[AKS] Add options for users to specify guardrails

src/aks-preview/HISTORY.rst

@@ -13,6 +13,10 @@ Pending
 +++++++
 * Vendor new SDK and bump API version to 2023-04-02-preview.
 
+0.5.140
++++++++
+* Allow options for specifying guardrails profile arguments
+
 0.5.139
 * `az aks create` and `az aks nodepool add`: Add warning message when specifying `--os-sku` to `Mariner` or `CBLMariner`.
 

src/aks-preview/azext_aks_preview/_consts.py

@@ -250,6 +250,11 @@
 CONST_AUTOUPGRADE_CONFIGURATION_NAME = "aksManagedAutoUpgradeSchedule"
 CONST_NODEOSUPGRADE_CONFIGURATION_NAME = "aksManagedNodeOSUpgradeSchedule"
 
+# Guardrails Level Consts
+CONST_GUARDRAILSLEVEL_OFF = "Off"
+CONST_GUARDRAILSLEVEL_WARNING = "Warning"
+CONST_GUARDRAILSLEVEL_ENFORCEMENT = "Enforcement"
+
 CONST_AZURE_SERVICE_MESH_MODE_DISABLED = "Disabled"
 CONST_AZURE_SERVICE_MESH_MODE_ISTIO = "Istio"
 CONST_AZURE_SERVICE_MESH_INGRESS_MODE_EXTERNAL = "External"

src/aks-preview/azext_aks_preview/_help.py

@@ -186,7 +186,7 @@
                                                   If monitoring addon is enabled --no-wait argument will have no effect
                 virtual-node                    - enable AKS Virtual Node. Requires --aci-subnet-name to provide the name of an existing subnet for the Virtual Node to use.
                                                   aci-subnet-name must be in the same vnet which is specified by --vnet-subnet-id (required as well).
-                azure-policy                    - enable Azure policy. The Azure Policy add-on for AKS enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.
+                azure-policy                    - enable Azure policy. The Azure Policy add-on for AKS enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Required if enabling Guardrails
                                                   Learn more at aka.ms/aks/policy.
                 ingress-appgw                   - enable Application Gateway Ingress Controller addon (PREVIEW).
                 confcom                         - enable confcom addon, this will enable SGX device plugin by default(PREVIEW).
@@ -525,6 +525,15 @@
         - name: --node-public-ip-tags
           type: string
           short-summary: The ipTags of the node public IPs.
+        - name: --guardrails-level
+          type: string
+          short-summary: The Guardrails Level. Accepted Values are [Off, Warning]. Requires azure policy addon to be enabled
+        - name: --guardrails-version
+          type: string
+          short-summary: The version of Guardrails to use. Default "v1.0.0" Use the ListGuardrailsVersions API to discover available versions
+        - name: --guardrails-excluded-ns
+          type: string
+          short-summary: Comma-separated list of Kubernetes namespaces to exclude from Guardrails
         - name: --enable-asm --enable-azure-service-mesh
           type: bool
           short-summary: Enable Azure Service Mesh.
@@ -611,6 +620,10 @@
           text: az aks create -g MyResourceGroup -n MyManagedCluster --network-plugin none
         - name: Create a kubernetes cluster with Custom CA Trust enabled.
           text: az aks create -g MyResourceGroup -n MyManagedCluster --enable-custom-ca-trust
+        - name: Create a kubernetes cluster with guardrails set to "Warning"
+          text: az aks create -g MyResourceGroup -n MyManagedCluster --guardrails-level Warning --enable-addons azure-policy
+        - name: Create a kubernetes cluster with guardrails set to "Warning" and some namespaces excluded
+          text: az aks create -g MyResourceGroup -n MyManagedCluster --guardrails-level Warning --guardrails-excluded-ns ns1,ns2 --enable-addons azure-policy
         - name: Create a kubernetes cluster with Azure Service Mesh enabled.
           text: az aks create -g MyResourceGroup -n MyManagedCluster --enable-azure-service-mesh
         - name: Create a kubernetes cluster with Azure Monitor Metrics enabled.
@@ -1000,6 +1013,15 @@
           type: string
           short-summary: Path to a file containing up to 10 blank line separated certificates. Only valid for linux nodes.
           long-summary: These certificates are used by Custom CA Trust features and will be added to trust stores of nodes. Requires Custom CA Trust to be enabled on the node.
+        - name: --guardrails-level
+          type: string
+          short-summary: The Guardrails Level. Accepted Values are [Off, Warning]. Requires azure policy addon to be enabled
+        - name: --guardrails-version
+          type: string
+          short-summary: The version of Guardrails to use. Default "v1.0.0" Use the ListGuardrailsVersions API to discover available versions
+        - name: --guardrails-excluded-ns
+          type: string
+          short-summary: Comma-separated list of Kubernetes namespaces to exclude from Guardrails. Use "" to clear a previously non-empty list
     examples:
       - name: Reconcile the cluster back to its current state.
         text: az aks update -g MyResourceGroup -n MyManagedCluster
@@ -1059,6 +1081,12 @@
         text: az aks update -g MyResourceGroup -n MyManagedCluster --enable-windows-gmsa --gmsa-dns-server "10.240.0.4" --gmsa-root-domain-name "contoso.com"
       - name: Update a existing managed cluster to a managed cluster snapshot.
         text: az aks update -g MyResourceGroup -n MyManagedCluster --cluster-snapshot-id "/subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.ContainerService/managedclustersnapshots/mysnapshot1"
+      - name: Update a kubernetes cluster with guardrails set to "Warning". Assumes azure policy addon is already enabled
+        text: az aks update -g MyResourceGroup -n MyManagedCluster --guardrails-level Warning
+      - name: Update a kubernetes cluster with guardrails set to "Warning" and some namespaces excluded. Assumes azure policy addon is already enabled
+        text: az aks update -g MyResourceGroup -n MyManagedCluster --guardrails-level Warning --guardrails-excluded-ns ns1,ns2
+      - name: Update a kubernetes cluster to clear any namespaces excluded from guardrails. Assumes azure policy addon is already enabled
+        text: az aks update -g MyResourceGroup -n MyManagedCluster --guardrails-excluded-ns ""
 """
 
 helps['aks kollect'] = """

src/aks-preview/azext_aks_preview/_helpers.py

@@ -19,6 +19,10 @@
 
 from azext_aks_preview._client_factory import get_nodepool_snapshots_client, get_mc_snapshots_client
 
+from azure.cli.command_modules.acs._validators import (
+    extract_comma_separated_string,
+)
+
 logger = get_logger(__name__)
 
 # type variables
@@ -282,3 +286,17 @@ def check_is_apiserver_vnet_integration_cluster(mc: ManagedCluster) -> bool:
     if mc and mc.api_server_access_profile:
         return bool(mc.api_server_access_profile.enable_vnet_integration)
     return False
+
+
+def setup_common_guardrails_profile(level, version, excludedNamespaces, mc: ManagedCluster, models) -> ManagedCluster:
+    if (level is not None or version is not None or excludedNamespaces is not None) and mc.guardrails_profile is None:
+        mc.guardrails_profile = models.GuardrailsProfile(
+            level=level,
+            version=version
+        )
+    # replace values with provided values
+    if excludedNamespaces is not None:
+        mc.guardrails_profile.excluded_namespaces = extract_comma_separated_string(
+            excludedNamespaces, enable_strip=True, keep_none=True, default_value=[])
+
+    return mc

src/aks-preview/azext_aks_preview/_params.py

@@ -75,6 +75,11 @@
     CONST_WEEKINDEX_FIRST,
     CONST_WEEKINDEX_FOURTH,
     CONST_WEEKINDEX_LAST,
+    CONST_GUARDRAILSLEVEL_OFF,
+    CONST_GUARDRAILSLEVEL_WARNING,
+    CONST_GUARDRAILSLEVEL_ENFORCEMENT,
+    CONST_AZURE_SERVICE_MESH_INGRESS_MODE_EXTERNAL,
+    CONST_AZURE_SERVICE_MESH_INGRESS_MODE_INTERNAL,
     CONST_WEEKINDEX_SECOND,
     CONST_WEEKINDEX_THIRD,
     CONST_WEEKLY_MAINTENANCE_SCHEDULE,
@@ -230,6 +235,13 @@
 
 keyvault_network_access_types = [CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PUBLIC, CONST_AZURE_KEYVAULT_NETWORK_ACCESS_PRIVATE]
 
+# consts for guardrails level
+guardrails_levels = [
+    CONST_GUARDRAILSLEVEL_OFF,
+    CONST_GUARDRAILSLEVEL_WARNING,
+    CONST_GUARDRAILSLEVEL_ENFORCEMENT
+]
+
 # azure service mesh
 ingress_gateway_types = [
     CONST_AZURE_SERVICE_MESH_INGRESS_MODE_EXTERNAL,
@@ -417,6 +429,10 @@ def load_arguments(self, _):
         c.argument('nodepool_asg_ids', validator=validate_application_security_groups, is_preview=True, help="application security groups for agentpool")
         c.argument('node_public_ip_tags', arg_type=tags_type, validator=validate_node_public_ip_tags,
                    help='space-separated tags: key[=value] [key[=value] ...].')
+        c.argument('guardrails_level', arg_type=get_enum_type(guardrails_levels), is_preview=True)
+        c.argument('guardrails_version', type=str,
+                   help='The guardrails version', is_preview=True)
+        c.argument('guardrails_excluded_ns', type=str, is_preview=True)
         # azure monitor profile
         c.argument('enable_azuremonitormetrics', action='store_true')
         c.argument('azure_monitor_workspace_resource_id', validator=validate_azuremonitorworkspaceresourceid)
@@ -538,6 +554,9 @@ def load_arguments(self, _):
         c.argument('disable_vpa', action='store_true', is_preview=True, help="disable vertical pod autoscaler for cluster")
         c.argument('cluster_snapshot_id', validator=validate_cluster_snapshot_id, is_preview=True)
         c.argument('custom_ca_trust_certificates', options_list=["--custom-ca-trust-certificates", "--ca-certs"], validator=validate_custom_ca_trust_certificates, is_preview=True, help="path to file containing list of new line separated CAs")
+        c.argument('guardrails_level', arg_type=get_enum_type(guardrails_levels), is_preview=True)
+        c.argument('guardrails_version', help='The guardrails version', is_preview=True)
+        c.argument('guardrails_excluded_ns', is_preview=True)
 
     with self.argument_context('aks upgrade') as c:
         c.argument('kubernetes_version', completer=get_k8s_upgrades_completion_list)

src/aks-preview/azext_aks_preview/custom.py

@@ -573,6 +573,10 @@ def aks_create(
     nodepool_allowed_host_ports=None,
     nodepool_asg_ids=None,
     node_public_ip_tags=None,
+    # guardrails parameters
+    guardrails_level=None,
+    guardrails_version=None,
+    guardrails_excluded_ns=None,
     # azure service mesh
     enable_azure_service_mesh=None,
     # azure monitor profile
@@ -736,6 +740,10 @@ def aks_update(
     disable_vpa=False,
     cluster_snapshot_id=None,
     custom_ca_trust_certificates=None,
+    # guardrails parameters
+    guardrails_level=None,
+    guardrails_version=None,
+    guardrails_excluded_ns=None,
 ):
     # DO NOT MOVE: get all the original parameters and save them as a dictionary
     raw_parameters = locals()

src/aks-preview/azext_aks_preview/managed_cluster_decorator.py

@@ -67,6 +67,7 @@
     check_is_private_cluster,
     check_is_apiserver_vnet_integration_cluster,
     get_cluster_snapshot_by_snapshot_id,
+    setup_common_guardrails_profile
 )
 from azext_aks_preview._loadbalancer import create_load_balancer_profile
 from azext_aks_preview._loadbalancer import (
@@ -162,6 +163,15 @@ def external_functions(self) -> SimpleNamespace:
             self.__external_functions = SimpleNamespace(**external_functions)
         return self.__external_functions
 
+    def get_guardrails_level(self) -> Union[str, None]:
+        return self.raw_param.get("guardrails_level")
+
+    def get_guardrails_excluded_namespaces(self) -> Union[str, None]:
+        return self.raw_param.get("guardrails_excluded_ns")
+
+    def get_guardrails_version(self) -> Union[str, None]:
+        return self.raw_param.get("guardrails_version")
+
     # pylint: disable=no-self-use
     def __validate_pod_identity_with_kubenet(self, mc, enable_pod_identity, enable_pod_identity_with_kubenet):
         """Helper function to check the validity of serveral pod identity related parameters.
@@ -2654,6 +2664,14 @@ def set_up_auto_upgrade_profile(self, mc: ManagedCluster) -> ManagedCluster:
             mc.auto_upgrade_profile.node_os_upgrade_channel = node_os_upgrade_channel
         return mc
 
+    def set_up_guardrails_profile(self, mc: ManagedCluster) -> ManagedCluster:
+        excludedNamespaces = self.context.get_guardrails_excluded_namespaces()
+        version = self.context.get_guardrails_version()
+        level = self.context.get_guardrails_level()
+        # provided any value?
+        mc = setup_common_guardrails_profile(level, version, excludedNamespaces, mc, self.models)
+        return mc
+
     def set_up_azure_service_mesh_profile(self, mc: ManagedCluster) -> ManagedCluster:
         """Set up azure service mesh for the ManagedCluster object.
 
@@ -2720,6 +2738,8 @@ def construct_mc_profile_preview(self, bypass_restore_defaults: bool = False) ->
         mc = self.set_up_node_resource_group_profile(mc)
         # set up auto upgrade profile
         mc = self.set_up_auto_upgrade_profile(mc)
+        # set up guardrails profile
+        mc = self.set_up_guardrails_profile(mc)
         # set up azure service mesh profile
         mc = self.set_up_azure_service_mesh_profile(mc)
         # set up azure monitor profile
@@ -3436,6 +3456,26 @@ def update_auto_upgrade_profile(self, mc: ManagedCluster) -> ManagedCluster:
             mc.auto_upgrade_profile.node_os_upgrade_channel = node_os_upgrade_channel
         return mc
 
+    def update_guardrails_profile(self, mc: ManagedCluster) -> ManagedCluster:
+        """Update guardrails profile for the ManagedCluster object
+        :return: the ManagedCluster object
+        """
+
+        self._ensure_mc(mc)
+
+        excludedNamespaces = self.context.get_guardrails_excluded_namespaces()
+        version = self.context.get_guardrails_version()
+        level = self.context.get_guardrails_level()
+
+        mc = setup_common_guardrails_profile(level, version, excludedNamespaces, mc, self.models)
+
+        if level is not None:
+            mc.guardrails_profile.level = level
+        if version is not None:
+            mc.guardrails_profile.version = version
+
+        return mc
+
     def update_azure_service_mesh_profile(self, mc: ManagedCluster) -> ManagedCluster:
         """Update azure service mesh profile for the ManagedCluster object.
         """
@@ -3561,6 +3601,8 @@ def update_mc_profile_preview(self) -> ManagedCluster:
         mc = self.update_node_resource_group_profile(mc)
         # update auto upgrade profile
         mc = self.update_auto_upgrade_profile(mc)
+        # update guardrails_profile
+        mc = self.update_guardrails_profile(mc)
         # update auto upgrade profile
         mc = self.update_upgrade_settings(mc)