AzureArcForKubernetes · vineeth-thumma · Sep 29, 2025 · Mar 18, 2025 · Mar 25, 2025 · Apr 10, 2025
@@ -2,6 +2,12 @@
 
 Release History
 ===============
+1.10.10
++++++
+* Deprecated '--app-id' and '--app-secret' RBAC parameters from the extension by adding them to _breaking_change.py.
+* Bug fix for https://github.com/Azure/azure-cli-extensions/issues/8498.
+* Update warning to use the latest kubelogin version which has support for generating PoP token.
+
 1.10.9
 ++++++
 * Added support for associating and disassociating gateways in CLI and updated SDK version to '2025-08-01-preview'.
@@ -78,7 +84,7 @@ Release History
 ++++++
 * New api version 2024-07-1-preview added
 * Adding functionality for workload identity feature.
-* Cluster create and update waits for agent state 
+* Cluster create and update waits for agent state
 
 1.7.3
 ++++++

@@ -0,0 +1,8 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+from azure.cli.core.breaking_change import register_argument_deprecate
+
+register_argument_deprecate("connectedk8s enable-features", "--app-id")
+register_argument_deprecate("connectedk8s enable-features", "--app-secret")
@@ -1056,10 +1056,10 @@ def arm_exception_handler(
         status_code = ex.status_code
         if status_code == 404 and return_if_not_found:
             return
-        if status_code is not None and status_code // 100 == 4:
+        if status_code and status_code // 100 == 4:
             telemetry.set_user_fault()
         telemetry.set_exception(exception=ex, fault_type=fault_type, summary=summary)
-        if status_code is not None and status_code // 100 == 5:
+        if status_code and status_code // 100 == 5:
             raise AzureInternalError(
                 "Http response error occured while making ARM request: "
                 + str(ex)

@@ -2993,6 +2993,10 @@ def enable_features(
         utils.check_features_to_update(features)
     )
 
+    # Initialize these variables to ensure they are always defined, preventing UnboundLocalError if only a subset of features is enabled.
+    final_enable_cl = False
+    custom_locations_oid = None
+
     # Check if cluster is private link enabled
     connected_cluster = client.get(resource_group_name, cluster_name)
 
@@ -3152,8 +3156,9 @@ def enable_features(
         #  apps for authN/authZ.
         cmd_helm_upgrade.extend(["--set", "systemDefaultValues.guard.authnMode=arc"])
         logger.warning(
-            "Please use the kubelogin version v0.0.32 or higher which has support for generating PoP token(s). "
-            "This is needed by guard running in 'arc' authN mode."
+            "[Azure RBAC] For secure authentication, ensure you have the latest kubelogin installed which supports PoP tokens. "
+            "This is required for Azure RBAC. Download or upgrade at: https://github.com/Azure/kubelogin/releases. "
+            "If you encounter authentication errors, please verify your kubelogin version and refer to the documentation: https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/azure-rbac"
         )
         cmd_helm_upgrade.extend(
             [

@@ -13,7 +13,7 @@
 # TODO: Confirm this is the right version number you want and it matches your
 # HISTORY.rst entry.
 
-VERSION = "1.10.9"
+VERSION = "1.10.10"
 
 # The full list of classifiers is available at
 # https://pypi.python.org/pypi?%3Aaction=list_classifiers

diff --git a/testing/pipeline/k8s-custom-pipelines.yml b/testing/pipeline/k8s-custom-pipelines.yml
@@ -28,6 +28,10 @@ stages:
     parameters:
       jobName: BasicOnboardingTest
       path: ./test/configurations/BasicOnboarding.Tests.ps1
+  - template: ./templates/run-test.yml
+    parameters:
+      jobName: EnableDisableFeaturesTest
+      path: ./test/configurations/EnableDisableFeatures.Tests.ps1
   - template: ./templates/run-test.yml
     parameters:
       jobName: AutoUpdateTest
@@ -177,13 +181,12 @@ stages:
           pip install pytest
           cd /home/vsts/work/1/s/src/connectedk8s/azext_connectedk8s/tests/unittests
           pytest --junitxml=test-results.xml
-
         displayName: 'Run UnitTests test'
       - task: PublishTestResults@2
         inputs:
           testResultsFormat: 'JUnit'
           testResultsFiles: '**/test-results.xml'
-          failTaskOnFailedTests: true        
+          failTaskOnFailedTests: true
   - job: SourceTests
     displayName: "Integration Tests, Build Tests"
     pool:

diff --git a/testing/pipeline/templates/run-test.yml b/testing/pipeline/templates/run-test.yml
@@ -41,7 +41,7 @@ jobs:
       azdev extension build $(EXTENSION_NAME)
     workingDirectory: $(CLI_REPO_PATH)
     displayName: "Setup and Build Extension with azdev"
-      
+
   - bash: |
       K8S_CONFIG_VERSION=$(ls ${EXTENSION_FILE_NAME}* | cut -d "-" -f2)
       echo "##vso[task.setvariable variable=K8S_CONFIG_VERSION]$K8S_CONFIG_VERSION"
@@ -60,7 +60,7 @@ jobs:
                         --arg AKS_CLUSTER_NAME "$AKS_CLUSTER_NAME" \
                         --arg ARC_CLUSTER_NAME "$ARC_CLUSTER_NAME" \
                         --arg K8S_CONFIG_VERSION "$K8S_CONFIG_VERSION" \
-                        '{subscriptionId: $SUB_ID, resourceGroup: $RG, aksClusterName: $AKS_CLUSTER_NAME, arcClusterName: $ARC_CLUSTER_NAME, extensionVersion: {"connectedk8s": $K8S_CONFIG_VERSION}}')
+                        '{subscriptionId: $SUB_ID, resourceGroup: $RG, aksClusterName: $AKS_CLUSTER_NAME, arcClusterName: $ARC_CLUSTER_NAME, extensionVersion: {"connectedk8s": $K8S_CONFIG_VERSION}, customLocationsOid: "51dfe1e8-70c6-4de5-a08e-e18aff23d815"}')
         echo $JSON_STRING > settings.json
         cat settings.json
     workingDirectory: $(TEST_PATH)
@@ -74,7 +74,6 @@ jobs:
       chmod +x ./kind
       ./kind create cluster
     displayName: "Create and Start the Kind cluster"
-
   - bash: |
       curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
     displayName: "Upgrade az to latest version"
@@ -94,7 +93,6 @@ jobs:
       inlineScript: |
         .\Bootstrap.ps1 -CI
       workingDirectory: $(TEST_PATH)
-
   - task: AzureCLI@2
     displayName: Run the Test Suite for ${{ parameters.path }}
     inputs:

diff --git a/testing/test/configurations/BasicOnboarding.Tests.ps1 b/testing/test/configurations/BasicOnboarding.Tests.ps1
@@ -10,7 +10,7 @@ Describe 'Basic Onboarding Scenario' {
 
         # Loop and retry until the configuration installs
         $n = 0
-        do 
+        do
         {
             $output = az connectedk8s show -n $ENVCONFIG.arcClusterName -g $ENVCONFIG.resourceGroup
             $jsonOutput = [System.Text.Json.JsonDocument]::Parse($output)
@@ -34,7 +34,7 @@ Describe 'Basic Onboarding Scenario' {
 
         # Loop and retry until the configuration installs
         $n = 0
-        do 
+        do
         {
             $output = az connectedk8s show -n $ENVCONFIG.arcClusterName -g $ENVCONFIG.resourceGroup
             $jsonOutput = [System.Text.Json.JsonDocument]::Parse($output)

diff --git a/testing/test/configurations/EnableDisableFeatures.Tests.ps1 b/testing/test/configurations/EnableDisableFeatures.Tests.ps1
@@ -0,0 +1,111 @@
+Describe 'ConnectedK8s Enable Disable Features Scenario' {
+    BeforeAll {
+        . $PSScriptRoot/../helper/Constants.ps1
+
+        function Invoke-AzCommand {
+            param (
+                [string]$Command
+            )
+            Write-Host "Executing: $Command" -ForegroundColor Yellow
+            $result = Invoke-Expression $Command
+            return $result
+        }
+
+        function Wait-ForProvisioning {
+            param (
+                [string]$expectedProvisioningState,
+                [string]$expectedAutoUpdate
+            )
+            $n = 0
+            do {
+                $output = Invoke-AzCommand "az connectedk8s show -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup)"
+                $jsonOutput = [System.Text.Json.JsonDocument]::Parse($output)
+                $provisioningState = ($output | ConvertFrom-Json).provisioningState
+                $autoUpdate = $jsonOutput.RootElement.GetProperty("arcAgentProfile").GetProperty("agentAutoUpgrade").GetString()
+                Write-Host "Provisioning State: $provisioningState"
+                Write-Host "Auto Update: $autoUpdate"
+                if ($provisioningState -eq $expectedProvisioningState -and $autoUpdate -eq $expectedAutoUpdate) {
+                    break
+                }
+                Start-Sleep -Seconds 10
+                $n += 1
+            } while ($n -le $MAX_RETRY_ATTEMPTS)
+            $n | Should -BeLessOrEqual $MAX_RETRY_ATTEMPTS
+        }
+    }
+
+    It 'Onboard Connected cluster with no features enabled' {
+        Invoke-AzCommand "az connectedk8s connect -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) -l $ARC_LOCATION --no-wait"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It 'Enable azure-rbac feature' {
+        Invoke-AzCommand "az connectedk8s enable-features -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --features azure-rbac"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It 'Disable azure-rbac feature' {
+        Invoke-AzCommand "az connectedk8s disable-features -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --features azure-rbac --yes"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It 'Enable cluster-connect feature' {
+        Invoke-AzCommand "az connectedk8s enable-features -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --features cluster-connect"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It 'Disable cluster-connect feature' {
+        Invoke-AzCommand "az connectedk8s disable-features -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --features cluster-connect --yes"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It 'Enable custom-locations feature' {
+        Invoke-AzCommand "az connectedk8s enable-features -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --features custom-locations --custom-locations-oid $($ENVCONFIG.customLocationsOid)"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It 'Disable custom-locations feature' {
+        Invoke-AzCommand "az connectedk8s disable-features -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --features custom-locations --yes"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It 'Enable all features (cluster-connect, custom-locations, azure-rbac) together' {
+        Invoke-AzCommand "az connectedk8s enable-features -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --features cluster-connect custom-locations azure-rbac --custom-locations-oid $($ENVCONFIG.customLocationsOid)"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It 'Disable all features (cluster-connect, custom-locations, azure-rbac) together' {
+        Invoke-AzCommand "az connectedk8s disable-features -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) --features cluster-connect custom-locations azure-rbac --yes"
+        $? | Should -BeTrue
+        Start-Sleep -Seconds 10
+        Wait-ForProvisioning -expectedProvisioningState $SUCCEEDED -expectedAutoUpdate "Enabled"
+    }
+
+    It "Delete the connected instance" {
+        Invoke-AzCommand "az connectedk8s delete -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup) -y"
+        $? | Should -BeTrue
+
+        # Wait for deletion to propagate through the resource model
+        Start-Sleep -Seconds 30
+
+        # Configuration should be removed from the resource model - expect ResourceNotFound error
+        $output = Invoke-AzCommand "az connectedk8s show -n $($ENVCONFIG.arcClusterName) -g $($ENVCONFIG.resourceGroup)" 2>&1
+        $output | Should -Match "ResourceNotFound"
+    }
+}
diff --git a/testing/test/configurations/Gateway.Tests.ps1 b/testing/test/configurations/Gateway.Tests.ps1
@@ -12,7 +12,7 @@ Describe 'Onboarding with Gateway Scenario' {
 
         # Loop and retry until the configuration installs
         $n = 0
-        do 
+        do
         {
             $output = az connectedk8s show -n $ENVCONFIG.arcClusterName -g $ENVCONFIG.resourceGroup
             $jsonOutput = [System.Text.Json.JsonDocument]::Parse($output)
@@ -36,12 +36,12 @@ Describe 'Onboarding with Gateway Scenario' {
 
         # Loop and retry until the configuration installs
         $n = 0
-        do 
+        do
         {
             $output = az connectedk8s show -n $ENVCONFIG.arcClusterName -g $ENVCONFIG.resourceGroup
             $jsonOutput = [System.Text.Json.JsonDocument]::Parse($output)
             $provisioningState = ($output | ConvertFrom-Json).provisioningState
-            $gatewayStatus = $jsonOutput.RootElement.GetProperty("gateway").GetProperty("enabled").GetBoolean() 
+            $gatewayStatus = $jsonOutput.RootElement.GetProperty("gateway").GetProperty("enabled").GetBoolean()
             Write-Host "Provisioning State: $provisioningState"
             Write-Host "Gateway Status: $gatewayStatus"
             if ($provisioningState -eq $SUCCEEDED -and $gatewayStatus -eq $false) {
@@ -60,7 +60,7 @@ Describe 'Onboarding with Gateway Scenario' {
 
         # Loop and retry until the configuration installs
         $n = 0
-        do 
+        do
         {
             $output = az connectedk8s show -n $ENVCONFIG.arcClusterName -g $ENVCONFIG.resourceGroup
             $jsonOutput = [System.Text.Json.JsonDocument]::Parse($output)
@@ -84,12 +84,12 @@ Describe 'Onboarding with Gateway Scenario' {
 
         # Loop and retry until the configuration installs
         $n = 0
-        do 
+        do
         {
             $output = az connectedk8s show -n $ENVCONFIG.arcClusterName -g $ENVCONFIG.resourceGroup
             $jsonOutput = [System.Text.Json.JsonDocument]::Parse($output)
             $provisioningState = ($output | ConvertFrom-Json).provisioningState
-            $gatewayStatus = $jsonOutput.RootElement.GetProperty("gateway").GetProperty("enabled").GetBoolean() 
+            $gatewayStatus = $jsonOutput.RootElement.GetProperty("gateway").GetProperty("enabled").GetBoolean()
             Write-Host "Provisioning State: $provisioningState"
             Write-Host "Gateway Status: $gatewayStatus"
             if ($provisioningState -eq $SUCCEEDED -and $gatewayStatus -eq $false) {