@ShantingLiu
Contributor

@ShantingLiu ShantingLiu commented Nov 17, 2025

Related command
az aks safeguards create, az aks safeguards update, az aks safeguards show, az aks safeguards list, az aks safeguards delete, az aks safeguards wait

Description
This PR adds Pod Security Standards (PSS) support to Azure CLI's AKS deployment safeguards commands, preparing them for GA release.

Key Changes:

  1. Pod Security Standards Parameter: Added --pss-level parameter to create and update commands supporting Baseline, Privileged, and Restricted levels
  2. Pre-existence Validation: Added validation in create command to prevent duplicate resource creation with clear error messaging
  3. Enhanced Parameter Support: Fixed all safeguards commands to support -g/-n syntax in addition to --managed-cluster, -c, --cluster
  4. API Version Update: Updated all commands from 2025-04-01 to 2025-05-02-preview API
  5. Test Updates: Re-recorded test with live Azure resources

Related PRs:

Testing Guide

```bash
# Create safeguards with PSS level
az aks safeguards create -g myResourceGroup -n myCluster --level Warn --pss-level Baseline

# Create safeguards again to check if pre-existence check worked (should error)
az aks safeguards create -g myResourceGroup -n myCluster --level Warn --pss-level Baseline

# Update PSS level
az aks safeguards update -g myResourceGroup -n myCluster --pss-level Restricted

# Show safeguards (works with -g/-n syntax)
az aks safeguards show -g myResourceGroup -n myCluster

# List safeguards
az aks safeguards list -g myResourceGroup -n myCluster

# Delete safeguards
az aks safeguards delete -g myResourceGroup -n myCluster
```

History Notes
[AKS] az aks safeguards: Add --pss-level parameter to support Pod Security Standards
[AKS] az aks safeguards create: Add validation to prevent duplicate resource creation



Copilot AI review requested due to automatic review settings November 17, 2025 22:39
@azure-client-tools-bot-prd

azure-client-tools-bot-prd bot commented Nov 17, 2025

✔️AzureCLI-FullTest

@yonzhan
Collaborator

yonzhan commented Nov 17, 2025

Thank you for your contribution! We will review the pull request and get back to you soon.

@azure-client-tools-bot-prd

Hi @ShantingLiu,
Since the current milestone time is less than 7 days, this PR will be reviewed in the next milestone.

@github-actions

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

```bash
pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
```

@azure-client-tools-bot-prd

azure-client-tools-bot-prd bot commented Nov 17, 2025

⚠️AzureCLI-BreakingChangeTest
⚠️acs

| rule | cmd_name | rule_message | suggest_message |
|---|---|---|---|
| ⚠️ 1006 - ParaAdd | aks safeguards create | cmd aks safeguards create added parameter pss_level | |
| ⚠️ 1006 - ParaAdd | aks safeguards update | cmd aks safeguards update added parameter pss_level | |
| ⚠️ 1009 - ParaPropRemove | aks safeguards wait | cmd aks safeguards wait update parameter managed_cluster: removed property required=True | |

Contributor

Copilot AI left a comment

Pull Request Overview

This PR adds Pod Security Standards (PSS) support to Azure CLI's AKS deployment safeguards commands, preparing them for GA release by updating the API version to 2025-05-02-preview and introducing the --pss-level parameter.

Key Changes:

  • Added --pss-level parameter to create and update commands supporting Baseline, Privileged, and Restricted PSS levels
  • Implemented pre-existence validation in the create command to prevent duplicate safeguards resources
  • Updated API version from 2025-04-01 to 2025-05-02-preview across all safeguards commands with flattened properties schema

Reviewed Changes

Copilot reviewed 8 out of 9 changed files in this pull request and generated 11 comments.

| File | Description |
|---|---|
| _create.py | Added --pss-level parameter, pre-existence validation logic, updated API version to 2025-05-02-preview, added skip_quote=True for resource URI handling |
| _update.py | Added nullable --pss-level parameter, updated API version, added schema helper class to reduce duplication, added skip_quote=True |
| _show.py | Updated API version to 2025-05-02-preview, added pod_security_standards_level to schema, set client_flatten flag, added skip_quote=True |
| _list.py | Updated API version to 2025-05-02-preview, added pod_security_standards_level to schema, set client_flatten flag, added skip_quote=True |
| _delete.py | Updated API version to 2025-05-02-preview, updated docstring examples to use "Deletes", added skip_quote=True |
| _wait.py | Updated API version to 2025-05-02-preview, added pod_security_standards_level to schema, set client_flatten flag, added skip_quote=True |
| test_aks_safeguards.py | Updated test assertions to use flattened properties paths (e.g., level instead of properties.level) |
| HISTORY.rst | Added history notes for new --pss-level parameter and pre-existence validation |


@FumingZhang
Member

/azp run

@azure-pipelines

Azure Pipelines successfully started running 3 pipeline(s).

@FumingZhang
Member

/azp run

@azure-pipelines

Azure Pipelines successfully started running 3 pipeline(s).

@ShantingLiu
Contributor Author

/azp run

@azure-pipelines

Commenter does not have sufficient privileges for PR 32432 in repo Azure/azure-cli

@FumingZhang
Member

/azp run

@azure-pipelines

Azure Pipelines successfully started running 3 pipeline(s).

- Reverted all client_flatten=True to client_flatten=False to maintain backward compatibility
- Fixed AAZ undefined check to use has_value() instead of fragile string comparison
- Fixed list command to return both result and next_link
- Updated test assertions to use properties.* paths for nested structure
- No breaking changes to JSON output - properties remain nested
Following the same pattern as managed namespaces, add a pre-existence check
in the AKSSafeguardsCreateCustom.pre_operations() method that prevents
creating duplicate Deployment Safeguards instances. Uses send_raw_request
to check if the resource exists before proceeding with creation.

Also adds get_container_service_client to imports for consistency.
…commands

- Add -c/--cluster options back to safeguards create command
- Update validation to handle both cluster names and full resource IDs
- Fix pre_operations execution order in _execute_operations
- Add --pss-level parameter support with Baseline/Restricted values
- Update test to use -c/-g syntax and test PSS level functionality
- Re-record test with live Azure resources
- Change 'Creates' to 'Create'
- Change 'Deletes' to 'Delete'
- Change 'Gets' to 'Get'
- Keep all command flags unchanged
- Moved pre-existence check from _create.py to AKSSafeguardsCreateCustom.pre_operations()
- This prevents the logic from being wiped when AAZ regenerates the command files
- Custom logic now survives AAZ regeneration as it's in custom.py
- Re-recorded tests with new implementation (13 minutes, passed)
- Update all safeguards commands (create, show, update, delete, list, wait) to use 2025-07-01 GA API version
- Remove is_preview=True flags since commands now use GA API
- Fix -g/-n parameter support by setting required=False for managed_cluster argument
- Update test recordings for new API version
- Resolves 'The command is in development' error by using GA API instead of preview

All CRUD operations tested and working:
- Show: Displays proper nested properties structure
- Delete: Clean deletion without errors
- Create: Successfully creates with level and PSS parameters
- Update: All parameters working (--level, --pss-level, --excluded-ns)
- Custom error handling preserved for duplicate creates
- Remove is_preview=True from aks and aks safeguards command groups
- Update API version retrieval to use direct access without defaults
- Re-record test with GA API version (2025-07-01)
The recording was created with live mode which captured the real subscription ID.
Replace with 00000000-0000-0000-0000-000000000000 for CI pipeline compatibility.
- Regenerated all AAZ safeguards files from workspace editor with 2025-07-01 GA API
- AAZ files now properly have required=True for managed_cluster argument
- Fixed custom.py to use ._required instead of .required for proper override
- Updated test recording with GA API version (2025-07-01)
- All CRUD operations work with both -c and -g/-n syntax
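
The pre-existence check and the name-or-resource-ID handling described in the commit notes above, as an added Python example that is not the PR's own code. The function names, the injected `http_get` callable and the `deploymentSafeguards/default` resource path are assumptions made for illustration.

```python
import re

API_VERSION = "2025-07-01"  # GA API version named in the commit notes
# Assumed ARM path of the safeguards child resource (not given on the page).
SAFEGUARDS_PATH = "/providers/Microsoft.ContainerService/deploymentSafeguards/default"
CLUSTER_ID = re.compile(
    r"/subscriptions/[^/?#]+/resourceGroups/[^/?#]+"
    r"/providers/Microsoft\.ContainerService/managedClusters/[^/?#]+",
    re.IGNORECASE,
)


class SafeguardsExistError(Exception):
    """Create was refused because safeguards already exist on the cluster."""


def resolve_cluster_id(subscription, resource_group=None, name=None, managed_cluster=None):
    """Turn -g/-n, a bare -c name, or a full resource ID into one canonical ID."""
    if managed_cluster and managed_cluster.startswith("/"):
        cluster_id = managed_cluster
    else:
        name = name or managed_cluster
        if not (resource_group and name):
            raise ValueError("need a full resource ID, or a resource group and a name")
        cluster_id = (f"/subscriptions/{subscription}/resourceGroups/{resource_group}"
                      f"/providers/Microsoft.ContainerService/managedClusters/{name}")
    # Reject extra path segments or query characters smuggled in through a name.
    if not CLUSTER_ID.fullmatch(cluster_id):
        raise ValueError(f"not a managed cluster resource ID: {cluster_id!r}")
    return cluster_id


def ensure_absent(cluster_id, http_get):
    """Return the checked URL if no safeguards exist; raise otherwise.

    http_get is a hypothetical callable(url) -> HTTP status code standing in
    for the authenticated GET the CLI sends.
    """
    url = f"{cluster_id}{SAFEGUARDS_PATH}?api-version={API_VERSION}"
    status = http_get(url)
    if status == 404:
        return url
    if status == 200:
        raise SafeguardsExistError(
            "Deployment safeguards already exist; use 'az aks safeguards update'.")
    # 401/403/5xx: existence is unknown, so stop instead of creating blindly.
    raise RuntimeError(f"pre-existence check inconclusive (HTTP {status})")
```

Only a 404 lets the create proceed; an authorization failure or server error is treated as inconclusive, so a caller without read access does not overwrite an existing safeguards configuration.
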
@FumingZhang
Member

/azp run

@azure-pipelines

Azure Pipelines successfully started running 3 pipeline(s).

These attributes were added attempting to fix the -c required issue but didn't work. Removing them as they serve no purpose and CRUD operations work correctly without them.
@FumingZhang
Member

/azp run

@azure-pipelines

Azure Pipelines successfully started running 3 pipeline(s).

@yanzhudd
Contributor

/azp run

@azure-pipelines

Azure Pipelines successfully started running 3 pipeline(s).

@yanzhudd yanzhudd merged commit bc15429 into Azure:dev Nov 22, 2025
48 checks passed