diff --git a/src/command_modules/azure-cli-acs/HISTORY.rst b/src/command_modules/azure-cli-acs/HISTORY.rst index 874f0208831..9235f61cf88 100644 --- a/src/command_modules/azure-cli-acs/HISTORY.rst +++ b/src/command_modules/azure-cli-acs/HISTORY.rst @@ -4,11 +4,13 @@ Release History =============== 2.1.2 -++++++ ++++++ +* Breaking change: Enable Kubernetes role-based access control by default. +* Add a `--disable-rbac` argument and deprecate `--enable-rbac` since it's the default now. * Updated options for `az aks browse` command. Added `--listen-port` support. 2.1.1 -++++++ ++++++ * Updated options of `az aks use-dev-spaces` command. Added `--update` support. * `az aks get-credentials --admin` won't replace the user context in $HOME/.kube/config * expose read-only "nodeResourceGroup" property on managed clusters diff --git a/src/command_modules/azure-cli-acs/azure/cli/command_modules/acs/_help.py b/src/command_modules/azure-cli-acs/azure/cli/command_modules/acs/_help.py index 220e5750eab..355d5f5dac6 100644 --- a/src/command_modules/azure-cli-acs/azure/cli/command_modules/acs/_help.py +++ b/src/command_modules/azure-cli-acs/azure/cli/command_modules/acs/_help.py @@ -212,9 +212,12 @@ These addons are available: http_application_routing - configure ingress with automatic public DNS name creation. monitoring - turn on Log Analytics monitoring. Requires "--workspace-resource-id". + - name: --disable-rbac + type: bool + short-summary: Disable Kubernetes Role-Based Access Control. - name: --enable-rbac -r - type: string - short-summary: Enable Kubernetes Role-Based Access Control. + type: bool + short-summary: "[DEPRECATED: RBAC is on by default. Use --disable-rbac to disable it.] Enable Kubernetes Role-Based Access Control." - name: --max-pods -m type: int short-summary: The maximum number of pods deployable to a node. 
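Review bot: In the `_help.py` hunk, the new `--disable-rbac` entry says only `Disable Kubernetes Role-Based Access Control.` and gives no hint of what is lost by opting out. Because this commit makes RBAC the default, the help text is where a user deciding to switch it off should learn the consequence. I would add a `long-summary` to that entry saying that without RBAC the cluster does not restrict API access per user or service account, and, if it holds for this service (to my knowledge it does for AKS), that the choice cannot be changed after the cluster is created. The enclosing help entry starts and ends outside the hunk.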
diff --git a/src/command_modules/azure-cli-acs/azure/cli/command_modules/acs/_params.py b/src/command_modules/azure-cli-acs/azure/cli/command_modules/acs/_params.py index d51801cdad0..eda2d39c4c5 100644 --- a/src/command_modules/azure-cli-acs/azure/cli/command_modules/acs/_params.py +++ b/src/command_modules/azure-cli-acs/azure/cli/command_modules/acs/_params.py @@ -163,7 +163,8 @@ def load_arguments(self, _): c.argument('dns_service_ip') c.argument('docker_bridge_address') c.argument('enable_addons', options_list=['--enable-addons', '-a']) - c.argument('enable_rbac', options_list=['--enable-rbac', '-r']) + c.argument('disable_rbac', action='store_true') + c.argument('enable_rbac', action='store_true', options_list=['--enable-rbac', '-r']) c.argument('max_pods', type=int, options_list=['--max-pods', '-m']) c.argument('network_plugin') c.argument('no_ssh_key', options_list=['--no-ssh-key', '-x']) diff --git a/src/command_modules/azure-cli-acs/azure/cli/command_modules/acs/custom.py b/src/command_modules/azure-cli-acs/azure/cli/command_modules/acs/custom.py index 1764b43be39..850fd804706 100644 --- a/src/command_modules/azure-cli-acs/azure/cli/command_modules/acs/custom.py +++ b/src/command_modules/azure-cli-acs/azure/cli/command_modules/acs/custom.py @@ -1331,7 +1331,8 @@ def aks_create(cmd, client, resource_group_name, name, ssh_key_value, # pylint: node_count=3, service_principal=None, client_secret=None, no_ssh_key=False, - enable_rbac=False, + disable_rbac=None, + enable_rbac=None, network_plugin=None, pod_cidr=None, service_cidr=None, 
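Review bot: In the `aks_create` signature hunk of `custom.py`, `enable_rbac` stays a parameter, but judging from the second `custom.py` hunk its value is now read only by the conflict check and never reaches `ManagedCluster`. A comment above the parameter, such as `# enable_rbac is deprecated: RBAC is on by default; kept so scripts passing --enable-rbac still parse`, would tell the next maintainer why it remains. The new `None` defaults also sit next to `no_ssh_key=False`, although both flags are registered with `action='store_true'` in `_params.py`; if `None` is deliberate, the same comment can say so. The rest of the signature and the body lie outside the hunk, so other uses of `enable_rbac` cannot be ruled out from here.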
@@ -1434,11 +1435,15 @@ def aks_create(cmd, client, resource_group_name, name, ssh_key_value, # pylint: tenant_id=aad_tenant_id ) + # Check that both --disable-rbac and --enable-rbac weren't provided + if all([disable_rbac, enable_rbac]): + raise CLIError('specify either "--disable-rbac" or "--enable-rbac", not both.') + mc = ManagedCluster( location=location, tags=tags, dns_prefix=dns_name_prefix, kubernetes_version=kubernetes_version, - enable_rbac=enable_rbac, + enable_rbac=False if disable_rbac else True, agent_pool_profiles=[agent_pool_profile], linux_profile=linux_profile, service_principal_profile=service_principal_profile,
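Review bot: Passing `--disable-rbac` now switches off a security control that is on by default, yet the new code before the `ManagedCluster(...)` call does so with no runtime signal, and the deprecated `--enable-rbac` is likewise accepted silently. Assuming the module has a logger in scope (not visible in this hunk), a line such as `logger.warning('--enable-rbac is deprecated; RBAC is enabled by default')` after the conflict check, plus a similar warning when `disable_rbac` is set, would leave a record in CI and operator logs. As a style point, `enable_rbac=False if disable_rbac else True` reads more directly as `enable_rbac=not disable_rbac`, and `all([disable_rbac, enable_rbac])` as `disable_rbac and enable_rbac`. `aks_create` begins and ends outside the hunk.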