From 1f733df2d21dde3ef36b98a6423dfe83343b24f5 Mon Sep 17 00:00:00 2001 From: Ruchika Gupta Date: Fri, 4 Sep 2020 17:35:44 -0700 Subject: [PATCH 1/4] add azure policy addon --- src/azure-cli/azure/cli/command_modules/acs/_help.py | 2 ++ src/azure-cli/azure/cli/command_modules/acs/custom.py | 6 +++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/src/azure-cli/azure/cli/command_modules/acs/_help.py b/src/azure-cli/azure/cli/command_modules/acs/_help.py index 91ece750a75..3bbdf08eecf 100644 --- a/src/azure-cli/azure/cli/command_modules/acs/_help.py +++ b/src/azure-cli/azure/cli/command_modules/acs/_help.py @@ -298,6 +298,7 @@ monitoring - turn on Log Analytics monitoring. Uses the Log Analytics Default Workspace if it exists, else creates one. Specify "--workspace-resource-id" to use an existing workspace. If monitoring addon is enabled --no-wait argument will have no effect + azure-policy - enable Azure policy. - name: --disable-rbac type: bool short-summary: Disable Kubernetes Role-Based Access Control. @@ -507,6 +508,7 @@ monitoring - turn on Log Analytics monitoring. Requires "--workspace-resource-id". If monitoring addon is enabled --no-wait argument will have no effect virtual-node - enable AKS Virtual Node. Requires --subnet-name to provide the name of an existing subnet for the Virtual Node to use. + azure-policy - enable Azure policy. parameters: - name: --addons -a type: string diff --git a/src/azure-cli/azure/cli/command_modules/acs/custom.py b/src/azure-cli/azure/cli/command_modules/acs/custom.py index 8cccdf08e22..c84ec640a66 100644 --- a/src/azure-cli/azure/cli/command_modules/acs/custom.py +++ b/src/azure-cli/azure/cli/command_modules/acs/custom.py 
@@ -2159,7 +2159,8 @@ def aks_get_credentials(cmd, client, resource_group_name, name, admin=False, 'http_application_routing': 'httpApplicationRouting', 'monitoring': 'omsagent', 'virtual-node': 'aciConnector', - 'kube-dashboard': 'kubeDashboard' + 'kube-dashboard': 'kubeDashboard', + 'azure-policy': 'azurepolicy' } @@ -2619,6 +2620,9 @@ def _handle_addons_args(cmd, addons_str, subscription_id, resource_group_name, a # error out if '--enable-addons=monitoring' isn't set but workspace_resource_id is elif workspace_resource_id: raise CLIError('"--workspace-resource-id" requires "--enable-addons monitoring".') + if 'azure-policy' in addons: + addon_profiles['azurepolicy'] = ManagedClusterAddonProfile(enabled=True) + addons.remove('azure-policy') # error out if any (unrecognized) addons remain if addons: raise CLIError('"{}" {} not recognized by the --enable-addons argument.'.format( From f437664ab988b67bda65f3ebd106222ff6e1b507 Mon Sep 17 00:00:00 2001 From: Ruchika Gupta Date: Wed, 9 Sep 2020 12:40:46 -0700 Subject: [PATCH 2/4] update test --- .../acs/tests/latest/test_custom.py | 25 ++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_custom.py b/src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_custom.py index 2a9090a06ae..91ec272dbb2 100644 --- a/src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_custom.py +++ b/src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_custom.py @@ -591,7 +591,7 @@ def test_update_addons(self, rg_def, cf_resource_groups, cf_resources): addon_profile = instance.addon_profiles['httpApplicationRouting'] self.assertTrue(addon_profile.enabled) - # http_application_routing enabled + # http_application_routing disabled instance = _update_addons(cmd, instance, '00000000-0000-0000-0000-000000000000', 'clitest000001', 'http_application_routing', enable=False) addon_profile = instance.addon_profiles['httpApplicationRouting'] 
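Review bot: In the `_handle_addons_args` hunk (`@@ -2619,6 +2620,9 @@`) the new branch stores the profile under the literal `'azurepolicy'`, the same string the `@@ -2159,7 +2159,8 @@` hunk adds as the value for `'azure-policy'` in the addon-name map, so the create path and the update path can drift apart without any error; for a policy-enforcement add-on, a profile written under the wrong key would presumably just leave it off. Looking the key up in that map keeps one source of truth, e.g. `addon_profiles[<addon map>['azure-policy']] = ManagedClusterAddonProfile(enabled=True)`, where `<addon map>` is a placeholder because the map's name is outside the hunk; whether the function's other branches also use literals is not visible here. The tests added later in this series only call `_update_addons`, so nothing visible exercises this branch; a case that passes `azure-policy` through `_handle_addons_args` and asserts `addon_profiles['azurepolicy'].enabled` would pin it. The function body starts and ends outside the hunk.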
@@ -616,6 +616,29 @@ def test_update_addons(self, rg_def, cf_resource_groups, cf_resources): self.assertTrue(routing_addon_profile.enabled) self.assertEqual(sorted(list(instance.addon_profiles)), ['httpApplicationRouting', 'omsagent']) + # azurepolicy added + instance = _update_addons(cmd, instance, '00000000-0000-0000-0000-000000000000', + 'clitest000001', 'azure-policy', enable=True) + azurepolicy_addon_profile = instance.addon_profiles['azurepolicy'] + self.assertTrue(azurepolicy_addon_profile.enabled) + routing_addon_profile = instance.addon_profiles['httpApplicationRouting'] + self.assertTrue(routing_addon_profile.enabled) + monitoring_addon_profile = instance.addon_profiles['omsagent'] + self.assertFalse(monitoring_addon_profile.enabled) + + # azurepolicy disabled, routing enabled + instance = _update_addons(cmd, instance, '00000000-0000-0000-0000-000000000000', + 'clitest000001', 'azurepolicy', enable=False) + instance = _update_addons(cmd, instance, '00000000-0000-0000-0000-000000000000', 'clitest000001', + 'http_application_routing', enable=True) + azurepolicy_addon_profile = instance.addon_profiles['azurepolicy'] + self.assertTrue(azurepolicy_addon_profile.enabled) + monitoring_addon_profile = instance.addon_profiles['omsagent'] + self.assertFalse(monitoring_addon_profile.enabled) + routing_addon_profile = instance.addon_profiles['httpApplicationRouting'] + self.assertTrue(routing_addon_profile.enabled) + self.assertEqual(sorted(list(instance.addon_profiles)), ['azurepolicy','httpApplicationRouting', 'omsagent']) + # monitoring enabled and then enabled again should error instance = mock.Mock() instance.addon_profiles = None From aa07d50cae41c1edb0eb2cd3a8e597f0c115b520 Mon Sep 17 00:00:00 2001 
From: Ruchika Gupta Date: Wed, 9 Sep 2020 14:43:26 -0700 Subject: [PATCH 3/4] update tests and help text for policy addon --- src/azure-cli/azure/cli/command_modules/acs/_help.py | 6 ++++-- .../cli/command_modules/acs/tests/latest/test_custom.py | 4 ++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/src/azure-cli/azure/cli/command_modules/acs/_help.py b/src/azure-cli/azure/cli/command_modules/acs/_help.py index 3bbdf08eecf..0fbd74a2139 100644 --- a/src/azure-cli/azure/cli/command_modules/acs/_help.py +++ b/src/azure-cli/azure/cli/command_modules/acs/_help.py @@ -298,7 +298,8 @@ monitoring - turn on Log Analytics monitoring. Uses the Log Analytics Default Workspace if it exists, else creates one. Specify "--workspace-resource-id" to use an existing workspace. If monitoring addon is enabled --no-wait argument will have no effect - azure-policy - enable Azure policy. + azure-policy - enable Azure policy. The Azure Policy add-on for AKS enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. + Learn more at aka.ms/aks/policy. - name: --disable-rbac type: bool short-summary: Disable Kubernetes Role-Based Access Control. @@ -508,7 +509,8 @@ monitoring - turn on Log Analytics monitoring. Requires "--workspace-resource-id". If monitoring addon is enabled --no-wait argument will have no effect virtual-node - enable AKS Virtual Node. Requires --subnet-name to provide the name of an existing subnet for the Virtual Node to use. - azure-policy - enable Azure policy. + azure-policy - enable Azure policy. The Azure Policy add-on for AKS enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. + Learn more at aka.ms/aks/policy. parameters: - name: --addons -a type: string diff --git a/src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_custom.py b/src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_custom.py index 91ec272dbb2..59eac92db6e 100644 
--- a/src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_custom.py +++ b/src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_custom.py @@ -628,11 +628,11 @@ def test_update_addons(self, rg_def, cf_resource_groups, cf_resources): # azurepolicy disabled, routing enabled instance = _update_addons(cmd, instance, '00000000-0000-0000-0000-000000000000', - 'clitest000001', 'azurepolicy', enable=False) + 'clitest000001', 'azure-policy', enable=False) instance = _update_addons(cmd, instance, '00000000-0000-0000-0000-000000000000', 'clitest000001', 'http_application_routing', enable=True) azurepolicy_addon_profile = instance.addon_profiles['azurepolicy'] - self.assertTrue(azurepolicy_addon_profile.enabled) + self.assertFalse(azurepolicy_addon_profile.enabled) monitoring_addon_profile = instance.addon_profiles['omsagent'] self.assertFalse(monitoring_addon_profile.enabled) routing_addon_profile = instance.addon_profiles['httpApplicationRouting'] From 75c7cbc7538a472464280cb9652060d19759a89e Mon Sep 17 00:00:00 2001 From: Ruchika Gupta Date: Wed, 9 Sep 2020 15:46:51 -0700 Subject: [PATCH 4/4] fix missing whitespace --- .../azure/cli/command_modules/acs/tests/latest/test_custom.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_custom.py b/src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_custom.py index 59eac92db6e..047f73e18e8 100644 --- a/src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_custom.py +++ b/src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_custom.py 
@@ -637,7 +637,7 @@ def test_update_addons(self, rg_def, cf_resource_groups, cf_resources): self.assertFalse(monitoring_addon_profile.enabled) routing_addon_profile = instance.addon_profiles['httpApplicationRouting'] self.assertTrue(routing_addon_profile.enabled) - self.assertEqual(sorted(list(instance.addon_profiles)), ['azurepolicy','httpApplicationRouting', 'omsagent']) + self.assertEqual(sorted(list(instance.addon_profiles)), ['azurepolicy', 'httpApplicationRouting', 'omsagent']) # monitoring enabled and then enabled again should error instance = mock.Mock()