Apply Azure Policy to Azure Red Hat Openshift ( ARO )

Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Azure Policy supports arc enabled kubernetes cluster with both build-in and custom policies to ensure kubernetes resources are compliant. This article demonstrates how to make Azure Redhat Openshift cluster compliant with azure policy.

Prerequisites

• Azure CLI
• Openshift CLI
• Azure Openshift Cluster (ARO Cluster)

Deploy Azure Policy

• Deploy Azure Arc and Enable Azure Policy Add-on

• Verify Azure Arc and Azure Policy Add-on

Demo a simple policy

This policy will allow only images from a specific registry.

• Open Azure Portal Policy Services
• Click on Assign Policy
• Select the subscription and ARO cluster resource group as the scope
• Select “Kubernetes cluster containers should only use allowed images” in the “policy definition” field
• Click Next -> fill out namespace inclusion as [“test-policy”] -> Allowed Registry Regex as “index.docker.io.+$”
• Save the result. The policy will take effect after around 30 minutes.

• Policy Engine denies images from quay.io

References

• Azure Policy Overview
• Azure Arc-enabled kubernetes
• Understand Azure Policy for Kubernetes
• Azure Arc-enabled kubernetes built-in policy