From 2e4d1bc5045a041a12865948124837263fab446e Mon Sep 17 00:00:00 2001 From: Robbie Zhang Date: Tue, 23 Apr 2019 16:34:42 -0700 Subject: [PATCH 1/5] Add the Azure Policy Addon Support --- src/aks-preview/HISTORY.md | 4 ++++ src/aks-preview/azext_aks_preview/_help.py | 24 +++++++++++++++++++++ src/aks-preview/azext_aks_preview/custom.py | 4 +++- src/aks-preview/setup.py | 2 +- 4 files changed, 32 insertions(+), 2 deletions(-) diff --git a/src/aks-preview/HISTORY.md b/src/aks-preview/HISTORY.md index 1905e80504e..49ff10afa6d 100644 --- a/src/aks-preview/HISTORY.md +++ b/src/aks-preview/HISTORY.md @@ -2,6 +2,10 @@ Release History =============== +0.4.0 ++++++ +* Add support for Azure policy add-on. + 0.3.1 +++++ * Add support of pod security policy. diff --git a/src/aks-preview/azext_aks_preview/_help.py b/src/aks-preview/azext_aks_preview/_help.py index e5d2615a23a..3ad10d166c1 100644 --- a/src/aks-preview/azext_aks_preview/_help.py +++ b/src/aks-preview/azext_aks_preview/_help.py @@ -96,6 +96,8 @@ These addons are available: http_application_routing - configure ingress with automatic public DNS name creation. monitoring - turn on Log Analytics monitoring. Uses the Log Analytics Default Workspace if it exists, else creates one. Specify "--workspace-resource-id" to use an existing workspace. + virtual-node - enable AKS Virtual Node (PREVIEW). Requires --subnet-name to provide the name of an existing subnet for the Virtual Node to use. + azure-policy - enable Azure policy (PREVIEW). - name: --disable-rbac type: bool short-summary: Disable Kubernetes Role-Based Access Control. 
@@ -297,3 +299,25 @@ type: command short-summary: Delete the agent pool in the managed Kubernetes cluster. """ + +helps['aks enable-addons'] = """ +type: command +short-summary: Enable Kubernetes addons. +long-summary: |- + These addons are available: + http_application_routing - configure ingress with automatic public DNS name creation. + monitoring - turn on Log Analytics monitoring. Requires "--workspace-resource-id". + virtual-node - enable AKS Virtual Node (PREVIEW). Requires --subnet-name to provide the name of an existing subnet for the Virtual Node to use. + azure-policy - enable Azure policy (PREVIEW). +parameters: + - name: --addons -a + type: string + short-summary: Enable the Kubernetes addons in a comma-separated list. + - name: --workspace-resource-id + type: string + short-summary: The resource ID of an existing Log Analytics Workspace to use for storing monitoring data. +examples: + - name: Enable Kubernetes addons. (autogenerated) + text: az aks enable-addons --addons virtual-node --name MyManagedCluster --resource-group MyResourceGroup + crafted: true +""" \ No newline at end of file diff --git a/src/aks-preview/azext_aks_preview/custom.py b/src/aks-preview/azext_aks_preview/custom.py index b5dd5beb73c..5daeac21d24 100644 --- a/src/aks-preview/azext_aks_preview/custom.py +++ b/src/aks-preview/azext_aks_preview/custom.py @@ -642,7 +642,9 @@ def _remove_nulls(managed_clusters): ADDONS = { 'http_application_routing': 'httpApplicationRouting', - 'monitoring': 'omsagent' + 'monitoring': 'omsagent', + 'virtual-node': 'aciConnector', + 'azure-policy': 'azurepolicy' } diff --git a/src/aks-preview/setup.py b/src/aks-preview/setup.py index 7b71fc1c639..dabcaf7a956 100644 --- a/src/aks-preview/setup.py +++ b/src/aks-preview/setup.py @@ -8,7 +8,7 @@ from codecs import open as open1 from setuptools import setup, find_packages -VERSION = "0.3.1" +VERSION = "0.4.0" CLASSIFIERS = [ 'Development Status :: 4 - Beta', 'Intended Audience :: Developers', 
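Review bot: The long-summary added for `aks enable-addons` states that monitoring `Requires "--workspace-resource-id"`, but `_update_addons` in patch 2/5 calls `_ensure_default_log_analytics_workspace_for_monitoring` when the flag is omitted, so the flag is optional and leaving it out lets the CLI pick a workspace on the user's behalf. Users should know where their monitoring data will land, so reuse the create help wording: `Uses the Log Analytics Default Workspace if it exists, else creates one. Specify "--workspace-resource-id" to use an existing workspace.` The same sentence is carried unchanged through the `_help.py` hunk of patch 5/5. The file also ends without a trailing newline.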
From 9f14e6c438d77207e38fb1be4435fe3c5d32e8f0 Mon Sep 17 00:00:00 2001 From: Robbie Zhang Date: Tue, 23 Apr 2019 18:08:18 -0700 Subject: [PATCH 2/5] Add azure-policy addon --- src/aks-preview/azext_aks_preview/_params.py | 7 ++ src/aks-preview/azext_aks_preview/commands.py | 2 + src/aks-preview/azext_aks_preview/custom.py | 109 ++++++++++++++++++ 3 files changed, 118 insertions(+) diff --git a/src/aks-preview/azext_aks_preview/_params.py b/src/aks-preview/azext_aks_preview/_params.py index c83fe296369..8c457b2ef7a 100644 --- a/src/aks-preview/azext_aks_preview/_params.py +++ b/src/aks-preview/azext_aks_preview/_params.py @@ -103,6 +103,13 @@ def load_arguments(self, _): with self.argument_context(scope) as c: c.argument('nodepool_name', type=str, options_list=['--name', '-n'], validator=validate_nodepool_name, help='The node pool name.') + with self.argument_context('aks disable-addons') as c: + c.argument('addons', options_list=['--addons', '-a']) + + with self.argument_context('aks enable-addons') as c: + c.argument('addons', options_list=['--addons', '-a']) + c.argument('subnet_name', options_list=['--subnet-name', '-s']) + def _get_default_install_location(exe_name): system = platform.system() diff --git a/src/aks-preview/azext_aks_preview/commands.py b/src/aks-preview/azext_aks_preview/commands.py index 559fa06c09b..4dc2a6f6ad4 100644 --- a/src/aks-preview/azext_aks_preview/commands.py +++ b/src/aks-preview/azext_aks_preview/commands.py 
@@ -30,6 +30,8 @@ def load_command_table(self, _): g.custom_command('create', 'aks_create', supports_no_wait=True) g.custom_command('update', 'aks_update', supports_no_wait=True) g.custom_command('scale', 'aks_scale', supports_no_wait=True) + g.custom_command('disable-addons', 'aks_disable_addons', supports_no_wait=True) + g.custom_command('enable-addons', 'aks_enable_addons', supports_no_wait=True) g.custom_show_command('show', 'aks_show', table_transformer=aks_show_table_format) g.custom_command('upgrade', 'aks_upgrade', supports_no_wait=True, confirmation='Kubernetes may be unavailable during cluster upgrades.\n' + diff --git a/src/aks-preview/azext_aks_preview/custom.py b/src/aks-preview/azext_aks_preview/custom.py index 5daeac21d24..960ee4a2522 100644 --- a/src/aks-preview/azext_aks_preview/custom.py +++ b/src/aks-preview/azext_aks_preview/custom.py 
@@ -1084,3 +1084,112 @@ def aks_agentpool_delete(cmd, client, resource_group_name, cluster_name, "use 'aks nodepool list' to get current node pool list".format(nodepool_name)) return sdk_no_wait(no_wait, client.delete, resource_group_name, cluster_name, nodepool_name) + + +def aks_disable_addons(cmd, client, resource_group_name, name, addons, no_wait=False): + instance = client.get(resource_group_name, name) + subscription_id = _get_subscription_id(cmd.cli_ctx) + + instance = _update_addons( + cmd, + instance, + subscription_id, + resource_group_name, + addons, + enable=False, + no_wait=no_wait + ) + + # send the managed cluster representation to update the addon profiles + return sdk_no_wait(no_wait, client.create_or_update, resource_group_name, name, instance) + + +def aks_enable_addons(cmd, client, resource_group_name, name, addons, workspace_resource_id=None, + subnet_name=None, no_wait=False): + instance = client.get(resource_group_name, name) + subscription_id = _get_subscription_id(cmd.cli_ctx) + service_principal_client_id = instance.service_principal_profile.client_id + instance = _update_addons(cmd, instance, subscription_id, resource_group_name, addons, enable=True, + workspace_resource_id=workspace_resource_id, subnet_name=subnet_name, no_wait=no_wait) + + if 'omsagent' in instance.addon_profiles: + _ensure_container_insights_for_monitoring(cmd, instance.addon_profiles['omsagent']) + cloud_name = cmd.cli_ctx.cloud.name + # mdm metrics supported only in Azure Public cloud so add the role assignment only in this cloud + if cloud_name.lower() == 'azurecloud': + from msrestazure.tools import resource_id + cluster_resource_id = resource_id( + subscription=subscription_id, + resource_group=resource_group_name, + namespace='Microsoft.ContainerService', type='managedClusters', + name=name + ) + if not _add_role_assignment(cmd.cli_ctx, 'Monitoring Metrics Publisher', + service_principal_client_id, scope=cluster_resource_id): + logger.warning('Could not create a 
role assignment for Monitoring addon. ' + 'Are you an Owner on this subscription?') + + # send the managed cluster representation to update the addon profiles + return sdk_no_wait(no_wait, client.create_or_update, resource_group_name, name, instance) + + +def _update_addons(cmd, instance, subscription_id, resource_group_name, addons, enable, workspace_resource_id=None, + subnet_name=None, no_wait=False): + # parse the comma-separated addons argument + addon_args = addons.split(',') + + addon_profiles = instance.addon_profiles or {} + + os_type = 'Linux' + + # for each addons argument + for addon_arg in addon_args: + addon = ADDONS[addon_arg] + if addon == 'aciConnector': + # only linux is supported for now, in the future this will be a user flag + addon += os_type + # addon name is case insensitive + addon = next((x for x in addon_profiles.keys() if x.lower() == addon.lower()), addon) + if enable: + # add new addons or update existing ones and enable them + addon_profile = addon_profiles.get(addon, ManagedClusterAddonProfile(enabled=False)) + # special config handling for certain addons + if addon == 'omsagent': + if addon_profile.enabled: + raise CLIError('The monitoring addon is already enabled for this managed cluster.\n' + 'To change monitoring configuration, run "az aks disable-addons -a monitoring"' + 'before enabling it again.') + if not workspace_resource_id: + workspace_resource_id = _ensure_default_log_analytics_workspace_for_monitoring( + cmd, + subscription_id, + resource_group_name) + workspace_resource_id = workspace_resource_id.strip() + if not workspace_resource_id.startswith('/'): + workspace_resource_id = '/' + workspace_resource_id + if workspace_resource_id.endswith('/'): + workspace_resource_id = workspace_resource_id.rstrip('/') + addon_profile.config = {'logAnalyticsWorkspaceResourceID': workspace_resource_id} + elif addon.lower() == ('aciConnector' + os_type).lower(): + if addon_profile.enabled: + raise CLIError('The virtual-node addon is 
already enabled for this managed cluster.\n' + 'To change virtual-node configuration, run ' + '"az aks disable-addons -a virtual-node -g {resource_group_name}" ' + 'before enabling it again.') + if not subnet_name: + raise CLIError('The aci-connector addon requires setting a subnet name.') + addon_profile.config = {'SubnetName': subnet_name} + addon_profiles[addon] = addon_profile + else: + if addon not in addon_profiles: + raise CLIError("The addon {} is not installed.".format(addon)) + addon_profiles[addon].config = None + addon_profiles[addon].enabled = enable + + instance.addon_profiles = addon_profiles + + # null out the SP and AAD profile because otherwise validation complains + instance.service_principal_profile = None + instance.aad_profile = None + + return instance From c488ad0d332e9a2b6c8e891bfb3b7ea254f54fc6 Mon Sep 17 00:00:00 2001 From: Robbie Zhang Date: Wed, 24 Apr 2019 11:17:55 -0700 Subject: [PATCH 3/5] Allow azure-policy addon in create --- src/aks-preview/azext_aks_preview/custom.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/aks-preview/azext_aks_preview/custom.py b/src/aks-preview/azext_aks_preview/custom.py index 960ee4a2522..3b884a3736a 100644 --- a/src/aks-preview/azext_aks_preview/custom.py +++ b/src/aks-preview/azext_aks_preview/custom.py @@ -708,7 +708,9 @@ def _handle_addons_args(cmd, addons_str, subscription_id, resource_group_name, a # error out if '--enable-addons=monitoring' isn't set but workspace_resource_id is elif workspace_resource_id: raise CLIError('"--workspace-resource-id" requires "--enable-addons monitoring".') - + if 'azure-policy' in addons: + addon_profiles['azurepolicy'] = ManagedClusterAddonProfile(enabled=True) + addons.remove('azure-policy') # error out if any (unrecognized) addons remain if addons: raise CLIError('"{}" {} not recognized by the --enable-addons argument.'.format( From f6fcb21a0b202af53ade5cc15ea3ffe923f1fb5d Mon Sep 17 00:00:00 2001 
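Review bot: In `aks_enable_addons` the monitoring follow-up is gated on `'omsagent' in instance.addon_profiles`, which holds for any cluster that already carries a monitoring profile, so enabling an unrelated addon such as azure-policy still calls `_ensure_container_insights_for_monitoring` and attempts the 'Monitoring Metrics Publisher' role assignment for the cluster's service principal. Because `_update_addons` sets `config = None` on disable, a disabled profile presumably reaches that helper without a workspace ID as well. Gate the block on both the request and the state, e.g. `profile = instance.addon_profiles.get('omsagent')` followed by `if 'monitoring' in addons.split(',') and profile and profile.enabled:`. Separately, in `_update_addons`, `ADDONS[addon_arg]` raises a bare KeyError for an unknown or space-padded name; `if addon_arg not in ADDONS: raise CLIError(...)` before the lookup would match the other error paths. The virtual-node message also contains a literal `{resource_group_name}` with no `.format()` call visible, and the monitoring message lacks a space before `before enabling`.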
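Review bot: The new branch in `_handle_addons_args` hard-codes the profile key `'azurepolicy'` even though patch 1/5 already added that mapping to `ADDONS`; `addon_profiles[ADDONS['azure-policy']] = ManagedClusterAddonProfile(enabled=True)` keeps the create path and the enable-addons path from drifting apart. Patch 1/5 also advertises `virtual-node` in the create help, but no matching branch is visible in this hunk. The function starts outside the hunk, so unless virtual-node is handled earlier, `--enable-addons virtual-node` on create would fall through to the "not recognized" error just below.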
From: Robbie Zhang Date: Thu, 25 Apr 2019 12:52:06 -0700 Subject: [PATCH 4/5] Update the index --- src/index.json | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/src/index.json b/src/index.json index be65b7de469..dd41083d000 100644 --- a/src/index.json +++ b/src/index.json @@ -155,6 +155,38 @@ "version": "0.3.1" }, "sha256Digest": "c930d51fe33a184c48f050c1723cd9164e907fc3104ea81d9e1f8a496baffadb" + }, + { + "downloadUrl": "https://azurecliaks.blob.core.windows.net/azure-cli-extension/aks_preview-0.4.0-py2.py3-none-any.whl", + "filename": "aks_preview-0.4.0-py2.py3-none-any.whl", + "metadata": { + "azext.isPreview": true, + "azext.minCliCoreVersion": "2.0.49", + "extensions": { + "python.details": { + "contacts": [ + { + "email": "azpycli@microsoft.com", + "name": "Microsoft Corporation", + "role": "author" + } + ], + "document_names": { + "description": "DESCRIPTION.rst" + }, + "project_urls": { + "Home": "https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview" + } + } + }, + "generator": "bdist_wheel (0.30.0)", + "license": "MIT", + "metadata_version": "2.0", + "name": "aks-preview", + "summary": "Provides a preview for upcoming AKS features", + "version": "0.4.0" + }, + "sha256Digest": "a4e9acdf6b5ab3a7b16d2912d1c94a1e7d7eff3c6e5829745a71d340e8f698b7" } ], "alias": [ From 613c3cceef2ecb9d54e7e0ec867121cef8ce7194 Mon Sep 17 00:00:00 2001 From: Robbie Zhang Date: Thu, 25 Apr 2019 17:39:21 -0700 Subject: [PATCH 5/5] Add the missing parameter description --- src/aks-preview/azext_aks_preview/_help.py | 7 +- src/index.json | 74 ++++++---------------- 2 files changed, 26 insertions(+), 55 deletions(-) diff --git a/src/aks-preview/azext_aks_preview/_help.py b/src/aks-preview/azext_aks_preview/_help.py index 983a71ee822..f1fb771d1a9 100644 --- a/src/aks-preview/azext_aks_preview/_help.py +++ b/src/aks-preview/azext_aks_preview/_help.py 
@@ -310,7 +310,7 @@ These addons are available: http_application_routing - configure ingress with automatic public DNS name creation. monitoring - turn on Log Analytics monitoring. Requires "--workspace-resource-id". - virtual-node - enable AKS Virtual Node (PREVIEW). Requires --subnet-name to provide the name of an existing subnet for the Virtual Node to use. + virtual-node - enable AKS Virtual Node (PREVIEW). Requires "--subnet-name". azure-policy - enable Azure policy (PREVIEW). parameters: - name: --addons -a @@ -319,8 +319,11 @@ - name: --workspace-resource-id type: string short-summary: The resource ID of an existing Log Analytics Workspace to use for storing monitoring data. + - name: --subnet-name -s + type: string + short-summary: The subnet name for the virtual node to use. examples: - name: Enable Kubernetes addons. (autogenerated) - text: az aks enable-addons --addons virtual-node --name MyManagedCluster --resource-group MyResourceGroup + text: az aks enable-addons --addons virtual-node --name MyManagedCluster --resource-group MyResourceGroup --subnet-name VirtualNodeSubnet crafted: true """ diff --git a/src/index.json b/src/index.json index dd41083d000..0887c05fb78 100644 --- a/src/index.json +++ b/src/index.json 
@@ -48,24 +48,11 @@ ], "aks-preview": [ { - "downloadUrl": "https://azurecliaks.blob.core.windows.net/azure-cli-extension/aks_preview-0.3.2-py2.py3-none-any.whl", - "filename": "aks_preview-0.3.2-py2.py3-none-any.whl", + "downloadUrl": "https://azurecliaks.blob.core.windows.net/azure-cli-extension/aks_preview-0.4.0-py2.py3-none-any.whl", + "filename": "aks_preview-0.4.0-py2.py3-none-any.whl", "metadata": { "azext.isPreview": true, "azext.minCliCoreVersion": "2.0.49", - "classifiers": [ - "Development Status :: 4 - Beta", - "Intended Audience :: Developers", - "Intended Audience :: System Administrators", - "Programming Language :: Python", - "Programming Language :: Python :: 2", - "Programming Language :: Python :: 2.7", - "Programming Language :: Python :: 3", - "Programming Language :: Python :: 3.4", - "Programming Language :: Python :: 3.5", - "Programming Language :: Python :: 3.6", - "License :: OSI Approved :: MIT License" - ], "extensions": { "python.details": { "contacts": [ 
@@ -88,16 +75,29 @@ "metadata_version": "2.0", "name": "aks-preview", "summary": "Provides a preview for upcoming AKS features", - "version": "0.3.2" + "version": "0.4.0" }, - "sha256Digest": "5839622f96bd4e42c4542eefb55a22c589f0d858924be790e1d5818e95912881" + "sha256Digest": "9c6b7362a5c880a97de0ab92491f88f64739e8321ccf98ca571de30579de3f93" }, { - "downloadUrl": "https://azurecliaks.blob.core.windows.net/azure-cli-extension/aks_preview-0.3.0-py2.py3-none-any.whl", - "filename": "aks_preview-0.3.0-py2.py3-none-any.whl", + "downloadUrl": "https://azurecliaks.blob.core.windows.net/azure-cli-extension/aks_preview-0.3.2-py2.py3-none-any.whl", + "filename": "aks_preview-0.3.2-py2.py3-none-any.whl", "metadata": { "azext.isPreview": true, "azext.minCliCoreVersion": "2.0.49", + "classifiers": [ + "Development Status :: 4 - Beta", + "Intended Audience :: Developers", + "Intended Audience :: System Administrators", + "Programming Language :: Python", + "Programming Language :: Python :: 2", + "Programming Language :: Python :: 2.7", + "Programming Language :: Python :: 3", + "Programming Language :: Python :: 3.4", + "Programming Language :: Python :: 3.5", + "Programming Language :: Python :: 3.6", + "License :: OSI Approved :: MIT License" + ], "extensions": { "python.details": { "contacts": [ @@ -120,9 +120,9 @@ "metadata_version": "2.0", "name": "aks-preview", "summary": "Provides a preview for upcoming AKS features", - "version": "0.3.0" + "version": "0.3.2" }, - "sha256Digest": "4da5c5366fd93573f6b195e59d5af4d60dca036dcce0f972d3f23446640f69e7" + "sha256Digest": "5839622f96bd4e42c4542eefb55a22c589f0d858924be790e1d5818e95912881" }, { "downloadUrl": "https://azurecliaks.blob.core.windows.net/azure-cli-extension/aks_preview-0.3.1-py2.py3-none-any.whl", 
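Review bot: The `sha256Digest` recorded here for `aks_preview-0.4.0-py2.py3-none-any.whl` (`9c6b7362…`) differs from the one patch 4/5 recorded for the same filename and `downloadUrl` (`a4e9acdf…`), which suggests the wheel was rebuilt and overwritten in place under an unchanged version. Any client or mirror that fetched the first upload now holds a 0.4.0 that no longer matches the index, and an in-place replacement is indistinguishable from tampering to anyone verifying the artifact. Prefer publishing the rebuilt wheel under a new version number, and confirm the digest was computed from the blob actually served at that URL. The reordering in this hunk and the next also appears to drop the 0.3.0 entry from the index, which the commit message does not mention.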
@@ -155,38 +155,6 @@ "version": "0.3.1" }, "sha256Digest": "c930d51fe33a184c48f050c1723cd9164e907fc3104ea81d9e1f8a496baffadb" - }, - { - "downloadUrl": "https://azurecliaks.blob.core.windows.net/azure-cli-extension/aks_preview-0.4.0-py2.py3-none-any.whl", - "filename": "aks_preview-0.4.0-py2.py3-none-any.whl", - "metadata": { - "azext.isPreview": true, - "azext.minCliCoreVersion": "2.0.49", - "extensions": { - "python.details": { - "contacts": [ - { - "email": "azpycli@microsoft.com", - "name": "Microsoft Corporation", - "role": "author" - } - ], - "document_names": { - "description": "DESCRIPTION.rst" - }, - "project_urls": { - "Home": "https://github.com/Azure/azure-cli-extensions/tree/master/src/aks-preview" - } - } - }, - "generator": "bdist_wheel (0.30.0)", - "license": "MIT", - "metadata_version": "2.0", - "name": "aks-preview", - "summary": "Provides a preview for upcoming AKS features", - "version": "0.4.0" - }, - "sha256Digest": "a4e9acdf6b5ab3a7b16d2912d1c94a1e7d7eff3c6e5829745a71d340e8f698b7" } ], "alias": [