[AKS] az aks safeguards: Add pod security standards support to AKS deployment safeguards commands (#32432)

Author: ShantingLiu

src/azure-cli/azure/cli/command_modules/acs/aaz/latest/aks/safeguards/_create.py

@@ -25,13 +25,18 @@ class Create(AAZCommand):
 
     :example: Create a DeploymentSafeguards resource at Warn level with ignored namespaces
         az aks safeguards create -g rg1 -n mc1 --excluded-ns ns1 ns2 --level Warn
+
+    :example: Create a DeploymentSafeguards resource at Warn level with Pod Security Standards level set to Baseline
+        az aks safeguards create --managed-cluster /subscriptions/subid1/resourceGroups/rg1/providers/Microsoft.ContainerService/managedClusters/cluster1 --level Warn --pss-level Baseline
+
+    :example: Create a DeploymentSafeguards resource with PSS level set to Restricted using -g/-n pattern
+        az aks safeguards create -g rg1 -n cluster1 --level Enforce --pss-level Restricted
     """
 
     _aaz_info = {
-        "version": "2025-04-01",
+        "version": "2025-07-01",
         "resources": [
-            ["mgmt-plane",
-                "/{resourceuri}/providers/microsoft.containerservice/deploymentsafeguards/default", "2025-04-01"],
+            ["mgmt-plane", "/{resourceuri}/providers/microsoft.containerservice/deploymentsafeguards/default", "2025-07-01"],
         ]
     }
 
@@ -55,7 +60,7 @@ def _build_arguments_schema(cls, *args, **kwargs):
         _args_schema.managed_cluster = AAZStrArg(
             options=["-c", "--cluster", "--managed-cluster"],
             help="The fully qualified Azure Resource manager identifier of the Managed Cluster.",
-            required=False,
+            required=True,
         )
 
         # define Arg Group "Properties"
@@ -72,6 +77,12 @@ def _build_arguments_schema(cls, *args, **kwargs):
             help="The deployment safeguards level. Possible values are Warn and Enforce",
             enum={"Enforce": "Enforce", "Warn": "Warn"},
         )
+        _args_schema.pss_level = AAZStrArg(
+            options=["--pss-level"],
+            arg_group="Properties",
+            help="The pod security standards level",
+            enum={"Baseline": "Baseline", "Privileged": "Privileged", "Restricted": "Restricted"},
+        )
 
         excluded_namespaces = cls._args_schema.excluded_namespaces
         excluded_namespaces.Element = AAZStrArg()
@@ -91,17 +102,15 @@ def post_operations(self):
         pass
 
     def _output(self, *args, **kwargs):
-        result = self.deserialize_output(
-            self.ctx.vars.instance, client_flatten=True)
+        result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True)
         return result
 
     class DeploymentSafeguardsCreate(AAZHttpOperation):
         CLIENT_TYPE = "MgmtClient"
 
         def __call__(self, *args, **kwargs):
             request = self.make_request()
-            session = self.client.send_request(
-                request=request, stream=False, **kwargs)
+            session = self.client.send_request(request=request, stream=False, **kwargs)
             if session.http_response.status_code in [202]:
                 return self.client.build_lro_polling(
                     self.ctx.args.no_wait,
@@ -152,7 +161,7 @@ def url_parameters(self):
         def query_parameters(self):
             parameters = {
                 **self.serialize_query_param(
-                    "api-version", "2025-04-01",
+                    "api-version", "2025-07-01",
                     required=True,
                 ),
             }
@@ -175,20 +184,17 @@ def content(self):
             _content_value, _builder = self.new_content_builder(
                 self.ctx.args,
                 typ=AAZObjectType,
-                typ_kwargs={
-                    "flags": {"required": True, "client_flatten": True}}
+                typ_kwargs={"flags": {"required": True, "client_flatten": True}}
             )
             _builder.set_prop("properties", AAZObjectType)
 
             properties = _builder.get(".properties")
             if properties is not None:
-                properties.set_prop("excludedNamespaces",
-                                    AAZListType, ".excluded_namespaces")
-                properties.set_prop("level", AAZStrType, ".level", typ_kwargs={
-                                    "flags": {"required": True}})
+                properties.set_prop("excludedNamespaces", AAZListType, ".excluded_namespaces")
+                properties.set_prop("level", AAZStrType, ".level", typ_kwargs={"flags": {"required": True}})
+                properties.set_prop("podSecurityStandardsLevel", AAZStrType, ".pss_level")
 
-            excluded_namespaces = _builder.get(
-                ".properties.excludedNamespaces")
+            excluded_namespaces = _builder.get(".properties.excludedNamespaces")
             if excluded_namespaces is not None:
                 excluded_namespaces.set_elements(AAZStrType, ".")
 
@@ -238,6 +244,9 @@ def _build_schema_on_200_201(cls):
             properties.level = AAZStrType(
                 flags={"required": True},
             )
+            properties.pod_security_standards_level = AAZStrType(
+                serialized_name="podSecurityStandardsLevel",
+            )
             properties.provisioning_state = AAZStrType(
                 serialized_name="provisioningState",
                 flags={"read_only": True},

src/azure-cli/azure/cli/command_modules/acs/aaz/latest/aks/safeguards/_delete.py

@@ -26,9 +26,9 @@ class Delete(AAZCommand):
     """
 
     _aaz_info = {
-        "version": "2025-04-01",
+        "version": "2025-07-01",
         "resources": [
-            ["mgmt-plane", "/{resourceuri}/providers/microsoft.containerservice/deploymentsafeguards/default", "2025-04-01"],
+            ["mgmt-plane", "/{resourceuri}/providers/microsoft.containerservice/deploymentsafeguards/default", "2025-07-01"],
         ]
     }
 
@@ -52,7 +52,7 @@ def _build_arguments_schema(cls, *args, **kwargs):
         _args_schema.managed_cluster = AAZStrArg(
             options=["-c", "--cluster", "--managed-cluster"],
             help="The fully qualified Azure Resource manager identifier of the Managed Cluster.",
-            required=False,
+            required=True,
         )
         return cls._args_schema
 
@@ -134,7 +134,7 @@ def url_parameters(self):
         def query_parameters(self):
             parameters = {
                 **self.serialize_query_param(
-                    "api-version", "2025-04-01",
+                    "api-version", "2025-07-01",
                     required=True,
                 ),
             }

src/azure-cli/azure/cli/command_modules/acs/aaz/latest/aks/safeguards/_list.py

@@ -25,10 +25,9 @@ class List(AAZCommand):
     """
 
     _aaz_info = {
-        "version": "2025-04-01",
+        "version": "2025-07-01",
         "resources": [
-            ["mgmt-plane",
-                "/{resourceuri}/providers/microsoft.containerservice/deploymentsafeguards", "2025-04-01"],
+            ["mgmt-plane", "/{resourceuri}/providers/microsoft.containerservice/deploymentsafeguards", "2025-07-01"],
         ]
     }
 
@@ -52,7 +51,7 @@ def _build_arguments_schema(cls, *args, **kwargs):
         _args_schema.managed_cluster = AAZStrArg(
             options=["-c", "--cluster", "--managed-cluster"],
             help="The fully qualified Azure Resource manager identifier of the Managed Cluster.",
-            required=False,
+            required=True,
         )
         return cls._args_schema
 
@@ -70,8 +69,7 @@ def post_operations(self):
         pass
 
     def _output(self, *args, **kwargs):
-        result = self.deserialize_output(
-            self.ctx.vars.instance.value, client_flatten=True)
+        result = self.deserialize_output(self.ctx.vars.instance.value, client_flatten=True)
         next_link = self.deserialize_output(self.ctx.vars.instance.next_link)
         return result, next_link
 
@@ -80,8 +78,7 @@ class DeploymentSafeguardsList(AAZHttpOperation):
 
         def __call__(self, *args, **kwargs):
             request = self.make_request()
-            session = self.client.send_request(
-                request=request, stream=False, **kwargs)
+            session = self.client.send_request(request=request, stream=False, **kwargs)
             if session.http_response.status_code in [200]:
                 return self.on_200(session)
 
@@ -116,7 +113,7 @@ def url_parameters(self):
         def query_parameters(self):
             parameters = {
                 **self.serialize_query_param(
-                    "api-version", "2025-04-01",
+                    "api-version", "2025-07-01",
                     required=True,
                 ),
             }
@@ -186,6 +183,9 @@ def _build_schema_on_200(cls):
             properties.level = AAZStrType(
                 flags={"required": True},
             )
+            properties.pod_security_standards_level = AAZStrType(
+                serialized_name="podSecurityStandardsLevel",
+            )
             properties.provisioning_state = AAZStrType(
                 serialized_name="provisioningState",
                 flags={"read_only": True},

src/azure-cli/azure/cli/command_modules/acs/aaz/latest/aks/safeguards/_show.py

@@ -17,18 +17,17 @@
 class Show(AAZCommand):
     """Show Deployment Safeguards Configuration for a Managed Cluster
 
-    :example: Gets a DeploymentSafeguard resource by managed cluster id
+    :example: Get a DeploymentSafeguard resource by managed cluster id
         az aks safeguards show --managed-cluster subscriptions/subid1/resourceGroups/rg1/providers/Microsoft.ContainerService/managedClusters/cluster1
 
-    :example: Gets a DeploymentSafeguard resource with resourceGroup and clusterName arguments
+    :example: Get a DeploymentSafeguard resource with resourceGroup and clusterName arguments
         az aks safeguards show -g rg1 -n cluster1
     """
 
     _aaz_info = {
-        "version": "2025-04-01",
+        "version": "2025-07-01",
         "resources": [
-            ["mgmt-plane",
-                "/{resourceuri}/providers/microsoft.containerservice/deploymentsafeguards/default", "2025-04-01"],
+            ["mgmt-plane", "/{resourceuri}/providers/microsoft.containerservice/deploymentsafeguards/default", "2025-07-01"],
         ]
     }
 
@@ -51,7 +50,7 @@ def _build_arguments_schema(cls, *args, **kwargs):
         _args_schema.managed_cluster = AAZStrArg(
             options=["-c", "--cluster", "--managed-cluster"],
             help="The fully qualified Azure Resource manager identifier of the Managed Cluster.",
-            required=False,
+            required=True,
         )
         return cls._args_schema
 
@@ -69,17 +68,15 @@ def post_operations(self):
         pass
 
     def _output(self, *args, **kwargs):
-        result = self.deserialize_output(
-            self.ctx.vars.instance, client_flatten=True)
+        result = self.deserialize_output(self.ctx.vars.instance, client_flatten=True)
         return result
 
     class DeploymentSafeguardsGet(AAZHttpOperation):
         CLIENT_TYPE = "MgmtClient"
 
         def __call__(self, *args, **kwargs):
             request = self.make_request()
-            session = self.client.send_request(
-                request=request, stream=False, **kwargs)
+            session = self.client.send_request(request=request, stream=False, **kwargs)
             if session.http_response.status_code in [200]:
                 return self.on_200(session)
 
@@ -114,7 +111,7 @@ def url_parameters(self):
         def query_parameters(self):
             parameters = {
                 **self.serialize_query_param(
-                    "api-version", "2025-04-01",
+                    "api-version", "2025-07-01",
                     required=True,
                 ),
             }
@@ -173,6 +170,9 @@ def _build_schema_on_200(cls):
             properties.level = AAZStrType(
                 flags={"required": True},
             )
+            properties.pod_security_standards_level = AAZStrType(
+                serialized_name="podSecurityStandardsLevel",
+            )
             properties.provisioning_state = AAZStrType(
                 serialized_name="provisioningState",
                 flags={"read_only": True},