[AKS] Add Pod Security Standards support to Deployment Safeguards

Author: Jenny Liu

deploymentsafeguards.json

@@ -159,3 +159,7 @@ def cf_load_balancers(cli_ctx, *_):
 
 def cf_jwt_authenticators(cli_ctx, *_):
     return get_container_service_client(cli_ctx).jwt_authenticators
+
+
+def cf_deployment_safeguards(cli_ctx, *_):
+    return get_container_service_client(cli_ctx).deployment_safeguards

src/aks-preview/azext_aks_preview/_client_factory.py

@@ -325,6 +325,11 @@
 CONST_SAFEGUARDSLEVEL_WARNING = "Warning"
 CONST_SAFEGUARDSLEVEL_ENFORCEMENT = "Enforcement"
 
+# Pod Security Standards Level Consts
+CONST_POD_SECURITY_STANDARDS_LEVEL_PRIVILEGED = "Privileged"
+CONST_POD_SECURITY_STANDARDS_LEVEL_BASELINE = "Baseline"
+CONST_POD_SECURITY_STANDARDS_LEVEL_RESTRICTED = "Restricted"
+
 CONST_AZURE_SERVICE_MESH_MODE_DISABLED = "Disabled"
 CONST_AZURE_SERVICE_MESH_MODE_ISTIO = "Istio"
 CONST_AZURE_SERVICE_MESH_INGRESS_MODE_EXTERNAL = "External"

src/aks-preview/azext_aks_preview/_consts.py

@@ -564,6 +564,9 @@
         - name: --safeguards-excluded-ns
           type: string
           short-summary: Comma-separated list of Kubernetes namespaces to exclude from deployment safeguards
+        - name: --pod-security-standards-level
+          type: string
+          short-summary: The Pod Security Standards level. Accepted Values are [Privileged, Baseline, Restricted]. Requires safeguards to be enabled
         - name: --enable-asm --enable-azure-service-mesh
           type: bool
           short-summary: Enable Azure Service Mesh.
@@ -762,6 +765,8 @@
           text: az aks create -g MyResourceGroup -n MyManagedCluster --safeguards-level Warning --enable-addons azure-policy
         - name: Create a kubernetes cluster with safeguards set to "Warning" and some namespaces excluded
           text: az aks create -g MyResourceGroup -n MyManagedCluster --safeguards-level Warning --safeguards-excluded-ns ns1,ns2 --enable-addons azure-policy
+        - name: Create a kubernetes cluster with safeguards and Pod Security Standards set to "Baseline"
+          text: az aks create -g MyResourceGroup -n MyManagedCluster --safeguards-level Warning --pod-security-standards-level Baseline --enable-addons azure-policy
         - name: Create a kubernetes cluster with Azure Service Mesh enabled.
           text: az aks create -g MyResourceGroup -n MyManagedCluster --enable-azure-service-mesh
         - name: Create a kubernetes cluster with Azure Monitor Metrics enabled.
@@ -1486,6 +1491,8 @@
         text: az aks update -g MyResourceGroup -n MyManagedCluster --disable-azure-monitor-logs
       - name: Update a kubernetes cluster to clear any namespaces excluded from safeguards. Assumes azure policy addon is already enabled
         text: az aks update -g MyResourceGroup -n MyManagedCluster --safeguards-excluded-ns ""
+      - name: Update a kubernetes cluster with safeguards and Pod Security Standards set to "Baseline". Assumes azure policy addon is already enabled
+        text: az aks update -g MyResourceGroup -n MyManagedCluster --safeguards-level Warning --pod-security-standards-level Baseline
       - name: Update a kubernetes cluster to enable a managed installation of Gateway API CRDs from the standard release channel.
         text: az aks update -g MyResourceGroup -n MyManagedCluster --enable-gateway-api
       - name: Update a kubernetes cluster to disable the managed installation of Gateway API CRDs.
@@ -4347,3 +4354,76 @@
         - name: Show a specific JWT authenticator configuration
           text: az aks jwtauthenticator show -g MyResourceGroup --cluster-name MyCluster --name myjwt
 """
+
+helps['aks safeguards'] = """
+    type: group
+    short-summary: Manage Deployment Safeguards for a Managed Cluster (preview).
+"""
+
+helps['aks safeguards create'] = """
+    type: command
+    short-summary: Enable Deployment Safeguards for a Managed Cluster with Pod Security Standards support (preview).
+    parameters:
+        - name: --level
+          type: string
+          short-summary: The deployment safeguards level. Accepted values are Warn and Enforce.
+        - name: --excluded-namespaces --excluded-ns
+          type: string
+          short-summary: Space-separated list of namespaces to exclude from Deployment Safeguards.
+        - name: --pod-security-standards-level
+          type: string
+          short-summary: The Pod Security Standards level. Accepted values are Privileged, Baseline, Restricted.
+    examples:
+        - name: Create DeploymentSafeguards at Warn level with Pod Security Standards Baseline
+          text: az aks safeguards create -g MyResourceGroup -n MyCluster --level Warn --pod-security-standards-level Baseline
+        - name: Create DeploymentSafeguards at Enforce level with excluded namespaces
+          text: az aks safeguards create -g MyResourceGroup -n MyCluster --level Enforce --excluded-ns kube-system ns1 ns2
+        - name: Create DeploymentSafeguards with all security features enabled
+          text: az aks safeguards create -g MyResourceGroup -n MyCluster --level Enforce --pod-security-standards-level Restricted
+"""
+
+helps['aks safeguards update'] = """
+    type: command
+    short-summary: Update Deployment Safeguards configuration for a Managed Cluster with Pod Security Standards support (preview).
+    parameters:
+        - name: --level
+          type: string
+          short-summary: The deployment safeguards level. Accepted values are Warn and Enforce.
+        - name: --excluded-namespaces --excluded-ns
+          type: string
+          short-summary: Space-separated list of namespaces to exclude from Deployment Safeguards.
+        - name: --pod-security-standards-level
+          type: string
+          short-summary: The Pod Security Standards level. Accepted values are Privileged, Baseline, Restricted.
+    examples:
+        - name: Update DeploymentSafeguards to Enforce level
+          text: az aks safeguards update -g MyResourceGroup -n MyCluster --level Enforce
+        - name: Update Pod Security Standards level to Restricted
+          text: az aks safeguards update -g MyResourceGroup -n MyCluster --pod-security-standards-level Restricted
+        - name: Update excluded namespaces
+          text: az aks safeguards update -g MyResourceGroup -n MyCluster --excluded-ns kube-system custom-ns
+"""
+
+helps['aks safeguards show'] = """
+    type: command
+    short-summary: Show Deployment Safeguards configuration for a Managed Cluster (preview).
+    examples:
+        - name: Show DeploymentSafeguards configuration
+          text: az aks safeguards show -g MyResourceGroup -n MyCluster
+"""
+
+helps['aks safeguards delete'] = """
+    type: command
+    short-summary: Disable Deployment Safeguards for a Managed Cluster (preview).
+    examples:
+        - name: Delete DeploymentSafeguards
+          text: az aks safeguards delete -g MyResourceGroup -n MyCluster
+"""
+
+helps['aks safeguards list'] = """
+    type: command
+    short-summary: List DeploymentSafeguards by parent resource (preview).
+    examples:
+        - name: List DeploymentSafeguards for a cluster
+          text: az aks safeguards list -g MyResourceGroup -n MyCluster
+"""

src/aks-preview/azext_aks_preview/_help.py

@@ -351,16 +351,19 @@ def check_is_apiserver_vnet_integration_cluster(mc: ManagedCluster) -> bool:
     return False
 
 
-def setup_common_safeguards_profile(level, version, excludedNamespaces, mc: ManagedCluster, models) -> ManagedCluster:
-    if (level is not None or version is not None or excludedNamespaces is not None) and mc.safeguards_profile is None:
+def setup_common_safeguards_profile(level, version, excludedNamespaces, podSecurityStandardsLevel, mc: ManagedCluster, models) -> ManagedCluster:
+    if (level is not None or version is not None or excludedNamespaces is not None or podSecurityStandardsLevel is not None) and mc.safeguards_profile is None:
         mc.safeguards_profile = models.SafeguardsProfile(
             level=level,
-            version=version
+            version=version,
+            pod_security_standards_level=podSecurityStandardsLevel
         )
     # replace values with provided values
     if excludedNamespaces is not None:
         mc.safeguards_profile.excluded_namespaces = extract_comma_separated_string(
             excludedNamespaces, enable_strip=True, keep_none=True, default_value=[])
+    if podSecurityStandardsLevel is not None:
+        mc.safeguards_profile.pod_security_standards_level = podSecurityStandardsLevel
 
     return mc
 

src/aks-preview/azext_aks_preview/_helpers.py

@@ -441,6 +441,13 @@
     CONST_SAFEGUARDSLEVEL_ENFORCEMENT,
 ]
 
+# consts for Pod Security Standards level
+pod_security_standards_levels = [
+    CONST_POD_SECURITY_STANDARDS_LEVEL_PRIVILEGED,
+    CONST_POD_SECURITY_STANDARDS_LEVEL_BASELINE,
+    CONST_POD_SECURITY_STANDARDS_LEVEL_RESTRICTED,
+]
+
 # azure service mesh
 ingress_gateway_types = [
     CONST_AZURE_SERVICE_MESH_INGRESS_MODE_EXTERNAL,
@@ -1030,6 +1037,11 @@ def load_arguments(self, _):
             type=str,
             is_preview=True
         )
+        c.argument(
+            "pod_security_standards_level",
+            arg_type=get_enum_type(pod_security_standards_levels),
+            is_preview=True,
+        )
         # azure monitor profile
         c.argument(
             "enable_azuremonitormetrics",
@@ -3117,6 +3129,33 @@ def load_arguments(self, _):
             c.argument('config_file', options_list=['--config-file'], type=file_type, completer=FilesCompleter(),
                        help='Path to the JSON configuration file containing JWT authenticator properties.')
 
+    # AKS deployment safeguards parameters
+    with self.argument_context('aks safeguards') as c:
+        c.argument('resource_group_name', options_list=['--resource-group', '-g'])
+        c.argument('cluster_name', options_list=['--name', '-n'], help='The name of the Managed Cluster.')
+        c.argument('managed_cluster', options_list=['--cluster', '--managed-cluster', '-c'],
+                   help='The fully qualified Azure Resource manager identifier of the Managed Cluster.')
+
+    with self.argument_context('aks safeguards create') as c:
+        c.argument('level', arg_type=get_enum_type(['Warn', 'Enforce']),
+                   help='The deployment safeguards level.')
+        c.argument('excluded_namespaces', options_list=['--excluded-namespaces', '--excluded-ns'],
+                   nargs='+',
+                   help='User defined list of namespaces to exclude from Deployment Safeguards.')
+        c.argument('pod_security_standards_level', arg_type=get_enum_type(pod_security_standards_levels),
+                   is_preview=True,
+                   help='The Pod Security Standards level.')
+
+    with self.argument_context('aks safeguards update') as c:
+        c.argument('level', arg_type=get_enum_type(['Warn', 'Enforce']),
+                   help='The deployment safeguards level.')
+        c.argument('excluded_namespaces', options_list=['--excluded-namespaces', '--excluded-ns'],
+                   nargs='+',
+                   help='User defined list of namespaces to exclude from Deployment Safeguards.')
+        c.argument('pod_security_standards_level', arg_type=get_enum_type(pod_security_standards_levels),
+                   is_preview=True,
+                   help='The Pod Security Standards level.')
+
 
 def _get_default_install_location(exe_name):
     system = platform.system()

src/aks-preview/azext_aks_preview/_params.py

@@ -17,6 +17,7 @@
     cf_load_balancers,
     cf_identity_bindings,
     cf_jwt_authenticators,
+    cf_deployment_safeguards,
 )
 
 from azext_aks_preview._format import (
@@ -566,3 +567,38 @@ def load_command_table(self, _):
             "aks_jwtauthenticator_show",
             table_transformer=aks_jwtauthenticator_show_table_format
         )
+
+    # AKS deployment safeguards commands
+    deployment_safeguards_sdk = CliCommandType(
+        operations_tmpl="azext_aks_preview.vendored_sdks.azure_mgmt_preview_aks."
+        "operations._deployment_safeguards_operations#DeploymentSafeguardsOperations.{}",
+        operation_group="deployment_safeguards",
+        client_factory=cf_deployment_safeguards,
+    )
+    with self.command_group(
+        "aks safeguards", deployment_safeguards_sdk, client_factory=cf_deployment_safeguards, is_preview=True
+    ) as g:
+        g.custom_command(
+            "create",
+            "aks_safeguards_create",
+            supports_no_wait=True
+        )
+        g.custom_command(
+            "update",
+            "aks_safeguards_update",
+            supports_no_wait=True
+        )
+        g.custom_show_command(
+            "show",
+            "aks_safeguards_show"
+        )
+        g.custom_command(
+            "delete",
+            "aks_safeguards_delete",
+            supports_no_wait=True,
+            confirmation=True
+        )
+        g.custom_command(
+            "list",
+            "aks_safeguards_list"
+        )