support/azure/azure-kubernetes/extensions/deployment-safeguards-in-azure-kubernetes-service.md
Lines changed: 28 additions & 4 deletions
@@ -1,8 +1,8 @@
1
1
---
2
2
title: Troubleshooting Guide: Deployment Safeguards in Azure Kubernetes (AKS)
3
3
description: Provides a solution to issues related to deployment safeguards in Azure Kubernetes Service (AKS).
4
-
ms.date: 07/15/2025
5
-
ms.reviewer: v-liuamson
4
+
ms.date: 07/18/2025
5
+
ms.reviewer: v-liuamson; v-gsitser
6
6
ms.service: azure-kubernetes-service
7
7
ms.custom: sap:Extensions, Policies and Add-Ons
8
8
---
@@ -49,12 +49,36 @@ To disable deployment safeguards entirely, run the following command:
49
49
### Why can I turn on Deployment Safeguards without Azure Policy permissions?
50
50
51
51
Deployment Safeguards uses Azure Policy as an implementation detail. To turn on Deployment Safeguards on an AKS cluster, you don't have to have the
52
-
correct permissions to assign or delete Azure Policies.
52
+
correct permissions to assign or delete Azure Policies. All that is required are permissions to the AKS Contributor role.
53
53
54
54
### Why does my deployment resource get admitted even though it doesn\'t follow best practices?
55
55
56
56
Deployment safeguards enforce best practice standards through Azure Policy controls. It has policies that validate against Kubernetes resources. To evaluate and enforce cluster components, Azure Policy extends [Gatekeeper](https://open-policy-agent.github.io/gatekeeper/website/). Gatekeeper enforcement also currently operates in a [fail-open model](https://open-policy-agent.github.io/gatekeeper/website/docs/failing-closed/#considerations). There are no guarantees that Gatekeeper will respond to our networking call. Therefore, we make sure that the validation doesn't run in such cases so that the denial doesn't block your deployments.
57
57
58
+
## Common error scenarios
59
+
60
+
When configuring or using Deployment Safeguards, you may encounter error messages in the following situations:
61
+
62
+
### Configuration-related errors
63
+
64
+
-**Resource group locked**: The managed cluster's resource group has a resource lock that prevents modifications required for Deployment Safeguards.
65
+
66
+
-**Suspended subscription**: The Azure subscription containing the AKS cluster is in a suspended state.
67
+
68
+
-**Cluster in deleting state**: You cannot configure Deployment Safeguards on a cluster that is currently being deleted.
69
+
70
+
-**Unsupported Kubernetes version**: The managed cluster is running a Kubernetes version earlier than 1.25, which is not supported by Deployment Safeguards.
71
+
72
+
### Input validation errors
73
+
74
+
-**Invalid namespace exclusion format**: Excluded namespaces must follow Kubernetes naming conventions. Values like `ns1,ns2` are not valid - use proper Kubernetes regex patterns.
75
+
76
+
-**Invalid enforcement level**: The enforcement level must be either `Warn` or `Enforce`. Other values will result in a validation error.
77
+
78
+
-**Malformed configuration parameters**: Other invalid input parameters will trigger specific validation warnings based on the configuration being applied.
79
+
80
+
**Recommended action**: Review the specific warning message and correct the configuration issue before retrying the operation.
81
+
58
82
## Additional tips
59
83
60
84
- All safeguard policies are bundled. They can't be individually toggled.
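Review bot: The "Invalid namespace exclusion format" bullet contradicts itself: it says excluded namespaces must follow "Kubernetes naming conventions", then tells the reader to "use proper Kubernetes regex patterns", and the only value shown (`ns1,ns2`) is the rejected one. State which rule applies and show one accepted value beside the rejected one. In the FAQ answer above it, "All that is required are permissions to the AKS Contributor role" should name the exact built-in role as it appears in Azure RBAC, because readers will use this sentence to scope access; "is" also reads better than "are" there. The section intro promises "error messages", but none are quoted, so a reader cannot match what they see to a bullet; adding the message text per bullet would fix that. As displayed here, the new bullets are written `-**Label**` with no space after the hyphen, unlike the existing `- All safeguard policies` item, so check that they render as a list.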
@@ -63,4 +87,4 @@ Deployment safeguards enforce best practice standards through Azure Policy contr
63
87
64
88
## Contact us for help
65
89
66
-
If you have questions or need help, [create a support request](https://ms.portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview?DMC=troubleshoot), or ask [Azure community support](https://learn.microsoft.com/answers/products/azure?product=all). You can also submit product feedback to [Azure feedback community](https://feedback.azure.com/d365community).
90
+
If you have questions or need help, [create a support request](https://ms.portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview?DMC=troubleshoot), or ask [Azure community support](https://learn.microsoft.com/answers/products/azure?product=all). You can also submit product feedback to [Azure feedback community](https://feedback.azure.com/d365community).
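Review bot: The removed and added "If you have questions or need help" lines are identical as displayed, so this change appears to be whitespace only (a trailing space or the end-of-file newline). If that is not intentional, drop it so the diff stays limited to the new error-scenario content and the metadata update.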