Merge pull request #3419 from aevesdocker/ENGDOCS-2986

crazy-max · web-flow · commit 3293a2ef41be · 2025-09-11T13:55:17.000+02:00
docs: device entitlements
diff --git a/commands/build.go b/commands/build.go
@@ -502,7 +502,7 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions, debugger debuggerOpt
 
 	flags.StringSliceVar(&options.extraHosts, "add-host", []string{}, `Add a custom host-to-IP mapping (format: "host:ip")`)
 
-	flags.StringArrayVar(&options.allow, "allow", []string{}, `Allow extra privileged entitlement (e.g., "network.host", "security.insecure")`)
+	flags.StringArrayVar(&options.allow, "allow", []string{}, `Allow extra privileged entitlement (e.g., "network.host", "security.insecure", "device")`)
 
 	flags.StringArrayVarP(&options.annotations, "annotation", "", []string{}, "Add annotation to the image")
 
diff --git a/docs/reference/buildx_bake.md b/docs/reference/buildx_bake.md
@@ -65,7 +65,7 @@ entitlements, making it clear when a build or bake operation requires elevated
 privileges.
 
 In addition to BuildKit's `network.host` and `security.insecure` entitlements
-(see [`docker buildx build --allow`](https://docs.docker.com/reference/cli/docker/buildx/build/#allow),
+(see [`docker buildx build --allow`](https://docs.docker.com/reference/cli/docker/buildx/build/#allow)),
 Bake supports file system entitlements that grant granular control over file
 system access. These are particularly useful when working with builds that need
 access to files outside the default working directory.
diff --git a/docs/reference/buildx_build.md b/docs/reference/buildx_build.md
@@ -16,7 +16,7 @@ Start a build
 | Name                                    | Type          | Default   | Description                                                                                                  |
 |:----------------------------------------|:--------------|:----------|:-------------------------------------------------------------------------------------------------------------|
 | [`--add-host`](#add-host)               | `stringSlice` |           | Add a custom host-to-IP mapping (format: `host:ip`)                                                          |
-| [`--allow`](#allow)                     | `stringArray` |           | Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`)                               |
+| [`--allow`](#allow)                     | `stringArray` |           | Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`, `device`)                     |
 | [`--annotation`](#annotation)           | `stringArray` |           | Add annotation to the image                                                                                  |
 | [`--attest`](#attest)                   | `stringArray` |           | Attestation parameters (format: `type=sbom,generator=image`)                                                 |
 | [`--build-arg`](#build-arg)             | `stringArray` |           | Set build-time variables                                                                                     |
@@ -173,6 +173,10 @@ Allow extra privileged entitlement. List of entitlements:
 - `network.host` - Allows executions with host networking.
 - `security.insecure` - Allows executions without sandbox. See
   [related Dockerfile extensions](https://docs.docker.com/reference/dockerfile/#run---security).
+- `device` - Allows access to Container Device Interface (CDI) devices.
+   - `--allow device` - Grants access to all devices.
+   - `--allow device=kind|name` - Grants access to a specific device.
+   - `--allow device=kind|name,alias=kind|name` - Grants access to a specific device, with optional aliasing.
 
 For entitlements to be enabled, the BuildKit daemon also needs to allow them
 with `--allow-insecure-entitlement` (see [`create --buildkitd-flags`](buildx_create.md#buildkitd-flags)).
diff --git a/docs/reference/buildx_dap_build.md b/docs/reference/buildx_dap_build.md
@@ -8,7 +8,7 @@ Start a build
 | Name                | Type          | Default   | Description                                                                                                  |
 |:--------------------|:--------------|:----------|:-------------------------------------------------------------------------------------------------------------|
 | `--add-host`        | `stringSlice` |           | Add a custom host-to-IP mapping (format: `host:ip`)                                                          |
-| `--allow`           | `stringArray` |           | Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`)                               |
+| `--allow`           | `stringArray` |           | Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`, `device`)                     |
 | `--annotation`      | `stringArray` |           | Add annotation to the image                                                                                  |
 | `--attest`          | `stringArray` |           | Attestation parameters (format: `type=sbom,generator=image`)                                                 |
 | `--build-arg`       | `stringArray` |           | Set build-time variables                                                                                     |
diff --git a/docs/reference/buildx_debug_build.md b/docs/reference/buildx_debug_build.md
@@ -12,7 +12,7 @@ Start a build
 | Name                | Type          | Default   | Description                                                                                                  |
 |:--------------------|:--------------|:----------|:-------------------------------------------------------------------------------------------------------------|
 | `--add-host`        | `stringSlice` |           | Add a custom host-to-IP mapping (format: `host:ip`)                                                          |
-| `--allow`           | `stringArray` |           | Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`)                               |
+| `--allow`           | `stringArray` |           | Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`, `device`)                     |
 | `--annotation`      | `stringArray` |           | Add annotation to the image                                                                                  |
 | `--attest`          | `stringArray` |           | Attestation parameters (format: `type=sbom,generator=image`)                                                 |
 | `--build-arg`       | `stringArray` |           | Set build-time variables                                                                                     |
