diff --git a/README.md b/README.md
index 41ff0c23..6ae9612b 100644
--- a/README.md
+++ b/README.md
@@ -500,6 +500,7 @@ Options:
 
 | Flag | Description |
 | --- | --- |
+| --allow stringArray | Allow extra privileged entitlement, e.g. network.host, security.insecure
 | -f, --file stringArray | Build definition file
 | --no-cache | Do not use cache when building the image
 | --print | Print the options without building
@@ -507,6 +508,10 @@ Options:
 | --pull | Always attempt to pull a newer version of the image
 | --set stringArray | Override target value (eg: target.key=value)
 
+#### `--allow=ENTITLEMENT`
+
+Same as [`build --allow`](#--allowentitlement).
+
 #### `-f, --file FILE`
 
 Specifies the bake definition file. The file can be a Docker Compose, JSON or HCL file. If multiple files are specified they are all read and configurations are combined. By default, if no files are specified, the following are parsed:
diff --git a/bake/bake.go b/bake/bake.go
index 2e44af4f..23f0a1bc 100644
--- a/bake/bake.go
+++ b/bake/bake.go
@@ -11,6 +11,7 @@ import (
 	"github.com/docker/buildx/util/platformutil"
 	"github.com/docker/docker/pkg/urlutil"
 	"github.com/moby/buildkit/session/auth/authprovider"
+	"github.com/moby/buildkit/util/entitlements"
 	"github.com/pkg/errors"
 )
 
@@ -248,10 +249,10 @@ func (t *Target) normalize() {
 	t.Outputs = removeDupes(t.Outputs)
 }
 
-func TargetsToBuildOpt(m map[string]Target, noCache, pull bool) (map[string]build.Options, error) {
+func TargetsToBuildOpt(m map[string]Target, noCache, pull bool, allow []entitlements.Entitlement) (map[string]build.Options, error) {
 	m2 := make(map[string]build.Options, len(m))
 	for k, v := range m {
-		bo, err := toBuildOpt(v, noCache, pull)
+		bo, err := toBuildOpt(v, noCache, pull, allow)
 		if err != nil {
 			return nil, err
 		}
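Review bot: TargetsToBuildOpt is exported and gains a security-relevant parameter in this hunk, but still carries no doc comment. The same `allow` slice is handed to toBuildOpt for every target in `m`, so an entitlement requested once on the command line (`security.insecure`, `network.host`) is granted to every target the bake definition produces; the README hunk in this same commit says several `-f` files are read and combined, so that can include targets from files the invoker did not write. Proposed: `// TargetsToBuildOpt converts bake targets into build.Options. The entitlements in allow are granted to every target alike; there is no per-target scoping.` The loop body and the function's end lie past the end of this hunk.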
@@ -260,7 +261,7 @@ func TargetsToBuildOpt(m map[string]Target, noCache, pull bool) (map[string]buil
 	return m2, nil
 }
 
-func toBuildOpt(t Target, noCache, pull bool) (*build.Options, error) {
+func toBuildOpt(t Target, noCache, pull bool, allow []entitlements.Entitlement) (*build.Options, error) {
 	if v := t.Context; v != nil && *v == "-" {
 		return nil, errors.Errorf("context from stdin not allowed in bake")
 	}
@@ -291,6 +292,7 @@ func toBuildOpt(t Target, noCache, pull bool) (*build.Options, error) {
 		Labels: t.Labels,
 		NoCache: noCache,
 		Pull: pull,
+		Allow: allow,
 	}
 
 	platforms, err := platformutil.Parse(t.Platforms)
diff --git a/commands/bake.go b/commands/bake.go
index 4e740247..287a9b76 100644
--- a/commands/bake.go
+++ b/commands/bake.go
@@ -6,6 +6,7 @@ import (
 	"os"
 
 	"github.com/docker/buildx/bake"
+	"github.com/docker/buildx/build"
 	"github.com/docker/cli/cli/command"
 	"github.com/moby/buildkit/util/appcontext"
 	"github.com/pkg/errors"
@@ -51,7 +52,12 @@ func runBake(dockerCli command.Cli, targets []string, in bakeOptions) error {
 		return nil
 	}
 
-	bo, err := bake.TargetsToBuildOpt(m, in.noCache, in.pull)
+	allow, err := build.ParseEntitlements(in.allow)
+	if err != nil {
+		return err
+	}
+
+	bo, err := bake.TargetsToBuildOpt(m, in.noCache, in.pull, allow)
 	if err != nil {
 		return err
 	}
diff --git a/commands/build.go b/commands/build.go
index e3275b17..08b212aa 100644
--- a/commands/build.go
+++ b/commands/build.go
@@ -44,8 +44,6 @@ type buildOptions struct {
 	squash bool
 	quiet bool
 
-	allow []string
-
 	// hidden
 	// untrusted bool
 	// ulimits *opts.UlimitOpt
@@ -67,6 +65,7 @@ type commonOptions struct {
 	noCache bool
 	progress string
 	pull bool
+	allow []string
 }
 
 func runBuild(dockerCli command.Cli, in buildOptions) error {
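Review bot: `Allow: allow,` stores the caller's slice by reference, so every build.Options produced for a bake definition shares one backing array for its entitlements. That is harmless only as long as nothing downstream appends to or edits Options.Allow per target, which is not visible from here; if one target's options are ever adjusted in place, the others would silently inherit the change. If isolation is wanted, copy at the store, `Allow: append([]entitlements.Entitlement(nil), allow...),`, or copy once in the caller before the loop. toBuildOpt starts and ends outside this hunk.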
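Review bot: `build.ParseEntitlements(in.allow)` runs only after the bake definition has already been loaded into `m` (built before this hunk) and after the early `return nil` that closes just above it, whose condition is outside the hunk; a misspelled entitlement is therefore reported late, and whichever path takes that early return never validates `--allow` at all. Moving the parse to the top of runBake, before any definition file is read, makes a bad `--allow` value fail before any file or context is touched; the call itself stays as written, only its position changes. A short why-comment at the call site would also help the next reader: `// parsed once and granted to every target in the definition; see TargetsToBuildOpt`. runBake begins before and continues after this hunk.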
@@ -222,8 +221,6 @@ func buildCmd(dockerCli command.Cli) *cobra.Command {
 
 	flags.StringVar(&options.target, "target", "", "Set the target build stage to build.")
 
-	flags.StringSliceVar(&options.allow, "allow", []string{}, "Allow extra privileged entitlement, e.g. network.host, security.insecure")
-
 	// not implemented
 	flags.BoolVarP(&options.quiet, "quiet", "q", false, "Suppress the build output and print image ID on success")
 	flags.StringVar(&options.networkMode, "network", "default", "Set the networking mode for the RUN instructions during build")
@@ -287,6 +284,7 @@ func buildCmd(dockerCli command.Cli) *cobra.Command {
 }
 
 func commonFlags(options *commonOptions, flags *pflag.FlagSet) {
+	flags.StringSliceVar(&options.allow, "allow", []string{}, "Allow extra privileged entitlement, e.g. network.host, security.insecure")
 	flags.BoolVar(&options.noCache, "no-cache", false, "Do not use cache when building the image")
 	flags.StringVar(&options.progress, "progress", "auto", "Set type of progress output (auto, plain, tty). Use plain to show container output")
 	flags.BoolVar(&options.pull, "pull", false, "Always attempt to pull a newer version of the image")
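Review bot: the moved `--allow` registration uses `StringSliceVar`, which in pflag splits each value on commas, while the README table added by this same commit documents the flag as `stringArray`, the pflag type that keeps each value verbatim; the two should agree, either by switching to `flags.StringArrayVar(&options.allow, "allow", []string{}, ...)` or by fixing the table. Now that the flag is shared with `bake`, its help text is also what a `bake` user reads, and it does not say that the entitlement is granted to every target of the definition rather than to a single build; proposed text: `"Allow extra privileged entitlement, e.g. network.host, security.insecure (bake: granted to every target)"`. What `build` itself does with the parsed value is not visible in this diff, so the wording should be checked against runBuild before landing.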