az confcom
Note
This reference is part of the confcom extension for the Azure CLI (version 2.26.2 or higher). The extension will automatically install the first time you run an az confcom command. Learn more about extensions.
Commands to generate security policies for confidential containers in Azure.
Commands
Name | Description | Type | Status
---|---|---|---
az confcom acifragmentgen | Create a Confidential Container Policy Fragment for ACI. | Extension | GA
az confcom acipolicygen | Create a Confidential Container Security Policy for ACI. | Extension | GA
az confcom katapolicygen | Create a Confidential Container Security Policy for AKS. | Extension | GA
az confcom acifragmentgen
Create a Confidential Container Policy Fragment for ACI.
az confcom acifragmentgen [--algo]
[--chain]
[--debug-mode]
[--disable-stdio]
[--feed]
[--fragment-path]
[--fragments-json]
[--generate-import]
[--image]
[--image-target]
[--input]
[--key]
[--minimum-svn]
[--namespace]
[--no-print]
[--omit-id]
[--output-filename]
[--outraw]
[--svn]
[--tar]
[--upload-fragment]
Examples
Input an image name to generate a simple fragment
az confcom acifragmentgen --image mcr.microsoft.com/azuredocs/aci-helloworld
Input a config file to generate a fragment with a custom namespace and debug mode enabled
az confcom acifragmentgen --input "./config.json" --namespace "my-namespace" --debug-mode
Generate an import statement for a signed local fragment
az confcom acifragmentgen --fragment-path "./fragment.rego.cose" --generate-import --minimum-svn 1
Generate a fragment and COSE sign it with a key and chain
az confcom acifragmentgen --input "./config.json" --key "./key.pem" --chain "./chain.pem" --svn 1 --namespace contoso --no-print
Generate a fragment import from an image name
az confcom acifragmentgen --image <my-image> --generate-import --minimum-svn 1
Attach a fragment to a specified image
az confcom acifragmentgen --input "./config.json" --key "./key.pem" --chain "./chain.pem" --svn 1 --namespace contoso --upload-fragment --image-target <my-image>
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--algo
Algorithm used for signing the generated policy fragment. This must be used with --key and --chain. Supported algorithms are ['PS256', 'PS384', 'PS512', 'ES256', 'ES384', 'ES512', 'EdDSA'].
Property | Value |
---|---|
Default value: | ES384 |
--chain
Path to .pem formatted certificate chain file to use for signing the generated policy fragment. This must be used with --key.
--debug-mode
When enabled, the generated security policy adds the ability to use /bin/sh or /bin/bash to debug the container. It also enables stdio access, the ability to dump stack traces, and runtime logging. It is recommended to only use this option for debugging purposes.
Property | Value |
---|---|
Default value: | False |
--disable-stdio
When enabled, the containers in the container group do not have access to stdio.
Property | Value |
---|---|
Default value: | False |
--feed
Feed to use for the generated policy fragment. This is typically the same as the image name when using image-attached fragments. It is the location in the remote repository where the fragment will be stored.
--fragment-path
Path to an existing policy fragment file to be used with --generate-import. This option allows you to create import statements for the specified fragment without needing to pull it from an OCI registry.
--fragments-json
Path to a JSON file that will store the fragment import information generated when using --generate-import. This file can later be fed into the policy generation command (acipolicygen) to include the fragment in a new or existing policy. If not specified, the import statement will be printed to the console instead of being saved to a file.
--generate-import
Generate an import statement for a policy fragment.
Property | Value |
---|---|
Default value: | False |
--image
Image to use for the generated policy fragment.
--image-target
Image target where the generated policy fragment is attached.
--input
Path to a JSON file containing the configuration for the generated policy fragment.
--key
Path to .pem formatted key file to use for signing the generated policy fragment. This must be used with --chain.
--minimum-svn
Used with --generate-import to specify the minimum SVN for the import statement.
--namespace
Namespace to use for the generated policy fragment.
--no-print
Do not print the generated policy fragment to stdout.
Property | Value |
---|---|
Default value: | False |
--omit-id
When enabled, the generated policy will not contain the ID field. This keeps the policy from being tied to a specific image name and tag, which is helpful if the image will be present in multiple registries and used interchangeably.
Property | Value |
---|---|
Default value: | False |
--output-filename
Save output policy to given file path.
--outraw
Output policy in clear text compact JSON instead of the default pretty print format.
Property | Value |
---|---|
Default value: | False |
--svn
Minimum Allowed Software Version Number for the generated policy fragment. This should be a monotonically increasing integer.
--tar
Path to either a tarball containing image layers or a JSON file containing paths to tarballs of image layers.
--upload-fragment
When enabled, the generated policy fragment will be uploaded to the registry of the image being used.
Property | Value |
---|---|
Default value: | False |
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
--output -o
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |
az confcom acipolicygen
Create a Confidential Container Security Policy for ACI.
az confcom acipolicygen [--approve-wildcards]
[--debug-mode]
[--diff]
[--disable-stdio]
[--exclude-default-fragments]
[--faster-hashing]
[--fragments-json]
[--image]
[--include-fragments]
[--infrastructure-svn]
[--input]
[--omit-id]
[--outraw]
[--outraw-pretty-print]
[--parameters]
[--print-existing-policy]
[--print-policy]
[--save-to-file]
[--tar]
[--template-file]
[--validate-sidecar]
[--virtual-node-yaml]
Examples
Input an ARM Template file to inject a base64 encoded Confidential Container Security Policy into the ARM Template
az confcom acipolicygen --template-file "./template.json"
Input an ARM Template file to create a human-readable Confidential Container Security Policy
az confcom acipolicygen --template-file "./template.json" --outraw-pretty-print
Input an ARM Template file to save a Confidential Container Security Policy to a file as base64 encoded text
az confcom acipolicygen --template-file "./template.json" -s "./output-file.txt" --print-policy
Input an ARM Template file and use a tar file as the image source instead of the Docker daemon
az confcom acipolicygen --template-file "./template.json" --tar "./image.tar"
Input an ARM Template file and use a fragments JSON file to generate a policy
az confcom acipolicygen --template-file "./template.json" --fragments-json "./fragments.json" --include-fragments
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--approve-wildcards
When enabled, all prompts for using wildcards in environment variables are automatically approved.
Property | Value |
---|---|
Default value: | False |
--debug-mode
When enabled, the generated security policy adds the ability to use /bin/sh or /bin/bash to debug the container. It also enables stdio access, the ability to dump stack traces, and runtime logging. It is recommended to only use this option for debugging purposes.
Property | Value |
---|---|
Default value: | False |
--diff
When combined with an input ARM Template file (or YAML file for Virtual Node policy generation), verifies that the policy present in the ARM Template under "ccePolicy" and the containers within the file are compatible. If they are incompatible, a list of reasons is given and the exit status code will be 2.
Property | Value |
---|---|
Default value: | False |
--disable-stdio
When enabled, the containers in the container group do not have access to stdio.
Property | Value |
---|---|
Default value: | False |
--exclude-default-fragments
When enabled, the default fragments are not included in the generated policy. These cover the containers needed to mount Azure Files shares, mount secrets, mount git repos, and other common ACI features.
Property | Value |
---|---|
Default value: | False |
--faster-hashing
When enabled, the hashing algorithm used to generate the policy is faster but less memory efficient.
Property | Value |
---|---|
Default value: | False |
--fragments-json
Path to JSON file containing fragment information to use for generating a policy. This requires --include-fragments to be enabled.
--image
Input image name.
--include-fragments
When enabled, the path specified by --fragments-json will be used to pull fragments from an OCI registry or locally and include them in the generated policy.
Property | Value |
---|---|
Default value: | False |
--infrastructure-svn
Minimum Allowed Software Version Number for Infrastructure Fragment.
--input
Input JSON config file.
--omit-id
When enabled, the generated policy will not contain the ID field. This keeps the policy from being tied to a specific image name and tag, which is helpful if the image will be present in multiple registries and used interchangeably.
Property | Value |
---|---|
Default value: | False |
--outraw
Output policy in clear text compact JSON instead of the default base64 format.
Property | Value |
---|---|
Default value: | False |
--outraw-pretty-print
Output policy in clear text and pretty print format.
Property | Value |
---|---|
Default value: | False |
--parameters
Input parameters file to optionally accompany an ARM Template.
--print-existing-policy
When enabled, the existing security policy that is present in the ARM Template is printed to the command line, and no new security policy is generated.
Property | Value |
---|---|
Default value: | False |
--print-policy
When enabled, the generated security policy is printed to the command line instead of injected into the input ARM Template.
Property | Value |
---|---|
Default value: | False |
--save-to-file -s
Save output policy to given file path.
--tar
Path to either a tarball containing image layers or a JSON file containing paths to tarballs of image layers.
--template-file
Input ARM Template file.
--validate-sidecar
Validate that the image used to generate the CCE Policy for a sidecar container will be allowed by its generated policy.
Property | Value |
---|---|
Default value: | False |
--virtual-node-yaml
Input YAML file for Virtual Node policy generation.
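As an added example (not part of this reference and not the confcom extension's own code): a small Python pre-deployment check that reads an ARM template of the kind acipolicygen injects into, base64-decodes each ccePolicy, and flags policies that mention the /bin/sh or /bin/bash debug shells that --debug-mode adds. The ccePolicy property path, the substring heuristic and the sample template are assumptions; az confcom acipolicygen --diff remains the authoritative compatibility check.

```python
import base64
import json

# Constructed sample: an ARM template in the shape acipolicygen writes to, carrying a
# small stand-in policy (not real generated Rego) as base64 text in ccePolicy.
# The property path properties.confidentialComputeProperties.ccePolicy is assumed.
_SAMPLE_POLICY = (
    'package policy\n'
    'containers := [{"command": ["/bin/sh"]}, {"command": ["python3", "app.py"]}]\n'
)
SAMPLE_TEMPLATE = json.dumps({
    "resources": [{
        "type": "Microsoft.ContainerInstance/containerGroups",
        "name": "demo-group",
        "properties": {
            "confidentialComputeProperties": {
                "ccePolicy": base64.b64encode(_SAMPLE_POLICY.encode()).decode()
            }
        }
    }]
})

# Shells that --debug-mode permits for interactive debugging of the container.
DEBUG_SHELLS = ("/bin/sh", "/bin/bash")


def extract_policies(template_text):
    """Return {container group name: decoded policy text} for every container group
    in the template that carries a base64-encoded ccePolicy."""
    template = json.loads(template_text)
    found = {}
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.ContainerInstance/containerGroups":
            continue
        ccp = res.get("properties", {}).get("confidentialComputeProperties", {})
        encoded = ccp.get("ccePolicy")
        if not encoded:
            continue
        found[res.get("name", "?")] = base64.b64decode(encoded, validate=True).decode()
    return found


def debug_shell_findings(policy_text):
    """Heuristic: list the debug shells the decoded policy text refers to."""
    return [shell for shell in DEBUG_SHELLS if shell in policy_text]


def audit_template(template_text):
    """Return {container group name: [findings]} for groups whose policy permits a debug shell."""
    results = {}
    for name, policy in extract_policies(template_text).items():
        findings = debug_shell_findings(policy)
        if findings:
            results[name] = findings
    return results


if __name__ == "__main__":
    print(json.dumps(audit_template(SAMPLE_TEMPLATE), indent=2))
```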
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
--output -o
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |
az confcom katapolicygen
Create a Confidential Container Security Policy for AKS.
az confcom katapolicygen [--config-map-file]
[--containerd-pull]
[--containerd-socket-path]
[--outraw]
[--print-policy]
[--print-version]
[--rules-file-name]
[--settings-file-name]
[--use-cached-files]
[--yaml]
Examples
Input a Kubernetes YAML file to inject a base64 encoded Confidential Container Security Policy into the YAML file
az confcom katapolicygen --yaml "./pod.json"
Input a Kubernetes YAML file to print a base64 encoded Confidential Container Security Policy to stdout
az confcom katapolicygen --yaml "./pod.json" --print-policy
Input a Kubernetes YAML file and custom settings file to inject a base64 encoded Confidential Container Security Policy into the YAML file
az confcom katapolicygen --yaml "./pod.json" -j "./settings.json"
Input a Kubernetes YAML file and external config map file
az confcom katapolicygen --yaml "./pod.json" --config-map-file "./configmap.json"
Input a Kubernetes YAML file and custom rules file
az confcom katapolicygen --yaml "./pod.json" -p "./rules.rego"
Input a Kubernetes YAML file with a custom containerd socket path
az confcom katapolicygen --yaml "./pod.json" --containerd-pull --containerd-socket-path "/my/custom/containerd.sock"
Optional Parameters
The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.
--config-map-file
Path to config map file.
--containerd-pull
Use containerd to pull the image. This option is only supported on Linux.
Property | Value |
---|---|
Default value: | False |
--containerd-socket-path
Path to the containerd socket. This option is only supported on Linux.
--outraw
Output policy in clear text compact JSON instead of the default base64 format.
Property | Value |
---|---|
Default value: | False |
--print-policy
Print the base64 encoded generated policy in the terminal.
Property | Value |
---|---|
Default value: | False |
--print-version
Print the version of the genpolicy tooling.
Property | Value |
---|---|
Default value: | False |
--rules-file-name -p
Path to custom rules file.
--settings-file-name -j
Path to custom settings file.
--use-cached-files
Use cached files to save on computation time.
Property | Value |
---|---|
Default value: | False |
--yaml
Input Kubernetes YAML file.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
Property | Value |
---|---|
Default value: | False |
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
Property | Value |
---|---|
Default value: | False |
--output -o
Output format.
Property | Value |
---|---|
Default value: | json |
Accepted values: | json, jsonc, none, table, tsv, yaml, yamlc |
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
Property | Value |
---|---|
Default value: | False |