From 026c57c8dc86fd5efa3c5317c3d84e41dc4ead7f Mon Sep 17 00:00:00 2001 From: Kevin Rowlandson Date: Wed, 4 Aug 2021 12:06:17 +0100 Subject: [PATCH 1/4] Fix naming for lzsManagementGroup variable Fix value for sqlEncryptionPolicyAssignment variable
---
 eslzArm/eslzArm.json | 39 +++++++++++++++++++-------------------- 1 file changed, 19 insertions(+), 20 deletions(-)
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 8a9afcc136..4af83ed666 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -581,7 +581,7 @@
 "managementManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').management)]",
 "connectivityManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').connectivity)]",
 "identityManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').identity)]",
- "lzsManaegmentGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').lzs)]",
+ "lzsManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').lzs)]",
 "corpManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').corp)]",
 "onlineManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').online)]"
 },
@@ -607,8 +607,7 @@
 "ascConfigPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ASCConfigPolicyAssignment.json')]",
 "azVmMonitorPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json')]",
 "azVmssMonitorPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json')]",
- "azBackupLzPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json')]",
- "azBackupIdentityPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json')]",
+ "azVmBackupPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json')]",
 "azPolicyForAksPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json')]",
 "aksPrivEscalationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json')]",
 "aksPrivilegedPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json')]",
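Review bot: Removing both `azBackupLzPolicyAssignment` and `azBackupIdentityPolicyAssignment` from `deploymentUris` leaves any remaining `variables('deploymentUris')` reference to either old key unresolved, which should fail when the template expression is evaluated. Later hunks in this patch repoint three `azBackupLzPolicyAssignment` references, but no visible hunk touches a reference to `azBackupIdentityPolicyAssignment`; it may simply have been unused, but a search of eslzArm.json for both old names before merge would confirm that. Both removed keys pointed at the same DINE-VMBackupPolicyAssignment.json, so the consolidation itself does not change which template is linked.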
@@ -624,7 +623,7 @@
 "storageHttpsPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json')]",
 "subnetNsgPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-SubnetWithoutNsgPolicyAssignment.json')]",
 "sqlAuditPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json')]",
- "sqlEncryptionPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json')]",
+ "sqlEncryptionPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-SQLEncryptionPolicyAssignment.json')]",
 "ddosPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json')]",
 "corpVnetPeering": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vnetPeering.json')]",
 "corpVwanPeering": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/vnetPeeringVwan.json')]",
@@ -1919,7 +1918,7 @@
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
 "name": "[variables('deploymentNames').azBackupLzPolicyDeploymentName]",
- "scope": "[variables('scopes').lzsManaegmentGroup]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
 "location": "[deployment().location]",
 "dependsOn": [
 "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]"
@@ -1928,7 +1927,7 @@
 "mode": "Incremental",
 "templateLink": {
 "contentVersion": "1.0.0.0",
- "uri": "[variables('deploymentUris').azBackupLzPolicyAssignment]"
+ "uri": "[variables('deploymentUris').azVmBackupPolicyAssignment]"
 },
 "parameters": {
 "topLevelManagementGroupPrefix": {
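Review bot: The corrected `sqlEncryptionPolicyAssignment` URI in the first hunk on this line (@@ -624) needs a note for operators, which the commit message does not give. With the old value pointing at DINE-SQLAuditingPolicyAssignment.json, the deployment named by `sqlEncryptionPolicyDeploymentName` (hunk @@ -2264) presumably linked the auditing template a second time, so environments deployed from the earlier template may lack the SQL encryption assignment at the landing-zones scope until they are redeployed. I would add a sentence to the description such as `Existing deployments must be re-run to receive the SQL encryption policy assignment.` A pipeline check that every `deploymentUris` value names an existing file, and that no two keys share a target unintentionally, would catch this class of copy-paste error.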
@@ -1946,7 +1945,7 @@
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
 "name": "[variables('deploymentNames').ddosLzPolicyDeploymentName]",
- "scope": "[variables('scopes').lzsManaegmentGroup]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
 "location": "[deployment().location]",
 "dependsOn": [
 "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').ddosDeploymentName)]"
@@ -1976,7 +1975,7 @@
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
 "name": "[variables('deploymentNames').azPolicyForAksPolicyDeploymentName]",
- "scope": "[variables('scopes').lzsManaegmentGroup]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
 "location": "[deployment().location]",
 "dependsOn": [
 "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]"
@@ -2003,7 +2002,7 @@
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
 "name": "[variables('deploymentNames').aksPrivEscalationPolicyDeploymentName]",
- "scope": "[variables('scopes').lzsManaegmentGroup]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
 "location": "[deployment().location]",
 "dependsOn": [
 "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]"
@@ -2027,7 +2026,7 @@
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
 "name": "[variables('deploymentNames').aksPrivilegedPolicyDeploymentName]",
- "scope": "[variables('scopes').lzsManaegmentGroup]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
 "location": "[deployment().location]",
 "dependsOn": [
 "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]"
@@ -2051,7 +2050,7 @@
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
 "name": "[variables('deploymentNames').aksHttpsPolicyDeploymentName]",
- "scope": "[variables('scopes').lzsManaegmentGroup]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
 "location": "[deployment().location]",
 "dependsOn": [
 "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]"
@@ -2075,7 +2074,7 @@
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
 "name": "[variables('deploymentNames').tlsSslPolicyDeploymentName]",
- "scope": "[variables('scopes').lzsManaegmentGroup]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
 "location": "[deployment().location]",
 "dependsOn": [
 "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
@@ -2103,7 +2102,7 @@
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
 "name": "[variables('deploymentNames').ipFwPolicyDeploymentName]",
- "scope": "[variables('scopes').lzsManaegmentGroup]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
 "location": "[deployment().location]",
 "dependsOn": [
 "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
@@ -2156,7 +2155,7 @@
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
 "name": "[variables('deploymentNames').rdpFromInternetPolicyDeploymentName]",
- "scope": "[variables('scopes').lzsManaegmentGroup]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
 "location": "[deployment().location]",
 "dependsOn": [
 "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
@@ -2184,7 +2183,7 @@
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
 "name": "[variables('deploymentNames').storageHttpsPolicyDeploymentName]",
- "scope": "[variables('scopes').lzsManaegmentGroup]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
 "location": "[deployment().location]",
 "dependsOn": [
 "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
@@ -2209,7 +2208,7 @@
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
 "name": "[variables('deploymentNames').subnetNsgPolicyDeploymentName]",
- "scope": "[variables('scopes').lzsManaegmentGroup]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
 "location": "[deployment().location]",
 "dependsOn": [
 "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]",
@@ -2237,7 +2236,7 @@
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
 "name": "[variables('deploymentNames').sqlAuditPolicyDeploymentName]",
- "scope": "[variables('scopes').lzsManaegmentGroup]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
 "location": "[deployment().location]",
 "dependsOn": [
 "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]"
@@ -2264,7 +2263,7 @@
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
 "name": "[variables('deploymentNames').sqlEncryptionPolicyDeploymentName]",
- "scope": "[variables('scopes').lzsManaegmentGroup]",
+ "scope": "[variables('scopes').lzsManagementGroup]",
 "location": "[deployment().location]",
 "dependsOn": [
 "[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').policyDeploymentName)]"
@@ -2303,7 +2302,7 @@
 "mode": "Incremental",
 "templateLink": {
 "contentVersion": "1.0.0.0",
- "uri": "[variables('deploymentUris').azBackupLzPolicyAssignment]"
+ "uri": "[variables('deploymentUris').azVmBackupPolicyAssignment]"
 },
 "parameters": {
 "topLevelManagementGroupPrefix": {
@@ -3320,7 +3319,7 @@
 "mode": "Incremental",
 "templateLink": {
 "contentVersion": "1.0.0.0",
- "uri": "[variables('deploymentUris').azBackupLzPolicyAssignment]"
+ "uri": "[variables('deploymentUris').azVmBackupPolicyAssignment]"
 },
 "parameters": {
 "topLevelManagementGroupPrefix": {
From fa7f898c1b3c073ef20af79c79ebbc0de080b76b Mon Sep 17 00:00:00 2001 From: Kevin Rowlandson Date: Wed, 4 Aug 2021 12:06:53 +0100 Subject: [PATCH 2/4] Update name and description
---
 .../DENY-AksPrivEscalationPolicyAssignment.json | 2 +- .../policyAssignments/DENY-AksPrivilegedPolicyAssignment.json | 2 +- .../DENY-SubnetWithoutNsgPolicyAssignment.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json
index f3e13e0782..85b95a6845 100644
--- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json
@@ -16,7 +16,7 @@
 "denyAksNoPrivEsc": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99"
 },
 "policyAssignmentNames": {
- "denyAksNoPrivEsc": "Deny-Priv-Esc-AKS",
+ "denyAksNoPrivEsc": "Deny-Priv-Escalation-AKS",
 "description": "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "displayName": "Kubernetes clusters should not allow container privilege escalation"
 }
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json
index 033f6bdcf7..cc07f25347 100644
--- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json
@@ -16,7 +16,7 @@
 "denyAksPriv": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4"
 },
 "policyAssignmentNames": {
- "denyAksPriv": "Deny-Privileged-AKS",
+ "denyAksPriv": "Deny-Priv-Containers-AKS",
 "description": "Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "displayName": "Kubernetes cluster should not allow privileged containers"
 }
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-SubnetWithoutNsgPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-SubnetWithoutNsgPolicyAssignment.json
index 62386bb0cc..f507d57fdf 100644
--- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-SubnetWithoutNsgPolicyAssignment.json
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-SubnetWithoutNsgPolicyAssignment.json
@@ -23,7 +23,7 @@
 },
 "policyAssignmentNames": {
 "denySubnetWithoutNsg": "Deny-Subnet-Without-Nsg",
- "description": "This policy denies the creation of a subsnet with out an Network Security Group. NSG help to protect traffic across subnet-level.",
+ "description": "This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets.",
 "displayName": "Subnets should have a Network Security Group"
 }
 },
From d4553abd8b3761d64fcb76dd4c1e1efa8d9a742b Mon Sep 17 00:00:00 2001 From: Kevin Rowlandson Date: Wed, 4 Aug 2021 12:07:30 +0100 Subject: [PATCH 3/4] Replace invalid whitespace character
---
 .../adventureworks/armTemplates/auxiliary/policies.json | 2 +- docs/reference/contoso/armTemplates/auxiliary/policies.json | 2 +- .../reference/treyresearch/armTemplates/auxiliary/policies.json | 2 +- docs/reference/wingtip/armTemplates/auxiliary/policies.json | 2 +- .../managementGroupTemplates/policyDefinitions/policies.json | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/docs/reference/adventureworks/armTemplates/auxiliary/policies.json b/docs/reference/adventureworks/armTemplates/auxiliary/policies.json
index 0699a35c29..1fc396dfa9 100644
--- a/docs/reference/adventureworks/armTemplates/auxiliary/policies.json
+++ b/docs/reference/adventureworks/armTemplates/auxiliary/policies.json
@@ -20173,7 +20173,7 @@ "Disabled" ], "metadata": { - "displayName": "Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)", + "displayName": "Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)", "description": "Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk." } }, diff --git a/docs/reference/contoso/armTemplates/auxiliary/policies.json b/docs/reference/contoso/armTemplates/auxiliary/policies.json index 0699a35c29..1fc396dfa9 100644 --- a/docs/reference/contoso/armTemplates/auxiliary/policies.json +++ b/docs/reference/contoso/armTemplates/auxiliary/policies.json @@ -20173,7 +20173,7 @@ "Disabled" ], "metadata": { - "displayName": "Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)", + "displayName": "Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)", "description": "Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk." } }, diff --git a/docs/reference/treyresearch/armTemplates/auxiliary/policies.json b/docs/reference/treyresearch/armTemplates/auxiliary/policies.json index 0699a35c29..1fc396dfa9 100644 --- a/docs/reference/treyresearch/armTemplates/auxiliary/policies.json +++ b/docs/reference/treyresearch/armTemplates/auxiliary/policies.json 
@@ -20173,7 +20173,7 @@ "Disabled" ], "metadata": { - "displayName": "Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)", + "displayName": "Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)", "description": "Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk." } }, diff --git a/docs/reference/wingtip/armTemplates/auxiliary/policies.json b/docs/reference/wingtip/armTemplates/auxiliary/policies.json index 0699a35c29..1fc396dfa9 100644 --- a/docs/reference/wingtip/armTemplates/auxiliary/policies.json +++ b/docs/reference/wingtip/armTemplates/auxiliary/policies.json @@ -20173,7 +20173,7 @@ "Disabled" ], "metadata": { - "displayName": "Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)", + "displayName": "Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)", "description": "Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk." } }, diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json index b465ac7e05..ae57164bc4 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json 
@@ -16281,7 +16281,7 @@ "Disabled" ], "metadata": { - "displayName": "Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)", + "displayName": "Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)", "description": "Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk." } }, From f6d021f48cbebe9e445f75311a8685427f2164b3 Mon Sep 17 00:00:00 2001 From: Kevin Rowlandson Date: Wed, 11 Aug 2021 09:06:38 +0100 Subject: [PATCH 4/4] Revert Policy Assignment names --- .../DENY-AksPrivEscalationPolicyAssignment.json | 2 +- .../policyAssignments/DENY-AksPrivilegedPolicyAssignment.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json index 85b95a6845..f3e13e0782 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json 
@@ -16,7 +16,7 @@
 "denyAksNoPrivEsc": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99"
 },
 "policyAssignmentNames": {
- "denyAksNoPrivEsc": "Deny-Priv-Escalation-AKS",
+ "denyAksNoPrivEsc": "Deny-Priv-Esc-AKS",
 "description": "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "displayName": "Kubernetes clusters should not allow container privilege escalation"
 }
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json
index cc07f25347..033f6bdcf7 100644
--- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json
+++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json
@@ -16,7 +16,7 @@
 "denyAksPriv": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4"
 },
 "policyAssignmentNames": {
- "denyAksPriv": "Deny-Priv-Containers-AKS",
+ "denyAksPriv": "Deny-Privileged-AKS",
 "description": "Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.",
 "displayName": "Kubernetes cluster should not allow privileged containers"
 }