[Container] az container create: Add new parameters for container security context for confidential ContainerGroupSku

src/azure-cli/azure/cli/command_modules/container/_params.py

@@ -79,6 +79,13 @@ def load_arguments(self, _):
 
     with self.argument_context('container create', arg_group='Confidential Container Group') as c:
         c.argument('cce_policy', help="The CCE policy for the confidential container group")
+        c.argument('allow_privilege_escalation', options_list=['--allow-escalation'], help="Allow whether a process can gain more privileges than its parent process.", action='store_true')
+        c.argument('privileged', help='The flag to determine if the contianer permissions is elevated to Privileged', action='store_true')
+        c.argument('run_as_user', help="Set the User GID for the container")
+        c.argument('run_as_group', help="Set the User UID for the container")
+        c.argument('seccomp_profile', help="A base64 encoded string containing the contents of the JSON in the seccomp profile")
+        c.argument('add_capabilities', nargs='+', help="A List of security context capabilities to be added")
+        c.argument('drop_capabilities', nargs='+', help="A List of security context capabilities to be dropped")
 
     with self.argument_context('container create', arg_group='Managed Service Identity') as c:
         c.argument('assign_identity', nargs='*', validator=validate_msi, help="Space-separated list of assigned identities. Assigned identities are either user assigned identities (resource IDs) and / or the system assigned identity ('[system]'). See examples for more info.")

src/azure-cli/azure/cli/command_modules/container/custom.py

@@ -36,7 +36,8 @@
                                                  ResourceRequirements, Volume, VolumeMount, ContainerExecRequest, ContainerExecRequestTerminalSize,
                                                  GitRepoVolume, LogAnalytics, ContainerGroupDiagnostics, ContainerGroupSubnetId,
                                                  ContainerGroupIpAddressType, ResourceIdentityType, ContainerGroupIdentity,
-                                                 ContainerGroupPriority, ContainerGroupSku, ConfidentialComputeProperties)
+                                                 ContainerGroupPriority, ContainerGroupSku, ConfidentialComputeProperties,
+                                                 SecurityContextDefinition, SecurityContextCapabilitiesDefinition)
 from azure.cli.core.util import sdk_no_wait
 from azure.cli.core.azclierror import RequiredArgumentMissingError
 from ._client_factory import (cf_container_groups, cf_container, cf_log_analytics_workspace,
@@ -115,7 +116,14 @@ def create_container(cmd,
                      zone=None,
                      priority=None,
                      sku=None,
-                     cce_policy=None):
+                     cce_policy=None,
+                     add_capabilities=None,
+                     drop_capabilities=None,
+                     privileged=False,
+                     allow_privilege_escalation=False,
+                     run_as_group=None,
+                     run_as_user=None,
+                     seccomp_profile=None):
     """Create a container group. """
     if file:
         return _create_update_from_file(cmd.cli_ctx, resource_group_name, name, location, file, no_wait)
@@ -218,9 +226,17 @@ def create_container(cmd,
 
     # Set up Container Group Sku.
     confidential_compute_properties = None
+    security_context = None
     if sku == "Confidential":
         sku = ContainerGroupSku.Confidential
         confidential_compute_properties = ConfidentialComputeProperties(cce_policy=cce_policy)
+        security_context_capabilities = SecurityContextCapabilitiesDefinition(add=add_capabilities, drop=drop_capabilities)
+        security_context = SecurityContextDefinition(privileged=privileged,
+                                                     allow_privilege_escalation=allow_privilege_escalation,
+                                                     capabilities=security_context_capabilities,
+                                                     run_as_group=run_as_group,
+                                                     run_as_user=run_as_user,
+                                                     seccomp_profile=seccomp_profile)
 
     container = Container(name=name,
                           image=image,
@@ -229,7 +245,8 @@ def create_container(cmd,
                           ports=[ContainerPort(
                               port=p, protocol=protocol) for p in ports] if cgroup_ip_address else None,
                           environment_variables=environment_variables,
-                          volume_mounts=mounts or None)
+                          volume_mounts=mounts or None,
+                          security_context=security_context)
 
     cgroup = ContainerGroup(location=location,
                             identity=identity,