[AKS] az aks create/update: Add support for feature Advanced Contai…

…ner Networking Services (Azure#30208)
yanzhudd · Nov 25, 2024 · c1b0ccb · c1b0ccb
1 parent 5e2ae6a
commit c1b0ccb
Show file tree

Hide file tree

Showing 10 changed files with 6,822 additions and 0 deletions.
diff --git a/src/azure-cli/azure/cli/command_modules/acs/_help.py b/src/azure-cli/azure/cli/command_modules/acs/_help.py
@@ -541,6 +541,15 @@
   - name: --enable-vtpm
     type: bool
     short-summary: Enable vTPM on all node pools in the cluster. Must use VMSS agent pool type.
+  - name: --enable-acns
+    type: bool
+    short-summary: Enable advanced network functionalities on a cluster. Enabling this will incur additional costs. For non-cilium clusters, acns security will be disabled by default until further notice.
+  - name: --disable-acns-observability
+    type: bool
+    short-summary: Used to disable advanced networking observability features on a clusters when enabling advanced networking features with "--enable-acns".
+  - name: --disable-acns-security
+    type: bool
+    short-summary: Used to disable advanced networking security features on a clusters when enabling advanced networking features with "--enable-acns".
 
 examples:
   - name: Create a Kubernetes cluster with an existing SSH public key.
@@ -943,6 +952,18 @@
   - name: --disable-cost-analysis
     type: bool
     short-summary: Disable exporting Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal.
+  - name: --enable-acns
+    type: bool
+    short-summary: Enable advanced network functionalities on a cluster. Enabling this will incur additional costs. For non-cilium clusters, acns security will be disabled by default until further notice.
+  - name: --disable-acns
+    type: bool
+    short-summary: Disable all advanced networking functionalities on a cluster.
+  - name: --disable-acns-observability
+    type: bool
+    short-summary: Used to disable advanced networking observability features on a clusters when enabling advanced networking features with "--enable-acns".
+  - name: --disable-acns-security
+    type: bool
+    short-summary: Used to disable advanced networking security features on a clusters when enabling advanced networking features with "--enable-acns".
 
 examples:
   - name: Reconcile the cluster back to its current state.

diff --git a/src/azure-cli/azure/cli/command_modules/acs/_params.py b/src/azure-cli/azure/cli/command_modules/acs/_params.py
@@ -464,6 +464,10 @@ def load_arguments(self, _):
         c.argument('enable_cost_analysis', action='store_true')
         c.argument('enable_vtpm', action="store_true")
         c.argument('enable_secure_boot', action="store_true")
+        # advanced networking
+        c.argument('enable_acns', action='store_true')
+        c.argument('disable_acns_observability', action='store_true')
+        c.argument('disable_acns_security', action='store_true')
 
     with self.argument_context('aks update') as c:
         # managed cluster paramerters
@@ -487,6 +491,11 @@ def load_arguments(self, _):
                    help="Comma-separated list of key=value pairs for configuring cluster autoscaler. Pass an empty string to clear the profile.")
         c.argument('tier', arg_type=get_enum_type(sku_tiers), validator=validate_sku_tier)
         c.argument('api_server_authorized_ip_ranges', validator=validate_ip_ranges)
+        # advanced networking
+        c.argument('enable_acns', action='store_true')
+        c.argument('disable_acns', action='store_true')
+        c.argument('disable_acns_observability', action='store_true')
+        c.argument('disable_acns_security', action='store_true')
         # private cluster parameters
         c.argument('enable_public_fqdn', action='store_true')
         c.argument('disable_public_fqdn', action='store_true')

diff --git a/src/azure-cli/azure/cli/command_modules/acs/custom.py b/src/azure-cli/azure/cli/command_modules/acs/custom.py
@@ -562,6 +562,10 @@ def aks_create(
     image_cleaner_interval_hours=None,
     enable_keda=False,
     enable_vpa=False,
+    # advanced networking
+    enable_acns=None,
+    disable_acns_observability=None,
+    disable_acns_security=None,
     # addons
     enable_addons=None,
     workspace_resource_id=None,
@@ -756,6 +760,11 @@ def aks_update(
     enable_force_upgrade=False,
     disable_force_upgrade=False,
     upgrade_override_until=None,
+    # advanced networking
+    disable_acns=None,
+    enable_acns=None,
+    disable_acns_observability=None,
+    disable_acns_security=None,
     # addons
     enable_secret_rotation=False,
     disable_secret_rotation=False,

diff --git a/src/azure-cli/azure/cli/command_modules/acs/linter_exclusions.yml b/src/azure-cli/azure/cli/command_modules/acs/linter_exclusions.yml
@@ -70,6 +70,9 @@ aks create:
       enable_high_log_scale_mode:
         rule_exclusions:
         - option_length_too_long
+      disable_acns_observability:
+        rule_exclusions:
+        - option_length_too_long
 
 aks enable-addons:
   parameters:
@@ -162,6 +165,9 @@ aks update:
       enable_high_log_scale_mode:
         rule_exclusions:
         - option_length_too_long
+      disable_acns_observability:
+        rule_exclusions:
+        - option_length_too_long
 aks nodepool add:
   parameters:
       disable_windows_outbound_nat:

diff --git a/src/azure-cli/azure/cli/command_modules/acs/managed_cluster_decorator.py b/src/azure-cli/azure/cli/command_modules/acs/managed_cluster_decorator.py
@@ -2360,6 +2360,54 @@ def get_network_dataplane(self) -> Union[str, None]:
         """
         return self.raw_param.get("network_dataplane")
 
+    def get_acns_enablement(self) -> Tuple[
+        Union[bool, None],
+        Union[bool, None],
+        Union[bool, None],
+    ]:
+        """Get the enablement of acns
+
+        :return: Tuple of 3 elements which can be bool or None
+        """
+        enable_acns = self.raw_param.get("enable_acns")
+        disable_acns = self.raw_param.get("disable_acns")
+        if enable_acns is None and disable_acns is None:
+            return None, None, None
+        if enable_acns and disable_acns:
+            raise MutuallyExclusiveArgumentError(
+                "Cannot specify --enable-acns and "
+                "--disable-acns at the same time."
+            )
+        enable_acns = bool(enable_acns) if enable_acns is not None else False
+        disable_acns = bool(disable_acns) if disable_acns is not None else False
+        acns = enable_acns or not disable_acns
+        acns_observability = self.get_acns_observability()
+        acns_security = self.get_acns_security()
+        if acns and (acns_observability is False and acns_security is False):
+            raise MutuallyExclusiveArgumentError(
+                "Cannot disable both observability and security when enabling ACNS. "
+                "Please enable at least one of them or disable ACNS with --disable-acns."
+            )
+        if not acns and (acns_observability is not None or acns_security is not None):
+            raise MutuallyExclusiveArgumentError(
+                "--disable-acns does not use any additional acns arguments."
+            )
+        return acns, acns_observability, acns_security
+
+    def get_acns_observability(self) -> Union[bool, None]:
+        """Get the enablement of acns observability
+
+        :return: bool or None"""
+        disable_acns_observability = self.raw_param.get("disable_acns_observability")
+        return not bool(disable_acns_observability) if disable_acns_observability is not None else None
+
+    def get_acns_security(self) -> Union[bool, None]:
+        """Get the enablement of acns security
+
+        :return: bool or None"""
+        disable_acns_security = self.raw_param.get("disable_acns_security")
+        return not bool(disable_acns_security) if disable_acns_security is not None else None
+
     def _get_pod_cidr_and_service_cidr_and_dns_service_ip_and_docker_bridge_address_and_network_policy(
         self, enable_validation: bool = False
     ) -> Tuple[
@@ -5651,6 +5699,20 @@ def set_up_network_profile(self, mc: ManagedCluster) -> ManagedCluster:
 
         network_dataplane = self.context.get_network_dataplane()
 
+        (acns_enabled, acns_observability, acns_security) = self.context.get_acns_enablement()
+        if acns_enabled is not None:
+            acns = self.models.AdvancedNetworking(
+                enabled=acns_enabled,
+            )
+            if acns_observability is not None:
+                acns.observability = self.models.AdvancedNetworkingObservability(
+                    enabled=acns_observability,
+                )
+            if acns_security is not None:
+                acns.security = self.models.AdvancedNetworkingSecurity(
+                    enabled=acns_security,
+                )
+
         if any(
             [
                 network_plugin,
@@ -5710,6 +5772,8 @@ def set_up_network_profile(self, mc: ManagedCluster) -> ManagedCluster:
         load_balancer_sku = self.context.get_load_balancer_sku()
         if load_balancer_sku != CONST_LOAD_BALANCER_SKU_BASIC:
             network_profile.nat_gateway_profile = nat_gateway_profile
+        if acns_enabled is not None:
+            network_profile.advanced_networking = acns
         mc.network_profile = network_profile
         return mc
 
@@ -7319,6 +7383,29 @@ def update_network_plugin_settings(self, mc: ManagedCluster) -> ManagedCluster:
 
         return mc
 
+    def update_network_profile_advanced_networking(self, mc: ManagedCluster) -> ManagedCluster:
+        """Update advanced networking settings of network profile for the ManagedCluster object.
+
+        :return: the ManagedCluster object
+        """
+        self._ensure_mc(mc)
+        (acns_enabled, acns_observability, acns_security) = self.context.get_acns_enablement()
+        if acns_enabled is not None:
+            acns = self.models.AdvancedNetworking(
+                enabled=acns_enabled,
+            )
+            if acns_observability is not None:
+                acns.observability = self.models.AdvancedNetworkingObservability(
+                    enabled=acns_observability,
+                )
+            if acns_security is not None:
+                acns.security = self.models.AdvancedNetworkingSecurity(
+                    enabled=acns_security,
+                )
+        if acns_enabled is not None:
+            mc.network_profile.advanced_networking = acns
+        return mc
+
     def update_http_proxy_config(self, mc: ManagedCluster) -> ManagedCluster:
         """Set up http proxy config for the ManagedCluster object.
 
@@ -8242,6 +8329,8 @@ def update_mc_profile_default(self) -> ManagedCluster:
         mc = self.update_windows_profile(mc)
         # update network plugin settings
         mc = self.update_network_plugin_settings(mc)
+        # update network profile with acns
+        mc = self.update_network_profile_advanced_networking(mc)
         # update aad profile
         mc = self.update_aad_profile(mc)
         # update oidc issuer profile