feat: added option to enable image cleaner to container service aks. - avm/res/container-service/managed-cluster #1697

Merged
merged 17 commits into from
May 6, 2024
Changes from 14 commits
18 changes: 18 additions & 0 deletions avm/res/container-service/managed-cluster/README.md
Expand Up @@ -1494,6 +1494,7 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
| [`enableAzureMonitorProfileMetrics`](#parameter-enableazuremonitorprofilemetrics) | bool | Whether the metric state of the kubenetes cluster is enabled. |
| [`enableContainerInsights`](#parameter-enablecontainerinsights) | bool | Indicates if Azure Monitor Container Insights Logs Addon is enabled. |
| [`enableDnsZoneContributorRoleAssignment`](#parameter-enablednszonecontributorroleassignment) | bool | Specifies whether assing the DNS zone contributor role to the cluster service principal. It will be ignored if `webApplicationRoutingEnabled` is set to `false` or `dnsZoneResourceId` not provided. |
| [`enableImageCleaner`](#parameter-enableimagecleaner) | bool | Whether to enable Image Cleaner for Kubernetes. |
| [`enableKeyvaultSecretsProvider`](#parameter-enablekeyvaultsecretsprovider) | bool | Specifies whether the KeyvaultSecretsProvider add-on is enabled or not. |
| [`enableOidcIssuerProfile`](#parameter-enableoidcissuerprofile) | bool | Whether the The OIDC issuer profile of the Managed Cluster is enabled. |
| [`enablePodSecurityPolicy`](#parameter-enablepodsecuritypolicy) | bool | Whether to enable Kubernetes pod security policy. Requires enabling the pod security policy feature flag on the subscription. |
Expand All @@ -1512,6 +1513,7 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
| [`httpApplicationRoutingEnabled`](#parameter-httpapplicationroutingenabled) | bool | Specifies whether the httpApplicationRouting add-on is enabled or not. |
| [`httpProxyConfig`](#parameter-httpproxyconfig) | object | Configurations for provisioning the cluster with HTTP proxy servers. |
| [`identityProfile`](#parameter-identityprofile) | object | Identities associated with the cluster. |
| [`imageCleanerIntervalHours`](#parameter-imagecleanerintervalhours) | int | The interval in hours Image Cleaner will run. Minimum value is 24 hours and maximum is three months. |
| [`ingressApplicationGatewayEnabled`](#parameter-ingressapplicationgatewayenabled) | bool | Specifies whether the ingressApplicationGateway (AGIC) add-on is enabled or not. |
| [`kedaAddon`](#parameter-kedaaddon) | bool | Enables Kubernetes Event-driven Autoscaling (KEDA). |
| [`kubeDashboardEnabled`](#parameter-kubedashboardenabled) | bool | Specifies whether the kubeDashboard add-on is enabled or not. |
Expand Down Expand Up @@ -2544,6 +2546,14 @@ Specifies whether assing the DNS zone contributor role to the cluster service pr
- Type: bool
- Default: `True`

### Parameter: `enableImageCleaner`

Whether to enable Image Cleaner for Kubernetes.

- Required: No
- Type: bool
- Default: `False`

### Parameter: `enableKeyvaultSecretsProvider`

Specifies whether the KeyvaultSecretsProvider add-on is enabled or not.
Expand Down Expand Up @@ -2779,6 +2789,14 @@ Identities associated with the cluster.
- Required: No
- Type: object

### Parameter: `imageCleanerIntervalHours`

The interval in hours Image Cleaner will run. Minimum value is 24 hours and maximum is three months.

- Required: No
- Type: int
- Default: `24`

### Parameter: `ingressApplicationGatewayEnabled`

Specifies whether the ingressApplicationGateway (AGIC) add-on is enabled or not.
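
Review bot: The `imageCleanerIntervalHours` description gives the upper bound as "three months" for a parameter whose unit is hours, and it does not say that the value only takes effect when `enableImageCleaner` is `true`. State the maximum in hours and name the dependency on `enableImageCleaner`, the way the `enableDnsZoneContributorRoleAssignment` description spells out when it is ignored. The text mirrors the `@description` in main.bicep, so change it there as well.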
12 changes: 12 additions & 0 deletions avm/res/container-service/managed-cluster/main.bicep
Expand Up @@ -304,6 +304,12 @@ param enableWorkloadIdentity bool = false
@description('Optional. Whether to enable Azure Defender.')
param enableAzureDefender bool = false

@description('Optional. Whether to enable Image Cleaner for Kubernetes.')
param enableImageCleaner bool = false

@description('Optional. The interval in hours Image Cleaner will run. Minimum value is 24 hours and maximum is three months.')
param imageCleanerIntervalHours int = 24

@description('Optional. Whether to enable Kubernetes pod security policy. Requires enabling the pod security policy feature flag on the subscription.')
param enablePodSecurityPolicy bool = false
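
Review bot: `imageCleanerIntervalHours` documents a minimum of 24 hours and a maximum of three months in its description, but the `param` line carries no `@minValue` or `@maxValue` decorator, so an out-of-range value passes template validation and is left for the resource provider to reject at deployment time. Add `@minValue(24)` and a `@maxValue` equal to the three-month limit in hours above `param imageCleanerIntervalHours int = 24`, so the bound is enforced by the template and carried into the generated main.json.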

Expand Down Expand Up @@ -734,6 +740,12 @@ resource managedCluster 'Microsoft.ContainerService/managedClusters@2023-07-02-p
enabled: enableWorkloadIdentity
}
: null
imageCleaner: enableImageCleaner
? {
enabled: enableImageCleaner
intervalHours: imageCleanerIntervalHours
}
: null
}
storageProfile: {
blobCSIDriver: {
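
Review bot: In the `imageCleaner` block the false branch emits `null`, so setting `enableImageCleaner` to `false` omits the profile instead of sending `enabled: false`, and `enabled: enableImageCleaner` in the true branch can only ever evaluate to `true`. This follows the `workloadIdentity` pattern just above, but for a cleanup feature it means the template never states the disabled state explicitly. Consider always emitting the object with `enabled: enableImageCleaner` and making only `intervalHours` conditional, and confirm against the `2023-07-02-preview` API that redeploying with `false` turns the feature off on a cluster where it was previously enabled.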
19 changes: 17 additions & 2 deletions avm/res/container-service/managed-cluster/main.json
Expand Up @@ -6,7 +6,7 @@
"_generator": {
"name": "bicep",
"version": "0.26.170.59819",
"templateHash": "10554258944393732282"
"templateHash": "10639713915689427723"
},
"name": "Azure Kubernetes Service (AKS) Managed Clusters",
"description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.",
Expand Down Expand Up @@ -1270,6 +1270,20 @@
"description": "Optional. Whether to enable Azure Defender."
}
},
"enableImageCleaner": {
"type": "bool",
"defaultValue": false,
"metadata": {
"description": "Optional. Whether to enable Image Cleaner for Kubernetes."
}
},
"imageCleanerIntervalHours": {
"type": "int",
"defaultValue": 24,
"metadata": {
"description": "Optional. The interval in hours Image Cleaner will run. Minimum value is 24 hours and maximum is three months."
}
},
"enablePodSecurityPolicy": {
"type": "bool",
"defaultValue": false,
Expand Down Expand Up @@ -1665,7 +1679,8 @@
},
"securityProfile": {
"defender": "[if(parameters('enableAzureDefender'), createObject('securityMonitoring', createObject('enabled', parameters('enableAzureDefender')), 'logAnalyticsWorkspaceResourceId', parameters('monitoringWorkspaceId')), null())]",
"workloadIdentity": "[if(parameters('enableWorkloadIdentity'), createObject('enabled', parameters('enableWorkloadIdentity')), null())]"
"workloadIdentity": "[if(parameters('enableWorkloadIdentity'), createObject('enabled', parameters('enableWorkloadIdentity')), null())]",
"imageCleaner": "[if(parameters('enableImageCleaner'), createObject('enabled', parameters('enableImageCleaner'), 'intervalHours', parameters('imageCleanerIntervalHours')), null())]"
},
"storageProfile": {
"blobCSIDriver": {