feat(azure-kubernetes): Update constraint spec references to match what Deployment Safeguards enforces#1976
feat(azure-kubernetes): Update constraint spec references to match what Deployment Safeguards enforces#1976NickKeller wants to merge 12 commits intomicrosoft:mainfrom
Conversation
…Uses actual language from the Kubernetes Pod Security Standards spec
NickKeller
requested review from
chandraneel,
gambtho,
jongio and
saikoumudi
as code owners
There was a problem hiding this comment.
Pull request overview
Updates the AKS Automatic readiness skill’s reference material so the documented “constraint spec” and related guidance better reflect what Deployment Safeguards (and PSS-aligned checks) actually enforce.
Changes:
- Removed/condensed outdated constraint entries (e.g., internal HOBO items and the standalone PSS section) and expanded several safeguard checks with PSS-spec language.
- Updated safeguard counts and descriptions (e.g., “21 active policies”) and adjusted related fix guidance.
- Removed the common-fix snippet for
safeguard-no-privilege-escalationand simplified offline-mode instructions in the skill.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| plugin/skills/azure-kubernetes/azure-kubernetes-automatic-readiness/references/constraint-spec-v1.yaml | Reworks/clarifies safeguard entries and removes standalone PSS block; updates headers and adds a new safeguard entry. |
| plugin/skills/azure-kubernetes/azure-kubernetes-automatic-readiness/references/common-fixes.md | Removes the safeguard-no-privilege-escalation fix pattern section. |
| plugin/skills/azure-kubernetes/azure-kubernetes-automatic-readiness/SKILL.md | Updates stated safeguard policy count and simplifies offline-mode evaluation guidance. |
jongio
left a comment
jongio
left a comment
There was a problem hiding this comment.
Most of the earlier review comments were addressed in the follow-up commit (version bump, section-header counts, probe transports, policyId). A few things I still see:
Stale cross-reference in SKILL.md
Line 170 still lists safeguard-no-privilege-escalation under Deterministic fixes, but this PR removes that entry from constraint-spec-v1.yaml. The assessment won't produce a finding for it anymore, so that bullet becomes dead guidance. Either drop the bullet or restore the safeguard in the spec if Automatic still enforces it.
Missing common-fix recipe for safeguard-host-probes
The new safeguard-host-probes entry has no corresponding section in references/common-fixes.md. Other PSS-related safeguards have before/after patterns there; small consistency gap worth closing.
Inline comments for the rest.
jongio
left a comment
jongio
left a comment
There was a problem hiding this comment.
Follow-up on my earlier review. The PSS language updates and field path additions look clean.
A few remaining consistency items:
-
Cluster constraint count mismatch in the YAML header - see inline.
-
Stale numbers in the warning banner (SKILL.md line 249): still says "26 cluster-level constraints, 25 active Deployment Safeguards policies, ...5 Pod Security Baseline policies." With this PR those should be ~23 cluster constraints, 21 safeguard policies, and the standalone PSS section was removed entirely.
-
safeguard-host-probes missing ephemeralContainers field paths - see inline.
-
common-fixes.md host-probes After section still vague - see inline.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
|
|
||
| - id: safeguard-csi-driver-storage-class | ||
| policyId: 4f3823b6 | ||
| severity: requiresChanges |
There was a problem hiding this comment.
Should this not be required then?
There was a problem hiding this comment.
I don't think I fully understand your question - it's marked as requiresChanges, so it's required to be changed in order to work?
There was a problem hiding this comment.
I think @sabbour is asking: if enforcement: warn means deployments still succeed, should severity stay at requiresChanges? The SKILL.md already calls this one 'informational' (line ~33), so having requiresChanges here sends a conflicting signal to the agent. It'll tell users they must add probes to migrate, but probes aren't actually required for deployment.
There was a problem hiding this comment.
This is for the csi drivers not the probes? It's required to be changed if the manifest is using the not-allowed provisioner.
jongio
left a comment
jongio
left a comment
There was a problem hiding this comment.
Incremental review of the 2 new commits. Count fix (21 -> 23), host-probes example, gRPC capitalization, and safeguard-host-probes cross-reference all look good. One item from my previous review is still open.
jongio
left a comment
jongio
left a comment
There was a problem hiding this comment.
Latest commit addresses my count feedback (26->23 for cluster constraints). There's still a consistency gap between the safeguard counts in SKILL.md vs the constraint-spec - see inline comments.
jongio
left a comment
jongio
left a comment
There was a problem hiding this comment.
Addresses my count feedback - 21 safeguard policies, 23 cluster constraints, and 2 mutators are now consistent between SKILL.md and the constraint spec. 9 best practices + 12 PSS = 21 checks out. Formatting fix (space, period) is clean too.
One thread from @sabbour about safeguard-host-probes severity vs enforcement is still open (line 230 of the constraint spec).
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
jongio
left a comment
jongio
left a comment
There was a problem hiding this comment.
Seccomp trigger fix is correct - undefined/nil is compliant per the constraint spec, so only patching on Unconfined (or when MCP directs it) makes sense. One cross-reference note inline.
@sabbour's thread on constraint-spec line 230 is still open - worth resolving before merge.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
jongio
left a comment
jongio
left a comment
There was a problem hiding this comment.
Addresses my feedback from 5 review cycles. Counts are consistent (21 safeguards = 9 best practices + 12 PSS, 2 mutators called out separately, 23 cluster constraints). Seccomp fix guidance won't patch pods that already comply. Common-fixes examples look solid with proper spec context.
Description
Update constraint spec references to match what is actually enforced by Deployment Safeguards. For Pod Security Standards, it uses actual language from the Kubernetes Pod Security Standards spec.
Checklist
cd tests && npm test)npm run test:skills:integration -- <skill>)USE FOR/DO NOT USE FOR/PREFER OVERclauses: confirmed no routing regressions for competing skillsRelated Issues