[Question] Azure Policy blocking AKS Run Command

[k-cogswell]

I'm trying to use the Run Command feature in my AKS cluster but I get the following message:

{"code":"RunCommandBlockedByAzurePolicy","details":null,"message":"Run command is blocked by external resource, please check the error message for more details. details: AKS runCommand feature is blocked by Azure Policy applied to this cluster, to fix this issue you will need to run `kubectl get k8sazurecustomcontainerallowedimages -o yaml` find policy assignment by `azure-policy-assignment-id` annotation, then fix the policy.","subcode":"PodCreateBlockedByAzurePolicy"}

I tried to run the command it suggests:

kubectl get k8sazurecustomcontainerallowedimages -o yaml

but I get a message that this resource type doesn't exist

error: the server doesn't have a resource type "k8sazurecustomcontainerallowedimages"

I thought maybe there was a typo in the suggestion and tried:

kubectl get constrainttemplate k8sazurecustomcontainerallowedimages

but the template was not found.

Question

Is there any other way for me to find which policy is blocking me from using Run Command?

[sjwaight]

Hi @k-cogswell - here's details on why the run command is affected by Policy and how you can exempt the namespace from Policy - run command docs. More of an overview of what Azure Policies can be applied to AKS can be found on the AKS docs on Policy.

[microsoft-github-policy-service]

@az-policy-kube would you be able to assist?

[anlandu]

@k-cogswell It may be a different policy than k8sazurecustomcontainerallowedimages blocking the run command. If you run kubectl get constraints -o wide do you get any results? (May have to run twice)
I can work on adding that to our docs/improving the error messages