From f117a4b92e57bd519d7fec4d6ed7b6a61e3e5027 Mon Sep 17 00:00:00 2001
From: Roma Bogatikov
Date: Mon, 20 Nov 2023 21:39:19 +0000
Subject: [PATCH 1/2] force --network-policy=cilium whenever --network-dataplane=cilium during upgrade

---
 .../azext_aks_preview/managed_cluster_decorator.py | 4 ++++
 .../tests/latest/test_managed_cluster_decorator.py | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py b/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py
index dea881d2853..fb7f5706a13 100644
--- a/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py
+++ b/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py
@@ -68,6 +68,7 @@
 CONST_NETWORK_PLUGIN_AZURE,
 CONST_NETWORK_PLUGIN_MODE_OVERLAY,
 CONST_NETWORK_DATAPLANE_CILIUM,
+ CONST_NETWORK_POLICY_CILIUM,
 CONST_PRIVATE_DNS_ZONE_NONE,
 CONST_PRIVATE_DNS_ZONE_SYSTEM,
 CONST_AZURE_KEYVAULT_SECRETS_PROVIDER_ADDON_NAME,
@@ -3437,6 +3438,9 @@ def update_network_plugin_settings(self, mc: ManagedCluster) -> ManagedCluster:
 if network_policy:
 mc.network_profile.network_policy = network_policy
 
+ if network_dataplane == CONST_NETWORK_DATAPLANE_CILIUM:
+ mc.network_profile.network_policy = CONST_NETWORK_POLICY_CILIUM
+
 return mc
 
 def update_enable_network_observability_in_network_profile(self, mc: ManagedCluster) -> ManagedCluster:
diff --git a/src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py b/src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py
index 08796cc011a..d31a05ea8ae 100644
--- a/src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py
+++ b/src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py
@@ -5104,6 +5104,7 @@ def test_update_network_plugin_settings(self):
 network_plugin="azure",
 network_plugin_mode="overlay",
 network_dataplane="cilium",
+ network_policy="",
 pod_cidr="100.64.0.0/16",
 service_cidr="192.168.0.0/16"
 ),
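Review bot: The test data here appears to pin only the case where the profile's `network_policy` is empty and ends up as `"cilium"`; the precedence that patch 2/2 introduces (an explicitly passed `--network-policy` is kept instead of being forced) has no case, and that patch changes no test file. The same gap applies to the hunk at `@@ -5121,6 +5122,7 @@`, which looks like the matching expected value. I would add a case to `test_update_network_plugin_settings` that supplies both `network_dataplane="cilium"` and an explicit `network_policy`, and asserts that the explicit value is what ends up on `mc.network_profile.network_policy`. The test body starts and ends outside these hunks, so how the raw parameters are supplied is not visible here.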
@@ -5121,6 +5122,7 @@ def test_update_network_plugin_settings(self):
 network_plugin="azure",
 network_plugin_mode="overlay",
 network_dataplane="cilium",
+ network_policy="cilium",
 pod_cidr="100.64.0.0/16",
 service_cidr="192.168.0.0/16",
 ),
From d86c0d8387665cb7823e97744b969a0ed645bf71 Mon Sep 17 00:00:00 2001
From: Roma Bogatikov
Date: Mon, 20 Nov 2023 22:12:34 +0000
Subject: [PATCH 2/2] force network-policy cilium when it is not explicitly set + add comments

---
 .../azext_aks_preview/managed_cluster_decorator.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py b/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py
index fb7f5706a13..b1b4c8bfc8e 100644
--- a/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py
+++ b/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py
@@ -3437,8 +3437,10 @@ def update_network_plugin_settings(self, mc: ManagedCluster) -> ManagedCluster:
 network_policy = self.context.get_network_policy()
 if network_policy:
 mc.network_profile.network_policy = network_policy
-
- if network_dataplane == CONST_NETWORK_DATAPLANE_CILIUM:
+ elif network_dataplane == CONST_NETWORK_DATAPLANE_CILIUM:
+ # force network_policy to "cilium" when network_dataplane is "cilium" to pass validation in aks rp
+ # this was needed because api version 2023-08-02preview introduced --network-policy=none
+ # without forcing network_policy to "cilium" here, when upgrading to cilium without specifying --network-policy, it will be set to none by default and validation in aks rp will fail.
 mc.network_profile.network_policy = CONST_NETWORK_POLICY_CILIUM
 
 return mc
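Review bot: The `elif` branch overwrites `mc.network_profile.network_policy` with `CONST_NETWORK_POLICY_CILIUM` without any message, so a cluster that already had a different policy engine set has that security control switched as a side effect of `--network-dataplane=cilium`. I would log it in that branch, for example `logger.warning("--network-policy was not specified; setting it to '%s' because --network-dataplane is cilium", CONST_NETWORK_POLICY_CILIUM)`, assuming the module already defines `logger`, and mention the forced value in the command help. Note also that `if network_policy:` treats an explicit empty string the same as an omitted option, which is presumably intended but worth stating in the comment. The function starts above the hunk, so where `network_dataplane` is assigned is not visible here.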