[AKS] default RBAC to true and deprecate "--enable-rbac" argument

src/command_modules/azure-cli-acs/HISTORY.rst

@@ -4,11 +4,13 @@ Release History
 ===============
 
 2.1.2
-++++++
++++++
+* Breaking change: Enable Kubernetes role-based access control by default.
+* Add a `--disable-rbac` argument and deprecate `--enable-rbac` since it's the default now.
 * Updated options for `az aks browse` command. Added `--listen-port` support.
 
 2.1.1
-++++++
++++++
 * Updated options of `az aks use-dev-spaces` command. Added `--update` support.
 * `az aks get-credentials --admin` won't replace the user context in $HOME/.kube/config
 * expose read-only "nodeResourceGroup" property on managed clusters

src/command_modules/azure-cli-acs/azure/cli/command_modules/acs/_help.py

@@ -212,9 +212,12 @@
             These addons are available:
                 http_application_routing - configure ingress with automatic public DNS name creation.
                 monitoring - turn on Log Analytics monitoring. Requires "--workspace-resource-id".
+        - name: --disable-rbac
+          type: bool
+          short-summary: Disable Kubernetes Role-Based Access Control.
         - name: --enable-rbac -r
-          type: string
-          short-summary: Enable Kubernetes Role-Based Access Control.
+          type: bool
+          short-summary: "[DEPRECATED: RBAC is on by default. Use --disable-rbac to disable it.] Enable Kubernetes Role-Based Access Control."
         - name: --max-pods -m
           type: int
           short-summary: The maximum number of pods deployable to a node.

src/command_modules/azure-cli-acs/azure/cli/command_modules/acs/_params.py

@@ -163,7 +163,8 @@ def load_arguments(self, _):
         c.argument('dns_service_ip')
         c.argument('docker_bridge_address')
         c.argument('enable_addons', options_list=['--enable-addons', '-a'])
-        c.argument('enable_rbac', options_list=['--enable-rbac', '-r'])
+        c.argument('disable_rbac', action='store_true')
+        c.argument('enable_rbac', action='store_true', options_list=['--enable-rbac', '-r'])
         c.argument('max_pods', type=int, options_list=['--max-pods', '-m'])
         c.argument('network_plugin')
         c.argument('no_ssh_key', options_list=['--no-ssh-key', '-x'])

src/command_modules/azure-cli-acs/azure/cli/command_modules/acs/custom.py

@@ -1331,7 +1331,8 @@ def aks_create(cmd, client, resource_group_name, name, ssh_key_value,  # pylint:
                node_count=3,
                service_principal=None, client_secret=None,
                no_ssh_key=False,
-               enable_rbac=False,
+               disable_rbac=None,
+               enable_rbac=None,
                network_plugin=None,
                pod_cidr=None,
                service_cidr=None,
@@ -1434,11 +1435,15 @@ def aks_create(cmd, client, resource_group_name, name, ssh_key_value,  # pylint:
             tenant_id=aad_tenant_id
         )
 
+    # Check that both --disable-rbac and --enable-rbac weren't provided
+    if all([disable_rbac, enable_rbac]):
+        raise CLIError('specify either "--disable-rbac" or "--enable-rbac", not both.')
+
     mc = ManagedCluster(
         location=location, tags=tags,
         dns_prefix=dns_name_prefix,
         kubernetes_version=kubernetes_version,
-        enable_rbac=enable_rbac,
+        enable_rbac=False if disable_rbac else True,
         agent_pool_profiles=[agent_pool_profile],
         linux_profile=linux_profile,
         service_principal_profile=service_principal_profile,