[Safeguards][v20250502preview] Add PodSecurityStandardsLevel to DeploymentSafeguardsProperties (#35252)

Add PodSecurityStandardsLevel to DeploymetnSafeguardProperties for the Safeguards PodSecurityStandards feature offering. 

---------

Co-authored-by: Jenny Liu <[email protected]>

Author: ShantingLiu

specification/containerservice/DeploymentSafeguards.Management/deploymentsafeguards.tsp

@@ -42,6 +42,20 @@ union DeploymentSafeguardsLevel {
   string,
 }
 
+@doc("Specifies the Pod Security Standards level")
+union PodSecurityStandardsLevel {
+  @doc("Privileged level is an unrestricted policy, providing the widest possible level of permissions. This policy allows for known privilege escalations.")
+  PodSecurityStandardsPrivileged: "Privileged",
+
+  @doc("Baseline level is a minimally restrictive policy which prevents known privilege escalations. Allows the default (minimally specified) Pod configuration.")
+  PodSecurityStandardsBaseline: "Baseline",
+
+  @doc("Restricted level is a heavily restricted policy, following current Pod hardening best practices.")
+  PodSecurityStandardsRestricted: "Restricted",
+
+  string,
+}
+
 @doc("DeploymentSafeguards Properties")
 model DeploymentSafeguardsProperties {
   @doc("Provisioning State")
@@ -57,6 +71,10 @@ model DeploymentSafeguardsProperties {
   @doc("System defined list of namespaces excluded from Deployment Safeguards. These are determined by the underlying provider (such as AKS), and cannot be changed. Deployments in these namespaces will not be checked")
   @visibility(Lifecycle.Read)
   systemExcludedNamespaces: Array<string>;
+
+  @doc("The pod security standards level")
+  @added(Versions.v2025_05_02_preview)
+  podSecurityStandardsLevel?: PodSecurityStandardsLevel;
 }
 
 @lroStatus

specification/containerservice/DeploymentSafeguards.Management/examples/2025-05-02-preview/DeploymentSafeguards_Create.json

@@ -0,0 +1,76 @@
+{
+  "operationId": "DeploymentSafeguards_Create",
+  "title": "Creates a DeploymentSafeguards resource with a long running operation.",
+  "parameters": {
+    "api-version": "2025-05-02-preview",
+    "resourceUri": "subscriptions/subid1/resourceGroups/rg1/providers/Microsoft.ContainerService/managedClusters/cluster1",
+    "resource": {
+      "properties": {
+        "level": "Warn",
+        "podSecurityStandardsLevel": "Baseline"
+      }
+    }
+  },
+  "responses": {
+    "201": {
+      "headers": {
+        "ETag": "23ujdflewrj3=",
+        "Location": "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.ContainerService/locations/eastus/operations/00000000-0000-0000-0000-000000000000?api-version=2022-02-01",
+        "Azure-AsyncOperation": "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.ContainerService/locations/eastus/operationResults/00000000-0000-0000-0000-000000000000?api-version=2022-02-01"
+      },
+      "body": {
+        "id": "/subscriptions/subid1/resourcegroups/rg1/providers/Microsoft.ContainerService/managedClusters/cluster1/providers/Microsoft.ContainerService/deploymentSafeguards/default",
+        "name": "default",
+        "type": "Microsoft.ContainerService/deploymentSafeguards",
+        "systemData": {
+          "createdBy": "someUser",
+          "createdByType": "User",
+          "createdAt": "2022-03-23T05:40:40.657Z",
+          "lastModifiedBy": "someOtherUser",
+          "lastModifiedByType": "User",
+          "lastModifiedAt": "2022-03-23T05:40:40.657Z"
+        },
+        "eTag": "23ujdflewrj3=",
+        "properties": {
+          "level": "Warn",
+          "systemExcludedNamespaces": [
+            "kube-system",
+            "gatekeeper-system"
+          ],
+          "podSecurityStandardsLevel": "Baseline",
+          "provisioningState": "Succeeded"
+        }
+      }
+    },
+    "200": {
+      "headers": {
+        "ETag": "23ujdflewrj3=",
+        "Location": "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.ContainerService/locations/eastus/operations/00000000-0000-0000-0000-000000000000?api-version=2022-02-01",
+        "Azure-AsyncOperation": "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.ContainerService/locations/eastus/operationResults/00000000-0000-0000-0000-000000000000?api-version=2022-02-01"
+      },
+      "body": {
+        "id": "/subscriptions/subid1/resourcegroups/rg1/providers/Microsoft.ContainerService/managedClusters/cluster1/providers/Microsoft.ContainerService/deploymentSafeguards/default",
+        "name": "default",
+        "type": "Microsoft.ContainerService/deploymentSafeguards",
+        "systemData": {
+          "createdBy": "someUser",
+          "createdByType": "User",
+          "createdAt": "2022-03-23T05:40:40.657Z",
+          "lastModifiedBy": "someOtherUser",
+          "lastModifiedByType": "User",
+          "lastModifiedAt": "2022-03-23T05:40:40.657Z"
+        },
+        "eTag": "23ujdflewrj3=",
+        "properties": {
+          "level": "Warn",
+          "systemExcludedNamespaces": [
+            "kube-system",
+            "gatekeeper-system"
+          ],
+          "podSecurityStandardsLevel": "Baseline",
+          "provisioningState": "Succeeded"
+        }
+      }
+    }
+  }
+}

specification/containerservice/DeploymentSafeguards.Management/examples/2025-05-02-preview/DeploymentSafeguards_Delete.json

@@ -0,0 +1,17 @@
+{
+  "operationId": "DeploymentSafeguards_Delete",
+  "title": "Deletes a DeploymentSafeguard resource asynchronously with a long running operation.",
+  "parameters": {
+    "api-version": "2025-05-02-preview",
+    "resourceUri": "subscriptions/subid1/resourceGroups/rg1/providers/Microsoft.ContainerService/managedClusters/cluster1"
+  },
+  "responses": {
+    "202": {
+      "headers": {
+        "Location": "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.ContainerService/locations/eastus/operations/00000000-0000-0000-0000-000000000000?api-version=2022-02-01",
+        "Azure-AsyncOperation": "https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.ContainerService/locations/eastus/operationResults/00000000-0000-0000-0000-000000000000?api-version=2022-02-01"
+      }
+    },
+    "204": {}
+  }
+}

specification/containerservice/DeploymentSafeguards.Management/examples/2025-05-02-preview/DeploymentSafeguards_Get.json

@@ -0,0 +1,38 @@
+{
+  "operationId": "DeploymentSafeguards_Get",
+  "title": "Gets a DeploymentSafeguard resource.",
+  "parameters": {
+    "api-version": "2025-05-02-preview",
+    "resourceUri": "subscriptions/subid1/resourceGroups/rg1/providers/Microsoft.ContainerService/managedClusters/cluster1"
+  },
+  "responses": {
+    "200": {
+      "headers": {
+        "ETag": "kd30rkdfo49="
+      },
+      "body": {
+        "id": "/subscriptions/subid1/resourcegroups/rg1/providers/Microsoft.ContainerService/managedClusters/cluster1/providers/Microsoft.ContainerService/deploymentSafeguards/default",
+        "name": "default",
+        "type": "Microsoft.ContainerService/deploymentSafeguards",
+        "systemData": {
+          "createdBy": "someUser",
+          "createdByType": "User",
+          "createdAt": "2022-03-23T05:40:40.657Z",
+          "lastModifiedBy": "someOtherUser",
+          "lastModifiedByType": "User",
+          "lastModifiedAt": "2022-03-23T05:40:40.657Z"
+        },
+        "eTag": "23ujdflewrj3=",
+        "properties": {
+          "level": "Warn",
+          "systemExcludedNamespaces": [
+            "kube-system",
+            "gatekeeper-system"
+          ],
+          "podSecurityStandardsLevel": "Baseline",
+          "provisioningState": "Succeeded"
+        }
+      }
+    }
+  }
+}

specification/containerservice/DeploymentSafeguards.Management/examples/2025-05-02-preview/DeploymentSafeguards_List.json

@@ -0,0 +1,42 @@
+{
+  "operationId": "DeploymentSafeguards_List",
+  "title": "Lists DeploymentSafeguards by parent resource.",
+  "parameters": {
+    "api-version": "2025-05-02-preview",
+    "resourceUri": "subscriptions/subid1/resourceGroups/rg1/providers/Microsoft.ContainerService/managedClusters/cluster1"
+  },
+  "responses": {
+    "200": {
+      "headers": {
+        "ETag": "kd30rkdfo49="
+      },
+      "body": {
+        "value": [
+          {
+            "id": "/subscriptions/subid1/resourcegroups/rg1/providers/Microsoft.ContainerService/managedClusters/cluster1/providers/Microsoft.ContainerService/deploymentSafeguards/default",
+            "name": "default",
+            "type": "Microsoft.ContainerService/deploymentSafeguards",
+            "systemData": {
+              "createdBy": "someUser",
+              "createdByType": "User",
+              "createdAt": "2022-03-23T05:40:40.657Z",
+              "lastModifiedBy": "someOtherUser",
+              "lastModifiedByType": "User",
+              "lastModifiedAt": "2022-03-23T05:40:40.657Z"
+            },
+            "eTag": "23ujdflewrj3=",
+            "properties": {
+              "level": "Warn",
+              "systemExcludedNamespaces": [
+                "kube-system",
+                "gatekeeper-system"
+              ],
+              "podSecurityStandardsLevel": "Baseline",
+              "provisioningState": "Succeeded"
+            }
+          }
+        ]
+      }
+    }
+  }
+}

specification/containerservice/DeploymentSafeguards.Management/examples/2025-05-02-preview/Operations_List.json

@@ -0,0 +1,25 @@
+{
+  "operationId": "Operations_List",
+  "title": "List the operations for the provider.",
+  "parameters": {
+    "api-version": "2025-05-02-preview"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "value": [
+          {
+            "display": {
+              "description": "Gets the status of an asynchronous operation",
+              "operation": "Get Operation",
+              "provider": "Microsoft Container Service",
+              "resource": "Operation"
+            },
+            "name": "Microsoft.ContainerService/locations/operations/read",
+            "origin": "user,system"
+          }
+        ]
+      }
+    }
+  }
+}

specification/containerservice/DeploymentSafeguards.Management/main.tsp

@@ -31,4 +31,11 @@ enum Versions {
   @useDependency(Azure.Core.Versions.v1_0_Preview_2)
   @armCommonTypesVersion(Azure.ResourceManager.CommonTypes.Versions.v6)
   v2025_04_01: "2025-04-01",
+
+  /** 2025-05-02-preview version */
+  @doc("Deployment Safeguards api version 2025-05-02-preview")
+  @useDependency(Azure.ResourceManager.Versions.v1_0_Preview_1)
+  @useDependency(Azure.Core.Versions.v1_0_Preview_2)
+  @armCommonTypesVersion(Azure.ResourceManager.CommonTypes.Versions.v6)
+  v2025_05_02_preview: "2025-05-02-preview",
 }