I am unable to use "az aks command invoke" because the policy at https://store.policy.core.windows.net/kubernetes/container-no-privilege-escalation/v3/template.yaml is preventing privilege escalation. I get the following error when I try it
(KubernetesOperationError) Failed to run command in managed cluster due to kubernetes failure. details: admission webhook "validation.gatekeeper.sh" denied the request: [azurepolicy-k8sazurev3noprivilegeescalatio-adff37e713cffbf58639] Privilege escalation container is not allowed: init-command
[azurepolicy-k8sazurev3noprivilegeescalatio-adff37e713cffbf58639] Privilege escalation container is not allowed: user-command
Code: KubernetesOperationError
Message: Failed to run command in managed cluster due to kubernetes failure. details: admission webhook "validation.gatekeeper.sh" denied the request: [azurepolicy-k8sazurev3noprivilegeescalatio-adff37e713cffbf58639] Privilege escalation container is not allowed: init-command
[azurepolicy-k8sazurev3noprivilegeescalatio-adff37e713cffbf58639] Privilege escalation container is not allowed: user-command
Is this an expected ramification of having the AKS built-in policies applied?
It is expected that az aks command invoke will not work if the policy to prevent privilege escalation containers is applied.
If you have specific Azure Policies assigned, they can cause az aks command invoke to fail, because they may not allow the specific configuration of the command-<ID> pod.
It is recommended to exempt the aks-command namespace from the associated Azure Policies that do not allow the pod creation.
You can do that by accessing Azure Portal -> Policy -> Assignments -> identify the assignment(s) and access them -> Edit assignment -> Parameters -> uncheck “Only show parameters that need input or review” box -> add “aks-command” under “Namespace exclusions”.
Alternatively, you can check the "command-" pod's configuration and adjust the policy accordingly (if it's not a built-in one).
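Added example, not part of the question or the answer above and not Microsoft's code: a small Python model of why the exemption works. It evaluates a pod the way the no-privilege-escalation constraint does (assumed rule: a container passes only if securityContext.allowPrivilegeEscalation is explicitly false, and pods in an excluded namespace are not evaluated at all), and builds the assignment parameters with aks-command appended to the excludedNamespaces parameter, which is the same change the Portal steps make. The pod spec and the assignment parameters are constructed here; the page only shows the denied container names init-command and user-command, and the parameter name excludedNamespaces is assumed from the AKS built-in Kubernetes policies.

```python
import copy
import json

# Constructed approximation of the command-<ID> pod. The securityContext is
# assumed to be unset, which is consistent with both containers being denied.
COMMAND_POD = {
    "metadata": {"name": "command-abc123", "namespace": "aks-command"},
    "spec": {
        "initContainers": [{"name": "init-command", "image": "example/init:1"}],
        "containers": [{"name": "user-command", "image": "example/cmd:1"}],
    },
}

# Constructed copy of the same pod with the setting the constraint wants.
HARDENED_POD = copy.deepcopy(COMMAND_POD)
for _c in HARDENED_POD["spec"]["initContainers"] + HARDENED_POD["spec"]["containers"]:
    _c["securityContext"] = {"allowPrivilegeEscalation": False}

# Constructed assignment parameters, in the shape returned by
# `az policy assignment show --query parameters` (assumed default exclusions).
ASSIGNMENT_PARAMS = {
    "effect": {"value": "deny"},
    "excludedNamespaces": {"value": ["kube-system", "gatekeeper-system", "azure-arc"]},
}


def pod_containers(pod):
    """All containers the constraint evaluates: init containers and regular ones."""
    spec = pod["spec"]
    return spec.get("initContainers", []) + spec.get("containers", [])


def violating_containers(pod, params):
    """Names of containers that violate the no-privilege-escalation rule.

    Assumed rule: allowPrivilegeEscalation must be explicitly false; unset or
    true is a violation. A pod in an excluded namespace is skipped entirely,
    which is what the recommended aks-command exemption relies on.
    """
    excluded = params.get("excludedNamespaces", {}).get("value", [])
    if pod["metadata"]["namespace"] in excluded:
        return []
    return [
        c["name"]
        for c in pod_containers(pod)
        if c.get("securityContext", {}).get("allowPrivilegeEscalation") is not False
    ]


def admission_messages(pod, params):
    """Denial messages in the form the error above shows; empty means admitted.

    Only a deny effect blocks admission; audit merely records the violation.
    """
    if params.get("effect", {}).get("value", "").lower() != "deny":
        return []
    return [
        f"Privilege escalation container is not allowed: {name}"
        for name in violating_containers(pod, params)
    ]


def with_namespace_exclusion(params, namespace):
    """Copy of the assignment parameters with `namespace` added to
    excludedNamespaces, keeping the existing exclusions in place."""
    patched = copy.deepcopy(params)
    values = patched.setdefault("excludedNamespaces", {}).setdefault("value", [])
    if namespace not in values:
        values.append(namespace)
    return patched


def params_json(params):
    """Compact JSON for `az policy assignment update --name <assignment> --params '<json>'`
    (the update subcommand and --params flag are assumed from the CLI docs;
    check them against your CLI version before relying on this)."""
    return json.dumps(params, separators=(",", ":"), sort_keys=True)


if __name__ == "__main__":
    print(admission_messages(COMMAND_POD, ASSIGNMENT_PARAMS))   # both containers denied
    patched = with_namespace_exclusion(ASSIGNMENT_PARAMS, "aks-command")
    print(admission_messages(COMMAND_POD, patched))             # [] once the namespace is excluded
    print(params_json(patched))
```

The point the model makes explicit: the exemption does not change what the constraint checks, it removes the aks-command namespace from the set of namespaces it checks, so the command-<ID> pod is admitted with whatever securityContext it ships with. The HARDENED_POD constant shows the only other way through the constraint, an explicit allowPrivilegeEscalation: false on every container, which is the route for a pod whose spec you control.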