Skip to content

[AKS] az aks safeguards: Add pod security standards support to AKS deployment safeguards commands #32432

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
yanzhudd merged 21 commits into from
Nov 22, 2025
Merged

[AKS] az aks safeguards: Add pod security standards support to AKS deployment safeguards commands #32432

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
aa32630
Add Pod Security Standards support to aks safeguards commands
ShantingLiu Nov 17, 2025
b8dc512
Move PSS changes to 2.80.0 section in HISTORY.rst
ShantingLiu Nov 17, 2025
2f65d14
Update safeguards test for 2025-05-02-preview API and flattened prope…
ShantingLiu Nov 17, 2025
ed6c121
Fix breaking change and AAZ undefined check
ShantingLiu Nov 17, 2025
7fccc7e
Add pre-existence check for safeguards create command
ShantingLiu Nov 18, 2025
f769549
Re-record safeguards test with pre-existence check
ShantingLiu Nov 18, 2025
fb633ec
Fix style issues and datetime deprecation warning in safeguards
ShantingLiu Nov 18, 2025
f2e3baf
Restore -c/--cluster options and add PSS level support to safeguards …
ShantingLiu Nov 18, 2025
a2ac7a0
Fix trailing whitespace in custom.py
ShantingLiu Nov 18, 2025
89eaa71
Update example descriptions to use first-person imperative verbs
ShantingLiu Nov 18, 2025
046432f
Remove client_flatten flag from safeguards properties and update test…
ShantingLiu Nov 18, 2025
8d2a2b1
Add backward compatibility for resource IDs without leading slash and…
ShantingLiu Nov 18, 2025
cce3a0b
Fix trailing whitespace in custom.py
ShantingLiu Nov 18, 2025
285d886
Move pre-existence check logic from AAZ-generated file to custom class
ShantingLiu Nov 18, 2025
c269565
Fix linter: remove f-string without interpolation
ShantingLiu Nov 18, 2025
b632f66
Update aks safeguards commands to use 2025-07-01 GA API
ShantingLiu Nov 19, 2025
55c43a9
Remove preview flags and update to GA API version for safeguards
ShantingLiu Nov 19, 2025
fe0d854
Fix test recording: replace real subscription ID with placeholder
ShantingLiu Nov 20, 2025
262e3c3
Regenerate AAZ files with GA API and fix custom override
ShantingLiu Nov 21, 2025
195d348
Scrub subscription IDs in test recording
ShantingLiu Nov 21, 2025
cf8d8cc
Remove unnecessary _args_schema = None from safeguards custom classes
ShantingLiu Nov 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 26 additions & 17 deletions src/azure-cli/azure/cli/command_modules/acs/aaz/latest/aks/safeguards/_create.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,13 +25,18 @@ class Create(AAZCommand):

:example: Create a DeploymentSafeguards resource at Warn level with ignored namespaces
az aks safeguards create -g rg1 -n mc1 --excluded-ns ns1 ns2 --level Warn

:example: Create a DeploymentSafeguards resource at Warn level with Pod Security Standards level set to Baseline
az aks safeguards create --managed-cluster /subscriptions/subid1/resourceGroups/rg1/providers/Microsoft.ContainerService/managedClusters/cluster1 --level Warn --pss-level Baseline

:example: Create a DeploymentSafeguards resource with PSS level set to Restricted using -g/-n pattern
az aks safeguards create -g rg1 -n cluster1 --level Enforce --pss-level Restricted
"""

_aaz_info = {
"version": "2025-04-01",
"version": "2025-07-01",
"resources": [
["mgmt-plane",
"/{resourceuri}/providers/microsoft.containerservice/deploymentsafeguards/default", "2025-04-01"],
["mgmt-plane", "/{resourceuri}/providers/microsoft.containerservice/deploymentsafeguards/default", "2025-07-01"],
]
}

Expand All @@ -55,7 +60,7 @@ def _build_arguments_schema(cls, *args, **kwargs):
_args_schema.managed_cluster = AAZStrArg(
options=["-c", "--cluster", "--managed-cluster"],
help="The fully qualified Azure Resource manager identifier of the Managed Cluster.",
required=False,
required=True,
)

# define Arg Group "Properties"
Expand All @@ -72,6 +77,12 @@ def _build_arguments_schema(cls, *args, **kwargs):
help="The deployment safeguards level. Possible values are Warn and Enforce",
enum={"Enforce": "Enforce", "Warn": "Warn"},
)
_args_schema.pss_level = AAZStrArg(
options=["--pss-level"],
arg_group="Properties",
help="The pod security standards level",
enum={"Baseline": "Baseline", "Privileged": "Privileged", "Restricted": "Restricted"},
Comment thread
ShantingLiu marked this conversation as resolved.
)

excluded_namespaces = cls._args_schema.excluded_namespaces
excluded_namespaces.Element = AAZStrArg()
Expand All @@ -91,17 +102,15 @@ def post_operations(self):
pass

def _output(self, *args, **kwargs):
result = self.deserialize_output(
self.ctx.vars.instance, client_flatten=True)
result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True)
return result

class DeploymentSafeguardsCreate(AAZHttpOperation):
CLIENT_TYPE = "MgmtClient"

def __call__(self, *args, **kwargs):
request = self.make_request()
session = self.client.send_request(
request=request, stream=False, **kwargs)
session = self.client.send_request(request=request, stream=False, **kwargs)
if session.http_response.status_code in [202]:
return self.client.build_lro_polling(
self.ctx.args.no_wait,
Expand Down Expand Up @@ -152,7 +161,7 @@ def url_parameters(self):
def query_parameters(self):
parameters = {
**self.serialize_query_param(
"api-version", "2025-04-01",
"api-version", "2025-07-01",
required=True,
),
}
Expand All @@ -175,20 +184,17 @@ def content(self):
_content_value, _builder = self.new_content_builder(
self.ctx.args,
typ=AAZObjectType,
typ_kwargs={
"flags": {"required": True, "client_flatten": True}}
typ_kwargs={"flags": {"required": True, "client_flatten": True}}
)
_builder.set_prop("properties", AAZObjectType)

properties = _builder.get(".properties")
if properties is not None:
properties.set_prop("excludedNamespaces",
AAZListType, ".excluded_namespaces")
properties.set_prop("level", AAZStrType, ".level", typ_kwargs={
"flags": {"required": True}})
properties.set_prop("excludedNamespaces", AAZListType, ".excluded_namespaces")
properties.set_prop("level", AAZStrType, ".level", typ_kwargs={"flags": {"required": True}})
properties.set_prop("podSecurityStandardsLevel", AAZStrType, ".pss_level")

excluded_namespaces = _builder.get(
".properties.excludedNamespaces")
excluded_namespaces = _builder.get(".properties.excludedNamespaces")
if excluded_namespaces is not None:
excluded_namespaces.set_elements(AAZStrType, ".")

Expand Down Expand Up @@ -238,6 +244,9 @@ def _build_schema_on_200_201(cls):
properties.level = AAZStrType(
flags={"required": True},
)
properties.pod_security_standards_level = AAZStrType(
serialized_name="podSecurityStandardsLevel",
)
properties.provisioning_state = AAZStrType(
serialized_name="provisioningState",
flags={"read_only": True},
Expand Down
8 changes: 4 additions & 4 deletions src/azure-cli/azure/cli/command_modules/acs/aaz/latest/aks/safeguards/_delete.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,9 +26,9 @@ class Delete(AAZCommand):
"""

_aaz_info = {
"version": "2025-04-01",
"version": "2025-07-01",
"resources": [
["mgmt-plane", "/{resourceuri}/providers/microsoft.containerservice/deploymentsafeguards/default", "2025-04-01"],
["mgmt-plane", "/{resourceuri}/providers/microsoft.containerservice/deploymentsafeguards/default", "2025-07-01"],
]
}

Expand All @@ -52,7 +52,7 @@ def _build_arguments_schema(cls, *args, **kwargs):
_args_schema.managed_cluster = AAZStrArg(
options=["-c", "--cluster", "--managed-cluster"],
help="The fully qualified Azure Resource manager identifier of the Managed Cluster.",
required=False,
required=True,
)
return cls._args_schema

Expand Down Expand Up @@ -134,7 +134,7 @@ def url_parameters(self):
def query_parameters(self):
parameters = {
**self.serialize_query_param(
"api-version", "2025-04-01",
"api-version", "2025-07-01",
required=True,
),
}
Expand Down
18 changes: 9 additions & 9 deletions src/azure-cli/azure/cli/command_modules/acs/aaz/latest/aks/safeguards/_list.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,10 +25,9 @@ class List(AAZCommand):
"""

_aaz_info = {
"version": "2025-04-01",
"version": "2025-07-01",
"resources": [
["mgmt-plane",
"/{resourceuri}/providers/microsoft.containerservice/deploymentsafeguards", "2025-04-01"],
["mgmt-plane", "/{resourceuri}/providers/microsoft.containerservice/deploymentsafeguards", "2025-07-01"],
]
}

Expand All @@ -52,7 +51,7 @@ def _build_arguments_schema(cls, *args, **kwargs):
_args_schema.managed_cluster = AAZStrArg(
options=["-c", "--cluster", "--managed-cluster"],
help="The fully qualified Azure Resource manager identifier of the Managed Cluster.",
required=False,
required=True,
)
return cls._args_schema

Expand All @@ -70,8 +69,7 @@ def post_operations(self):
pass

def _output(self, *args, **kwargs):
result = self.deserialize_output(
self.ctx.vars.instance.value, client_flatten=True)
result = self.deserialize_output(self.ctx.vars.instance.value, client_flatten=True)
next_link = self.deserialize_output(self.ctx.vars.instance.next_link)
return result, next_link

Expand All @@ -80,8 +78,7 @@ class DeploymentSafeguardsList(AAZHttpOperation):

def __call__(self, *args, **kwargs):
request = self.make_request()
session = self.client.send_request(
request=request, stream=False, **kwargs)
session = self.client.send_request(request=request, stream=False, **kwargs)
if session.http_response.status_code in [200]:
return self.on_200(session)

Expand Down Expand Up @@ -116,7 +113,7 @@ def url_parameters(self):
def query_parameters(self):
parameters = {
**self.serialize_query_param(
"api-version", "2025-04-01",
"api-version", "2025-07-01",
required=True,
),
}
Expand Down Expand Up @@ -186,6 +183,9 @@ def _build_schema_on_200(cls):
properties.level = AAZStrType(
flags={"required": True},
)
properties.pod_security_standards_level = AAZStrType(
serialized_name="podSecurityStandardsLevel",
)
properties.provisioning_state = AAZStrType(
serialized_name="provisioningState",
flags={"read_only": True},
Expand Down
22 changes: 11 additions & 11 deletions src/azure-cli/azure/cli/command_modules/acs/aaz/latest/aks/safeguards/_show.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,18 +17,17 @@
class Show(AAZCommand):
"""Show Deployment Safeguards Configuration for a Managed Cluster

:example: Gets a DeploymentSafeguard resource by managed cluster id
:example: Get a DeploymentSafeguard resource by managed cluster id
az aks safeguards show --managed-cluster subscriptions/subid1/resourceGroups/rg1/providers/Microsoft.ContainerService/managedClusters/cluster1

:example: Gets a DeploymentSafeguard resource with resourceGroup and clusterName arguments
:example: Get a DeploymentSafeguard resource with resourceGroup and clusterName arguments
az aks safeguards show -g rg1 -n cluster1
"""

_aaz_info = {
"version": "2025-04-01",
"version": "2025-07-01",
"resources": [
["mgmt-plane",
"/{resourceuri}/providers/microsoft.containerservice/deploymentsafeguards/default", "2025-04-01"],
["mgmt-plane", "/{resourceuri}/providers/microsoft.containerservice/deploymentsafeguards/default", "2025-07-01"],
]
}

Expand All @@ -51,7 +50,7 @@ def _build_arguments_schema(cls, *args, **kwargs):
_args_schema.managed_cluster = AAZStrArg(
options=["-c", "--cluster", "--managed-cluster"],
help="The fully qualified Azure Resource manager identifier of the Managed Cluster.",
required=False,
required=True,
)
return cls._args_schema

Expand All @@ -69,17 +68,15 @@ def post_operations(self):
pass

def _output(self, *args, **kwargs):
result = self.deserialize_output(
self.ctx.vars.instance, client_flatten=True)
result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True)
return result

class DeploymentSafeguardsGet(AAZHttpOperation):
CLIENT_TYPE = "MgmtClient"

def __call__(self, *args, **kwargs):
request = self.make_request()
session = self.client.send_request(
request=request, stream=False, **kwargs)
session = self.client.send_request(request=request, stream=False, **kwargs)
if session.http_response.status_code in [200]:
return self.on_200(session)

Expand Down Expand Up @@ -114,7 +111,7 @@ def url_parameters(self):
def query_parameters(self):
parameters = {
**self.serialize_query_param(
"api-version", "2025-04-01",
"api-version", "2025-07-01",
required=True,
),
}
Expand Down Expand Up @@ -173,6 +170,9 @@ def _build_schema_on_200(cls):
properties.level = AAZStrType(
flags={"required": True},
)
properties.pod_security_standards_level = AAZStrType(
serialized_name="podSecurityStandardsLevel",
)
properties.provisioning_state = AAZStrType(
serialized_name="provisioningState",
flags={"read_only": True},
Expand Down
Loading
Loading