|
| 1 | +--- |
| 2 | +title: Deployment Safeguards in Azure Kubernetes (AKS) |
| 3 | +description: Provides a solution to issues related to deployment safeguards in Azure Kubernetes Service (AKS). |
| 4 | +ms.date: 07/18/2025 |
| 5 | +ms.reviewer: v-liuamson; v-gsitser |
| 6 | +ms.service: azure-kubernetes-service |
| 7 | +ms.custom: sap:Extensions, Policies and Add-Ons |
| 8 | +--- |
| 9 | + |
| 10 | +# Deployment Safeguards in Azure Kubernetes Service (AKS) |
| 11 | + |
| 12 | +Deployment Safeguards in Azure Kubernetes Service (AKS) help enforce Kubernetes best practices by using Azure Policy and Gatekeeper. While they offer valuable protection, a misconfiguration or misunderstanding of their behavior can cause blocked or mutated workloads. This guide helps you troubleshoot common issues when you use Deployment Safeguards in **Warn** or **Enforce** mode. |
| 13 | + |
| 14 | +## Frequently asked questions |
| 15 | + |
| 16 | +### Why aren't Deployment Safeguards taking effect? |
| 17 | + |
| 18 | +**Symptoms:** |
| 19 | + |
| 20 | +- You deploy noncompliant resources, but you see no warnings or signs of enforcement. |
| 21 | + |
| 22 | +- The Azure Policy dashboard shows a **Not started** value or an empty compliance status. |
| 23 | + |
| 24 | +**Recommended actions:** |
| 25 | + |
| 26 | +- Verify that the Azure Policy add-on is enabled on the cluster: |
| 27 | + |
| 28 | +``` bash |
| 29 | + az aks show \--resource-group \<rg-name\> \--name \<cluster-name\> |
| 30 | + \--query addonProfiles.azurepolicy |
| 31 | +``` |
| 32 | + |
| 33 | +- Check whether the namespace is excluded: |
| 34 | + |
| 35 | +``` bash |
| 36 | + az aks safeguards show \--resource-group \<rg-name\> \--name |
| 37 | + \<cluster-name\> |
| 38 | +``` |
| 39 | + |
| 40 | +### How can I disable Deployment Safeguards? |
| 41 | + |
| 42 | +To disable deployment safeguards entirely, run the following command: |
| 43 | + |
| 44 | +```bash |
| 45 | + az aks safeguards delete \--resource-group \<rg-name\> \--name |
| 46 | + \<cluster-name\> |
| 47 | +``` |
| 48 | + |
| 49 | +### Why can I turn on Deployment Safeguards without Azure Policy permissions? |
| 50 | + |
| 51 | +Deployment Safeguards uses Azure Policy as an implementation detail. To turn on Deployment Safeguards on an AKS cluster, you don't have to have the |
| 52 | +correct permissions to assign or delete Azure Policies. All that is required are permissions to the AKS Contributor role. |
| 53 | + |
| 54 | +### Why does my deployment resource get admitted even though it doesn\'t follow best practices? |
| 55 | + |
| 56 | +Deployment safeguards enforce best practice standards through Azure Policy controls. It has policies that validate against Kubernetes resources. To evaluate and enforce cluster components, Azure Policy extends [Gatekeeper](https://open-policy-agent.github.io/gatekeeper/website/). Gatekeeper enforcement also currently operates in a [fail-open model](https://open-policy-agent.github.io/gatekeeper/website/docs/failing-closed/#considerations). There are no guarantees that Gatekeeper will respond to our networking call. Therefore, we make sure that the validation doesn't run in such cases so that the denial doesn't block your deployments. |
| 57 | + |
| 58 | +## Common error scenarios |
| 59 | + |
| 60 | +When configuring or using Deployment Safeguards, you may encounter error messages in the following situations: |
| 61 | + |
| 62 | +### Configuration-related errors |
| 63 | + |
| 64 | +- **Resource group locked**: The managed cluster's resource group has a resource lock that prevents modifications required for Deployment Safeguards. |
| 65 | + |
| 66 | +- **Suspended subscription**: The Azure subscription containing the AKS cluster is in a suspended state. |
| 67 | + |
| 68 | +- **Cluster in deleting state**: You cannot configure Deployment Safeguards on a cluster that is currently being deleted. |
| 69 | + |
| 70 | +- **Unsupported Kubernetes version**: The managed cluster is running a Kubernetes version earlier than 1.25, which is not supported by Deployment Safeguards. |
| 71 | + |
| 72 | +### Input validation errors |
| 73 | + |
| 74 | +- **Invalid namespace exclusion format**: Excluded namespaces must follow Kubernetes naming conventions. Values like `ns1,ns2` are not valid - use proper Kubernetes regex patterns. |
| 75 | + |
| 76 | +- **Invalid enforcement level**: The enforcement level must be either `Warn` or `Enforce`. Other values will result in a validation error. |
| 77 | + |
| 78 | +- **Malformed configuration parameters**: Other invalid input parameters will trigger specific validation warnings based on the configuration being applied. |
| 79 | + |
| 80 | +**Recommended action**: Review the specific warning message and correct the configuration issue before retrying the operation. |
| 81 | + |
| 82 | +## Additional tips |
| 83 | + |
| 84 | +- All safeguard policies are bundled. They can't be individually toggled. |
| 85 | + |
| 86 | +- Use the [AKS GitHub repo](https://github.com/Azure/AKS/issues) to request new safeguard features. |
| 87 | + |
| 88 | +## Contact us for help |
| 89 | + |
| 90 | +If you have questions or need help, [create a support request](https://ms.portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview?DMC=troubleshoot), or ask [Azure community support](/answers/products/azure?product=all). You can also submit product feedback to [Azure feedback community](https://feedback.azure.com/d365community). |
0 commit comments