
[AKS] Add Pod Security Standards support to Deployment Safeguards and add Safeguards commands to Preview CLI#9394

Closed
ShantingLiu wants to merge 1 commit into Azure:main from ShantingLiu:jennyliu/pss-preview

Conversation

@ShantingLiu
Contributor


This checklist is used to make sure that common guidelines for a pull request are followed.

Related command

az aks safeguards

General Guidelines

  • Have you run azdev style <YOUR_EXT> locally? (pip install azdev required)
  • Have you run python scripts/ci/test_index.py -q locally? (pip install wheel==0.30.0 required)
  • My extension version conforms to the Extension version schema

For new extensions:

About Extension Publish

There is a pipeline to automatically build, upload and publish extension wheels.
Once your pull request is merged into main branch, a new pull request will be created to update src/index.json automatically.
You only need to update the version information in file setup.py and historical information in file HISTORY.rst in your PR but do not modify src/index.json.


Description

Adds Pod Security Standards (PSS) level parameter to AKS Deployment Safeguards feature, enabling customers to enforce Kubernetes Pod Security Standards alongside existing safeguards policies.

Changes

  • Added --pod-security-standards-level parameter with values: Privileged, Baseline, Restricted
  • Implemented az aks safeguards command group with 5 commands:
    • az aks safeguards create - Enable safeguards with PSS support
    • az aks safeguards update - Update safeguards configuration
    • az aks safeguards show - Display current safeguards settings
    • az aks safeguards delete - Remove safeguards
    • az aks safeguards list - List safeguards by cluster
  • Supports --excluded-namespaces / --excluded-ns for namespace exclusions
  • Added comprehensive help text and examples for all commands
  • Added 2 test cases covering full lifecycle and list operations

Testing

  • Added comprehensive test coverage in test_aks_commands.py:
    • test_aks_safeguards_create_update_show_delete - Full lifecycle test
    • test_aks_safeguards_list - List functionality test
  • Tests will run automatically in PR pipeline and generate cassettes

Files Modified

  • _consts.py - Added PSS level constants
  • _client_factory.py - Added deployment safeguards client factory
  • commands.py - Registered safeguards command group
  • _params.py - Added PSS parameter definitions
  • _help.py - Added help text and examples
  • custom.py - Implemented 5 safeguards command functions
  • managed_cluster_decorator.py - Added PSS getter method
  • _helpers.py - Updated safeguards profile helper
  • test_aks_commands.py - Added test cases

Copilot AI review requested due to automatic review settings November 5, 2025 19:49
@azure-client-tools-bot-prd

Validation for Breaking Change Starting...

Thanks for your contribution!

@azure-client-tools-bot-prd

Hi @ShantingLiu,
Please write the description of changes which can be perceived by customers into HISTORY.rst.
If you want to release a new extension version, please update the version in setup.py as well.

@yonzhan
Collaborator

yonzhan commented Nov 5, 2025

Thank you for your contribution! We will review the pull request and get back to you soon.

@github-actions
Contributor

github-actions bot commented Nov 5, 2025

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

Contributor

Copilot AI left a comment


Pull Request Overview

This PR adds support for Pod Security Standards in AKS deployment safeguards. The key enhancement allows users to configure Pod Security Standards levels (Privileged, Baseline, Restricted) alongside existing deployment safeguards functionality.

Key changes:

  • Added new --pod-security-standards-level parameter to aks create and aks update commands
  • Implemented new aks safeguards command group for CRUD operations on deployment safeguards
  • Added swagger definition for the deployment safeguards API

Reviewed Changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 9 comments.

Summary per file:

  • wiki.md: Documentation for the AZCLI coding handbook (new file)
  • src/aks-preview/azext_aks_preview/_consts.py: Added Pod Security Standards level constants
  • src/aks-preview/azext_aks_preview/_params.py: Added parameter definitions for pod security standards level
  • src/aks-preview/azext_aks_preview/_help.py: Added help text for new safeguards commands and parameter
  • src/aks-preview/azext_aks_preview/_helpers.py: Updated safeguards profile setup to include pod security standards level
  • src/aks-preview/azext_aks_preview/managed_cluster_decorator.py: Added getter for pod security standards level parameter
  • src/aks-preview/azext_aks_preview/custom.py: Implemented safeguards CRUD command functions
  • src/aks-preview/azext_aks_preview/commands.py: Registered new safeguards command group
  • src/aks-preview/azext_aks_preview/_client_factory.py: Added client factory for deployment safeguards
  • src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py: Added live test cases for safeguards commands
  • deploymentsafeguards.json: Swagger definition for deployment safeguards API

no_wait=False
):
from azext_aks_preview._client_factory import get_container_service_client
from azure.cli.core.commands import LongRunningOperation

Copilot AI Nov 5, 2025


The import LongRunningOperation is not used in this function. Please remove this unused import to improve code maintainability.

Suggested change
from azure.cli.core.commands import LongRunningOperation

raise RequiredArgumentMissingError("Either --managed-cluster or both --resource-group and --name must be provided.")

# Get the models
container_service_client = get_container_service_client(cmd.cli_ctx)

Copilot AI Nov 5, 2025


The variable container_service_client is assigned but never used in this function. Please remove this unused variable assignment.

Suggested change
container_service_client = get_container_service_client(cmd.cli_ctx)

pod_security_standards_level=None,
no_wait=False
):
from azext_aks_preview._client_factory import get_container_service_client

Copilot AI Nov 5, 2025


The import get_container_service_client is not used in this function. Please remove this unused import to improve code maintainability.

Suggested change
from azext_aks_preview._client_factory import get_container_service_client

excluded_namespaces=None,
pod_security_standards_level=None,
no_wait=False
):

Copilot AI Nov 5, 2025


Missing docstring for the aks_safeguards_create function. Please add a docstring that describes the function's purpose, parameters, and return value to improve code documentation.

Suggested change
):
):
"""
Creates a deployment safeguard resource for an AKS cluster.
Parameters:
cmd: The CLI command context.
client: The deployment safeguards client.
resource_group_name (str, optional): Name of the resource group containing the AKS cluster.
cluster_name (str, optional): Name of the AKS cluster.
managed_cluster (str, optional): Resource ID of the managed cluster. If provided, resource_group_name and cluster_name are ignored.
level (str, optional): The enforcement level for the deployment safeguard.
excluded_namespaces (list[str], optional): List of namespaces to exclude from the safeguard.
pod_security_standards_level (str, optional): The Pod Security Standards level to enforce.
no_wait (bool, optional): If True, do not wait for the long-running operation to finish.
Returns:
The result of the create or update operation, or a poller if no_wait is True.
"""

excluded_namespaces=None,
pod_security_standards_level=None,
no_wait=False
):

Copilot AI Nov 5, 2025


Missing docstring for the aks_safeguards_update function. Please add a docstring that describes the function's purpose, parameters, and return value to improve code documentation.

Suggested change
):
):
"""
Update the deployment safeguards configuration for an AKS cluster.
Parameters:
cmd: The CLI command context.
client: The client to interact with the deployment safeguards resource.
resource_group_name (str, optional): Name of the resource group containing the cluster.
cluster_name (str, optional): Name of the AKS cluster.
managed_cluster (str, optional): Resource ID of the managed cluster.
level (str, optional): The enforcement level for the safeguards.
excluded_namespaces (list[str], optional): List of namespaces to exclude from safeguards.
pod_security_standards_level (str, optional): The pod security standards level to enforce.
no_wait (bool, optional): If True, do not wait for the operation to complete.
Returns:
The result of the begin_create_or_update operation, or a poller if no_wait is True.
"""

resource_group_name=None,
cluster_name=None,
managed_cluster=None
):

Copilot AI Nov 5, 2025


Missing docstring for the aks_safeguards_show function. Please add a docstring that describes the function's purpose, parameters, and return value to improve code documentation.

Suggested change
):
):
"""
Show the deployment safeguards configuration for an AKS cluster.
Parameters:
cmd: The CLI command context.
client: The client to use for retrieving the safeguards.
resource_group_name (str, optional): The name of the resource group containing the cluster.
cluster_name (str, optional): The name of the AKS cluster.
managed_cluster (str, optional): The resource ID of the managed cluster.
Returns:
The deployment safeguards configuration for the specified AKS cluster.
Raises:
RequiredArgumentMissingError: If neither managed_cluster nor both resource_group_name and cluster_name are provided.
"""

cluster_name=None,
managed_cluster=None,
no_wait=False
):

Copilot AI Nov 5, 2025


Missing docstring for the aks_safeguards_delete function. Please add a docstring that describes the function's purpose, parameters, and return value to improve code documentation.

Suggested change
):
):
"""
Deletes the deployment safeguard configuration for an AKS cluster.
Parameters:
cmd: The CLI command context.
client: The client to use for the operation.
resource_group_name (str, optional): The name of the resource group containing the cluster.
cluster_name (str, optional): The name of the AKS cluster.
managed_cluster (str, optional): The resource ID of the managed cluster. If provided, resource_group_name and cluster_name are ignored.
no_wait (bool, optional): If True, do not wait for the operation to complete.
Returns:
The result of the delete operation, or a poller if no_wait is True.
"""

resource_group_name=None,
cluster_name=None,
managed_cluster=None
):

Copilot AI Nov 5, 2025


Missing docstring for the aks_safeguards_list function. Please add a docstring that describes the function's purpose, parameters, and return value to improve code documentation.

Suggested change
):
):
"""
List all safeguards for an Azure Kubernetes Service (AKS) cluster.
Parameters:
cmd: The CLI command context.
client: The client to use for making API calls.
resource_group_name (str, optional): The name of the resource group containing the cluster.
cluster_name (str, optional): The name of the AKS cluster.
managed_cluster (str, optional): The resource ID of the managed cluster.
Returns:
The list of safeguard resources for the specified AKS cluster.
Raises:
RequiredArgumentMissingError: If neither managed_cluster nor both resource_group_name and cluster_name are provided.
"""

Comment on lines +5111 to +5118
# Determine cluster resource ID
if managed_cluster:
cluster_resource_id = managed_cluster
elif resource_group_name and cluster_name:
subscription_id = get_subscription_id(cmd.cli_ctx)
cluster_resource_id = f"/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/Microsoft.ContainerService/managedClusters/{cluster_name}"
else:
raise RequiredArgumentMissingError("Either --managed-cluster or both --resource-group and --name must be provided.")
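Review bot: the `managed_cluster` branch passes the caller's string straight through as the cluster resource ID without any shape check, so a malformed or non-AKS ID (or one that contradicts a `--resource-group`/`--name` also given) is only rejected, if at all, by the service with a less helpful error. Validate it before use, for example with `is_valid_resource_id` and `parse_resource_id` from `azure.mgmt.core.tools` and a check that the parsed namespace/type is `Microsoft.ContainerService/managedClusters`, raising `InvalidArgumentValueError` with a clear message; since these same eight lines are repeated in all five commands, that check belongs in the single shared helper rather than in each copy.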

Copilot AI Nov 5, 2025


The cluster resource ID determination logic is duplicated across all five safeguards functions. Consider extracting this into a helper function to reduce code duplication and improve maintainability.

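As an added illustration of the shared helper suggested in the comment above (not code from this PR or the aks-preview extension): it keeps the same selection rule as the duplicated block, validates an explicit `--managed-cluster` value against the managedClusters resource-ID shape, refuses contradictory `--name`/`--resource-group` input, and rejects a resource group or cluster name that would not fit in one ID segment. The regex, the function name and the use of ValueError in place of azure-cli's error classes are assumptions.

```python
import re
from typing import Optional

# Constructed pattern for an AKS managed-cluster ARM resource ID (assumption:
# subscription GUID, resource group, provider type, cluster name).
_MANAGED_CLUSTER_ID = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-fA-F-]{36})"
    r"/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.ContainerService/managedClusters/(?P<name>[^/]+)$",
    re.IGNORECASE,
)
# A value interpolated into one ID segment must not carry path or query characters.
_SEGMENT = re.compile(r"^[^/?#\\]+$")


def resolve_cluster_resource_id(
    subscription_id: str,
    resource_group_name: Optional[str] = None,
    cluster_name: Optional[str] = None,
    managed_cluster: Optional[str] = None,
) -> str:
    """Return the managedClusters resource ID a safeguards command should act on.

    Same rule as the PR's duplicated block (explicit ID wins, else build from
    resource group + name) plus validation the PR does not do. ValueError stands
    in for RequiredArgumentMissingError / InvalidArgumentValueError (assumption).
    """
    if managed_cluster:
        match = _MANAGED_CLUSTER_ID.match(managed_cluster)
        if not match:
            raise ValueError(
                "--managed-cluster must be a Microsoft.ContainerService/managedClusters resource ID"
            )
        # Reject contradictory input instead of silently ignoring --name / --resource-group.
        if cluster_name and match.group("name").lower() != cluster_name.lower():
            raise ValueError("--managed-cluster and --name refer to different clusters")
        if resource_group_name and match.group("rg").lower() != resource_group_name.lower():
            raise ValueError("--managed-cluster and --resource-group do not agree")
        return managed_cluster
    if resource_group_name and cluster_name:
        for label, value in (("--resource-group", resource_group_name), ("--name", cluster_name)):
            if not _SEGMENT.match(value):
                raise ValueError(f"{label} contains characters not allowed in a resource ID segment")
        return (
            f"/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}"
            f"/providers/Microsoft.ContainerService/managedClusters/{cluster_name}"
        )
    raise ValueError("Either --managed-cluster or both --resource-group and --name must be provided.")
```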
Labels

AKS Auto-Assign Auto assign by bot
