

az confcom

Note

This reference is part of the confcom extension for the Azure CLI (version 2.26.2 or higher). The extension will automatically install the first time you run an az confcom command. Learn more about extensions.

Commands to generate security policies for confidential containers in Azure.

Commands

Name                      Description                                                Type       Status
az confcom acipolicygen   Create a Confidential Container Security Policy for ACI.   Extension  GA
az confcom katapolicygen  Create a Confidential Container Security Policy for AKS.   Extension  GA

az confcom acipolicygen

Create a Confidential Container Security Policy for ACI.

az confcom acipolicygen [--approve-wildcards]
                        [--debug-mode]
                        [--diff]
                        [--disable-stdio]
                        [--faster-hashing]
                        [--image]
                        [--infrastructure-svn]
                        [--input]
                        [--outraw]
                        [--outraw-pretty-print]
                        [--parameters]
                        [--print-existing-policy]
                        [--print-policy]
                        [--save-to-file]
                        [--tar]
                        [--template-file]
                        [--validate-sidecar]
                        [--virtual-node-yaml]

Examples

Input an ARM Template file to inject a base64 encoded Confidential Container Security Policy into the ARM Template

az confcom acipolicygen --template-file "./template.json"

Input an ARM Template file to create a human-readable Confidential Container Security Policy

az confcom acipolicygen --template-file "./template.json" --outraw-pretty-print

Input an ARM Template file to save a Confidential Container Security Policy to a file as base64 encoded text

az confcom acipolicygen --template-file "./template.json" -s "./output-file.txt" --print-policy

Input an ARM Template file and use a tar file as the image source instead of the Docker daemon

az confcom acipolicygen --template-file "./template.json" --tar "./image.tar"
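As an added example (not part of this reference), a POSIX shell wrapper that turns the `--diff` exit-status contract described under Optional Parameters (0 when the embedded ccePolicy is compatible with the template's containers, 2 when it is not, with reasons printed) into a CI gate; the function name check_cce_policy and the template and parameters file paths are assumptions.

```shell
#!/bin/sh
# Added example: gate a deployment on `az confcom acipolicygen --diff`.
# The reference documents the exit codes: 0 = ccePolicy and containers are
# compatible, 2 = incompatible (a list of reasons is printed). Anything else
# is treated here as a tool failure rather than a policy verdict.
set -eu

# check_cce_policy TEMPLATE [PARAMETERS]
# Prints a verdict and returns 0 (in sync), 2 (drift), or 1 (tool error).
check_cce_policy() {
    template=$1
    params=${2:-}
    reasons=$(mktemp)

    # Build the argument list; --parameters is optional per the reference.
    set -- --template-file "$template" --diff
    if [ -n "$params" ]; then
        set -- "$@" --parameters "$params"
    fi

    status=0
    az confcom acipolicygen "$@" >"$reasons" 2>&1 || status=$?

    case $status in
        0) echo "OK: ccePolicy in $template matches its containers" ;;
        2) echo "DRIFT: ccePolicy in $template no longer matches its containers:"
           sed 's/^/    /' "$reasons" ;;
        *) echo "ERROR: az confcom acipolicygen exited with status $status"
           cat "$reasons"
           status=1 ;;
    esac
    rm -f "$reasons"
    return "$status"
}

# Run as a script: ./check_cce_policy.sh ./template.json [./params.json]
if [ "$#" -gt 0 ]; then
    check_cce_policy "$@"
fi
```

A pipeline step that regenerates images (a moved tag, a rebuilt base layer) without regenerating the policy will surface here as status 2 before the container group is deployed.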

Optional Parameters

--approve-wildcards -y

When enabled, all prompts for using wildcards in environment variables are automatically approved.

Default value: False
--debug-mode

When enabled, the generated security policy allows /bin/sh or /bin/bash to be used to debug the container. It also enables stdio access, the ability to dump stack traces, and runtime logging. Use this option only for debugging.

Default value: False
--diff -d

When combined with an input ARM Template, verifies that the policy present in the ARM Template under "ccePolicy" is compatible with the containers within the ARM Template. If they are incompatible, a list of reasons is given and the exit status code will be 2.

Default value: False
--disable-stdio

When enabled, the containers in the container group do not have access to stdio.

Default value: False
--faster-hashing

When enabled, the hashing algorithm used to generate the policy is faster but less memory efficient.

Default value: False
--image

Input image name.

--infrastructure-svn

Minimum allowed software version number (SVN) for the infrastructure fragment.

--input -i

Input JSON config file.

--outraw

Output policy in clear text compact JSON instead of default base64 format.

Default value: False
--outraw-pretty-print

Output policy in clear text and pretty print format.

Default value: False
--parameters -p

Input parameters file to optionally accompany an ARM Template.

--print-existing-policy

When enabled, the existing security policy that is present in the ARM Template is printed to the command line, and no new security policy is generated.

Default value: False
--print-policy

When enabled, the generated security policy is printed to the command line instead of injected into the input ARM Template.

Default value: False
--save-to-file -s

Save output policy to given file path.

--tar

Path to either a tarball containing image layers or a JSON file containing paths to tarballs of image layers.

--template-file -a

Input ARM Template file.

--validate-sidecar -v

Validate that the image used to generate the CCE Policy for a sidecar container will be allowed by its generated policy.

Default value: False
--virtual-node-yaml

Input YAML file for Virtual Node policy generation.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az confcom katapolicygen

Create a Confidential Container Security Policy for AKS.

az confcom katapolicygen [--config-map-file]
                         [--containerd-pull]
                         [--containerd-socket-path]
                         [--outraw]
                         [--print-policy]
                         [--print-version]
                         [--rules-file-name]
                         [--settings-file-name]
                         [--use-cached-files]
                         [--yaml]

Examples

Input a Kubernetes YAML file to inject a base64 encoded Confidential Container Security Policy into the YAML file

az confcom katapolicygen --yaml "./pod.json"

Input a Kubernetes YAML file to print a base64 encoded Confidential Container Security Policy to stdout

az confcom katapolicygen --yaml "./pod.json" --print-policy

Input a Kubernetes YAML file and custom settings file to inject a base64 encoded Confidential Container Security Policy into the YAML file

az confcom katapolicygen --yaml "./pod.json" -j "./settings.json"

Input a Kubernetes YAML file and external config map file

az confcom katapolicygen --yaml "./pod.json" --config-map-file "./configmap.json"

Input a Kubernetes YAML file and custom rules file

az confcom katapolicygen --yaml "./pod.json" -p "./rules.rego"

Input a Kubernetes YAML file with a custom containerd socket path

az confcom katapolicygen --yaml "./pod.json" --containerd-pull --containerd-socket-path "/my/custom/containerd.sock"

Optional Parameters

--config-map-file -c

Path to config map file.

--containerd-pull -d

Use containerd to pull the image. This option is only supported on Linux.

Default value: False
--containerd-socket-path

Path to the containerd socket. This option is only supported on Linux.

--outraw

Output policy in clear text compact JSON instead of default base64 format.

Default value: False
--print-policy

Print the base64 encoded generated policy in the terminal.

Default value: False
--print-version -v

Print the version of genpolicy tooling.

Default value: False
--rules-file-name -p

Path to custom rules file.

--settings-file-name -j

Path to custom settings file.

--use-cached-files -u

Use cached files to save on computation time.

Default value: False
--yaml -y

Input YAML Kubernetes file.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.