Azure Kubernetes Service (AKS) introduces Deployment Safeguards, a feature designed to enforce Kubernetes best practices through Azure Policy controls. This guide provides a step-by-step walkthrough on how to set up and leverage Deployment Safeguards for more secure and compliant Kubernetes deployments.

Understanding Deployment Safeguards

Deployment Safeguards are designed to enforce Kubernetes best practices through Azure Policy controls within your AKS cluster. This feature offers a dual-level configuration:

Warning: Returns warning messages in your terminal for non-compliant cluster configurations, alerting you without blocking the request.

Enforcement: Ensures only compliant configurations are deployed by denying any request that doesn’t meet the best practices.

Upon configuring Deployment Safeguards, they programmatically assess your clusters for compliance at creation or update time, providing aggregated compliance information across your workloads via Azure Policy’s compliance dashboard.

To fully leverage Deployment Safeguards, it’s crucial to understand the policies that govern this feature. Below is a table detailing each policy and the Kubernetes resource it targets.

Deployment Safeguard Policy | Targeted Kubernetes Resource
[Preview]: Cannot Edit Individual Nodes | Node
Kubernetes cluster containers CPU and memory resource limits shouldn’t exceed specified limits | Pod
[Preview]: Must Have Anti Affinity Rules Set | Deployment, StatefulSet, ReplicationController, ReplicaSet
[Preview]: No AKS Specific Labels | Deployment, StatefulSet, ReplicaSet
Kubernetes cluster containers should only use allowed images | Pod
[Preview]: Reserved System Pool Taints | Node
Ensure cluster containers have readiness or liveness probes configured | Pod
Kubernetes clusters should use Container Storage Interface (CSI) driver StorageClass | StorageClass
[Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present | Pod
[Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets | Deployment, ReplicaSet, StatefulSet
[Preview]: Kubernetes cluster services should use unique selectors | Service

Refer to this table as you plan and execute your deployments to ensure they align with Azure’s best practices for security and efficiency.

Getting Ready: Prerequisites

Before we jump into the how-to, ensure you’ve got the following ready to go:

Azure Policy Add-on for AKS: This needs to be enabled for Deployment Safeguards to work their magic.

AKS-Preview Extension (v2.0.0b1 or later): This is crucial for accessing the latest and greatest features in AKS.

FAQs: Navigating Common Concerns

Delayed Warnings and Enforcement: It may take up to 35 minutes for Azure Policy to sync with your cluster when enabled for the first time. Additionally, switching between Warning and Enforcement levels could take up to 15 minutes to take effect.

Deployments Admitted Despite Non-compliance: Due to the fail-open model of Gatekeeper enforcement, there might be instances where deployments not following best practices are still admitted. This is designed to ensure that deployments are not unduly blocked due to validation skips.

How to Set Up Deployment Safeguards

Here’s your step-by-step guide to getting Deployment Safeguards up and running:

Step 1: Install the AKS-Preview CLI Extension

First things first, let’s get the necessary CLI extension installed and updated.

To install:

To update (making sure you’re on the latest version):

Step 2: Register for Deployment Safeguards Preview

Next up, you’ll need to register the SafeguardsPreview feature flag. This might take a few minutes to reflect as ‘Registered’.

To register:

Check the registration status:

Once registered, refresh your resource provider registration with:

Step 3: Enable Deployment Safeguards on Your AKS Cluster

With the setup out of the way, it’s time to enable Deployment Safeguards for your cluster.

For a new cluster, specify the safeguards level upon creation:

To update an existing cluster, simply set the safeguards level:

Step 4: Excluding Namespaces (Optional)

Need some namespaces to fly under the radar? Exclude them from Deployment Safeguards like so:

Step 5: Verifying Compliance

After deploying your resources, verify your cluster’s compliance via your CLI, terminal, or the Azure Policy dashboard in the Azure portal. This will ensure your cluster is adhering to the best practices safeguarded by your new settings.

After about 35 minutes we can try a test using the below command:

If you enabled Deployment Safeguards at the Warning level you will receive a warning for each failed policy, but the object will still deploy. If you chose Enforcement, the object will not be deployed.
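The five steps above as one script, added here as an example rather than the post’s own commands. It assumes the az CLI with the aks-preview extension (the --safeguards-level and --safeguards-excluded-ns flags belong to that extension), kubectl already pointed at the cluster, and the placeholder resource group and cluster names below; the Pod manifest at the end is constructed to fail policies from the table so the verification step has something to warn about.

```shell
#!/usr/bin/env bash
# Added example, not the post's own commands: steps 1-5 as one script. Assumes the
# az CLI with the aks-preview extension, kubectl pointed at the cluster, and the
# placeholder names below. Dry run by default: set DRY_RUN=0 to execute for real.
set -eu

RG="${RG:-my-aks-rg}"            # placeholder resource group
CLUSTER="${CLUSTER:-my-aks}"     # placeholder cluster name
LEVEL="${LEVEL:-Warning}"        # start with Warning, move to Enforcement once clean
EXCLUDED_NS="${EXCLUDED_NS:-kube-system,gatekeeper-system}"
DRY_RUN="${DRY_RUN:-1}"

run() {  # print the command in dry-run mode, otherwise execute it
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Step 1: install, then update, the aks-preview CLI extension
install_extension() {
  run az extension add --name aks-preview
  run az extension update --name aks-preview
}

# Step 2: register the SafeguardsPreview flag, check its state, refresh the provider
register_preview() {
  run az feature register --namespace Microsoft.ContainerService --name SafeguardsPreview
  run az feature show --namespace Microsoft.ContainerService --name SafeguardsPreview --query properties.state -o tsv
  run az provider register --namespace Microsoft.ContainerService
}

# Steps 3 and 4: set the level on an existing cluster, then exclude namespaces
enable_safeguards() { run az aks update -g "$RG" -n "$CLUSTER" --safeguards-level "$1"; }
exclude_namespaces() { run az aks update -g "$RG" -n "$CLUSTER" --safeguards-excluded-ns "$1"; }
# Step 5: a constructed Pod that fails at least two table policies (no CPU/memory limits,
# no readiness/liveness probe). Warning admits it with one warning per policy; Enforcement denies it.
noncompliant_pod() {
  cat <<'EOF'
apiVersion: v1
kind: Pod
metadata: {name: safeguards-test, namespace: default}
spec:
  containers:
  - name: web
    image: mcr.microsoft.com/azuredocs/aks-helloworld:v1
EOF
}
install_extension; register_preview
enable_safeguards "$LEVEL"; exclude_namespaces "$EXCLUDED_NS"
MANIFEST="$(mktemp)"; noncompliant_pod > "$MANIFEST"
run kubectl apply -f "$MANIFEST"
```

Run it once as-is to review the planned commands, then with DRY_RUN=0; a warning per failed policy on the final apply confirms the Warning level is active, and a denied apply confirms Enforcement.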

Wrapping Up

Deployment Safeguards are your first line of defence against the common pitfalls of Kubernetes deployments. By implementing these steps, you’re not just deploying; you’re deploying with confidence. Remember, while warnings are helpful, enforcement ensures your deployments are not just compliant but consistent and secure.

Pixel Robots.

I’m Richard Hooper aka Pixel Robots. I started this blog in 2016 for a couple of reasons. The first reason was basically just a place for me to store my step-by-step guides, troubleshooting guides and just plain ideas about being a sysadmin. The second reason was to share what I have learned and found out with other people like me. Hopefully, you can find something useful on the site.
