Support for setting azurerm_kubernetes_cluster network policy to none #25597

Open
1 task done
stevehipwell opened this issue Apr 12, 2024 · 10 comments

Comments

@stevehipwell

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Description

I'd like to be able to uninstall the network policy for an AKS cluster.

New or Affected Resource(s)/Data Source(s)

azurerm_kubernetes_cluster

Potential Terraform Configuration

resource "azurerm_kubernetes_cluster" "example" {
  network_profile {
    network_policy = "none"
  }
}

References

@rcskosir added the service/kubernetes-cluster, enhancement, preview, blocked and upstream/microsoft labels Apr 12, 2024
@stevehipwell
Author

@rcskosir could you add a comment as to what's blocking this upstream?

@aristosvo
Collaborator

@stevehipwell The fact that it is in preview is blocking, as the AKS service team doesn't want preview features to be integrated in the azurerm Terraform provider.

@stevehipwell
Author

@aristosvo I'm pretty sure that isn't the case. There are a significant number of preview features integrated into the AKS TF resources and the API used is one of the preview APIs.

@aristosvo
Collaborator

aristosvo commented May 15, 2024

@stevehipwell I understand your confusion, but it is. hashicorp/pandora#3469 (comment) is explaining why.

@stevehipwell
Author

@aristosvo that doesn't align with the communication we've had with the AKS team. I only add this to show that there doesn't seem to be a consistent message coming out of Azure.

@stephybun
Member

@stevehipwell to reiterate on the comment linked by @aristosvo, we have been asked by the AKS Service Team to switch to using a stable API version for the AKS resource. This discussion is currently ongoing and has not reached a resolution yet.

If the conclusion is to move to a stable API version, then we will be removing all preview features currently supported in the AKS resource that do not exist in the newest available stable version at the time, in the next major 4.0 release.

It's unsettling that this news diverges from the communication you've had with the AKS team. Given the scope and impact of this change and being no longer able to support preview features going forward should the decision fall in favour of only using stable, it would be disconcerting to find out that this wasn't a unanimous desire.

Would you be able to reach out to your Azure/AKS contact to get some clarity and to get them to comment here on this issue? At the very least I think direct feedback from the community on how they feel about preview features being removed and no longer supported in the AzureRM provider would be helpful for the AKS team.

@stevehipwell
Author

Thanks for the detailed explanation @stephybun. Azure is already significantly harder to operate as IaC than other clouds and the removal of preview support will have a significant impact based on the way Azure currently operates. The only way that this makes sense is if Azure are going to start releasing required functionality as GA rather than using "preview" to abdicate responsibility for quality (of implementation and design), etc.

TL;DR - If functionality can't be accessed by IaC then it might as well not exist.

@stevehipwell
Author

CC @phealy

@tnn-simon

Seems like the feature is finally available in a stable ARM API.

Option none has been available since API version 2024-05-01: https://learn.microsoft.com/en-us/rest/api/aks/managed-clusters/create-or-update?view=rest-aks-2024-05-01&tabs=HTTP#networkpolicy.

Regarding the implementation: should the provider support transitions for network_policy like calico -> azure? The transition graph gains some complexity from the constraints imposed by the choice of network data_plane (cilium or azure).

@rcskosir removed the upstream/microsoft, preview and blocked labels Sep 25, 2024
@prdev89

prdev89 commented Oct 31, 2024

@stephybun The feature to uninstall Network Policy is now GA. I was wondering if there are any plans to support this in Terraform soon?
