[Policy]: Configure Azure Arc enabled Kubernetes clusters to install extensions

[ReneRebsdorf]

Policy Definition or Initiative

Initiative

Built-in/Custom

Custom

Built-in policy definition or initiative ID

ALZInit-Deploy-Arc-Extensions

Custom policy definition or initiative description

Deploy extensions to Azure Arc enabled Kubernetes clusters

Policies in initiative:

• Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension (708b60a6-d253-4fe0-9114-4be4c00f012c)
• Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension (0adc5395-9169-4b9b-8687-af838d69410a)

Scope

Landing Zones

Default Assignment

• Yes

Comments/thoughts

No response

[Springstone]

@ReneRebsdorf Thanks for sharing your issue. It is a reasonable request, but can be complex to implement in complex environments, which is why we are not currently deploying by default.

Will investigate adding an option to configure additional "Arc" related settings in future release streams.

[ReneRebsdorf]

As with most governance items in Azure; these topics can be hard to know whether they are configured correctly from a governance perspective

Which I personally find to be the primary value of CAF; know how to have a good compliance, and omitting Arc is a significant "oversight", purposefully or not.
If it is not desired as a default, I would at least recommend highlighting it, either through exemptions or other means

My 2 cents 😊

[Springstone]

@ReneRebsdorf you're not wrong, it is potentially complex to govern Arc-enabled resources (agents, etc). We're proposing a new section, that is all about enabling on-prem Arc-enabled features.