feat(acns): add advanced network security fqdn policy feature to az a…

…ks create/update (#7860)
Azure · Aug 13, 2024 · 13664cc · 13664cc
1 parent 77fc21e
commit 13664cc
Show file tree

Hide file tree

Showing 15 changed files with 13,950 additions and 11 deletions.
diff --git a/src/aks-preview/HISTORY.rst b/src/aks-preview/HISTORY.rst
@@ -9,8 +9,10 @@ If there is no rush to release a new version, please just add a description of t
 
 To release a new version, please select a new version number (usually plus 1 to last patch version, X.Y.Z -> Major.Minor.Patch, more details in `\doc <https://semver.org/>`_), and then add a new section named as the new version number in this file, the content should include the new modifications and everything from the *Pending* section. Finally, update the `VERSION` variable in `setup.py` with this new version number.
 
-Pending
+7.0.0b5
 +++++++
+* Add option `--enable-acns`, `--disable-acns` to `az aks create/update`
+* Add option `--enable-fqdn-policy`, `--disable-fqdn-policy` to `az aks create/update`
 * az aks create/update: Support in place param updates for managed prom
 * Vendor new SDK and bump API version to 2024-06-02-preview.
 

diff --git a/src/aks-preview/azcli_aks_live_test/configs/ext_matrix_default.json b/src/aks-preview/azcli_aks_live_test/configs/ext_matrix_default.json
@@ -62,6 +62,14 @@
         ],
         "mixed sku, enabled in staging only": [
             "test_vms_agentpool_type"
+        ],
+        "fqdn policy, enabled in staging only": [
+            "test_aks_update_enable_fqdn_policy",
+            "test_aks_create_with_enable_fqdn_policy",
+            "test_aks_create_with_enable_fqdn_policy_observability",
+            "test_aks_create_with_enable_acns",
+            "test_aks_create_with_enable_acns_complex",
+            "test_aks_update_enable_acns"
         ]
     }
 }
diff --git a/src/aks-preview/azext_aks_preview/_help.py b/src/aks-preview/azext_aks_preview/_help.py
@@ -236,6 +236,12 @@
         - name: --enable-advanced-network-observability
           type: bool
           short-summary: Enable advanced network observability functionalities on a cluster. Note that enabling this will incur additional costs.
+        - name: --enable-fqdn-policy
+          type: bool
+          short-summary: Enable advanced network security FQDN functionalities on a cluster. Note that enabling this will incur additional costs.
+        - name: --enable-acns
+          type: bool
+          short-summary: Enable advanced network functionalities on a cluster. Note that enabling this will incur additional costs.
         - name: --no-ssh-key -x
           type: string
           short-summary: Do not use or create a local SSH key.
@@ -1231,6 +1237,18 @@
         - name: --disable-advanced-network-observability
           type: bool
           short-summary: Disable advanced network observability functionalities on a cluster
+        - name: --enable-fqdn-policy
+          type: bool
+          short-summary: Enable advanced network security FQDN functionalities on a cluster. Note that enabling this will incur additional costs.
+        - name: --disable-fqdn-policy
+          type: bool
+          short-summary: Disable advanced network security FQDN functionalities on a cluster
+        - name: --enable-acns
+          type: bool
+          short-summary: Enable advanced network functionalities on a cluster. Note that enabling this will incur additional costs.
+        - name: --disable-acns
+          type: bool
+          short-summary: Disable advanced network functionalities on a cluster
         - name: --enable-cost-analysis
           type: bool
           short-summary: Enable exporting Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. For more information see aka.ms/aks/docs/cost-analysis.

diff --git a/src/aks-preview/azext_aks_preview/_params.py b/src/aks-preview/azext_aks_preview/_params.py
@@ -831,6 +831,16 @@ def load_arguments(self, _):
             action="store_true",
             is_preview=True,
         )
+        c.argument(
+            "enable_fqdn_policy",
+            action="store_true",
+            is_preview=True,
+        )
+        c.argument(
+            "enable_acns",
+            action="store_true",
+            is_preview=True,
+        )
         c.argument(
             "custom_ca_trust_certificates",
             options_list=["--custom-ca-trust-certificates", "--ca-certs"],
@@ -1329,6 +1339,26 @@ def load_arguments(self, _):
             action="store_true",
             is_preview=True,
         )
+        c.argument(
+            "enable_fqdn_policy",
+            action="store_true",
+            is_preview=True,
+        )
+        c.argument(
+            "disable_fqdn_policy",
+            action="store_true",
+            is_preview=True,
+        )
+        c.argument(
+            "enable_acns",
+            action="store_true",
+            is_preview=True,
+        )
+        c.argument(
+            "disable_acns",
+            action="store_true",
+            is_preview=True,
+        )
         c.argument("enable_cost_analysis", action="store_true")
         c.argument("disable_cost_analysis", action="store_true")
         c.argument('enable_ai_toolchain_operator', is_preview=True, action='store_true')

diff --git a/src/aks-preview/azext_aks_preview/custom.py b/src/aks-preview/azext_aks_preview/custom.py
@@ -607,6 +607,8 @@ def aks_create(
     enable_cilium_dataplane=False,
     custom_ca_trust_certificates=None,
     enable_advanced_network_observability=None,
+    enable_fqdn_policy=None,
+    enable_acns=None,
     # nodepool
     crg_id=None,
     message_of_the_day=None,
@@ -839,6 +841,10 @@ def aks_update(
     safeguards_excluded_ns=None,
     enable_advanced_network_observability=None,
     disable_advanced_network_observability=None,
+    enable_fqdn_policy=None,
+    disable_fqdn_policy=None,
+    enable_acns=None,
+    disable_acns=None,
     # metrics profile
     enable_cost_analysis=False,
     disable_cost_analysis=False,

diff --git a/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py b/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py
@@ -729,6 +729,61 @@ def get_enable_advanced_network_observability(self) -> Optional[bool]:
             return not disable_advanced_network_observability
         return None
 
+    def get_enable_fqdn_policy(self) -> Optional[bool]:
+        """Get the value of enable_fqdn_policy
+
+        :return: bool or None
+        """
+        enable_fqdn_policy = self.raw_param.get("enable_fqdn_policy")
+        disable_fqdn_policy = self.raw_param.get("disable_fqdn_policy")
+        if enable_fqdn_policy and disable_fqdn_policy:
+            raise MutuallyExclusiveArgumentError(
+                "Cannot specify --enable-fqdn-policy and "
+                "--disable-fqdn-policy at the same time."
+            )
+        if enable_fqdn_policy is False and disable_fqdn_policy is False:
+            return None
+        if enable_fqdn_policy is not None:
+            return enable_fqdn_policy
+        if disable_fqdn_policy is not None:
+            return not disable_fqdn_policy
+        return None
+
+    def get_enable_acns(self) -> Optional[bool]:
+        """Get the value of enable_acns
+
+        :return: bool or None
+        """
+        enable_acns = self.raw_param.get("enable_acns")
+        disable_acns = self.raw_param.get("disable_acns")
+        enable_advanced_network_observability = self.raw_param.get("enable_advanced_network_observability")
+        disable_advanced_network_observability = self.raw_param.get("disable_advanced_network_observability")
+        enable_fqdn_policy = self.raw_param.get("enable_fqdn_policy")
+        disable_fqdn_policy = self.raw_param.get("disable_fqdn_policy")
+
+        if enable_acns and disable_acns:
+            raise MutuallyExclusiveArgumentError(
+                "Cannot specify --enable-acns and "
+                "--disable-acns at the same time."
+            )
+        if enable_acns and (disable_advanced_network_observability or disable_fqdn_policy):
+            raise MutuallyExclusiveArgumentError(
+                "Cannot specify --enable-acns and "
+                "--disable-advanced-networking-observability or --disable-fqdn-policy at the same time."
+            )
+        if disable_acns and (enable_advanced_network_observability or enable_fqdn_policy):
+            raise MutuallyExclusiveArgumentError(
+                "Cannot specify --disable-acns and "
+                "--enable-advanced-networking-observability or --enable-fqdn-policy at the same time."
+            )
+        if enable_acns is False and disable_acns is False:
+            return None
+        if enable_acns is not None:
+            return enable_acns
+        if disable_acns is not None:
+            return not disable_acns
+        return None
+
     def get_load_balancer_managed_outbound_ip_count(self) -> Union[int, None]:
         """Obtain the value of load_balancer_managed_outbound_ip_count.
 
@@ -2997,13 +3052,39 @@ def set_up_network_profile(self, mc: ManagedCluster) -> ManagedCluster:
         else:
             network_profile.network_dataplane = self.context.get_network_dataplane()
 
-        advanced_network_observability = self.context.get_enable_advanced_network_observability()
-        if advanced_network_observability is not None:
+        acns = self.context.get_enable_acns()
+        if acns is not None:
             network_profile.advanced_networking = self.models.AdvancedNetworking(  # pylint: disable=no-member
                 observability=self.models.AdvancedNetworkingObservability(  # pylint: disable=no-member
-                    enabled=advanced_network_observability
+                    enabled=acns
+                ),
+                security=self.models.AdvancedNetworkingSecurity(  # pylint: disable=no-member
+                    fqdn_policy=self.models.AdvancedNetworkingFQDNPolicy(
+                        enabled=acns
+                    )
                 )
             )
+
+        advanced_network_observability = self.context.get_enable_advanced_network_observability()
+        if advanced_network_observability is not None:
+            if network_profile.advanced_networking is None:
+                network_profile.advanced_networking = self.models.AdvancedNetworking(  # pylint: disable=no-member
+                )
+            network_profile.advanced_networking.observability = self.models.AdvancedNetworkingObservability(  # pylint: disable=no-member
+                enabled=advanced_network_observability
+            )
+
+        fqdn_policy = self.context.get_enable_fqdn_policy()
+        if fqdn_policy is not None:
+            if network_profile.advanced_networking is None:
+                network_profile.advanced_networking = self.models.AdvancedNetworking(  # pylint: disable=no-member
+                )
+            network_profile.advanced_networking.security = self.models.AdvancedNetworkingSecurity(  # pylint: disable=no-member
+                fqdn_policy=self.models.AdvancedNetworkingFQDNPolicy(
+                    enabled=fqdn_policy
+                )
+            )
+
         return mc
 
     def set_up_api_server_access_profile(self, mc: ManagedCluster) -> ManagedCluster:
@@ -4092,6 +4173,47 @@ def update_enable_advanced_network_observability_in_network_profile(self, mc: Ma
             )
         return mc
 
+    def update_enable_fqdn_policy_in_network_profile(self, mc: ManagedCluster) -> ManagedCluster:
+        """Update enable fqdn policy of network profile for the ManagedCluster object.
+
+        :return: the ManagedCluster object
+        """
+        self._ensure_mc(mc)
+
+        fqdn_policy = self.context.get_enable_fqdn_policy()
+        if fqdn_policy is not None:
+            if mc.network_profile.advanced_networking is None:
+                mc.network_profile.advanced_networking = self.models.AdvancedNetworking(  # pylint: disable=no-member
+                )
+            mc.network_profile.advanced_networking.security = self.models.AdvancedNetworkingSecurity(  # pylint: disable=no-member
+                fqdn_policy=self.models.AdvancedNetworkingFQDNPolicy(
+                    enabled=fqdn_policy
+                )
+            )
+        return mc
+
+    def update_enable_acns_in_network_profile(self, mc: ManagedCluster) -> ManagedCluster:
+        """Update enable fqdn policy of network profile for the ManagedCluster object.
+
+        :return: the ManagedCluster object
+        """
+        self._ensure_mc(mc)
+
+        acns = self.context.get_enable_acns()
+        if acns is not None:
+            # Override anything previously set
+            mc.network_profile.advanced_networking = self.models.AdvancedNetworking(  # pylint: disable=no-member
+                observability=self.models.AdvancedNetworkingObservability(  # pylint: disable=no-member
+                    enabled=acns
+                ),
+                security=self.models.AdvancedNetworkingSecurity(  # pylint: disable=no-member
+                    fqdn_policy=self.models.AdvancedNetworkingFQDNPolicy(
+                        enabled=acns
+                    )
+                )
+            )
+        return mc
+
     # pylint: disable=too-many-statements,too-many-locals,too-many-branches
     def update_azure_container_storage(self, mc: ManagedCluster) -> ManagedCluster:
         """Update azure container storage for the Managed Cluster object
@@ -5384,6 +5506,10 @@ def update_mc_profile_preview(self) -> ManagedCluster:
         mc = self.update_nodepool_initialization_taints_mc(mc)
         # update advanced_network_observability in network_profile
         mc = self.update_enable_advanced_network_observability_in_network_profile(mc)
+        # update fqdn policy in network_profile
+        mc = self.update_enable_fqdn_policy_in_network_profile(mc)
+        # update acns in network_profile
+        mc = self.update_enable_acns_in_network_profile(mc)
         # update kubernetes support plan
         mc = self.update_k8s_support_plan(mc)
         # update AI toolchain operator