You can think of a Kubernetes cluster as a personal cloud platform. Just as you need policies on your public cloud (e.g., Azure Policy), you should apply policies to your Kubernetes clusters. For example, you may want to deny the creation of Pods with privileged access, except in certain namespaces. In this step you will enable Azure Policy for AKS, which is built on the Open Policy Agent (OPA) Gatekeeper project: each policy assignment is synced into the cluster as a Gatekeeper constraint and enforced by Gatekeeper's admission webhook.
Make sure the following are complete before setting up Azure Policy:
- Cluster is provisioned and accessible via 'kubectl'
- App deployment is complete
Success criteria:
- Azure Policy for AKS is enabled on the cluster
- Creation of privileged pods is blocked in every namespace except kube-system, gatekeeper-system and azure-arc
- The policy assignment is scoped only to the resource group in which the AKS cluster is deployed
Tasks:
- Enable Azure Policy on the AKS cluster
- Assign the privileged-pod policy so that it applies to the whole cluster (with the assignment itself scoped to the cluster's resource group)
- Test that the policy behaves as expected: a privileged Pod is rejected in an ordinary namespace and still admitted in one of the excluded namespaces
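The three tasks above as one script, added here as an example and not part of the original workshop. It uses the Azure CLI and kubectl; the resource group, cluster and assignment names are assumptions, the built-in definition is looked up by its display name rather than a hard-coded ID, and the excluded namespaces are the three from the success criteria (which are also that definition's defaults). The live steps only run when RUN_AGAINST_AZURE=1 is set; the helper functions can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not the workshop's own code). Assumed names: RG, AKS, ASSIGNMENT.
set -eu

RG="${RG:-aks-workshop-rg}"          # assumed resource group containing the cluster
AKS="${AKS:-aks-workshop}"           # assumed AKS cluster name
ASSIGNMENT="deny-privileged-pods"    # assumed policy assignment name
EXCLUDED_NS="kube-system gatekeeper-system azure-arc"   # from the success criteria

# Parameter JSON for the assignment: Deny effect plus the namespaces that may
# still run privileged pods. Emitted by a function so it can be checked offline.
assignment_params() {
  local ns list=""
  for ns in $EXCLUDED_NS; do
    list="${list:+$list,}\"$ns\""
  done
  printf '{"effect":{"value":"Deny"},"excludedNamespaces":{"value":[%s]}}' "$list"
}

# A privileged Pod manifest in the given namespace, used to probe the policy.
privileged_pod_yaml() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: priv-test
  namespace: $1
spec:
  containers:
  - name: shell
    image: busybox:1.36
    command: ["sleep", "3600"]
    securityContext:
      privileged: true
EOF
}

# True only when kubectl's error came from Gatekeeper's admission webhook
# (Azure Policy for AKS is Gatekeeper underneath), not from some other failure.
is_gatekeeper_denial() {
  printf '%s' "$1" | grep -q 'admission webhook "validation.gatekeeper.sh" denied the request'
}

# Constructed sample of what a denial looks like (not captured from a real cluster).
SAMPLE_DENIAL='Error from server (Forbidden): error when creating "STDIN": admission webhook "validation.gatekeeper.sh" denied the request: [azurepolicy-container-no-privilege-abc123] Privileged container is not allowed: shell, securityContext: {"privileged": true}'

main() {
  # 1. Enable the Azure Policy add-on and confirm the add-on and Gatekeeper are up.
  az aks enable-addons --addons azure-policy --resource-group "$RG" --name "$AKS" --output none
  az aks show --resource-group "$RG" --name "$AKS" \
     --query "addonProfiles.azurepolicy.enabled" --output tsv   # expect "true"
  kubectl get pods -n gatekeeper-system                          # expect Running pods

  # 2. Assign the built-in definition, scoped to the cluster's resource group only.
  local def_id scope
  def_id=$(az policy definition list \
     --query "[?displayName=='Kubernetes cluster should not allow privileged containers'].id | [0]" \
     --output tsv)
  scope=$(az group show --name "$RG" --query id --output tsv)
  az policy assignment create --name "$ASSIGNMENT" --scope "$scope" \
     --policy "$def_id" --params "$(assignment_params)" --output none

  # 3. Test. The assignment is synced into the cluster as a Gatekeeper constraint,
  #    which can take up to about 20 minutes; wait for it before probing.
  until kubectl get constraints 2>/dev/null | grep -Eiq 'no-?privilege'; do sleep 30; done
  local err
  if err=$(privileged_pod_yaml default | kubectl apply -f - 2>&1); then
    echo "FAIL: privileged pod was admitted in namespace default"; exit 1
  elif is_gatekeeper_denial "$err"; then
    echo "OK: denied in default: $err"
  else
    echo "FAIL: unexpected error: $err"; exit 1
  fi
  # An excluded namespace must still admit the pod; clean it up afterwards.
  privileged_pod_yaml kube-system | kubectl apply -f -
  kubectl delete pod priv-test -n kube-system
}

if [ "${RUN_AGAINST_AZURE:-0}" = "1" ]; then
  main "$@"
fi
```

Run it with `RUN_AGAINST_AZURE=1 RG=<your-rg> AKS=<your-cluster> ./policy.sh` after `az login` and `az aks get-credentials`. The check distinguishes a Gatekeeper denial from any other kubectl failure on purpose: a pod that fails to create because of a typo in the manifest is not evidence that the policy works.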
Useful links: