Details of the scenario you tried and the problem that is occurring
As I explained in detail in the following issue: kubernetes-sigs/azurefile-csi-driver#3047
The "Storage accounts should prevent cross tenant object replication" policy prevents creation of compliant Storage Accounts by AKS CSI drivers.
That's probably because the defaults from Azure APIs are compliant and the policy fails when the creation call does not explicitly set the default allowCrossTenantReplication: false.
The main impact of this is that Azure customers using the recommended Azure Policies on their Subscription and trying to use AKS Storage drivers will be blocked, as per the linked issue.
Verbose logs showing the problem
Suggested solution to the issue
The policy should take into account the fact that AzureRM API defaults are compliant and pass when the field is not explicitly set.
If policy is Guest Configuration - details about target node