[Feature Request] Blocking pods/exec and pods/attach functionality requires a small change to operations field of ValidatingWebHookConfiguration gatekeeper-validating-webhook-configuration in Azure Policy addon
#4255
Closed
Speeddymon opened this issue
May 2, 2024
· 5 comments
Is your feature request related to a problem? Please describe.
I want to have an Azure Policy which blocks the usage of kubectl exec and kubectl attach to AKS resources.
This is pretty well documented in upstream Gatekeeper issue 1056.
We can implement the policy in our clusters but it will have no effect.
The validating webhook gatekeeper-validating-webhook-configuration in AKS with Azure Policy addon has the webhook rules.operations field set to only apply to CREATE and UPDATE operations, but in order to block pods/exec and pods/attach, the operations would need to also include CONNECT.
Describe the solution you'd like
Since I cannot configure the Gatekeeper validating webhook configuration in Azure Policy, I wanted to open a feature request for the addition of CONNECT to the webhook rules.operations field.
Describe alternatives you've considered
I opened a support ticket in the Azure Portal and they referred me here.
Additional context
N/A
Speeddymon changed the title from "[Feature Request] Support said to open this feature request" to "[Feature Request] Blocking pods/exec and pods/attach functionality requires a small change to operations field of ValidatingWebHookConfiguration gatekeeper-validating-webhook-configuration in Azure Policy addon" on May 3, 2024
@Speeddymon CONNECT ops should already be enabled in AKS release 1025/policy addon version 1.8. What region are your clusters in? You can cross-reference the region against the AKS releases link to determine whether you should have received it yet.
Thanks for your response, I've confirmed I can see CONNECT under the operations and pods/exec and pods/attach under the resources. Hence I am closing this issue.
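The verification described in the issue and in the closing comment (does the webhook's rules.operations include CONNECT, and do rules.resources include pods/exec and pods/attach?) can be scripted against the output of `kubectl get validatingwebhookconfiguration gatekeeper-validating-webhook-configuration -o json`. The checker below is an added example, not code from the issue author, from Gatekeeper, or from the Azure Policy addon. It assumes the standard admissionregistration.k8s.io/v1 JSON shape, applies the upstream matching rules for `resources` (`*` covers resources but not subresources, `pods/*` and `*/*` cover subresources), and embeds two constructed configurations: one with only CREATE/UPDATE as the issue describes, and one that also carries CONNECT on the exec/attach subresources.

```python
"""Check whether a ValidatingWebhookConfiguration can see CONNECT on pods/exec and pods/attach.

Fetch the real object with:
  kubectl get validatingwebhookconfiguration \
      gatekeeper-validating-webhook-configuration -o json > webhook.json
and pass the parsed JSON to missing_connect(). If the result is non-empty, any
Gatekeeper constraint that tries to deny exec/attach will never be evaluated,
because the API server will not send those admission reviews to the webhook.
"""
import json
import sys

# The two subresources that kubectl exec / kubectl attach go through.
REQUIRED_SUBRESOURCES = ("pods/attach", "pods/exec")


def rule_matches(rule, subresource, operation):
    """True if one webhook rule would send this operation on this subresource to the webhook."""
    ops = rule.get("operations", [])
    if "*" not in ops and operation not in ops:
        return False
    # pods live in the core API group, written as "" in the rule.
    groups = rule.get("apiGroups", [])
    if "*" not in groups and "" not in groups:
        return False
    resources = rule.get("resources", [])
    # Per the Kubernetes admission rules, a bare "*" matches resources only, not
    # subresources; "pods/*" and "*/*" do match subresources.
    return "*/*" in resources or "pods/*" in resources or subresource in resources


def connect_coverage(webhook_config):
    """Map each required subresource to the names of webhooks that receive CONNECT for it."""
    coverage = {sub: [] for sub in REQUIRED_SUBRESOURCES}
    for webhook in webhook_config.get("webhooks", []):
        for rule in webhook.get("rules", []):
            for sub in REQUIRED_SUBRESOURCES:
                if rule_matches(rule, sub, "CONNECT") and webhook["name"] not in coverage[sub]:
                    coverage[sub].append(webhook["name"])
    return coverage


def missing_connect(webhook_config):
    """Sorted list of required subresources that no webhook rule covers for CONNECT."""
    return sorted(sub for sub, names in connect_coverage(webhook_config).items() if not names)


# Constructed sample 1: the shape the issue complains about (CREATE/UPDATE only).
BEFORE = {
    "apiVersion": "admissionregistration.k8s.io/v1",
    "kind": "ValidatingWebhookConfiguration",
    "metadata": {"name": "gatekeeper-validating-webhook-configuration"},
    "webhooks": [{
        "name": "validation.gatekeeper.sh",
        "rules": [{"apiGroups": ["*"], "apiVersions": ["*"],
                   "operations": ["CREATE", "UPDATE"], "resources": ["*"]}],
    }],
}

# Constructed sample 2: CONNECT added, with the exec/attach subresources listed explicitly.
AFTER = {
    "apiVersion": "admissionregistration.k8s.io/v1",
    "kind": "ValidatingWebhookConfiguration",
    "metadata": {"name": "gatekeeper-validating-webhook-configuration"},
    "webhooks": [{
        "name": "validation.gatekeeper.sh",
        "rules": [
            {"apiGroups": ["*"], "apiVersions": ["*"],
             "operations": ["CREATE", "UPDATE"], "resources": ["*"]},
            {"apiGroups": [""], "apiVersions": ["v1"],
             "operations": ["CONNECT"], "resources": ["pods/exec", "pods/attach"]},
        ],
    }],
}


def main(argv):
    # With a file argument, check a real cluster object; otherwise run the two samples.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            configs = {argv[1]: json.load(fh)}
    else:
        configs = {"BEFORE (CREATE/UPDATE only)": BEFORE, "AFTER (CONNECT added)": AFTER}
    for label, cfg in configs.items():
        gaps = missing_connect(cfg)
        status = "OK" if not gaps else "NOT COVERED: " + ", ".join(gaps)
        print(f"{label}: {status}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the two constructed samples evaluated, or with a path to the JSON dumped from your cluster. An empty result from `missing_connect()` is the precondition for an exec/attach-denying constraint to have any effect; it does not by itself prove a constraint is installed.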