|
| 1 | +--- |
| 2 | +title: Troubleshooting Guide:Deployment Safeguards in Azure Kubernetes (AKS) |
| 3 | +description: Provides a solution to issues related to deployment safeguards in Azure Kubernetes Service (AKS). |
| 4 | +ms.date: 07/15/2025 |
| 5 | +ms.reviewer: v-liuamson |
| 6 | +ms.service: azure-kubernetes-service |
| 7 | +ms.custom: sap:Extensions, Policies and Add-Ons |
| 8 | +--- |
| 9 | + |
| 10 | +# Troubleshooting Guide: Deployment Safeguards in Azure Kubernetes Service (AKS) |
| 11 | + |
| 12 | +## Overview |
| 13 | + |
| 14 | +Deployment Safeguards in Azure Kubernetes Service (AKS) help enforce Kubernetes best practices using Azure Policy and Gatekeeper. While they offer valuable protection, |
| 15 | +misconfiguration or misunderstanding of their behavior can lead to |
| 16 | +blocked or mutated workloads. This guide helps troubleshoot common |
| 17 | +issues when using Deployment Safeguards in **Warn** or **Enforce** mode. |
| 18 | + |
| 19 | +### 1. Safeguards Not Taking Effect |
| 20 | + |
| 21 | +**Symptoms:** |
| 22 | + |
| 23 | +- You deployed noncompliant resources but saw no warnings or |
| 24 | + enforcement. |
| 25 | + |
| 26 | +- The Azure Policy dashboard shows **Not started** or empty compliance |
| 27 | + status. |
| 28 | + |
| 29 | +**Recommended Actions:** |
| 30 | + |
| 31 | +- Verify Azure Policy add-on is enabled on the cluster: |
| 32 | + |
| 33 | +``` bash |
| 34 | + az aks show \--resource-group \<rg-name\> \--name \<cluster-name\> |
| 35 | + \--query addonProfiles.azurepolicy |
| 36 | +``` |
| 37 | + |
| 38 | +- Check if the namespace is excluded: |
| 39 | + |
| 40 | +``` bash |
| 41 | + az aks safeguards show \--resource-group \<rg-name\> \--name |
| 42 | + \<cluster-name\> |
| 43 | +``` |
| 44 | + |
| 45 | +### 2. Disable Deployment Safeguards |
| 46 | + |
| 47 | +To disable deployment safeguards entirely, you may use the following command: |
| 48 | + |
| 49 | +```bash |
| 50 | + az aks safeguards delete \--resource-group \<rg-name\> \--name |
| 51 | + \<cluster-name\> |
| 52 | +``` |
| 53 | + |
| 54 | +### 3. Why was I able to turn on Deployment Safeguards without Azure Policy permissions? |
| 55 | + |
| 56 | +Deployment Safeguards uses Azure Policy as an implementation detail. To |
| 57 | +turn on Deployment Safeguards on an AKS cluster, you do not need the |
| 58 | +correct permissions to assign or delete Azure Policies. |
| 59 | + |
| 60 | +### 4. Why did my deployment resource get admitted even though it wasn\'t following best practices? |
| 61 | + |
| 62 | +Deployment safeguards enforce best practice standards through Azure |
| 63 | +Policy controls and has policies that validate against Kubernetes |
| 64 | +resources. To evaluate and enforce cluster components, Azure Policy |
| 65 | +extends [Gatekeeper](https://open-policy-agent.github.io/gatekeeper/website/). |
| 66 | +Gatekeeper enforcement also currently operates in |
| 67 | +a [fail-open model](https://open-policy-agent.github.io/gatekeeper/website/docs/failing-closed/#considerations). |
| 68 | +As there\'s no guarantee that Gatekeeper will respond to our networking |
| 69 | +call, we make sure that in that case, the validation is skipped so that |
| 70 | +the deny doesn\'t block your deployments. |
| 71 | + |
| 72 | +## Additional Tips |
| 73 | + |
| 74 | +- All safeguard policies are bundled - they cannot be individually |
| 75 | + toggled. |
| 76 | + |
| 77 | +- Use the [AKS GitHub repo](https://github.com/Azure/AKS/issues) to request new safeguard features. |
| 78 | + |
| 79 | +## Contact us for help |
| 80 | + |
| 81 | +If you have questions or need help, [create a support request](https://ms.portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview?DMC=troubleshoot), |
| 82 | +or ask [Azure community support](https://learn.microsoft.com/answers/products/azure?product=all). You can also submit product feedback to [Azure feedback community](https://feedback.azure.com/d365community). |
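Review bot: The three `az` command fences (new-file lines 33-36, 40-43 and 49-52) will not run when copied. Inside a code fence the Markdown escapes are literal, so `\--resource-group \<rg-name\>` reaches the shell with the backslashes intact, and the commands are wrapped mid-argument with no line continuation (`--name` at line 40 and line 49 is separated from `<cluster-name>`, and `--query addonProfiles.azurepolicy` sits on its own line at 35). Suggest putting each command on a single unescaped line, for example `az aks show --resource-group <rg-name> --name <cluster-name> --query addonProfiles.azurepolicy`, and using one fence style throughout (line 49 opens with "```bash", the other two with "``` bash"). Smaller points in the same file: the front-matter title at line 2 reads "Troubleshooting Guide:Deployment Safeguards in Azure Kubernetes (AKS)", with no space after the colon and without "Service", which does not match the H1 at line 10; the headings at lines 54 and 60 carry the same stray escape (`wasn\'t`); and line 62 mixes number ("Deployment safeguards enforce ... and has policies"). Section 4 explains that validation is skipped when Gatekeeper does not respond, but stops short of the consequence a reader in **Enforce** mode needs spelled out: a noncompliant resource can be admitted without a deny, so the section should say that plainly and point to where such a resource shows up afterwards. Section 2 gives the delete command with no statement of what the cluster loses; one sentence on the effect of removing safeguards would help someone who arrives here only to unblock a deployment.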