az confcom

Note

This reference is part of the confcom extension for the Azure CLI (version 2.26.2 or higher). The extension will automatically install the first time you run an az confcom command. Learn more about extensions.

Commands to generate security policies for confidential containers in Azure.

Commands

Name	Description	Type	Status
az confcom acifragmentgen	Create a Confidential Container Policy Fragment for ACI.	Extension	GA
az confcom acipolicygen	Create a Confidential Container Security Policy for ACI.	Extension	GA
az confcom katapolicygen	Create a Confidential Container Security Policy for AKS.	Extension	GA

az confcom acifragmentgen

Create a Confidential Container Policy Fragment for ACI.

az confcom acifragmentgen [--algo]
                          [--chain]
                          [--debug-mode]
                          [--disable-stdio]
                          [--feed]
                          [--fragment-path]
                          [--fragments-json]
                          [--generate-import]
                          [--image]
                          [--input]
                          [--key]
                          [--minimum-svn]
                          [--namespace]
                          [--no-print]
                          [--output-filename]
                          [--outraw]
                          [--svn]
                          [--tar]
                          [--upload-fragment]

Examples

Input an image name to generate a simple fragment

az confcom acifragmentgen --image mcr.microsoft.com/azuredocs/aci-helloworld

Input a config file to generate a fragment with a custom namespace and debug mode enabled

az confcom acifragmentgen --input "./config.json" --namespace "my-namespace" --debug-mode

Generate an import statement for a signed local fragment

az confcom acifragmentgen --fragment-path "./fragment.json" --generate-import --minimum-svn 1

Generate a fragment and COSE sign it with a key and chain

az confcom acifragmentgen --image mcr.microsoft.com/azuredocs/aci-helloworld --key "./key.pem" --chain "./chain.pem" --svn 1 --namespace contoso --no-print

Optional Parameters

--algo

Algorithm used for signing the generated policy fragment. This must be used with --key and --chain. Supported algorithms are ['PS256', 'PS384', 'PS512', 'ES256', 'ES384', 'ES512', 'EdDSA'].

Default value: ES384

--chain

Path to .pem formatted certificate chain file to use for signing the generated policy fragment. This must be used with --key.

--debug-mode

When enabled, the generated security policy adds the ability to use /bin/sh or /bin/bash to debug the container. It also enabled stdio access, ability to dump stack traces, and enables runtime logging. It is recommended to only use this option for debugging purposes.

Default value: False

--disable-stdio

When enabled, the containers in the container group do not have access to stdio.

Default value: False

--feed -f

Feed to use for the generated policy fragment. This is typically the same as the image name when using image-attached fragments. It is the location in the remote repository where the fragment will be stored.

--fragment-path -p

Path to an existing policy fragment file to be used with --generate-import. This option allows you to create import statements for the specified fragment without needing to pull it from an OCI registry.

--fragments-json -j

Path to a JSON file that will store the fragment import information generated when using --generate-import. This file can later be fed into the policy generation command (acipolicygen) to include the fragment in a new or existing policy. If not specified, the import statement will be printed to the console instead of being saved to a file.

--generate-import -g

Generate an import statement for a policy fragment.

Default value: False

--image

Image to use for the generated policy fragment.

--input -i

Path to a JSON file containing the configuration for the generated policy fragment.

--key -k

Path to .pem formatted key file to use for signing the generated policy fragment. This must be used with --chain.

--minimum-svn

Used with --generate-import to specify the minimum SVN for the import statement.

--namespace -n

Namespace to use for the generated policy fragment.

--no-print

Do not print the generated policy fragment to stdout.

Default value: False

--output-filename

Save output policy to given file path.

--outraw

Output policy in clear text compact JSON instead of default pretty print format.

Default value: False

--svn

Minimum Allowed Software Version Number for the generated policy fragment. This should be a monotonically increasing integer.

--tar

Path to either a tarball containing image layers or a JSON file containing paths to tarballs of image layers.

--upload-fragment -u

When enabled, the generated policy fragment will be uploaded to the registry of the image being used.

Default value: False

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc

Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az confcom acipolicygen

Create a Confidential Container Security Policy for ACI.

az confcom acipolicygen [--approve-wildcards]
                        [--debug-mode]
                        [--diff]
                        [--disable-stdio]
                        [--exclude-default-fragments]
                        [--faster-hashing]
                        [--fragments-json]
                        [--image]
                        [--include-fragments]
                        [--infrastructure-svn]
                        [--input]
                        [--omit-id]
                        [--outraw]
                        [--outraw-pretty-print]
                        [--parameters]
                        [--print-existing-policy]
                        [--print-policy]
                        [--save-to-file]
                        [--tar]
                        [--template-file]
                        [--validate-sidecar]
                        [--virtual-node-yaml]

Examples

Input an ARM Template file to inject a base64 encoded Confidential Container Security Policy into the ARM Template

az confcom acipolicygen --template-file "./template.json"

Input an ARM Template file to create a human-readable Confidential Container Security Policy

az confcom acipolicygen --template-file "./template.json" --outraw-pretty-print

Input an ARM Template file to save a Confidential Container Security Policy to a file as base64 encoded text

az confcom acipolicygen --template-file "./template.json" -s "./output-file.txt" --print-policy

Input an ARM Template file and use a tar file as the image source instead of the Docker daemon

az confcom acipolicygen --template-file "./template.json" --tar "./image.tar"

Input an ARM Template file and use a fragments JSON file to generate a policy

az confcom acipolicygen --template-file "./template.json" --fragments-json "./fragments.json" --include-fragments

Optional Parameters

--approve-wildcards -y

When enabled, all prompts for using wildcards in environment variables are automatically approved.

Default value: False

--debug-mode

When enabled, the generated security policy adds the ability to use /bin/sh or /bin/bash to debug the container. It also enabled stdio access, ability to dump stack traces, and enables runtime logging. It is recommended to only use this option for debugging purposes.

Default value: False

--diff -d

When combined with an input ARM Template file (or YAML file for Virtual Node policy generation), verifies the policy present in the ARM Template under "ccePolicy" and the containers within the file are compatible. If they are incompatible, a list of reasons is given and the exit status code will be 2.

Default value: False

--disable-stdio

When enabled, the containers in the container group do not have access to stdio.

Default value: False

--exclude-default-fragments -e

When enabled, the default fragments are not included in the generated policy. This includes containers needed to mount azure files, mount secrets, mount git repos, and other common ACI features.

Default value: False

--faster-hashing

When enabled, the hashing algorithm used to generate the policy is faster but less memory efficient.

Default value: False

--fragments-json -j

Path to JSON file containing fragment information to use for generating a policy. This requires --include-fragments to be enabled.

--image

Input image name.

--include-fragments -f

When enabled, the path specified by --fragments-json will be used to pull fragments from an OCI registry or locally and include them in the generated policy.

Default value: False

--infrastructure-svn

Minimum Allowed Software Version Number for Infrastructure Fragment.

--input -i

Input JSON config file.

--omit-id

When enabled, the generated policy will not contain the ID field. This will keep the policy from being tied to a specific image name and tag.

Default value: False

--outraw

Output policy in clear text compact JSON instead of default base64 format.

Default value: False

--outraw-pretty-print

Output policy in clear text and pretty print format.

Default value: False

--parameters -p

Input parameters file to optionally accompany an ARM Template.

--print-existing-policy

When enabled, the existing security policy that is present in the ARM Template is printed to the command line, and no new security policy is generated.

Default value: False

--print-policy

When enabled, the generated security policy is printed to the command line instead of injected into the input ARM Template.

Default value: False

--save-to-file -s

Save output policy to given file path.

--tar

Path to either a tarball containing image layers or a JSON file containing paths to tarballs of image layers.

--template-file -a

Input ARM Template file.

--validate-sidecar -v

Validate that the image used to generate the CCE Policy for a sidecar container will be allowed by its generated policy.

Default value: False

--virtual-node-yaml

Input YAML file for Virtual Node policy generation.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc

Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az confcom katapolicygen

Create a Confidential Container Security Policy for AKS.

az confcom katapolicygen [--config-map-file]
                         [--containerd-pull]
                         [--containerd-socket-path]
                         [--outraw]
                         [--print-policy]
                         [--print-version]
                         [--rules-file-name]
                         [--settings-file-name]
                         [--use-cached-files]
                         [--yaml]

Examples

Input a Kubernetes YAML file to inject a base64 encoded Confidential Container Security Policy into the YAML file

az confcom katapolicygen --yaml "./pod.json"

Input a Kubernetes YAML file to print a base64 encoded Confidential Container Security Policy to stdout

az confcom katapolicygen --yaml "./pod.json" --print-policy

Input a Kubernetes YAML file and custom settings file to inject a base64 encoded Confidential Container Security Policy into the YAML file

az confcom katapolicygen --yaml "./pod.json" -j "./settings.json"

Input a Kubernetes YAML file and external config map file

az confcom katapolicygen --yaml "./pod.json" --config-map-file "./configmap.json"

Input a Kubernetes YAML file and custom rules file

az confcom katapolicygen --yaml "./pod.json" -p "./rules.rego"

Input a Kubernetes YAML file with a custom containerd socket path

az confcom katapolicygen --yaml "./pod.json" --containerd-pull --containerd-socket-path "/my/custom/containerd.sock"

Optional Parameters

--config-map-file -c

Path to config map file.

--containerd-pull -d

Use containerd to pull the image. This option is only supported on Linux.

Default value: False

--containerd-socket-path

Path to the containerd socket. This option is only supported on Linux.

--outraw

Output policy in clear text compact JSON instead of default base64 format.

Default value: False

--print-policy

Print the base64 encoded generated policy in the terminal.

Default value: False

--print-version -v

Print the version of genpolicy tooling.

Default value: False

--rules-file-name -p

Path to custom rules file.

--settings-file-name -j

Path to custom settings file.

--use-cached-files -u

Use cached files to save on computation time.

Default value: False

--yaml -y

Input YAML Kubernetes file.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc

Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.