
@@ -41,72 +42,93 @@ For example:
 
 ```json
 {
-    "type": "Microsoft.ContainerService/managedClusters",
-    "apiVersion": "2021-10-01",
-    "name": "[parameters('clusterName')]",
-    "location": "[parameters('location')]",
-    "identity": {
-        "type": "UserAssigned",
-        "userAssignedIdentities": {
-            "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]": {}
-        }
+  "type": "Microsoft.ContainerService/managedClusters",
+  "apiVersion": "2024-01-01",
+  "name": "[parameters('name')]",
+  "location": "[parameters('location')]",
+  "identity": {
+    "type": "UserAssigned",
+    "userAssignedIdentities": {
+      "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]": {}
+    }
+  },
+  "properties": {
+    "kubernetesVersion": "[parameters('kubernetesVersion')]",
+    "disableLocalAccounts": true,
+    "enableRBAC": true,
+    "dnsPrefix": "[parameters('dnsPrefix')]",
+    "agentPoolProfiles": [
+      {
+        "name": "system",
+        "osDiskSizeGB": 0,
+        "minCount": 3,
+        "maxCount": 5,
+        "enableAutoScaling": true,
+        "maxPods": 50,
+        "vmSize": "Standard_D4s_v5",
+        "type": "VirtualMachineScaleSets",
+        "vnetSubnetID": "[parameters('clusterSubnetId')]",
+        "mode": "System",
+        "osDiskType": "Ephemeral"
+      },
+      {
+        "name": "user",
+        "osDiskSizeGB": 0,
+        "minCount": 3,
+        "maxCount": 20,
+        "enableAutoScaling": true,
+        "maxPods": 50,
+        "vmSize": "Standard_D4s_v5",
+        "type": "VirtualMachineScaleSets",
+        "vnetSubnetID": "[parameters('clusterSubnetId')]",
+        "mode": "User",
+        "osDiskType": "Ephemeral"
+      }
+    ],
+    "aadProfile": {
+      "managed": true,
+      "enableAzureRBAC": true,
+      "adminGroupObjectIDs": "[parameters('clusterAdmins')]",
+      "tenantID": "[subscription().tenantId]"
     },
-    "properties": {
-        "kubernetesVersion": "[parameters('kubernetesVersion')]",
-        "enableRBAC": true,
-        "dnsPrefix": "[parameters('dnsPrefix')]",
-        "agentPoolProfiles": "[variables('allPools')]",
-        "aadProfile": {
-            "managed": true,
-            "enableAzureRBAC": true,
-            "adminGroupObjectIDs": "[parameters('clusterAdmins')]",
-            "tenantID": "[subscription().tenantId]"
-        },
-        "networkProfile": {
-            "networkPlugin": "azure",
-            "networkPolicy": "azure",
-            "loadBalancerSku": "standard",
-            "serviceCidr": "[variables('serviceCidr')]",
-            "dnsServiceIP": "[variables('dnsServiceIP')]",
-            "dockerBridgeCidr": "[variables('dockerBridgeCidr')]"
-        },
-        "autoUpgradeProfile": {
-            "upgradeChannel": "stable"
-        },
-        "addonProfiles": {
-            "httpApplicationRouting": {
-                "enabled": false
-            },
-            "azurepolicy": {
-                "enabled": true,
-                "config": {
-                    "version": "v2"
-                }
-            },
-            "omsagent": {
-                "enabled": true,
-                "config": {
-                    "logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]"
-                }
-            },
-            "kubeDashboard": {
-                "enabled": false
-            },
-            "azureKeyvaultSecretsProvider": {
-                "enabled": true,
-                "config": {
-                    "enableSecretRotation": "true"
-                }
-            }
-        },
-        "podIdentityProfile": {
-            "enabled": true
-        }
+    "networkProfile": {
+      "networkPlugin": "azure",
+      "networkPolicy": "azure",
+      "loadBalancerSku": "standard",
+      "serviceCidr": "[variables('serviceCidr')]",
+      "dnsServiceIP": "[variables('dnsServiceIP')]"
     },
-    "tags": "[parameters('tags')]",
-    "dependsOn": [
-        "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]"
-    ]
+    "apiServerAccessProfile": {
+      "enablePrivateCluster": true,
+      "enablePrivateClusterPublicFQDN": false
+    },
+    "autoUpgradeProfile": {
+      "upgradeChannel": "stable"
+    },
+    "oidcIssuerProfile": {
+      "enabled": true
+    },
+    "addonProfiles": {
+      "azurepolicy": {
+        "enabled": true
+      },
+      "omsagent": {
+        "enabled": true,
+        "config": {
+          "logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]"
+        }
+      },
+      "azureKeyvaultSecretsProvider": {
+        "enabled": true,
+        "config": {
+          "enableSecretRotation": "true"
+        }
+      }
+    }
+  },
+  "dependsOn": [
+    "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]"
+  ]
 }
 ```
 
@@ -119,9 +141,9 @@ To deploy AKS clusters that pass this rule:
 For example:
 
 ```bicep
-resource cluster 'Microsoft.ContainerService/managedClusters@2021-10-01' = {
+resource privateCluster 'Microsoft.ContainerService/managedClusters@2024-01-01' = {
   location: location
-  name: clusterName
+  name: name
   identity: {
     type: 'UserAssigned'
     userAssignedIdentities: {
@@ -130,9 +152,37 @@ resource cluster 'Microsoft.ContainerService/managedClusters@2021-10-01' = {
   }
   properties: {
     kubernetesVersion: kubernetesVersion
+    disableLocalAccounts: true
     enableRBAC: true
     dnsPrefix: dnsPrefix
-    agentPoolProfiles: allPools
+    agentPoolProfiles: [
+      {
+        name: 'system'
+        osDiskSizeGB: 0
+        minCount: 3
+        maxCount: 5
+        enableAutoScaling: true
+        maxPods: 50
+        vmSize: 'Standard_D4s_v5'
+        type: 'VirtualMachineScaleSets'
+        vnetSubnetID: clusterSubnetId
+        mode: 'System'
+        osDiskType: 'Ephemeral'
+      }
+      {
+        name: 'user'
+        osDiskSizeGB: 0
+        minCount: 3
+        maxCount: 20
+        enableAutoScaling: true
+        maxPods: 50
+        vmSize: 'Standard_D4s_v5'
+        type: 'VirtualMachineScaleSets'
+        vnetSubnetID: clusterSubnetId
+        mode: 'User'
+        osDiskType: 'Ephemeral'
+      }
+    ]
     aadProfile: {
       managed: true
       enableAzureRBAC: true
@@ -145,53 +195,55 @@ resource cluster 'Microsoft.ContainerService/managedClusters@2021-10-01' = {
       loadBalancerSku: 'standard'
       serviceCidr: serviceCidr
       dnsServiceIP: dnsServiceIP
-      dockerBridgeCidr: dockerBridgeCidr
+    }
+    apiServerAccessProfile: {
+      enablePrivateCluster: true
+      enablePrivateClusterPublicFQDN: false
     }
     autoUpgradeProfile: {
       upgradeChannel: 'stable'
     }
+    oidcIssuerProfile: {
+      enabled: true
+    }
     addonProfiles: {
-      httpApplicationRouting: {
-        enabled: false
-      }
       azurepolicy: {
         enabled: true
-        config: {
-          version: 'v2'
-        }
       }
       omsagent: {
         enabled: true
         config: {
           logAnalyticsWorkspaceResourceID: workspaceId
         }
       }
-      kubeDashboard: {
-        enabled: false
-      }
       azureKeyvaultSecretsProvider: {
         enabled: true
         config: {
           enableSecretRotation: 'true'
         }
       }
     }
-    podIdentityProfile: {
-      enabled: true
-    }
   }
-  tags: tags
 }
 ```
 
+### Configure with Azure Policy
+
+To address this issue at runtime use the following policies:
+
+- [Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AzurePolicyAddOn_Audit.json)
+  `/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d`
+- [Deploy Azure Policy Add-on to Azure Kubernetes Service clusters](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AzurePolicyAddOn_DINE.json)
+  `/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7`
+
 ## NOTES
 
 Azure Policy for AKS clusters is generally available (GA).
 Azure Policy for AKS Engine and Arc enabled Kubernetes are currently in preview.
 
 ## LINKS
 
-- [Governance, risk, and compliance](https://learn.microsoft.com/azure/architecture/framework/security/governance#audit-and-enforce-policy-compliance)
-- [Understand Azure Policy for Kubernetes clusters](https://docs.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes)
-- [Secure your cluster with Azure Policy](https://docs.microsoft.com/azure/aks/use-azure-policy)
-- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.containerservice/managedclusters)
+- [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources)
+- [Understand Azure Policy for Kubernetes clusters](https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes)
+- [Secure your Azure Kubernetes Service (AKS) clusters with Azure Policy](https://learn.microsoft.com/azure/aks/use-azure-policy)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters)

docs/en/rules/Azure.AKS.LocalAccounts.md

@@ -232,9 +232,8 @@ az aks update -n '<name>' -g '<resource_group>' --enable-aad --aad-admin-group-o
 
 To address this issue at runtime use the following policies:
 
-```text
-/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32
-```
+- [Azure Kubernetes Service Clusters should have local authentication methods disabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_DisableLocalAccounts_Deny.json)
+  `/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32`
 
 ## LINKS