
[confcom] Windows support for the tooling#9783

Open
MahatiC wants to merge 30 commits into Azure:main from MahatiC:latest-windows-support

Conversation

@MahatiC

@MahatiC MahatiC commented Apr 14, 2026


This checklist is used to make sure that common guidelines for a pull request are followed.

Related command

General Guidelines

  • Have you run azdev style <YOUR_EXT> locally? (pip install azdev required)
  • Have you run python scripts/ci/test_index.py -q locally? (pip install wheel==0.30.0 required)
  • My extension version conforms to the Extension version schema

For new extensions:

About Extension Publish

There is a pipeline to automatically build, upload and publish extension wheels.
Once your pull request is merged into main branch, a new pull request will be created to update src/index.json automatically.
You only need to update the version information in file setup.py and historical information in file HISTORY.rst in your PR but do not modify src/index.json.

DomAyre and others added 25 commits October 15, 2025 17:07
And add a fix to framework for rw_mount
…l 2.0.0

Suggested-by: Ken Gordon <kegordo@microsoft.com>
…t_device enforcement point

This fixes unit tests
This is not, in fact, where parameters and variables are populated. That happens
in the constructor for AciPolicy.
@azure-client-tools-bot-prd

Validation for Breaking Change Starting...

Thanks for your contribution!

@azure-client-tools-bot-prd

Hi @MahatiC,
Please write the description of changes which can be perceived by customers into HISTORY.rst.
If you want to release a new extension version, please update the version in setup.py as well.

@azure-pipelines

Azure Pipelines:
2 pipeline(s) require an authorized user to comment /azp run to run.

@MahatiC MahatiC changed the title Latest windows support [confcom] Windows support for the tooling Apr 14, 2026
@azure-pipelines

Azure Pipelines:
2 pipeline(s) require an authorized user to comment /azp run to run.

@yonzhan
Collaborator

yonzhan commented Apr 14, 2026

Thank you for your contribution! We will review the pull request and get back to you soon.

@github-actions
Contributor

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

@github-actions
Contributor

Hi @MahatiC

⚠️ Release Requirements

Module: confcom

  • ⚠️ Please update VERSION to be 1.9.0 in src/confcom/setup.py
  • ⚠️ Remove azext.isPreview: true in azext_metadata.json for confcom

Notes

@github-actions github-actions bot added the release-version-block Updates do not qualify release version rules. NOTE: please do not edit it manually. label Apr 14, 2026
@MahatiC MahatiC force-pushed the latest-windows-support branch from 8910a7d to fa1c0e2 Compare April 15, 2026 21:38
@azure-pipelines

Azure Pipelines:
2 pipeline(s) require an authorized user to comment /azp run to run.

@azure-pipelines

Azure Pipelines:
2 pipeline(s) require an authorized user to comment /azp run to run.

@MahatiC MahatiC force-pushed the latest-windows-support branch from 3b54c39 to 53515f9 Compare April 15, 2026 22:44
@azure-pipelines

Azure Pipelines:
2 pipeline(s) require an authorized user to comment /azp run to run.

@yonzhan yonzhan requested a review from necusjz April 16, 2026 04:24
@azure-pipelines

Azure Pipelines:
2 pipeline(s) require an authorized user to comment /azp run to run.

@MahatiC MahatiC force-pushed the latest-windows-support branch from 4676ca8 to f3e726c Compare April 16, 2026 07:40
@azure-pipelines

Azure Pipelines:
2 pipeline(s) require an authorized user to comment /azp run to run.

@MahatiC MahatiC marked this pull request as ready for review April 16, 2026 08:29
Copilot AI review requested due to automatic review settings April 16, 2026 08:29
@azure-pipelines

Azure Pipelines:
2 pipeline(s) require an authorized user to comment /azp run to run.

Contributor

Copilot AI left a comment


Pull request overview

Adds Windows container support to the confcom extension tooling by introducing a --platform switch (linux/amd64 vs windows/amd64), updating policy generation templates, and extending layer hashing to support Windows CIM-based flows.

Changes:

  • Introduce --platform across policy generation entrypoints and propagate platform into container definitions/policy serialization.
  • Update dmverity-vhd integration to v2.0 and adjust layer hashing/parsing to support Windows outputs (including mounted_cim).
  • Bump policy API version references to 0.11.0 and update samples/docs accordingly.

Reviewed changes

Copilot reviewed 177 out of 178 changed files in this pull request and generated 5 comments.

Summary per file (path, then description):
src/confcom/setup.py Bump extension version to 2.0.0b1 (preview).
src/confcom/HISTORY.rst Add 2.0.0b1 release notes for Windows support.
src/confcom/README.md Document platform support and Windows requirements.
src/confcom/azext_confcom/azext_metadata.json Mark extension as preview.
src/confcom/azext_confcom/_params.py Add --platform (linux/amd64, windows/amd64) to policy generation.
src/confcom/azext_confcom/_help.py Document --platform usage and clarify containers-from-image --platform meaning (aci/vn2).
src/confcom/azext_confcom/custom.py Thread platform through CLI entrypoints to policy generation and containers-from-image plumbing.
src/confcom/azext_confcom/security_policy.py Add platform-aware policy boilerplate, platform validation, debug-mode exec selection, and Windows layer support (mounted_cim).
src/confcom/azext_confcom/template_util.py Augment image info with detected platform; attempt multi-platform pulls.
src/confcom/azext_confcom/rootfs_proxy.py Upgrade dmverity-vhd URLs/hashes and parse JSON output including Windows mounted_cim.
src/confcom/azext_confcom/config.py Add Windows rego policy template and Windows debug mode settings; support mounted_cim field.
src/confcom/azext_confcom/container.py Add platform tracking to container images and emit platform-specific policy JSON (Linux vs Windows fields).
src/confcom/azext_confcom/lib/images.py Add multi-platform pull helpers and pass --platform to hashing binary.
src/confcom/azext_confcom/lib/containers.py Add platform into container definitions and disambiguate aci/vn2 vs image platform.
src/confcom/azext_confcom/lib/defaults.py Provide platform-specific debug-mode exec process defaults.
src/confcom/azext_confcom/lib/policy.py Bump default api_version to 0.11.0.
src/confcom/azext_confcom/lib/serialization.py Add rw_mount_device binding in serialized rego output.
src/confcom/azext_confcom/data/internal_config.json Bump API version and add Windows debug mode config.
src/confcom/azext_confcom/data/customer_rego_policy.txt Add rw_mount_device binding to Linux rego boilerplate template.
src/confcom/azext_confcom/data/customer_rego_policy_windows.txt Add Windows-specific rego boilerplate template.
src/confcom/azext_confcom/data/README Clarify “old style” vs new policy model locations.
src/confcom/azext_confcom/docs/policy_enforcement_points.md Update example API version and add rw_mount_device binding.
src/confcom/azext_confcom/README.md Update example API version and add rw_mount_device binding.
src/confcom/azext_confcom/sample_policy.md Add rw_mount_device binding to sample policy doc.
src/confcom/azext_confcom/command/containers_from_image.py Rename internal arg to aci_or_vn2 to disambiguate “platform”.
src/confcom/azext_confcom/command/containers_from_vn2.py Update call to containers-from-image helper with new arg name.
src/confcom/azext_confcom/tests/latest/test_confcom_scenario.py Adjust context-manager nesting for assertRaises(SystemExit) test.
src/confcom/azext_confcom/tests/latest/test_confcom_image.py Ensure invalid-image policy generation is asserted inside assertRaises.
src/confcom/azext_confcom/tests/latest/test_confcom_containers_from_image.py Update containers-from-image call to new aci_or_vn2 argument name.
src/confcom/samples/policies/allow_all.rego Bump sample API version to 0.11.0.
src/confcom/samples/sample-policy-output.rego Add a sample policy output file.
src/confcom/samples/aci/minimal/arm_template.json Embed updated base64 policy output in sample ARM template.
src/confcom/samples/aci/volume_mounts/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/volume_mounts/policy_debug.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/volume_mounts/policy_disable_stdio.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/volume_mounts/policy_exclude_default_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/volume_mounts/policy_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/volume_mounts/policy_fragment_plus_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/volume_mounts/policy_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/volume_mount_secret/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/volume_mount_secret/policy_debug.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/volume_mount_secret/policy_disable_stdio.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/volume_mount_secret/policy_exclude_default_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/volume_mount_secret/policy_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/volume_mount_secret/policy_fragment_plus_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/volume_mount_secret/policy_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/variables/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/variables/policy_debug.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/variables/policy_disable_stdio.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/variables/policy_exclude_default_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/variables/policy_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/variables/policy_fragment_plus_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/variables/policy_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_run_as_user/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_run_as_user/policy_debug.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_run_as_user/policy_disable_stdio.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_run_as_user/policy_exclude_default_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_run_as_user/policy_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_run_as_user/policy_fragment_plus_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_run_as_user/policy_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_run_as_group/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_run_as_group/policy_debug.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_run_as_group/policy_disable_stdio.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_run_as_group/policy_exclude_default_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_run_as_group/policy_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_run_as_group/policy_fragment_plus_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_run_as_group/policy_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_capabilities_drop/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_capabilities_drop/policy_debug.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_capabilities_drop/policy_disable_stdio.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_capabilities_drop/policy_exclude_default_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_capabilities_drop/policy_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_capabilities_drop/policy_fragment_plus_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_capabilities_drop/policy_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_capabilities_add_drop/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_capabilities_add_drop/policy_debug.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_capabilities_add_drop/policy_disable_stdio.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_capabilities_add_drop/policy_exclude_default_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_capabilities_add_drop/policy_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_capabilities_add_drop/policy_fragment_plus_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_capabilities_add_drop/policy_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_capabilities_add/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_capabilities_add/policy_debug.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_capabilities_add/policy_disable_stdio.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_capabilities_add/policy_exclude_default_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_capabilities_add/policy_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_capabilities_add/policy_fragment_plus_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/security_context_capabilities_add/policy_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/multi_containers/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/multi_containers/policy_debug.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/multi_containers/policy_disable_stdio.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/multi_containers/policy_exclude_default_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/multi_containers/policy_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/multi_containers/policy_fragment_plus_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/multi_containers/policy_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/multi_container_groups/policy.rego Bump API version and add rw_mount_device binding (multi-group example).
src/confcom/samples/aci/multi_container_groups/policy_debug.rego Bump API version and add rw_mount_device binding (multi-group example).
src/confcom/samples/aci/multi_container_groups/policy_disable_stdio.rego Bump API version and add rw_mount_device binding (multi-group example).
src/confcom/samples/aci/multi_container_groups/policy_exclude_default_fragment.rego Bump API version and add rw_mount_device binding (multi-group example).
src/confcom/samples/aci/multi_container_groups/policy_fragment_plus_infrastructure_svn.rego Bump API version and add rw_mount_device binding (multi-group example).
src/confcom/samples/aci/multi_container_groups/policy_infrastructure_svn.rego Bump API version and add rw_mount_device binding (multi-group example).
src/confcom/samples/aci/minimal/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/minimal/policy_debug.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/minimal/policy_disable_stdio.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/minimal/policy_exclude_default_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/minimal/policy_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/minimal/policy_fragment_plus_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/minimal/policy_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/existing_policy_allow_all/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/existing_policy_allow_all/policy_debug.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/existing_policy_allow_all/policy_disable_stdio.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/existing_policy_allow_all/policy_exclude_default_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/existing_policy_allow_all/policy_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/existing_policy_allow_all/policy_fragment_plus_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/existing_policy_allow_all/policy_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/existing_policy/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/existing_policy/policy_debug.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/existing_policy/policy_disable_stdio.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/existing_policy/policy_exclude_default_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/existing_policy/policy_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/existing_policy/policy_fragment_plus_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/existing_policy/policy_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/environment_variables/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/environment_variables/policy_debug.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/environment_variables/policy_disable_stdio.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/environment_variables/policy_exclude_default_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/environment_variables/policy_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/environment_variables/policy_fragment_plus_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/environment_variables/policy_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/default_variables_override/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/default_variables_override/policy_debug.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/default_variables_override/policy_disable_stdio.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/default_variables_override/policy_exclude_default_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/default_variables_override/policy_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/default_variables_override/policy_fragment_plus_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/default_variables_override/policy_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/default_variables/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/default_variables/policy_debug.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/default_variables/policy_disable_stdio.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/default_variables/policy_exclude_default_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/default_variables/policy_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/default_variables/policy_fragment_plus_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/default_variables/policy_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/container_group_profiles/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/container_group_profiles/policy_debug.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/container_group_profiles/policy_disable_stdio.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/container_group_profiles/policy_exclude_default_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/container_group_profiles/policy_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/container_group_profiles/policy_fragment_plus_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/container_group_profiles/policy_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/conflicting_variables/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/conflicting_variables/policy_debug.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/conflicting_variables/policy_disable_stdio.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/conflicting_variables/policy_exclude_default_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/conflicting_variables/policy_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/conflicting_variables/policy_fragment_plus_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/conflicting_variables/policy_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/command/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/command/policy_debug.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/command/policy_disable_stdio.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/command/policy_exclude_default_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/command/policy_fragment.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/command/policy_fragment_plus_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/aci/command/policy_infrastructure_svn.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/vn2/basic_command_args/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/vn2/configmap_secret_env/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/vn2/fieldref_env/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/vn2/init_and_lifecycle/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/vn2/multi_container/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/vn2/privileged_container/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/vn2/read_only_mounts/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/vn2/resourcefieldref_env/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/vn2/seccomp_profile/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/vn2/security_context_merge/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/vn2/signals/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/vn2/special_env_regex/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/vn2/volume_claim_templates/policy.rego Bump API version and add rw_mount_device binding.
src/confcom/samples/vn2/workload_identity/policy.rego Bump API version and add rw_mount_device binding.

Comment on lines +696 to +723
if image is None:
try:
image = client.images.pull(image_name, platform=platform)
except (docker_module.errors.ImageNotFound, docker_module.errors.NotFound):
eprint(
f'Image "{image_name}" is not found. '
f'Please check the image name and repository.'
)
except docker_module.errors.APIError as e:
error_msg = str(e).lower()
if "not supported" in error_msg or "no matching manifest" in error_msg:
eprint(
f'Image "{image_name}" could not be pulled for platform "{platform}". '
f'Docker Desktop must be in the correct container mode '
f'(Linux containers for linux/amd64, '
f'Windows containers for windows/amd64).'
)
else:
eprint(
f'Image "{image_name}" could not be pulled for platform '
f'"{platform}": {e}'
)

detected = f"{image.attrs.get('Os')}/{image.attrs.get('Architecture')}"
if detected != platform:
eprint(
f'Image "{image_name}" has platform "{detected}", '
f'which does not match the specified platform "{platform}".'
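Review bot: the platform-mismatch branch at the end of this region (`if detected != platform:`) reports the problem through eprint exactly as the not-found and APIError branches above it do, and nothing visible makes the function stop in any of those cases, so a caller can continue into policy generation with no image or with an image of the wrong OS; return a failure, raise, or exit after every one of these paths, not only after the pull failures. The APIError branch also keys its message on substrings of the lowercased error text (`"not supported"`, `"no matching manifest"`), which is brittle across Docker versions; since both sub-branches end in the same outcome (no usable image), one failure path that includes the original error text is simpler and loses nothing.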

Copilot AI Apr 16, 2026


validate_image_platform can dereference image even when the image couldn't be found/pulled. In the ImageNotFound/NotFound and APIError branches, the function only prints an error and continues, leaving image as None and then accessing image.attrs (will raise at runtime). After failing to get/pull the image, return/raise (or call sys.exit(1)) before computing detected, and ensure the APIError branch also exits on failure.

Comment on lines +152 to +153
else:
assert self._platform == image_platform, "All images must have the same platform"
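Review bot: the `assert` at this line is not just a UX issue; under `python -O` the check disappears entirely and a policy mixing Linux and Windows images would be emitted. Whatever replaces it must actually terminate or raise: the suggested replacement below only calls eprint, and nothing in the visible lines shows eprint exiting, so if it merely writes to stderr the mixed-platform policy is still generated. Raise a CLI validation error (or call sys.exit(1) after the message), and check `image_platform` against the two accepted values here as well, because a first container carrying an unrecognized string would set the expected platform without any check visible in this region and every later container would simply be compared against it.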

Copilot AI Apr 16, 2026


AciPolicy.__init__ uses an assert to enforce that all images share the same platform. Asserts can be stripped with Python optimizations and they surface as an AssertionError rather than a user-friendly CLI error. Please replace this with explicit validation that raises a proper CLI/validation error (or calls eprint + exits) with actionable guidance.

Suggested change
else:
assert self._platform == image_platform, "All images must have the same platform"
elif self._platform != image_platform:
container_id = c.get(config.POLICY_FIELD_CONTAINERS_ID, "<unknown>")
eprint(
"All images must use the same platform. "
f'Expected platform "{self._platform}" but container "{container_id}" '
f'uses "{image_platform}". Update the container image platforms so they '
'all match, or omit the "platform" field to use the default '
'"linux/amd64".'
)

pretty_print_func(self._allow_runtime_logging),
pretty_print_func(self._allow_environment_variable_dropping),
)


Copilot AI Apr 16, 2026


_add_rego_boilerplate now has Linux/Windows branches but falls through without returning anything if _platform is neither (returns None). Even if the CLI currently restricts choices, it’s safer to explicitly raise ValueError/eprint+exit for unsupported platforms so callers don’t later fail with confusing TypeErrors.

Suggested change
raise ValueError("Unsupported platform for rego boilerplate: {}".format(self._platform))

Comment thread src/confcom/azext_confcom/container.py Outdated
mounts=mounts,
allow_elevated=allow_elevated,
extraEnvironmentRules=[],
platform=container_json["platform"],
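Review bot: defaulting a missing `platform` key to linux/amd64 is the right backward-compatibility move for older input.json and policy files, but the value should also be validated against the accepted set when it is present. Whatever is read at `platform=container_json["platform"]` is what later selects between the Linux and Windows rego boilerplate (see the _add_rego_boilerplate comment), so a typo such as "windows/amd46" would either surface much later as an unsupported-platform error or, if the selection falls through, produce a policy for the wrong OS. Validate at parse time and name the offending container in the message.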

Copilot AI Apr 16, 2026


ContainerImage.from_json accesses container_json["platform"], which will raise KeyError for older input.json/policy files that don’t include this field. To preserve backward compatibility, use container_json.get("platform", "linux/amd64") (or infer from policy) instead of requiring the key.

Suggested change
platform=container_json["platform"],
platform=container_json.get("platform", "linux/amd64"),

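The four review comments above (an image lookup that can leave `image` as None, an `assert` enforcing that all images share a platform, a boilerplate selector that falls through for unknown platforms, and a `platform` key that older input files lack) share one underlying fix: validate the platform in one place and fail closed on every error path. The block below is an added example written for this thread, not the confcom extension's own code. It replaces docker-py with a constructed `FakeDockerClient` that mirrors the `images.get` / `images.pull(name, platform=...)` shape and the `ImageNotFound` error so it runs offline; the container `id` key (standing in for `config.POLICY_FIELD_CONTAINERS_ID`), the default of `linux/amd64` for files without the field, and the template file names taken from the file summary are assumptions.

```python
"""Fail-closed platform validation for a confcom-style policy generator.

Added example, not the extension's own code. The docker client is replaced by
FakeDockerClient, a constructed stand-in with the same images.get / images.pull
shape and ImageNotFound error as docker-py, so this runs offline.
"""
from dataclasses import dataclass

SUPPORTED_PLATFORMS = frozenset({"linux/amd64", "windows/amd64"})
DEFAULT_PLATFORM = "linux/amd64"  # assumption: default for policies that predate the field


class PlatformError(Exception):
    """Raised instead of asserting, so the CLI gets an actionable error."""


class ImageNotFound(Exception):
    """Stand-in for docker.errors.ImageNotFound (assumption: same role)."""


@dataclass
class FakeImage:
    attrs: dict  # mirrors docker Image.attrs, which carries 'Os' and 'Architecture'


class FakeImageCollection:
    """Constructed registry: name -> {platform: image}. Emulates get (local) and pull."""

    def __init__(self, registry):
        self._registry = registry
        self._local = {}  # images already present on the host, keyed by name only

    def get(self, name):
        if name not in self._local:
            raise ImageNotFound(name)
        return self._local[name]

    def pull(self, name, platform=None):
        variants = self._registry.get(name, {})
        if platform not in variants:
            raise ImageNotFound(f"{name} for {platform}")
        self._local[name] = variants[platform]
        return variants[platform]


@dataclass
class FakeDockerClient:
    images: FakeImageCollection


def image_platform(image) -> str:
    return f"{image.attrs.get('Os')}/{image.attrs.get('Architecture')}"


def validate_image_platform(client, image_name, platform):
    """Return the image only if it exists and matches `platform`; raise otherwise.

    Every failure path raises, so a caller can never reach the platform check
    with image == None and can never silently generate a policy for the wrong OS.
    """
    if platform not in SUPPORTED_PLATFORMS:
        raise PlatformError(f'unsupported platform "{platform}"; choose one of {sorted(SUPPORTED_PLATFORMS)}')
    try:
        image = client.images.get(image_name)
    except ImageNotFound:
        try:
            image = client.images.pull(image_name, platform=platform)
        except ImageNotFound as exc:
            raise PlatformError(f'image "{image_name}" could not be pulled for "{platform}": {exc}') from exc
    detected = image_platform(image)
    if detected != platform:
        # A locally cached image of the other OS is the common way to hit this.
        raise PlatformError(f'image "{image_name}" is "{detected}", expected "{platform}"')
    return image


def policy_platform(containers):
    """Single platform shared by all container definitions, or PlatformError.

    Older input files lack the field, so it defaults to DEFAULT_PLATFORM, but the
    value read from JSON is still checked against SUPPORTED_PLATFORMS because it
    selects which rego boilerplate is emitted.
    """
    chosen = None
    for c in containers:
        cid = c.get("id", "<unknown>")
        plat = c.get("platform", DEFAULT_PLATFORM)
        if plat not in SUPPORTED_PLATFORMS:
            raise PlatformError(f'container "{cid}" has unsupported platform "{plat}"')
        if chosen is None:
            chosen = plat
        elif plat != chosen:
            raise PlatformError(
                f'all images must use the same platform: expected "{chosen}" '
                f'but container "{cid}" uses "{plat}"')
    return chosen if chosen is not None else DEFAULT_PLATFORM


def rego_template_for(platform):
    """Explicit mapping; an unknown platform raises instead of returning None."""
    templates = {"linux/amd64": "customer_rego_policy.txt",
                 "windows/amd64": "customer_rego_policy_windows.txt"}
    try:
        return templates[platform]
    except KeyError:
        raise ValueError(f"Unsupported platform for rego boilerplate: {platform}") from None
```

The point of routing every failure through an exception rather than a printed message is that the caller cannot forget to stop: the generator either gets an image whose `Os`/`Architecture` match the requested platform, or it gets nothing. Note the second scenario in particular: once a `windows/amd64` image has been pulled, a later request for the same name on `linux/amd64` is served from the local cache and only the post-pull comparison catches it.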
Comment thread src/confcom/HISTORY.rst Outdated
===============

2.0.0b1
+++++

Copilot AI Apr 16, 2026


The reStructuredText heading underline for 2.0.0b1 is shorter than the heading text, which can render incorrectly in RST. Please adjust the underline length to match the version string (consistent with other entries like 1.8.0).

Suggested change
+++++
+++++++

Labels

release-version-block Updates do not qualify release version rules. NOTE: please do not edit it manually.

6 participants