microsoft · NickKeller · Apr 21, 2026 · Apr 21, 2026 · Apr 21, 2026 · Apr 21, 2026
@@ -3,7 +3,7 @@ name: azure-kubernetes-automatic-readiness
 license: MIT
 metadata:
   author: Microsoft
-  version: "1.0.0"
+  version: "1.0.1"
 description: "Assess Kubernetes workloads and cluster configuration for AKS Automatic compatibility. Identifies incompatibilities, generates fixes, and guides migration from AKS Standard to AKS Automatic. WHEN: migrate to AKS Automatic, check AKS Automatic readiness, validate manifests for Automatic, assess cluster for Automatic compatibility, fix deployment for Automatic compatibility, identify AKS Automatic migration blockers, is my cluster ready for AKS Automatic."
 ---
 
@@ -17,7 +17,7 @@ description: "Assess Kubernetes workloads and cluster configuration for AKS Auto
 
 You are an AKS Automatic compatibility assessment agent. Your job is to evaluate whether Kubernetes workloads and cluster configurations are compatible with [AKS Automatic](https://learn.microsoft.com/en-us/azure/aks/intro-aks-automatic), identify issues, and help users fix them.
 
-AKS Automatic enforces **Deployment Safeguards** (25 active Deny policies), **Pod Security Standards** (Baseline mandatory, Restricted optional), **2 active webhook mutators** that auto-fix certain fields at admission (resource-requests defaults and anti-affinity/topology-spread), and **26 cluster-level configuration requirements**.
+AKS Automatic enforces **Deployment Safeguards** (21 active policies, some deny, some warn only), **Pod Security Standards** (Baseline mandatory, Restricted optional), **2 active webhook mutators** that auto-fix certain fields at admission (resource-requests defaults and anti-affinity/topology-spread), and **23 cluster-level configuration requirements**.
 
 ## Quick Reference
 | Property | Value |
@@ -122,27 +122,28 @@ Then proceed to offline mode.
 
 #### Offline Mode
 
-Load the constraint spec from `references/constraint-spec-v1.yaml` and evaluate each manifest. Key checks:
+Load the constraint spec from `references/constraint-spec-v1.yaml` and evaluate each manifest. The check field tells you what to check for and what fields to check. The fix field will tell you any allowed values and possible fixes. You should evaluate each of the safeguards with each of the manifests to determine if the manifests are compatible. Suggest any fixes that are needed.
 
+Key Checks: 
 **Per container** (containers, initContainers, ephemeralContainers):
 - Resource requests/limits → `safeguard-container-resource-requests`
 - Readiness and liveness probes → `safeguard-probes-configured` *(warning-only — not blocked at admission; treat as informational)*
 - Image tag not `:latest` → `safeguard-images-no-latest`
 - `securityContext.privileged` not true → `safeguard-no-privileged-containers`
-- `allowPrivilegeEscalation` not true → `safeguard-no-privilege-escalation`
-- `capabilities.add` empty → `safeguard-container-capabilities`
+- `capabilities.add` only adds allowed capabilities → `safeguard-container-capabilities`
 - `seccompProfile` is RuntimeDefault/Localhost → `safeguard-allowed-seccomp-profiles`
+- no `host` field in any container probes and lifecycle hooks → `safeguard-host-probes`
 
 **Per pod spec:**
 - `hostPID`/`hostIPC` not true → `safeguard-block-host-namespaces` (incompatible)
 - `hostNetwork`/`hostPort` not true → `safeguard-host-network-ports` (incompatible)
 - No `hostPath` volumes → `safeguard-no-host-path-volumes` (incompatible)
-- Volume types are standard → `safeguard-allowed-volume-types`
 
 **Per workload type:**
 - Deployments/StatefulSets with replicas > 1: podAntiAffinity or topologySpreadConstraints → `safeguard-pod-enforce-antiaffinity`
 - StorageClass: CSI provisioner (not in-tree) → `safeguard-csi-driver-storage-class`
 
+
 ### Severity Classification
 
 | Severity | Meaning | Action |
@@ -185,9 +186,8 @@ Per-issue format:
 
 **Deterministic fixes** (have `suggestedPatch` — generate YAML diff directly):
 - `safeguard-container-resource-requests` — add `resources.requests`
-- `safeguard-no-privilege-escalation` — set `allowPrivilegeEscalation: false`
 - `safeguard-container-capabilities` — remove `capabilities.add`
-- `safeguard-allowed-seccomp-profiles` — add `seccompProfile: RuntimeDefault`
+- `safeguard-allowed-seccomp-profiles` — patch only when `seccompProfile.type: Unconfined` is present, or when the MCP `suggestedPatch` explicitly requires a seccomp change
 - `safeguard-enforce-apparmor` — add AppArmor annotation
 - `safeguard-csi-driver-storage-class` — replace in-tree provisioner
 
@@ -246,4 +246,4 @@ See `references/migration-guide-summary.md` for the full migration checklist.
 | `references/migration-guide-summary.md` | When user asks about migration steps or after assessment is complete |
 | `references/mcp-integration.md` | When troubleshooting MCP tool calls or debugging the fallback chain |
 
-> ⚠️ **Warning:** This skill bundles **constraint spec v1.1.1** (2026-03-15), covering 26 cluster-level constraints, 25 active Deployment Safeguards policies, 2 active webhook mutators, and 5 Pod Security Baseline policies. Always note the spec version in assessment output.
+> ⚠️ **Warning:** This skill bundles **constraint spec v1.1.1** (2026-03-15), covering 23 cluster-level constraints, 21 active Deployment Safeguards policies (9 best practices policies, 12 Pod Security Standards policies), and 2 active mutators. Always note the spec version in assessment output.
@@ -32,21 +32,6 @@ containers:
 
 ---
 
-## `safeguard-no-privilege-escalation` — Disable privilege escalation
-
-**Before:**
-```yaml
-securityContext: {}
-```
-
-**After:**
-```yaml
-securityContext:
-  allowPrivilegeEscalation: false
-```
-
----
-
 ## `safeguard-container-capabilities` — Drop all capabilities
 
 **Before:**
@@ -61,7 +46,6 @@ securityContext:
 securityContext:
   capabilities:
     drop: ["ALL"]
-  allowPrivilegeEscalation: false
 ```
 
 > ⚠️ **Warning:** If the app genuinely requires `NET_ADMIN` or similar, it is **incompatible** with AKS Automatic. Do not silently drop — explain the incompatibility and suggest redesign.
@@ -89,6 +73,27 @@ spec:
 
 ---
 
+## `safeguard-allowed-seccomp-profiles` — Remove 'Unconfined' seccomp profile
+
+**Before:**
+```yaml
+spec:
+  securityContext:
+    seccompProfile:
+      type: Unconfined
+  containers:
+    - name: web
+```
+
+**After:**
+```yaml
+spec:
+  containers:
+    - name: web
+```
+
+---
+
 ## `safeguard-enforce-apparmor` — Add AppArmor annotation
 
 **Before:**
@@ -170,6 +175,43 @@ readinessProbe:
 
 ---
 
+## `safeguard-host-probes` — Remove host field in probes and lifecycle hooks
+
+**Before:**
+```yaml
+spec:
+  containers:
+  - name: my-container
+    image: nginx:v1.2.3
+    livenessProbe:
+      httpGet:
+        host: "my-host"
+        path: /healthz
+        port: 8080
+      initialDelaySeconds: 15
+      periodSeconds: 20
+      failureThreshold: 3
+```
+
+**After:**
+Remove the `host` field
+Example:
+```yaml
+spec:
+  containers:
+  - name: my-container
+    image: nginx:v1.2.3
+    livenessProbe:
+      httpGet:
+        path: /healthz
+        port: 8080
+      initialDelaySeconds: 15
+      periodSeconds: 20
+      failureThreshold: 3
+```
+
+---
+
 ## `safeguard-pod-enforce-antiaffinity` — Add topology spread *(LLM-reasoned — ask user for label)*
 
 Ask user: _"What label key/value identifies your workload's pods?"_