5 changes: 5 additions & 0 deletions src/azure-cli/azure/cli/command_modules/acs/_help.py
Expand Up @@ -331,6 +331,9 @@
- name: --api-server-authorized-ip-ranges
type: string
short-summary: Comma seperated list of authorized apiserver IP ranges. Set to 0.0.0.0/32 to restrict apiserver traffic to node pools.
- name: --enable-managed-identity
type: bool
short-summary: Using a system assigned managed identity to manage cluster resource group.
examples:
- name: Create a Kubernetes cluster with an existing SSH public key.
text: az aks create -g MyResourceGroup -n MyManagedCluster --ssh-key-value /path/to/publickey
Expand All @@ -354,6 +357,8 @@
text: az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku basic --vm-set-type AvailabilitySet
- name: Create a kubernetes cluster with authorized apiserver IP ranges.
text: az aks create -g MyResourceGroup -n MyManagedCluster --api-server-authorized-ip-ranges 193.168.1.0/24,194.168.1.0/24,195.168.1.0
- name: Create a kubernetes cluster which enables managed identity.
text: az aks create -g MyResourceGroup -n MyManagedCluster --enable-managed-identity
"""

helps['aks update'] = """
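Review bot: The new `--enable-managed-identity` short-summary is a sentence fragment and says only that the identity will "manage cluster resource group", which leaves the operator guessing what the identity is used for. I would write it in the imperative like the other entries, `short-summary: Use a system-assigned managed identity to manage the cluster resource group.`, and add a `long-summary` line saying how the flag relates to the service principal options. The `aks create` help string starts outside this hunk, so the suggestion is based on the visible entries only.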
1 change: 1 addition & 0 deletions src/azure-cli/azure/cli/command_modules/acs/_params.py
Expand Up @@ -200,6 +200,7 @@ def load_arguments(self, _):
c.argument('attach_acr', acr_arg_type)
c.argument('enable_private_cluster', action='store_true')
c.argument('nodepool_tags', nargs='*', validator=validate_nodepool_tags, help='space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.')
c.argument('enable_managed_identity', action='store_true')
c.argument('nodepool_labels', nargs='*', validator=validate_nodepool_labels, help='space-separated labels: key[=value] [key[=value] ...]. You can not change the node labels through CLI after creation. See https://aka.ms/node-labels for syntax of labels.')

with self.argument_context('aks update') as c:
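Review bot: `c.argument('enable_managed_identity', action='store_true')` is inserted between `nodepool_tags` and `nodepool_labels`, which splits the two node-pool arguments. Placing it directly after `c.argument('enable_private_cluster', action='store_true')` would keep the boolean cluster flags together and the node-pool options adjacent. `load_arguments` starts outside this hunk.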
10 changes: 9 additions & 1 deletion src/azure-cli/azure/cli/command_modules/acs/custom.py
Expand Up @@ -64,6 +64,7 @@
from azure.mgmt.containerservice.v2019_11_01.models import ManagedClusterAADProfile
from azure.mgmt.containerservice.v2019_11_01.models import ManagedClusterAddonProfile
from azure.mgmt.containerservice.v2019_11_01.models import ManagedClusterAgentPoolProfile
from azure.mgmt.containerservice.v2019_11_01.models import ManagedClusterIdentity
from azure.mgmt.containerservice.v2019_11_01.models import AgentPool

from azure.mgmt.containerservice.v2019_09_30_preview.models import OpenShiftManagedClusterAgentPoolProfile
Expand Down Expand Up @@ -1682,6 +1683,7 @@ def aks_create(cmd, client, resource_group_name, name, ssh_key_value, # pylint:
generate_ssh_keys=False, # pylint: disable=unused-argument
api_server_authorized_ip_ranges=None,
enable_private_cluster=False,
enable_managed_identity=False,
attach_acr=None,
no_wait=False):
_validate_ssh_key(no_ssh_key, ssh_key_value)
Expand Down Expand Up @@ -1817,6 +1819,11 @@ def aks_create(cmd, client, resource_group_name, name, ssh_key_value, # pylint:
if all([disable_rbac, enable_rbac]):
raise CLIError('specify either "--disable-rbac" or "--enable-rbac", not both.')

identity = None
if enable_managed_identity:
identity = ManagedClusterIdentity(
type="SystemAssigned"
)
mc = ManagedCluster(
location=location,
tags=tags,
Expand All @@ -1829,7 +1836,8 @@ def aks_create(cmd, client, resource_group_name, name, ssh_key_value, # pylint:
network_profile=network_profile,
addon_profiles=addon_profiles,
aad_profile=aad_profile,
api_server_access_profile=api_server_access_profile
api_server_access_profile=api_server_access_profile,
identity=identity
)

# Due to SPN replication latency, we do a few retries here
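Review bot: Nothing in the `aks_create` hunks changes the service principal handling when `enable_managed_identity` is set. The new block only builds `ManagedClusterIdentity(type="SystemAssigned")` and passes it as `identity=identity`, and the unchanged `# Due to SPN replication latency` comment right after the constructor suggests the service principal path still runs. If that is the case, a cluster created with `--enable-managed-identity` still carries a service principal and its client secret next to the managed identity, so the long-lived credential has to be tracked and rotated as before. Once this is confirmed against the rest of the function, I would state it above the block, e.g. `# The managed identity is added alongside the service principal profile; the SP is still required here.` `aks_create` starts and ends outside these hunks, so this is inferred from the visible context only.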