Se podnet #570

Merged
merged 5 commits into from
May 5, 2023
Merged
4 changes: 4 additions & 0 deletions bicep/aksagentpool.bicep
Expand Up @@ -33,6 +33,9 @@ param nodeLabels object = {}
@description('The subnet the node pool will use')
param subnetId string

@description('The subnet the pods will use')
param podSubnetID string

@description('OS Type for the node pool')
@allowed(['Linux','Windows'])
param osType string
Expand Down Expand Up @@ -70,6 +73,7 @@ resource userNodepool 'Microsoft.ContainerService/managedClusters/agentPools@202
maxPods: maxPods
type: 'VirtualMachineScaleSets'
vnetSubnetID: !empty(subnetId) ? subnetId : null
podSubnetID: !empty(podSubnetID) ? podSubnetID : null
upgradeSettings: {
maxSurge: '33%'
}
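Review bot: `param podSubnetID string` in the first hunk has no default, so every caller of this module must now supply it; main.bicep in this PR does, but any other consumer of bicep/aksagentpool.bicep would fail validation with a missing parameter. Since the second hunk already maps an empty value to null (`podSubnetID: !empty(podSubnetID) ? podSubnetID : null`), an empty default keeps the module backward-compatible: `param podSubnetID string = ''`. The existing sibling parameter is named `subnetId` while the new one is `podSubnetID`, so the casing is now inconsistent within the file; if the name is kept deliberately to mirror the ARM property, a one-line comment saying so would stop the next reader from "fixing" it.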
17 changes: 17 additions & 0 deletions bicep/aksnetcontrib.bicep
Expand Up @@ -2,6 +2,7 @@
//name/rg required to new up an existing reference and form a dependency
//principalid required as it needs to be used to establish a unique roleassignment name
param byoAKSSubnetId string
param byoAKSPodSubnetId string
param user_identity_principalId string

@allowed([
Expand All @@ -12,6 +13,7 @@ param rbacAssignmentScope string = 'Subnet'

var networkContributorRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')

var existingAksPodSubnetName = !empty(byoAKSPodSubnetId) ? split(byoAKSPodSubnetId, '/')[10] : ''
var existingAksSubnetName = !empty(byoAKSSubnetId) ? split(byoAKSSubnetId, '/')[10] : ''
var existingAksVnetName = !empty(byoAKSSubnetId) ? split(byoAKSSubnetId, '/')[8] : ''

Expand All @@ -23,6 +25,11 @@ resource existingAksSubnet 'Microsoft.Network/virtualNetworks/subnets@2022-07-01
name: existingAksSubnetName
}

resource existingAksPodSubnet 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' existing = {
parent: existingvnet
name: existingAksPodSubnetName
}

resource subnetRbac 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (rbacAssignmentScope == 'subnet') {
name: guid(user_identity_principalId, networkContributorRole, existingAksSubnetName)
scope: existingAksSubnet
Expand All @@ -33,6 +40,16 @@ resource subnetRbac 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (r
}
}

resource podSubnetRbac 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (rbacAssignmentScope == 'subnet') {
name: guid(user_identity_principalId, networkContributorRole, existingAksPodSubnetName)
scope: existingAksPodSubnet
properties: {
roleDefinitionId: networkContributorRole
principalId: user_identity_principalId
principalType: 'ServicePrincipal'
}
}

resource existingVnetRbac 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (rbacAssignmentScope != 'subnet') {
name: guid(user_identity_principalId, networkContributorRole, existingAksVnetName)
scope: existingvnet
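Review bot: `podSubnetRbac` in the last hunk is gated only on `rbacAssignmentScope == 'subnet'`, not on a pod subnet actually being supplied, so with the `byoAKSPodSubnetId = ''` default that main.bicep passes, `existingAksPodSubnetName` resolves to `''` and a role assignment is declared against an `existing` subnet with an empty name, which should fail the deployment (and `guid(..., '')` would give every such assignment the same name). The guard should be `resource podSubnetRbac 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (rbacAssignmentScope == 'subnet' && !empty(byoAKSPodSubnetId)) {`. The new `existingAksPodSubnet` also uses `parent: existingvnet`, the vnet taken from segment 8 of `byoAKSSubnetId`, while its name comes from segment 10 of a different id; nothing checks that both ids point at the same vnet, so a pod subnet in another vnet would either fail to resolve or, if a same-named subnet exists in the node vnet, receive Network Contributor there instead — worth a comment on the parameter or an explicit check. The comparison against lowercase `'subnet'`, while the declared default in the earlier hunk is `'Subnet'`, is copied from the existing `subnetRbac` condition and looks pre-existing, but it is worth confirming which casing the allowed list actually contains.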
9 changes: 9 additions & 0 deletions bicep/main.bicep
Expand Up @@ -35,6 +35,9 @@ param custom_vnet bool = false
@description('Full resource id path of an existing subnet to use for AKS')
param byoAKSSubnetId string = ''

@description('Full resource id path of an existing pod subnet to use for AKS')
param byoAKSPodSubnetId string = ''

@description('Full resource id path of an existing subnet to use for Application Gateway')
param byoAGWSubnetId string = ''

Expand Down Expand Up @@ -62,6 +65,7 @@ module aksnetcontrib './aksnetcontrib.bicep' = if (!empty(byoAKSSubnetId) && cre
scope: resourceGroup(existingAksVnetRG)
params: {
byoAKSSubnetId: byoAKSSubnetId
byoAKSPodSubnetId: byoAKSPodSubnetId
user_identity_principalId: createAksUai ? aksUai.properties.principalId : ''
rbacAssignmentScope: uaiNetworkScopeRbac
}
Expand Down Expand Up @@ -130,6 +134,8 @@ module network './network.bicep' = if (custom_vnet) {
location: location
networkPluginIsKubenet: networkPlugin=='kubenet'
vnetAddressPrefix: vnetAddressPrefix
vnetPodAddressPrefix: cniDynamicIpAllocation ? podCidr : ''
cniDynamicIpAllocation: cniDynamicIpAllocation
aksPrincipleId: aksPrincipalId
vnetAksSubnetAddressPrefix: vnetAksSubnetAddressPrefix
ingressApplicationGateway: ingressApplicationGateway
Expand Down Expand Up @@ -161,6 +167,7 @@ output CustomVnetId string = custom_vnet ? network.outputs.vnetId : ''
output CustomVnetPrivateLinkSubnetId string = custom_vnet ? network.outputs.privateLinkSubnetId : ''

var aksSubnetId = custom_vnet ? network.outputs.aksSubnetId : byoAKSSubnetId
var aksPodSubnetId = custom_vnet ? network.outputs.aksPodSubnetId : byoAKSPodSubnetId
var appGwSubnetId = ingressApplicationGateway ? (custom_vnet ? network.outputs.appGwSubnetId : byoAGWSubnetId) : ''


Expand Down Expand Up @@ -1141,6 +1148,7 @@ var systemPoolBase = {
maxPods: 30
type: 'VirtualMachineScaleSets'
vnetSubnetID: !empty(aksSubnetId) ? aksSubnetId : null
podSubnetID: !empty(aksPodSubnetId) ? aksPodSubnetId : null
upgradeSettings: {
maxSurge: '33%'
}
Expand Down Expand Up @@ -1352,6 +1360,7 @@ module userNodePool '../bicep/aksagentpool.bicep' = if (!JustUseSystemPool){
AksName: aks.name
PoolName: poolName
subnetId: aksSubnetId
podSubnetID: !empty(aksPodSubnetId) ? aksPodSubnetId : ''
agentCount: agentCount
agentCountMax: agentCountMax
agentVMSize: agentVMSize
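Review bot: `var aksPodSubnetId = custom_vnet ? network.outputs.aksPodSubnetId : byoAKSPodSubnetId` in the fourth hunk is non-empty whenever `custom_vnet` is true, because the `output aksPodSubnetId` added in bicep/network.bicep is an unconditional `resourceId(...)` while the pod subnet is only added to `subnets` there when `cniDynamicIpAllocation` is set; with a custom vnet and dynamic allocation off, `systemPoolBase` (fifth hunk) and the user node pool (sixth hunk) would therefore receive a `podSubnetID` for a subnet that is never created. Gate the variable on the feature flag, `var aksPodSubnetId = cniDynamicIpAllocation ? (custom_vnet ? network.outputs.aksPodSubnetId : byoAKSPodSubnetId) : ''`, or equivalently make the output in network.bicep conditional on the same flag. That also matches the helper, which only emits `byoAKSPodSubnetId` when the flag is on. In the userNodePool hunk, `podSubnetID: !empty(aksPodSubnetId) ? aksPodSubnetId : ''` is an identity on a string and can be just `podSubnetID: aksPodSubnetId`.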
27 changes: 27 additions & 0 deletions bicep/network.bicep
Expand Up @@ -6,6 +6,9 @@ param aksPrincipleId string = ''

param vnetAddressPrefix string
param vnetAksSubnetAddressPrefix string
param vnetPodAddressPrefix string

param cniDynamicIpAllocation bool = false

//Nsg
param workspaceName string = ''
Expand Down Expand Up @@ -160,10 +163,33 @@ var aks_baseSubnet = {
}: {})
}

var aks_podSubnet_name = 'aks-sn-pods'
var aks_podSubnet = {
name: aks_podSubnet_name
properties: union({
addressPrefix: vnetPodAddressPrefix
}, privateLinks ? {
privateEndpointNetworkPolicies: 'Disabled'
privateLinkServiceNetworkPolicies: 'Enabled'
} : {}, natGateway ? {
natGateway: {
id: natGw.id
}
} : {}, azureFirewalls ? {
routeTable: {
id: vnet_udr.id //resourceId('Microsoft.Network/routeTables', routeFwTableName)
}
}: {})
}

var aks_subnet = networkSecurityGroups ? union(aks_baseSubnet, nsgAks.outputs.nsgSubnetObj) : aks_baseSubnet
var aks_podsubnet = networkSecurityGroups ? union(aks_podSubnet, nsgAks.outputs.nsgSubnetObj) : aks_podSubnet



var subnets = union(
array(aks_subnet),
cniDynamicIpAllocation ? array(aks_podsubnet) : [],
azureFirewalls ? array(fw_subnet) : [],
privateLinks ? array(private_link_subnet) : [],
acrPrivatePool ? array(acrpool_subnet) : [],
Expand All @@ -189,6 +215,7 @@ resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
output vnetId string = vnet.id
output vnetName string = vnet.name
output aksSubnetId string = resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, aks_subnet_name)
output aksPodSubnetId string = resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, aks_podSubnet_name)
output fwSubnetId string = azureFirewalls ? '${vnet.id}/subnets/${fw_subnet_name}' : ''
output fwMgmtSubnetId string = azureFirewallsManagementSeperation ? '${vnet.id}/subnets/${fwmgmt_subnet_name}' : ''
output acrPoolSubnetId string = acrPrivatePool ? '${vnet.id}/subnets/${acrpool_subnet_name}' : ''
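Review bot: `param vnetPodAddressPrefix string` in the first hunk is a new required parameter on a shared module, so any caller other than main.bicep now fails with a missing-parameter error; an empty default, matching the `cniDynamicIpAllocation bool = false` declared beside it, keeps the module compatible: `param vnetPodAddressPrefix string = ''`. In the second hunk, `aks_podSubnet` reuses `nsgAks.outputs.nsgSubnetObj` for the pod subnet, so pods and nodes share one NSG; if that is intended, a short comment on `var aks_podsubnet` saying so would help, since a reader may expect a separate pod NSG. The three blank lines after `var aks_podsubnet` look like leftovers and should be collapsed to one.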
1 change: 1 addition & 0 deletions helper/src/components/deployTab.js
Expand Up @@ -51,6 +51,7 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray,
...(net.bastion && defaults.net.bastionSubnetAddressPrefix !== net.bastionSubnetAddressPrefix && {bastionSubnetAddressPrefix: net.bastionSubnetAddressPrefix})
}),
...(net.vnet_opt === "byo" && { byoAKSSubnetId: net.byoAKSSubnetId, ...serviceparams }),
...(net.vnet_opt === "byo" && net.cniDynamicIpAllocation && { byoAKSPodSubnetId: net.byoAKSPodSubnetId}),
...(net.vnet_opt === "byo" && addons.ingress === 'appgw' && { byoAGWSubnetId: net.byoAGWSubnetId }),
...(cluster.enable_aad && { enable_aad: true, ...(cluster.enableAzureRBAC === false && cluster.aad_tenant_id && { aad_tenant_id: cluster.aad_tenant_id }) }),
...(cluster.enable_aad && cluster.AksDisableLocalAccounts !== defaults.cluster.AksDisableLocalAccounts && { AksDisableLocalAccounts: cluster.AksDisableLocalAccounts }),
3 changes: 2 additions & 1 deletion helper/src/components/networkTab.js
Expand Up @@ -404,7 +404,8 @@ function BYOVNET({ net, addons, updateFn, invalidArray }) {
<TextField value={net.byoAKSSubnetId} onChange={(ev, v) => updateFn("byoAKSSubnetId", v)} errorMessage={getError(invalidArray, 'byoAKSSubnetId')} required placeholder="Resource Id" label={<Text style={{ fontWeight: 600 }}>Enter your existing AKS Nodes subnet ResourceId</Text>} />

<Separator className="notopmargin" />

<TextField disabled={!net.cniDynamicIpAllocation} value={net.byoAKSPodSubnetId} onChange={(ev, v) => updateFn("byoAKSPodSubnetId", v)} errorMessage={getError(invalidArray, 'byoAKSPodSubnetId')} required placeholder="Resource Id" label={<Text style={{ fontWeight: 600 }}>Enter your existing AKS Pods subnet ResourceId</Text>} />
<Separator/>

<TextField disabled={addons.ingress !== 'appgw'} value={net.byoAGWSubnetId} onChange={(ev, v) => updateFn("byoAGWSubnetId", v)} errorMessage={getError(invalidArray, 'byoAGWSubnetId')} required placeholder="Resource Id" label={<Text style={{ fontWeight: 600 }}>Enter your existing Application Gateway subnet ResourceId</Text>} />
<MessageBar messageBarType={MessageBarType.warning}>Ensure your Application Gateway subnet meets these requirements <Link href="https://docs.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#size-of-the-subnet">here</Link></MessageBar>
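Review bot: The new `TextField` in the hunk is marked `required` unconditionally while it is `disabled` unless `net.cniDynamicIpAllocation`, so the form shows a required marker for a value that is neither editable nor validated (portalnav.js only checks it when the flag is on); `required={net.cniDynamicIpAllocation}` keeps the marker and the validation in step. The Application Gateway field below it already uses the same unconditional `required` with a `disabled` guard, so this may be deliberate house style — if so, ignore. `BYOVNET` starts and ends outside the hunk.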
1 change: 1 addition & 0 deletions helper/src/components/portalnav.js
Expand Up @@ -380,6 +380,7 @@ export default function PortalNav({ config }) {
invalidFn('addons', 'appgwKVIntegration', addons.ingress === "appgw" && addons.appgwKVIntegration && addons.csisecret !== 'akvNew', 'KeyVault integration requires the \'CSI Secrets\' \'Yes, Provision a new KeyVault\' option to be selected')
invalidFn('addons', 'ingress', cluster.osType === "Windows" && addons.ingress !== "appgw" && addons.ingress !== "none", 'Neither the Windows nodepool or the system pool will be able to run your selected Ingress Controller. To support this Ingress Controller, add another linux nodepool post cluster creation.')
invalidFn('net', 'byoAKSSubnetId', net.vnet_opt === 'byo' && !net.byoAKSSubnetId.match('^/subscriptions/[^/ ]+/resourceGroups/[^/ ]+/providers/Microsoft.Network/virtualNetworks/[^/ ]+/subnets/[^/ ]+$'), 'Enter a valid Subnet Id where AKS nodes will be installed')
invalidFn('net', 'byoAKSPodSubnetId', net.vnet_opt === 'byo' && net.cniDynamicIpAllocation && !net.byoAKSPodSubnetId.match('^/subscriptions/[^/ ]+/resourceGroups/[^/ ]+/providers/Microsoft.Network/virtualNetworks/[^/ ]+/subnets/[^/ ]+$'), 'Enter a valid Subnet Id where AKS pods will be installed')
invalidFn('net', 'byoAGWSubnetId', net.vnet_opt === 'byo' && addons.ingress === 'appgw' && !net.byoAGWSubnetId.match('^/subscriptions/[^/ ]+/resourceGroups/[^/ ]+/providers/Microsoft.Network/virtualNetworks/[^/ ]+/subnets/[^/ ]+$'), 'Enter a valid Subnet Id where Application Gateway is installed')
invalidFn('net', 'vnet_opt', net.vnet_opt === "default" && (net.afw || net.vnetprivateend), 'Cannot use default networking of you select Firewall or Private Link')
invalidFn('net', 'afw',
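Review bot: The added `invalidFn('net', 'byoAKSPodSubnetId', ...)` is the third verbatim copy of the subnet-id pattern string in this function; hoist it once, e.g. `const subnetIdPattern = '^/subscriptions/[^/ ]+/resourceGroups/[^/ ]+/providers/Microsoft.Network/virtualNetworks/[^/ ]+/subnets/[^/ ]+$'`, and pass `subnetIdPattern` to all three `.match` calls so a future tightening applies to every subnet input uniformly. Because the pattern is passed as a string to `match`, it is compiled as a regex: the `.` in `Microsoft.Network` matches any character and the check is case-sensitive, which is inherited from the two existing checks and only worth changing together with the hoist. `PortalNav` starts and ends outside the hunk.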
1 change: 1 addition & 0 deletions helper/src/config.json
Expand Up @@ -126,6 +126,7 @@
"enableNodePublicIP": false,
"vnet_opt": "default",
"byoAKSSubnetId": "",
"byoAKSPodSubnetId": "",
"byoAGWSubnetId": "",
"vnetAddressPrefix": "10.240.0.0/16",
"vnetAksSubnetAddressPrefix": "10.240.0.0/22",