Cluster Policies
All Gjensidige's Kubernetes clusters are secured with Azure Policies for AKS. You can find all enabled policies as code in the repo terraform-aks-policies. In general, we follow the "Baseline" profile defined in Kubernetes Pod Security Standards with some selected policies from the "Restricted" profile.
Some important policies to know about as an end user are listed below 🔒
Allowed container images
In general, only container images from gjensidige.azurecr.io are allowed in Gjensidige's Kubernetes clusters. In special cases it's possible to whitelist images from other repositories like Docker Hub. The container image whitelist can be found inside the terraform-aks-policies repo.
Required Pod labels
All pods in Gjensidige's AKS clusters are required to define a set of common labels. These labels are mainly used for cluster governance and are required to ensure consistency and ease of automating governance tasks. The following labels are required:
app: Application name (a good convention is to use the GitHub repo name)
environment: "dev", "test" or "prod"
owner: Application owner, in most cases the team name
cost-center: GBS cost center
service-code: GBS service code