[image integrity] add image integrity disable (#6603)

* [image integrity] add image integrity disable * f
Azure · Aug 11, 2023 · 45a41b4 · 45a41b4
1 parent eb96c42
commit 45a41b4
Show file tree

Hide file tree

Showing 9 changed files with 2,077 additions and 1 deletion.
diff --git a/src/aks-preview/HISTORY.rst b/src/aks-preview/HISTORY.rst
@@ -12,6 +12,10 @@ To release a new version, please select a new version number (usually plus 1 to
 Pending
 ++++++
 
+0.5.151
++++++++
+* Add `--disable-image-integrity` to the `az aks update` command.
+
 0.5.150
 +++++++
 * Vendor new SDK and bump API version to 2023-06-02-preview.

diff --git a/src/aks-preview/azext_aks_preview/_help.py b/src/aks-preview/azext_aks_preview/_help.py
@@ -960,6 +960,9 @@
         - name: --image-cleaner-interval-hours
           type: int
           short-summary: ImageCleaner scanning interval.
+        - name: --disable-image-integrity
+          type: bool
+          short-summary: Disable ImageIntegrity Service.
         - name: --enable-apiserver-vnet-integration
           type: bool
           short-summary: Enable integration of user vnet with control plane apiserver pods.

diff --git a/src/aks-preview/azext_aks_preview/_params.py b/src/aks-preview/azext_aks_preview/_params.py
@@ -539,6 +539,7 @@ def load_arguments(self, _):
         c.argument('enable_image_cleaner', action='store_true', is_preview=True)
         c.argument('disable_image_cleaner', action='store_true', validator=validate_image_cleaner_enable_disable_mutually_exclusive, is_preview=True)
         c.argument('image_cleaner_interval_hours', type=int, is_preview=True)
+        c.argument('disable_image_integrity', action='store_true', is_preview=True)
         c.argument('enable_apiserver_vnet_integration', action='store_true', is_preview=True)
         c.argument('apiserver_subnet_id', validator=validate_apiserver_subnet_id, is_preview=True)
         c.argument('enable_keda', action='store_true', is_preview=True)

diff --git a/src/aks-preview/azext_aks_preview/custom.py b/src/aks-preview/azext_aks_preview/custom.py
@@ -724,6 +724,7 @@ def aks_update(
     enable_image_cleaner=False,
     disable_image_cleaner=False,
     image_cleaner_interval_hours=None,
+    disable_image_integrity=False,
     enable_apiserver_vnet_integration=False,
     apiserver_subnet_id=None,
     enable_keda=False,

diff --git a/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py b/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py
@@ -1162,6 +1162,16 @@ def get_image_cleaner_interval_hours(self) -> Union[int, None]:
 
         return interval_hours
 
+    def get_disable_image_integrity(self) -> bool:
+        """Obtain the value of disable_image_integrity.
+
+        :return: bool
+        """
+        # read the original value passed by the command
+        disable_image_integrity = self.raw_param.get("disable_image_integrity")
+
+        return disable_image_integrity
+
     def get_cluster_snapshot_id(self) -> Union[str, None]:
         """Obtain the values of cluster_snapshot_id.
 
@@ -3284,6 +3294,32 @@ def update_image_cleaner(self, mc: ManagedCluster) -> ManagedCluster:
 
         return mc
 
+    def update_image_integrity(self, mc: ManagedCluster) -> ManagedCluster:
+        """Update security profile imageIntegrity for the ManagedCluster object.
+
+        :return: the ManagedCluster object
+        """
+        self._ensure_mc(mc)
+
+        disable_image_integrity = self.context.get_disable_image_integrity()
+
+        # no image integrity related changes
+        if not disable_image_integrity:
+            return mc
+
+        if mc.security_profile is None:
+            mc.security_profile = self.models.ManagedClusterSecurityProfile()
+
+        image_integrity_profile = mc.security_profile.image_integrity
+
+        if image_integrity_profile is None:
+            image_integrity_profile = self.models.ManagedClusterSecurityProfileImageIntegrity()
+            mc.security_profile.image_integrity = image_integrity_profile
+
+        image_integrity_profile.enabled = False
+
+        return mc
+
     def update_storage_profile(self, mc: ManagedCluster) -> ManagedCluster:
         """Update storage profile for the ManagedCluster object.
 
@@ -3645,6 +3681,8 @@ def update_mc_profile_preview(self) -> ManagedCluster:
         mc = self.update_node_restriction(mc)
         # update image cleaner
         mc = self.update_image_cleaner(mc)
+        # update image integrity
+        mc = self.update_image_integrity(mc)
         # update workload auto scaler profile
         mc = self.update_workload_auto_scaler_profile(mc)
         # update azure monitor metrics profile
-Original file line number
+Diff line change
@@ Expand Up @@
     Pending
     ++++++
+.5.151
+    +++++++
+    * Add `--disable-image-integrity` to the `az aks update` command.
 .5.150
     +++++++
     * Vendor new SDK and bump API version to 2023-06-02-preview.
@@ Expand Down @@