Azure · wangzelin007 · Feb 28, 2024 · Feb 6, 2024 · Feb 6, 2024 · Feb 6, 2024
@@ -9,8 +9,9 @@ If there is no rush to release a new version, please just add a description of t
 
 To release a new version, please select a new version number (usually plus 1 to last patch version, X.Y.Z -> Major.Minor.Patch, more details in `\doc <https://semver.org/>`_), and then add a new section named as the new version number in this file, the content should include the new modifications and everything from the *Pending* section. Finally, update the `VERSION` variable in `setup.py` with this new version number.
 
-Pending
+2.0.0b1
 +++++++
+* [BREAKING CHANGE] Replace `guardrails` parameters with `safeguards`.
 * Implicitly enable istio when ingress or egress gateway is enabled for Azure Service Mesh.
 * Add `az aks nodepool delete-machines` command.
 * Update `az aks approuting zone` command to support private dns zones.

@@ -269,9 +269,9 @@
 CONST_NODEOSUPGRADE_CONFIGURATION_NAME = "aksManagedNodeOSUpgradeSchedule"
 
 # Guardrails Level Consts
-CONST_GUARDRAILSLEVEL_OFF = "Off"
-CONST_GUARDRAILSLEVEL_WARNING = "Warning"
-CONST_GUARDRAILSLEVEL_ENFORCEMENT = "Enforcement"
+CONST_SAFEGUARDSLEVEL_OFF = "Off"
+CONST_SAFEGUARDSLEVEL_WARNING = "Warning"
+CONST_SAFEGUARDSLEVEL_ENFORCEMENT = "Enforcement"
 
 CONST_AZURE_SERVICE_MESH_MODE_DISABLED = "Disabled"
 CONST_AZURE_SERVICE_MESH_MODE_ISTIO = "Istio"

@@ -185,7 +185,7 @@
             - http_application_routing        : configure ingress with automatic public DNS name creation.
             - monitoring                      :  turn on Log Analytics monitoring. Uses the Log Analytics Default Workspace if it exists, else creates one. Specify "--workspace-resource-id" to use an existing workspace. If monitoring addon is enabled --no-wait argument will have no effect
             - virtual-node                    : enable AKS Virtual Node. Requires --aci-subnet-name to provide the name of an existing subnet for the Virtual Node to use. aci-subnet-name must be in the same vnet which is specified by --vnet-subnet-id (required as well).
-            - azure-policy                    : enable Azure policy. The Azure Policy add-on for AKS enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Required if enabling Guardrails. Learn more at aka.ms/aks/policy.
+            - azure-policy                    : enable Azure policy. The Azure Policy add-on for AKS enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Required if enabling deployment safeguards. Learn more at aka.ms/aks/policy.
             - ingress-appgw                   : enable Application Gateway Ingress Controller addon (PREVIEW).
             - confcom                         : enable confcom addon, this will enable SGX device plugin by default(PREVIEW).
             - open-service-mesh               : enable Open Service Mesh addon (PREVIEW).
@@ -538,15 +538,15 @@
         - name: --node-public-ip-tags
           type: string
           short-summary: The ipTags of the node public IPs.
-        - name: --guardrails-level
+        - name: --safeguards-level
           type: string
-          short-summary: The Guardrails Level. Accepted Values are [Off, Warning]. Requires azure policy addon to be enabled
-        - name: --guardrails-version
+          short-summary: The deployment safeguards Level. Accepted Values are [Off, Warning, Enforcement]. Requires azure policy addon to be enabled
+        - name: --safeguards-version
           type: string
-          short-summary: The version of Guardrails to use. Default "v1.0.0" Use the ListGuardrailsVersions API to discover available versions
-        - name: --guardrails-excluded-ns
+          short-summary: The version of deployment safeguards to use. Default "v1.0.0" Use the ListSafeguardsVersions API to discover available versions
+        - name: --safeguards-excluded-ns
           type: string
-          short-summary: Comma-separated list of Kubernetes namespaces to exclude from Guardrails
+          short-summary: Comma-separated list of Kubernetes namespaces to exclude from deployment safeguards
         - name: --enable-asm --enable-azure-service-mesh
           type: bool
           short-summary: Enable Azure Service Mesh.
@@ -657,10 +657,10 @@
           text: az aks create -g MyResourceGroup -n MyManagedCluster --network-plugin none
         - name: Create a kubernetes cluster with Custom CA Trust enabled.
           text: az aks create -g MyResourceGroup -n MyManagedCluster --enable-custom-ca-trust
-        - name: Create a kubernetes cluster with guardrails set to "Warning"
-          text: az aks create -g MyResourceGroup -n MyManagedCluster --guardrails-level Warning --enable-addons azure-policy
-        - name: Create a kubernetes cluster with guardrails set to "Warning" and some namespaces excluded
-          text: az aks create -g MyResourceGroup -n MyManagedCluster --guardrails-level Warning --guardrails-excluded-ns ns1,ns2 --enable-addons azure-policy
+        - name: Create a kubernetes cluster with safeguards set to "Warning"
+          text: az aks create -g MyResourceGroup -n MyManagedCluster --safeguards-level Warning --enable-addons azure-policy
+        - name: Create a kubernetes cluster with safeguards set to "Warning" and some namespaces excluded
+          text: az aks create -g MyResourceGroup -n MyManagedCluster --safeguards-level Warning --safeguards-excluded-ns ns1,ns2 --enable-addons azure-policy
         - name: Create a kubernetes cluster with Azure Service Mesh enabled.
           text: az aks create -g MyResourceGroup -n MyManagedCluster --enable-azure-service-mesh
         - name: Create a kubernetes cluster with Azure Monitor Metrics enabled.
@@ -1109,15 +1109,15 @@
           type: string
           short-summary: Path to a file containing up to 10 blank line separated certificates. Only valid for linux nodes.
           long-summary: These certificates are used by Custom CA Trust features and will be added to trust stores of nodes. Requires Custom CA Trust to be enabled on the node.
-        - name: --guardrails-level
+        - name: --safeguards-level
           type: string
-          short-summary: The Guardrails Level. Accepted Values are [Off, Warning]. Requires azure policy addon to be enabled
-        - name: --guardrails-version
+          short-summary: The deployment safeguards Level. Accepted Values are [Off, Warning, Enforcement]. Requires azure policy addon to be enabled
+        - name: --safeguards-version
           type: string
-          short-summary: The version of Guardrails to use. Default "v1.0.0" Use the ListGuardrailsVersions API to discover available versions
-        - name: --guardrails-excluded-ns
+          short-summary: The version of deployment safeguards to use. Default "v1.0.0" Use the ListSafeguardsVersions API to discover available versions
+        - name: --safeguards-excluded-ns
           type: string
-          short-summary: Comma-separated list of Kubernetes namespaces to exclude from Guardrails. Use "" to clear a previously non-empty list
+          short-summary: Comma-separated list of Kubernetes namespaces to exclude from deployment safeguards. Use "" to clear a previously non-empty list
         - name: --nodepool-taints
           type: string
           short-summary: The node taints for all node pool.
@@ -1207,12 +1207,12 @@
         text: az aks update -g MyResourceGroup -n MyManagedCluster --enable-windows-gmsa --gmsa-dns-server "10.240.0.4" --gmsa-root-domain-name "contoso.com"
       - name: Update a existing managed cluster to a managed cluster snapshot.
         text: az aks update -g MyResourceGroup -n MyManagedCluster --cluster-snapshot-id "/subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.ContainerService/managedclustersnapshots/mysnapshot1"
-      - name: Update a kubernetes cluster with guardrails set to "Warning". Assumes azure policy addon is already enabled
-        text: az aks update -g MyResourceGroup -n MyManagedCluster --guardrails-level Warning
-      - name: Update a kubernetes cluster with guardrails set to "Warning" and some namespaces excluded. Assumes azure policy addon is already enabled
-        text: az aks update -g MyResourceGroup -n MyManagedCluster --guardrails-level Warning --guardrails-excluded-ns ns1,ns2
-      - name: Update a kubernetes cluster to clear any namespaces excluded from guardrails. Assumes azure policy addon is already enabled
-        text: az aks update -g MyResourceGroup -n MyManagedCluster --guardrails-excluded-ns ""
+      - name: Update a kubernetes cluster with safeguards set to "Warning". Assumes azure policy addon is already enabled
+        text: az aks update -g MyResourceGroup -n MyManagedCluster --safeguards-level Warning
+      - name: Update a kubernetes cluster with safeguards set to "Warning" and some namespaces excluded. Assumes azure policy addon is already enabled
+        text: az aks update -g MyResourceGroup -n MyManagedCluster --safeguards-level Warning --safeguards-excluded-ns ns1,ns2
+      - name: Update a kubernetes cluster to clear any namespaces excluded from safeguards. Assumes azure policy addon is already enabled
+        text: az aks update -g MyResourceGroup -n MyManagedCluster --safeguards-excluded-ns ""
 """
 
 helps['aks kollect'] = """

@@ -309,7 +309,7 @@ def check_is_apiserver_vnet_integration_cluster(mc: ManagedCluster) -> bool:
     return False
 
 
-def setup_common_guardrails_profile(level, version, excludedNamespaces, mc: ManagedCluster, models) -> ManagedCluster:
+def setup_common_safeguards_profile(level, version, excludedNamespaces, mc: ManagedCluster, models) -> ManagedCluster:
     if (level is not None or version is not None or excludedNamespaces is not None) and mc.safeguards_profile is None:
         mc.safeguards_profile = models.SafeguardsProfile(
             level=level,

@@ -95,9 +95,9 @@
     CONST_WEEKINDEX_FIRST,
     CONST_WEEKINDEX_FOURTH,
     CONST_WEEKINDEX_LAST,
-    CONST_GUARDRAILSLEVEL_OFF,
-    CONST_GUARDRAILSLEVEL_WARNING,
-    CONST_GUARDRAILSLEVEL_ENFORCEMENT,
+    CONST_SAFEGUARDSLEVEL_OFF,
+    CONST_SAFEGUARDSLEVEL_WARNING,
+    CONST_SAFEGUARDSLEVEL_ENFORCEMENT,
     CONST_AZURE_SERVICE_MESH_INGRESS_MODE_EXTERNAL,
     CONST_AZURE_SERVICE_MESH_INGRESS_MODE_INTERNAL,
     CONST_WEEKINDEX_SECOND,
@@ -289,11 +289,11 @@
     CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PRIVATE,
 ]
 
-# consts for guardrails level
-guardrails_levels = [
-    CONST_GUARDRAILSLEVEL_OFF,
-    CONST_GUARDRAILSLEVEL_WARNING,
-    CONST_GUARDRAILSLEVEL_ENFORCEMENT,
+# consts for Safeguards level
+safeguards_levels = [
+    CONST_SAFEGUARDSLEVEL_OFF,
+    CONST_SAFEGUARDSLEVEL_WARNING,
+    CONST_SAFEGUARDSLEVEL_ENFORCEMENT,
 ]
 
 # azure service mesh
@@ -324,7 +324,6 @@
     CONST_STORAGE_POOL_OPTION_SSD,
 ]
 
-# consts for guardrails level
 node_provisioning_modes = [
     CONST_NODE_PROVISIONING_MODE_MANUAL,
     CONST_NODE_PROVISIONING_MODE_AUTO,
@@ -756,17 +755,17 @@ def load_arguments(self, _):
             help="space-separated tags: key[=value] [key[=value] ...].",
         )
         c.argument(
-            "guardrails_level",
-            arg_type=get_enum_type(guardrails_levels),
+            "safeguards_level",
+            arg_type=get_enum_type(safeguards_levels),
             is_preview=True,
         )
         c.argument(
-            "guardrails_version",
+            "safeguards_version",
             type=str,
-            help="The guardrails version",
+            help="The deployment safeguards version",
             is_preview=True,
         )
-        c.argument("guardrails_excluded_ns", type=str, is_preview=True)
+        c.argument("safeguards_excluded_ns", type=str, is_preview=True)
         # azure monitor profile
         c.argument(
             "enable_azuremonitormetrics",
@@ -1141,12 +1140,12 @@ def load_arguments(self, _):
             help="path to file containing list of new line separated CAs",
         )
         c.argument(
-            "guardrails_level",
-            arg_type=get_enum_type(guardrails_levels),
+            "safeguards_level",
+            arg_type=get_enum_type(safeguards_levels),
             is_preview=True,
         )
-        c.argument("guardrails_version", help="The guardrails version", is_preview=True)
-        c.argument("guardrails_excluded_ns", is_preview=True)
+        c.argument("safeguards_version", help="The deployment safeguards version", is_preview=True)
+        c.argument("safeguards_excluded_ns", is_preview=True)
         c.argument(
             "enable_network_observability",
             action="store_true",

@@ -592,10 +592,10 @@ def aks_create(
     nodepool_allowed_host_ports=None,
     nodepool_asg_ids=None,
     node_public_ip_tags=None,
-    # guardrails parameters
-    guardrails_level=None,
-    guardrails_version=None,
-    guardrails_excluded_ns=None,
+    # safeguards parameters
+    safeguards_level=None,
+    safeguards_version=None,
+    safeguards_excluded_ns=None,
     # azure service mesh
     enable_azure_service_mesh=None,
     # azure monitor profile
@@ -786,10 +786,10 @@ def aks_update(
     disable_addon_autoscaling=False,
     cluster_snapshot_id=None,
     custom_ca_trust_certificates=None,
-    # guardrails parameters
-    guardrails_level=None,
-    guardrails_version=None,
-    guardrails_excluded_ns=None,
+    # safeguards parameters
+    safeguards_level=None,
+    safeguards_version=None,
+    safeguards_excluded_ns=None,
     enable_network_observability=None,
     disable_network_observability=None,
     # metrics profile

@@ -37,7 +37,7 @@
     check_is_apiserver_vnet_integration_cluster,
     check_is_private_cluster,
     get_cluster_snapshot_by_snapshot_id,
-    setup_common_guardrails_profile,
+    setup_common_safeguards_profile,
 )
 from azext_aks_preview._loadbalancer import create_load_balancer_profile
 from azext_aks_preview._loadbalancer import (
@@ -187,14 +187,14 @@ def external_functions(self) -> SimpleNamespace:
             self.__external_functions = SimpleNamespace(**external_functions)
         return self.__external_functions
 
-    def get_guardrails_level(self) -> Union[str, None]:
-        return self.raw_param.get("guardrails_level")
+    def get_safeguards_level(self) -> Union[str, None]:
+        return self.raw_param.get("safeguards_level")
 
-    def get_guardrails_excluded_namespaces(self) -> Union[str, None]:
-        return self.raw_param.get("guardrails_excluded_ns")
+    def get_safeguards_excluded_namespaces(self) -> Union[str, None]:
+        return self.raw_param.get("safeguards_excluded_ns")
 
-    def get_guardrails_version(self) -> Union[str, None]:
-        return self.raw_param.get("guardrails_version")
+    def get_safeguards_version(self) -> Union[str, None]:
+        return self.raw_param.get("safeguards_version")
 
     def __validate_pod_identity_with_kubenet(self, mc, enable_pod_identity, enable_pod_identity_with_kubenet):
         """Helper function to check the validity of serveral pod identity related parameters.
@@ -3122,12 +3122,12 @@ def set_up_auto_upgrade_profile(self, mc: ManagedCluster) -> ManagedCluster:
             mc.auto_upgrade_profile.node_os_upgrade_channel = node_os_upgrade_channel
         return mc
 
-    def set_up_guardrails_profile(self, mc: ManagedCluster) -> ManagedCluster:
-        excludedNamespaces = self.context.get_guardrails_excluded_namespaces()
-        version = self.context.get_guardrails_version()
-        level = self.context.get_guardrails_level()
+    def set_up_safeguards_profile(self, mc: ManagedCluster) -> ManagedCluster:
+        excludedNamespaces = self.context.get_safeguards_excluded_namespaces()
+        version = self.context.get_safeguards_version()
+        level = self.context.get_safeguards_level()
         # provided any value?
-        mc = setup_common_guardrails_profile(level, version, excludedNamespaces, mc, self.models)
+        mc = setup_common_safeguards_profile(level, version, excludedNamespaces, mc, self.models)
         return mc
 
     def set_up_azure_service_mesh_profile(self, mc: ManagedCluster) -> ManagedCluster:
@@ -3291,8 +3291,8 @@ def construct_mc_profile_preview(self, bypass_restore_defaults: bool = False) ->
         mc = self.set_up_node_resource_group_profile(mc)
         # set up auto upgrade profile
         mc = self.set_up_auto_upgrade_profile(mc)
-        # set up guardrails profile
-        mc = self.set_up_guardrails_profile(mc)
+        # set up safeguards profile
+        mc = self.set_up_safeguards_profile(mc)
         # set up azure service mesh profile
         mc = self.set_up_azure_service_mesh_profile(mc)
         # setup k8s support plan
@@ -4264,18 +4264,18 @@ def update_auto_upgrade_profile(self, mc: ManagedCluster) -> ManagedCluster:
             mc.auto_upgrade_profile.node_os_upgrade_channel = node_os_upgrade_channel
         return mc
 
-    def update_guardrails_profile(self, mc: ManagedCluster) -> ManagedCluster:
-        """Update guardrails profile for the ManagedCluster object
+    def update_safeguards_profile(self, mc: ManagedCluster) -> ManagedCluster:
+        """Update safeguards profile for the ManagedCluster object
         :return: the ManagedCluster object
         """
 
         self._ensure_mc(mc)
 
-        excludedNamespaces = self.context.get_guardrails_excluded_namespaces()
-        version = self.context.get_guardrails_version()
-        level = self.context.get_guardrails_level()
+        excludedNamespaces = self.context.get_safeguards_excluded_namespaces()
+        version = self.context.get_safeguards_version()
+        level = self.context.get_safeguards_level()
 
-        mc = setup_common_guardrails_profile(level, version, excludedNamespaces, mc, self.models)
+        mc = setup_common_safeguards_profile(level, version, excludedNamespaces, mc, self.models)
 
         if level is not None:
             mc.safeguards_profile.level = level
@@ -4659,8 +4659,8 @@ def update_mc_profile_preview(self) -> ManagedCluster:
         mc = self.update_node_resource_group_profile(mc)
         # update auto upgrade profile
         mc = self.update_auto_upgrade_profile(mc)
-        # update guardrails_profile
-        mc = self.update_guardrails_profile(mc)
+        # update safeguards_profile
+        mc = self.update_safeguards_profile(mc)
         # update cluster upgrade settings profile
         mc = self.update_upgrade_settings(mc)
         # update nodepool taints