
[Question] Azure Policy blocking AKS Run Command #4769

Open
k-cogswell opened this issue Jan 28, 2025 · 13 comments
Labels
azure/policy Needs Attention 👋 Issues needs attention/assignee/owner question stale Stale issue

Comments

@k-cogswell

I'm trying to use the Run Command feature in my AKS cluster but I get the following message:

```
{"code":"RunCommandBlockedByAzurePolicy","details":null,"message":"Run command is blocked by external resource, please check the error message for more details. details: AKS runCommand feature is blocked by Azure Policy applied to this cluster, to fix this issue you will need to run `kubectl get k8sazurecustomcontainerallowedimages -o yaml` find policy assignment by `azure-policy-assignment-id` annotation, then fix the policy.","subcode":"PodCreateBlockedByAzurePolicy"}
```

I tried to run the command it suggests:

```
kubectl get k8sazurecustomcontainerallowedimages -o yaml
```

but I get a message that this resource type doesn't exist:

```
error: the server doesn't have a resource type "k8sazurecustomcontainerallowedimages"
```

I thought maybe there was a typo in the suggestion and tried:

```
kubectl get constrainttemplate k8sazurecustomcontainerallowedimages
```

but the template was not found.

Question

Is there any other way for me to find which policy is blocking me from using Run Command?

@sjwaight
Contributor

Hi @k-cogswell - here are details on why the run command is affected by Policy and how you can exempt the namespace from Policy - run command docs. More of an overview of what Azure Policies can be applied to AKS can be found in the AKS docs on Policy.

@anlandu
Member

anlandu commented Jan 29, 2025

@k-cogswell It may be a different policy than k8sazurecustomcontainerallowedimages blocking the run command. If you run `kubectl get constraints -o wide`, do you get any results? (May have to run twice.)
I can work on adding that to our docs/improving the error messages.

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs Attention 👋 Issues needs attention/assignee/owner stale Stale issue labels Feb 19, 2025
@k-cogswell
Author

> @k-cogswell It may be a different policy than k8sazurecustomcontainerallowedimages blocking the run command. If you run kubectl get constraints -o wide do you get any results? (May have to run twice) I can work on adding that to our docs/improving the error messages

@anlandu , thanks for your reply!

The output is quite large - is there any one of these that you may think is the culprit?

NAME                                                                                                       ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sazurev1blockdefault.constraints.gatekeeper.sh/azurepolicy-k8sazurev1blockdefault-412ab5a03df011a5e8c6   dryrun               2
k8sazurev1blockdefault.constraints.gatekeeper.sh/azurepolicy-k8sazurev1blockdefault-6892fc6757dcb099ba21   dryrun               2

NAME                                                                                                               ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sazurev1ingresshttpsonly.constraints.gatekeeper.sh/azurepolicy-k8sazurev1ingresshttpsonly-2dd1568071d7ed0a4698   dryrun               0
k8sazurev1ingresshttpsonly.constraints.gatekeeper.sh/azurepolicy-k8sazurev1ingresshttpsonly-342a1ef653982249cfcc   dryrun               0
k8sazurev1ingresshttpsonly.constraints.gatekeeper.sh/azurepolicy-k8sazurev1ingresshttpsonly-8056885b0cfedb2a654e   dryrun               0
k8sazurev1ingresshttpsonly.constraints.gatekeeper.sh/azurepolicy-k8sazurev1ingresshttpsonly-ba4a3916785704d4bd5d   dryrun               0
k8sazurev1ingresshttpsonly.constraints.gatekeeper.sh/azurepolicy-k8sazurev1ingresshttpsonly-e73778b81ac75e095057   dryrun               0

NAME                                                                                                                     ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sazurev1serviceallowedports.constraints.gatekeeper.sh/azurepolicy-k8sazurev1serviceallowedports-6a4691b5e32a5813691c   dryrun               32
k8sazurev1serviceallowedports.constraints.gatekeeper.sh/azurepolicy-k8sazurev1serviceallowedports-7d51c7c7dfa603053332   deny                 0
k8sazurev1serviceallowedports.constraints.gatekeeper.sh/azurepolicy-k8sazurev1serviceallowedports-c97654aeef554475f61b   dryrun               32
k8sazurev1serviceallowedports.constraints.gatekeeper.sh/azurepolicy-k8sazurev1serviceallowedports-d15008781572890d749b   dryrun               32
k8sazurev1serviceallowedports.constraints.gatekeeper.sh/azurepolicy-k8sazurev1serviceallowedports-d704e4a5b58708cfea11   deny                 0
k8sazurev1serviceallowedports.constraints.gatekeeper.sh/azurepolicy-k8sazurev1serviceallowedports-f0674848056b803bb01e   dryrun               32
k8sazurev1serviceallowedports.constraints.gatekeeper.sh/azurepolicy-k8sazurev1serviceallowedports-fb34ac8f3e0b80e00663   dryrun               32

NAME                                                                                                                     ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sazurev2blockautomounttoken.constraints.gatekeeper.sh/azurepolicy-k8sazurev2blockautomounttoken-16939a3e46de9eaecc20   dryrun               32
k8sazurev2blockautomounttoken.constraints.gatekeeper.sh/azurepolicy-k8sazurev2blockautomounttoken-1f1fac6793e21a65710a   deny                 0
k8sazurev2blockautomounttoken.constraints.gatekeeper.sh/azurepolicy-k8sazurev2blockautomounttoken-e56017883b24b6499824   dryrun               32

NAME                                                                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sazurev2blockhostnamespace.constraints.gatekeeper.sh/azurepolicy-k8sazurev2blockhostnamespace-11f9bff6d38a54923bef   deny                 0
k8sazurev2blockhostnamespace.constraints.gatekeeper.sh/azurepolicy-k8sazurev2blockhostnamespace-5f11082ae8ce5670b46b   dryrun               0
k8sazurev2blockhostnamespace.constraints.gatekeeper.sh/azurepolicy-k8sazurev2blockhostnamespace-759b719efd5a99d32dcf   dryrun               0
k8sazurev2blockhostnamespace.constraints.gatekeeper.sh/azurepolicy-k8sazurev2blockhostnamespace-882ce8a0503ad532fd19   dryrun               0
k8sazurev2blockhostnamespace.constraints.gatekeeper.sh/azurepolicy-k8sazurev2blockhostnamespace-8cad1922a56c01338b68   deny                 0
k8sazurev2blockhostnamespace.constraints.gatekeeper.sh/azurepolicy-k8sazurev2blockhostnamespace-9c4b2c55d26953ab2bfd   dryrun               0
k8sazurev2blockhostnamespace.constraints.gatekeeper.sh/azurepolicy-k8sazurev2blockhostnamespace-cecbdf9e9c8fa12e3f59   dryrun               0
k8sazurev2blockhostnamespace.constraints.gatekeeper.sh/azurepolicy-k8sazurev2blockhostnamespace-f68e1771321a4e1fd922   dryrun               0
k8sazurev2blockhostnamespace.constraints.gatekeeper.sh/azurepolicy-k8sazurev2blockhostnamespace-fa2f2fca135189cdd835   dryrun               0

NAME                                                                                                                         ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sazurev2containerallowedimages.constraints.gatekeeper.sh/azurepolicy-k8sazurev2containerallowedimag-260ad7ff7a8d0aaaad5b   dryrun               64
k8sazurev2containerallowedimages.constraints.gatekeeper.sh/azurepolicy-k8sazurev2containerallowedimag-37b2fb68b0030df54f1a   dryrun               64
k8sazurev2containerallowedimages.constraints.gatekeeper.sh/azurepolicy-k8sazurev2containerallowedimag-688664c89e9e4e762bb0   deny                 0
k8sazurev2containerallowedimages.constraints.gatekeeper.sh/azurepolicy-k8sazurev2containerallowedimag-86cbaaa0538954cc4139   dryrun               64
k8sazurev2containerallowedimages.constraints.gatekeeper.sh/azurepolicy-k8sazurev2containerallowedimag-bc72a54714790a28721b   dryrun               64
k8sazurev2containerallowedimages.constraints.gatekeeper.sh/azurepolicy-k8sazurev2containerallowedimag-d61914d8cfb2551acf5e   dryrun               64

NAME                                                                                                     ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sazurev2noprivilege.constraints.gatekeeper.sh/azurepolicy-k8sazurev2noprivilege-0ca3854c09b0999b8deb   dryrun               0
k8sazurev2noprivilege.constraints.gatekeeper.sh/azurepolicy-k8sazurev2noprivilege-2cb10002d5dfb2b22461   dryrun               0
k8sazurev2noprivilege.constraints.gatekeeper.sh/azurepolicy-k8sazurev2noprivilege-39fb254087ad687903b5   dryrun               0
k8sazurev2noprivilege.constraints.gatekeeper.sh/azurepolicy-k8sazurev2noprivilege-5104c25ba7466e2e554f   dryrun               0
k8sazurev2noprivilege.constraints.gatekeeper.sh/azurepolicy-k8sazurev2noprivilege-8327b5eafd0fb3e0561d   dryrun               0
k8sazurev2noprivilege.constraints.gatekeeper.sh/azurepolicy-k8sazurev2noprivilege-df1288c3379fafc0b8a1   dryrun               0
k8sazurev2noprivilege.constraints.gatekeeper.sh/azurepolicy-k8sazurev2noprivilege-e89c614fd8a3dc376382   dryrun               0

NAME                                                                                                     ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sazurev2volumetypes.constraints.gatekeeper.sh/azurepolicy-k8sazurev2volumetypes-d512fd9adcd946549106   dryrun               7

NAME                                                                                                                     ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sazurev3allowedcapabilities.constraints.gatekeeper.sh/azurepolicy-k8sazurev3allowedcapabilities-2c3186b9484639bba33b   dryrun               0
k8sazurev3allowedcapabilities.constraints.gatekeeper.sh/azurepolicy-k8sazurev3allowedcapabilities-3d27a1ea8d9fc1d3be9f   dryrun               0
k8sazurev3allowedcapabilities.constraints.gatekeeper.sh/azurepolicy-k8sazurev3allowedcapabilities-49a830ff12bb51fa94a7   dryrun               0
k8sazurev3allowedcapabilities.constraints.gatekeeper.sh/azurepolicy-k8sazurev3allowedcapabilities-82d3cf90521736866e5f   dryrun               0
k8sazurev3allowedcapabilities.constraints.gatekeeper.sh/azurepolicy-k8sazurev3allowedcapabilities-9539f53bafdbb4965cd5   dryrun               0
k8sazurev3allowedcapabilities.constraints.gatekeeper.sh/azurepolicy-k8sazurev3allowedcapabilities-b0e870e97590329222a1   dryrun               0
k8sazurev3allowedcapabilities.constraints.gatekeeper.sh/azurepolicy-k8sazurev3allowedcapabilities-d47e1cbf502a423ed2e2   dryrun               0

NAME                                                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sazurev3allowedseccomp.constraints.gatekeeper.sh/azurepolicy-k8sazurev3allowedseccomp-22cb8b7c220c20b46cfe   deny                 0
k8sazurev3allowedseccomp.constraints.gatekeeper.sh/azurepolicy-k8sazurev3allowedseccomp-9b69085b8cd44d26a9ea   dryrun               26
k8sazurev3allowedseccomp.constraints.gatekeeper.sh/azurepolicy-k8sazurev3allowedseccomp-d9f2bfd8ac87fd1a2f35   deny                 0

NAME                                                                                                                   ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sazurev3allowedusersgroups.constraints.gatekeeper.sh/azurepolicy-k8sazurev3allowedusersgroups-17a4fa79cc3723a0ddcb   dryrun               0
k8sazurev3allowedusersgroups.constraints.gatekeeper.sh/azurepolicy-k8sazurev3allowedusersgroups-8e99282b54e26683c164   dryrun               0
k8sazurev3allowedusersgroups.constraints.gatekeeper.sh/azurepolicy-k8sazurev3allowedusersgroups-a718cd84b2e4a68e6b89   dryrun               0
k8sazurev3allowedusersgroups.constraints.gatekeeper.sh/azurepolicy-k8sazurev3allowedusersgroups-b4aead4602a3e1f80933   dryrun               42
k8sazurev3allowedusersgroups.constraints.gatekeeper.sh/azurepolicy-k8sazurev3allowedusersgroups-c32699e28e43d067bc40   dryrun               154
k8sazurev3allowedusersgroups.constraints.gatekeeper.sh/azurepolicy-k8sazurev3allowedusersgroups-f974fc94be58df328942   dryrun               42

NAME                                                                                                             ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sazurev3containerlimits.constraints.gatekeeper.sh/azurepolicy-k8sazurev3containerlimits-1dba1b0f41d5ea8c4801   deny                 0
k8sazurev3containerlimits.constraints.gatekeeper.sh/azurepolicy-k8sazurev3containerlimits-297ba6b4038947d80558   dryrun               4
k8sazurev3containerlimits.constraints.gatekeeper.sh/azurepolicy-k8sazurev3containerlimits-39521fce98b57c69e1f6   dryrun               124
k8sazurev3containerlimits.constraints.gatekeeper.sh/azurepolicy-k8sazurev3containerlimits-6dc7310ef677e6194c4d   dryrun               4
k8sazurev3containerlimits.constraints.gatekeeper.sh/azurepolicy-k8sazurev3containerlimits-86bbe0e62ed35e264314   dryrun               124
k8sazurev3containerlimits.constraints.gatekeeper.sh/azurepolicy-k8sazurev3containerlimits-ace9411e152ed5b49baa   deny                 0
k8sazurev3containerlimits.constraints.gatekeeper.sh/azurepolicy-k8sazurev3containerlimits-dca7003c9eb8f02702ca   dryrun               124

NAME                                                                                                                         ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sazurev3disallowedcapabilities.constraints.gatekeeper.sh/azurepolicy-k8sazurev3disallowedcapabiliti-84d52dfbc07ddcb1bc77   dryrun               0
k8sazurev3disallowedcapabilities.constraints.gatekeeper.sh/azurepolicy-k8sazurev3disallowedcapabiliti-fcf3f16b52af371f48f4   dryrun               0

NAME                                                                                                             ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sazurev3enforceapparmor.constraints.gatekeeper.sh/azurepolicy-k8sazurev3enforceapparmor-13b176fd0a0c08b5028f   dryrun               0
k8sazurev3enforceapparmor.constraints.gatekeeper.sh/azurepolicy-k8sazurev3enforceapparmor-256f623bc8e1a4107a60   dryrun               0
k8sazurev3enforceapparmor.constraints.gatekeeper.sh/azurepolicy-k8sazurev3enforceapparmor-60009a50e4bd4448bd6d   dryrun               64
k8sazurev3enforceapparmor.constraints.gatekeeper.sh/azurepolicy-k8sazurev3enforceapparmor-8c82b9eb9930739b9b15   dryrun               64
k8sazurev3enforceapparmor.constraints.gatekeeper.sh/azurepolicy-k8sazurev3enforceapparmor-faf1931b348666c865a8   dryrun               64

NAME                                                                                                           ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sazurev3hostfilesystem.constraints.gatekeeper.sh/azurepolicy-k8sazurev3hostfilesystem-12991ea870e0aea80b36   dryrun               21
k8sazurev3hostfilesystem.constraints.gatekeeper.sh/azurepolicy-k8sazurev3hostfilesystem-1f30b3d3c094f68edea3   dryrun               0
k8sazurev3hostfilesystem.constraints.gatekeeper.sh/azurepolicy-k8sazurev3hostfilesystem-28d72187235865cc0e44   dryrun               21
k8sazurev3hostfilesystem.constraints.gatekeeper.sh/azurepolicy-k8sazurev3hostfilesystem-29b71c990972e76f51b1   dryrun               0
k8sazurev3hostfilesystem.constraints.gatekeeper.sh/azurepolicy-k8sazurev3hostfilesystem-815c8c7614a5b6dc099d   dryrun               7
k8sazurev3hostfilesystem.constraints.gatekeeper.sh/azurepolicy-k8sazurev3hostfilesystem-96c82efa390b0d255a11   dryrun               21
k8sazurev3hostfilesystem.constraints.gatekeeper.sh/azurepolicy-k8sazurev3hostfilesystem-9f63cafb94fadb0fb912   dryrun               21
k8sazurev3hostfilesystem.constraints.gatekeeper.sh/azurepolicy-k8sazurev3hostfilesystem-ad913050cfd9024e4545   dryrun               21

NAME                                                                                                                     ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sazurev3hostnetworkingports.constraints.gatekeeper.sh/azurepolicy-k8sazurev3hostnetworkingports-04534c45ab3acd8672fd   dryrun               7
k8sazurev3hostnetworkingports.constraints.gatekeeper.sh/azurepolicy-k8sazurev3hostnetworkingports-09283fe46c1c5c16ab64   deny                 0
k8sazurev3hostnetworkingports.constraints.gatekeeper.sh/azurepolicy-k8sazurev3hostnetworkingports-16ad0d13144376a57dda   dryrun               7
k8sazurev3hostnetworkingports.constraints.gatekeeper.sh/azurepolicy-k8sazurev3hostnetworkingports-4c5037582e51b49c3367   dryrun               7
k8sazurev3hostnetworkingports.constraints.gatekeeper.sh/azurepolicy-k8sazurev3hostnetworkingports-5baa3884251428e3ee29   dryrun               7
k8sazurev3hostnetworkingports.constraints.gatekeeper.sh/azurepolicy-k8sazurev3hostnetworkingports-62610f4aa65856c5d726   dryrun               7
k8sazurev3hostnetworkingports.constraints.gatekeeper.sh/azurepolicy-k8sazurev3hostnetworkingports-6bb591daf99d3874fd4e   deny                 0
k8sazurev3hostnetworkingports.constraints.gatekeeper.sh/azurepolicy-k8sazurev3hostnetworkingports-89e5a39d9dfef207cc16   dryrun               7
k8sazurev3hostnetworkingports.constraints.gatekeeper.sh/azurepolicy-k8sazurev3hostnetworkingports-ea8ed55dcf031fed2c04   dryrun               7

NAME                                                                                                                        ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sazurev3noprivilegeescalation.constraints.gatekeeper.sh/azurepolicy-k8sazurev3noprivilegeescalatio-03818aa6072d96fc8762   dryrun               6
k8sazurev3noprivilegeescalation.constraints.gatekeeper.sh/azurepolicy-k8sazurev3noprivilegeescalatio-1da0e61adad8e6c4270b   deny                 0
k8sazurev3noprivilegeescalation.constraints.gatekeeper.sh/azurepolicy-k8sazurev3noprivilegeescalatio-3df60f635f1c39351377   dryrun               6
k8sazurev3noprivilegeescalation.constraints.gatekeeper.sh/azurepolicy-k8sazurev3noprivilegeescalatio-5651fe272aab3c532c1a   dryrun               6
k8sazurev3noprivilegeescalation.constraints.gatekeeper.sh/azurepolicy-k8sazurev3noprivilegeescalatio-5ce71491e2765130efb0   dryrun               6
k8sazurev3noprivilegeescalation.constraints.gatekeeper.sh/azurepolicy-k8sazurev3noprivilegeescalatio-6d9ffb87dab7bc36bbf2   dryrun               6
k8sazurev3noprivilegeescalation.constraints.gatekeeper.sh/azurepolicy-k8sazurev3noprivilegeescalatio-986fe1f53ed7c67a9b95   dryrun               6

NAME                                                                                                                         ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
k8sazurev3readonlyrootfilesystem.constraints.gatekeeper.sh/azurepolicy-k8sazurev3readonlyrootfilesyst-00a2d19427abf706bbf3   dryrun               8
k8sazurev3readonlyrootfilesystem.constraints.gatekeeper.sh/azurepolicy-k8sazurev3readonlyrootfilesyst-0298a90289a73d39cd08   dryrun               8
k8sazurev3readonlyrootfilesystem.constraints.gatekeeper.sh/azurepolicy-k8sazurev3readonlyrootfilesyst-150192ddba75e02b7faf   dryrun               8
k8sazurev3readonlyrootfilesystem.constraints.gatekeeper.sh/azurepolicy-k8sazurev3readonlyrootfilesyst-4e8ef2a316e31c5a3938   deny                 0
k8sazurev3readonlyrootfilesystem.constraints.gatekeeper.sh/azurepolicy-k8sazurev3readonlyrootfilesyst-6f0c45e660ebcc4f5ceb   dryrun               8
k8sazurev3readonlyrootfilesystem.constraints.gatekeeper.sh/azurepolicy-k8sazurev3readonlyrootfilesyst-cfd160bb7c6f3d8475d6   deny                 0
k8sazurev3readonlyrootfilesystem.constraints.gatekeeper.sh/azurepolicy-k8sazurev3readonlyrootfilesyst-e8e9442bac09c0bf01d4   dryrun               8

@microsoft-github-policy-service microsoft-github-policy-service bot removed the stale Stale issue label Feb 19, 2025
@anlandu
Member

anlandu commented Feb 19, 2025

@k-cogswell I'm guessing it's k8sazurev2containerallowedimages, but to be sure, you can send me your cluster's resource ID and a timestamp of an attempt, and I'll take a look at the logs.

@microsoft-github-policy-service microsoft-github-policy-service bot removed the Needs Attention 👋 Issues needs attention/assignee/owner label Feb 19, 2025
@k-cogswell
Author

> @k-cogswell I'm guessing it's k8sazurev2containerallowedimages but to be sure, you can send me your cluster's resource ID and a timestamp of an attempt, and I'll take a look at the logs

@anlandu here is the resource id and timestamp of my latest attempt:

/subscriptions/e13dc0d9-8275-4996-a290-5108be5eb3ee/resourcegroups/udf-dev-rg/providers/Microsoft.ContainerService/managedClusters/udf-dev-aks-canadacentral

2025-02-24T19:28:31Z

Thank you for your help with this

@anlandu
Member

anlandu commented Feb 24, 2025

@k-cogswell looks like there are several constraints that blocked the command:
azurepolicy-k8sazurev2blockautomounttoken-1f1fac6793e21a65710a
azurepolicy-k8sazurev3noprivilegeescalatio-1da0e61adad8e6c4270b
azurepolicy-k8sazurev3readonlyrootfilesyst-cfd160bb7c6f3d8475d6
azurepolicy-k8sazurev3readonlyrootfilesyst-4e8ef2a316e31c5a3938
azurepolicy-k8sazurev3allowedseccomp-22cb8b7c220c20b46cfe
azurepolicy-k8sazurev3allowedseccomp-d9f2bfd8ac87fd1a2f35

You may also need an exemption on
azurepolicy-k8sazurev3containerlimits-1dba1b0f41d5ea8c4801
azurepolicy-k8sazurev3containerlimits-ace9411e152ed5b49baa
down the line, for the second admission request after the first one is unblocked by the above constraints

You can look at each constraint's annotation to see the assignment ID for each, then visit that assignment ID in portal to create a temporary exemption or permanent ns/labelSelector-based exclusion depending on your needs.

@anlandu
Member

anlandu commented Feb 24, 2025

Note that the Azure docs linked above are for excluding the initial command passthrough, which gets run in the aks-command namespace; however, the pod running the command and potentially getting blocked after the first command goes through will be in the default namespace. Will start a thread internally about our docs and improving error message passthrough.
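The two points above (read each constraint's `azure-policy-assignment-id` annotation to find the assignment, and remember that the second pod lands in `default`, not `aks-command`) can be turned into a small triage script. This is an added example, not code from the thread or from the AKS project: it takes the JSON that `kubectl get constraints -o json` prints, keeps only constraints in `deny` mode whose `spec.match` still covers the namespace you name, and reports the assignment ID from the annotation. The sample document is constructed; the constraint names are the ones listed in this thread, while the assignment IDs are placeholders.

```python
"""Triage which Gatekeeper/Azure Policy constraints can deny a pod in a namespace."""
import fnmatch
import json
import sys

# Constructed sample of `kubectl get constraints -o json`, trimmed to the fields the
# triage needs. Constraint names come from the thread; the assignment IDs are
# placeholders, not real Azure resource IDs.
SAMPLE_CONSTRAINTS = {
    "items": [
        {
            "kind": "K8sAzureV2BlockAutomountToken",
            "metadata": {
                "name": "azurepolicy-k8sazurev2blockautomounttoken-1f1fac6793e21a65710a",
                "annotations": {"azure-policy-assignment-id": "/subscriptions/<sub-id>/providers/Microsoft.Authorization/policyAssignments/<assignment-A>"},
            },
            # deny mode; aks-command is excluded but default is not, so the second pod is blocked
            "spec": {"enforcementAction": "deny", "match": {"excludedNamespaces": ["kube-*", "aks-command"]}},
        },
        {
            "kind": "K8sAzureV3AllowedSeccomp",
            "metadata": {
                "name": "azurepolicy-k8sazurev3allowedseccomp-22cb8b7c220c20b46cfe",
                "annotations": {"azure-policy-assignment-id": "/subscriptions/<sub-id>/providers/Microsoft.Authorization/policyAssignments/<assignment-B>"},
            },
            # deny mode, but default is already excluded: not a blocker for the second pod
            "spec": {"enforcementAction": "deny", "match": {"excludedNamespaces": ["kube-*", "aks-command", "default"]}},
        },
        {
            "kind": "K8sAzureV2ContainerAllowedImages",
            "metadata": {
                "name": "azurepolicy-k8sazurev2containerallowedimag-260ad7ff7a8d0aaaad5b",
                "annotations": {"azure-policy-assignment-id": "/subscriptions/<sub-id>/providers/Microsoft.Authorization/policyAssignments/<assignment-C>"},
            },
            # dryrun only audits; it can never reject an admission request
            "spec": {"enforcementAction": "dryrun", "match": {}},
        },
        {
            "kind": "K8sAzureV3ContainerLimits",
            "metadata": {"name": "azurepolicy-k8sazurev3containerlimits-1dba1b0f41d5ea8c4801", "annotations": {}},
            # deny mode scoped to an explicit namespace list that does not include default
            "spec": {"enforcementAction": "deny", "match": {"namespaces": ["prod"]}},
        },
    ]
}


def applies_to_namespace(match, namespace):
    """Return True if a constraint's spec.match still covers the namespace.

    Gatekeeper allows '*' prefix/suffix wildcards in namespace entries, which
    fnmatch handles; labelSelector/namespaceSelector are not evaluated here.
    """
    for pattern in match.get("excludedNamespaces") or []:
        if fnmatch.fnmatchcase(namespace, pattern):
            return False
    scoped = match.get("namespaces") or []
    if scoped and not any(fnmatch.fnmatchcase(namespace, p) for p in scoped):
        return False
    return True


def blocking_constraints(doc, namespace):
    """List (constraint name, assignment id) for deny-mode constraints that can reject
    a pod created in `namespace`. Gatekeeper treats a missing enforcementAction as deny."""
    hits = []
    for item in doc.get("items", []):
        spec = item.get("spec", {})
        if spec.get("enforcementAction", "deny") != "deny":
            continue
        if not applies_to_namespace(spec.get("match", {}), namespace):
            continue
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        hits.append((meta.get("name", "<unnamed>"),
                     annotations.get("azure-policy-assignment-id", "<no assignment annotation>")))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: kubectl get constraints -o json | python3 triage.py default
    ns = sys.argv[1] if len(sys.argv) > 1 else "default"
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_CONSTRAINTS
    for name, assignment in blocking_constraints(doc, ns):
        print(f"{name}\n    assignment: {assignment}")
```

Run it against a live cluster by piping `kubectl get constraints -o json` into it and passing the namespace the blocked pod is created in (`default` for the second admission request in this thread, `aks-command` for the passthrough). Each reported assignment ID is what you open in the portal to add the exemption or a labelSelector-based exclusion; constraints in `dryrun` are skipped because they only audit. Note the assumption in the code: it evaluates only `excludedNamespaces` and `namespaces`, so a constraint scoped by `namespaceSelector` or `labelSelector` still shows up and has to be checked by hand.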

@k-cogswell
Author

Thank you @anlandu , do you happen to have the name of the image that is being used for the pod in the default namespace?

If I can, I would prefer to create an exemption for that specific image vs an exemption for the entire namespace.

@anlandu
Member

anlandu commented Feb 26, 2025

That depends on the command you're trying to run; I just assumed, because I saw an nginx 403 earlier in the logs, that the command would involve creating an nginx pod. @k-cogswell

@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs Attention 👋 Issues needs attention/assignee/owner label Mar 4, 2025
@anlandu
Member

anlandu commented Mar 5, 2025

@k-cogswell I've merged a fix to the error message to have it pass through the list of failures from Gatekeeper, for easier debugging. It should go out in the next release after 20250220 (https://releases.aks.azure.com/). Will add a backlog item to make the pod in the aks-command namespace PSS compliant, as well. Thanks for raising this!

@microsoft-github-policy-service microsoft-github-policy-service bot removed the Needs Attention 👋 Issues needs attention/assignee/owner label Mar 5, 2025
Contributor

Action required from @aritraghosh, @julia-yin, @AllenWen-at-Azure

@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs Attention 👋 Issues needs attention/assignee/owner label Mar 11, 2025
Contributor

Issue needing attention of @Azure/aks-leads

@microsoft-github-policy-service microsoft-github-policy-service bot added the stale Stale issue label Mar 25, 2025
Contributor

This issue has been automatically marked as stale because it has not had any activity for 14 days. It will be closed if no further activity occurs within 7 days of this comment.
