[AKS] Remove --enable-pod-security-policy as it's deprecated

Author: bingosummer

linter_exclusions.yml

@@ -37,9 +37,6 @@ aks create:
     node_public_ip_prefix_id:
       rule_exclusions:
         - option_length_too_long
-    enable_pod_security_policy:
-      rule_exclusions:
-      - option_length_too_long
     enable_private_cluster:
       rule_exclusions:
       - option_length_too_long
@@ -138,9 +135,6 @@ aks update:
     disable_pod_security_policy:
       rule_exclusions:
       - option_length_too_long
-    enable_pod_security_policy:
-      rule_exclusions:
-      - option_length_too_long
     load_balancer_idle_timeout:
       rule_exclusions:
       - option_length_too_long

src/aks-preview/HISTORY.rst

@@ -12,6 +12,10 @@ To release a new version, please select a new version number (usually plus 1 to
 Pending
 +++++++
 
+18.0.0b1
++++++++
+* [BREAKING CHANGE] Remove "--enable-pod-security-policy" as it's deprecated.
+
 17.0.0b2
 ++++++++
 * Add option `--migrate-vmas-to-vms` to `az aks update`

src/aks-preview/azext_aks_preview/_help.py

@@ -304,10 +304,6 @@
         - name: --vm-set-type
           type: string
           short-summary: Agent pool vm set type. VirtualMachineScaleSets, AvailabilitySet or VirtualMachines(Preview).
-        - name: --enable-pod-security-policy
-          type: bool
-          short-summary: Enable pod security policy.
-          long-summary: --enable-pod-security-policy is deprecated. See https://aka.ms/aks/psp for details.
         - name: --node-resource-group
           type: string
           short-summary: The node resource group is the resource group where all customer's resources will be created in, such as virtual machines.
@@ -864,10 +860,6 @@
           type: string
           short-summary: How outbound traffic will be configured for a cluster.
           long-summary: This option will change the way how the outbound connections are managed in the AKS cluster. Available options are loadbalancer, managedNATGateway, userAssignedNATGateway, userDefinedRouting, none and block. For custom vnet, loadbalancer, userAssignedNATGateway and userDefinedRouting are supported. For aks managed vnet, loadbalancer, managedNATGateway and userDefinedRouting are supported.
-        - name: --enable-pod-security-policy
-          type: bool
-          short-summary: Enable pod security policy.
-          long-summary: --enable-pod-security-policy is deprecated. See https://aka.ms/aks/psp for details.
         - name: --disable-pod-security-policy
           type: bool
           short-summary: Disable pod security policy

src/aks-preview/azext_aks_preview/_params.py

@@ -767,13 +767,6 @@ def load_arguments(self, _):
         c.argument("pod_cidrs")
         c.argument("service_cidrs")
         c.argument("load_balancer_managed_outbound_ipv6_count", type=int)
-        c.argument(
-            "enable_pod_security_policy",
-            action="store_true",
-            deprecate_info=c.deprecate(
-                target="--enable-pod-security-policy", hide=True
-            ),
-        )
         c.argument("enable_pod_identity", action="store_true")
         c.argument("enable_pod_identity_with_kubenet", action="store_true")
         c.argument("enable_workload_identity", action="store_true")
@@ -1196,13 +1189,6 @@ def load_arguments(self, _):
         )
         c.argument("load_balancer_managed_outbound_ipv6_count", type=int)
         c.argument("outbound_type", arg_type=get_enum_type(outbound_types))
-        c.argument(
-            "enable_pod_security_policy",
-            action="store_true",
-            deprecate_info=c.deprecate(
-                target="--enable-pod-security-policy", hide=True
-            ),
-        )
         c.argument("disable_pod_security_policy", action="store_true", is_preview=True)
         c.argument("enable_pod_identity", action="store_true")
         c.argument("enable_pod_identity_with_kubenet", action="store_true")

src/aks-preview/azext_aks_preview/custom.py

@@ -478,7 +478,6 @@ def aks_create(
     pod_cidrs=None,
     service_cidrs=None,
     load_balancer_managed_outbound_ipv6_count=None,
-    enable_pod_security_policy=False,
     enable_pod_identity=False,
     enable_pod_identity_with_kubenet=False,
     enable_workload_identity=False,
@@ -686,7 +685,6 @@ def aks_update(
     network_dataplane=None,
     ip_families=None,
     pod_cidr=None,
-    enable_pod_security_policy=False,
     disable_pod_security_policy=False,
     enable_pod_identity=False,
     enable_pod_identity_with_kubenet=False,

src/aks-preview/azext_aks_preview/managed_cluster_decorator.py

@@ -986,75 +986,23 @@ def get_force_upgrade(self) -> Union[bool, None]:
             return not disable_force_upgrade
         return None
 
-    def _get_enable_pod_security_policy(self, enable_validation: bool = False) -> bool:
-        """Internal function to obtain the value of enable_pod_security_policy.
-
-        This function supports the option of enable_validation. When enabled, if both enable_pod_security_policy and
-        disable_pod_security_policy are specified, raise a MutuallyExclusiveArgumentError.
-
-        :return: bool
-        """
-        # read the original value passed by the command
-        enable_pod_security_policy = self.raw_param.get("enable_pod_security_policy")
-        # In create mode, try to read the property value corresponding to the parameter from the `mc` object.
-        if self.decorator_mode == DecoratorMode.CREATE:
-            if (
-                self.mc and
-                self.mc.enable_pod_security_policy is not None
-            ):
-                enable_pod_security_policy = self.mc.enable_pod_security_policy
-
-        # this parameter does not need dynamic completion
-        # validation
-        if enable_validation:
-            if enable_pod_security_policy and self._get_disable_pod_security_policy(enable_validation=False):
-                raise MutuallyExclusiveArgumentError(
-                    "Cannot specify --enable-pod-security-policy and "
-                    "--disable-pod-security-policy at the same time."
-                )
-        return enable_pod_security_policy
-
-    def get_enable_pod_security_policy(self) -> bool:
-        """Obtain the value of enable_pod_security_policy.
-
-        This function will verify the parameter by default. If both enable_pod_security_policy and
-        disable_pod_security_policy are specified, raise a MutuallyExclusiveArgumentError.
-
-        :return: bool
-        """
-        return self._get_enable_pod_security_policy(enable_validation=True)
-
-    def _get_disable_pod_security_policy(self, enable_validation: bool = False) -> bool:
+    def _get_disable_pod_security_policy(self) -> bool:
         """Internal function to obtain the value of disable_pod_security_policy.
 
-        This function supports the option of enable_validation. When enabled, if both enable_pod_security_policy and
-        disable_pod_security_policy are specified, raise a MutuallyExclusiveArgumentError.
-
         :return: bool
         """
         # read the original value passed by the command
         disable_pod_security_policy = self.raw_param.get("disable_pod_security_policy")
         # We do not support this option in create mode, therefore we do not read the value from `mc`.
 
-        # this parameter does not need dynamic completion
-        # validation
-        if enable_validation:
-            if disable_pod_security_policy and self._get_enable_pod_security_policy(enable_validation=False):
-                raise MutuallyExclusiveArgumentError(
-                    "Cannot specify --enable-pod-security-policy and "
-                    "--disable-pod-security-policy at the same time."
-                )
         return disable_pod_security_policy
 
     def get_disable_pod_security_policy(self) -> bool:
         """Obtain the value of disable_pod_security_policy.
 
-        This function will verify the parameter by default. If both enable_pod_security_policy and
-        disable_pod_security_policy are specified, raise a MutuallyExclusiveArgumentError.
-
         :return: bool
         """
-        return self._get_disable_pod_security_policy(enable_validation=True)
+        return self._get_disable_pod_security_policy()
 
     # pylint: disable=unused-argument
     def _get_enable_managed_identity(
@@ -3082,16 +3030,6 @@ def set_up_addon_profiles(self, mc: ManagedCluster) -> ManagedCluster:
         mc.addon_profiles = addon_profiles
         return mc
 
-    def set_up_pod_security_policy(self, mc: ManagedCluster) -> ManagedCluster:
-        """Set up pod security policy for the ManagedCluster object.
-
-        :return: the ManagedCluster object
-        """
-        self._ensure_mc(mc)
-
-        mc.enable_pod_security_policy = self.context.get_enable_pod_security_policy()
-        return mc
-
     def set_up_pod_identity_profile(self, mc: ManagedCluster) -> ManagedCluster:
         """Set up pod identity profile for the ManagedCluster object.
 
@@ -3631,8 +3569,6 @@ def construct_mc_profile_preview(self, bypass_restore_defaults: bool = False) ->
         # DO NOT MOVE: keep this on top, construct the default ManagedCluster profile
         mc = self.construct_mc_profile_default(bypass_restore_defaults=True)
 
-        # set up pod security policy
-        mc = self.set_up_pod_security_policy(mc)
         # set up pod identity profile
         mc = self.set_up_pod_identity_profile(mc)
         # set up workload identity profile
@@ -4567,9 +4503,6 @@ def update_pod_security_policy(self, mc: ManagedCluster) -> ManagedCluster:
         """
         self._ensure_mc(mc)
 
-        if self.context.get_enable_pod_security_policy():
-            mc.enable_pod_security_policy = True
-
         if self.context.get_disable_pod_security_policy():
             mc.enable_pod_security_policy = False
         return mc

src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py

@@ -704,38 +704,6 @@ def test_get_load_balancer_backend_pool_type(self):
         )
         self.assertEqual(ctx.get_load_balancer_backend_pool_type(), "nodeIP")
 
-    def test_get_enable_pod_security_policy(self):
-        # default
-        ctx_1 = AKSPreviewManagedClusterContext(
-            self.cmd,
-            AKSManagedClusterParamDict({"enable_pod_security_policy": False}),
-            self.models,
-            decorator_mode=DecoratorMode.CREATE,
-        )
-        self.assertEqual(ctx_1.get_enable_pod_security_policy(), False)
-        mc = self.models.ManagedCluster(
-            location="test_location",
-            enable_pod_security_policy=True,
-        )
-        ctx_1.attach_mc(mc)
-        self.assertEqual(ctx_1.get_enable_pod_security_policy(), True)
-
-        # custom value
-        ctx_2 = AKSPreviewManagedClusterContext(
-            self.cmd,
-            AKSManagedClusterParamDict(
-                {
-                    "enable_pod_security_policy": True,
-                    "disable_pod_security_policy": True,
-                }
-            ),
-            self.models,
-            decorator_mode=DecoratorMode.UPDATE,
-        )
-        # fail on mutually exclusive enable_pod_security_policy and disable_pod_security_policy
-        with self.assertRaises(MutuallyExclusiveArgumentError):
-            ctx_2.get_enable_pod_security_policy()
-
     def test_get_disable_pod_security_policy(self):
         # default
         ctx_1 = AKSPreviewManagedClusterContext(
@@ -752,22 +720,6 @@ def test_get_disable_pod_security_policy(self):
         ctx_1.attach_mc(mc)
         self.assertEqual(ctx_1.get_disable_pod_security_policy(), False)
 
-        # custom value
-        ctx_2 = AKSPreviewManagedClusterContext(
-            self.cmd,
-            AKSManagedClusterParamDict(
-                {
-                    "enable_pod_security_policy": True,
-                    "disable_pod_security_policy": True,
-                }
-            ),
-            self.models,
-            decorator_mode=DecoratorMode.UPDATE,
-        )
-        # fail on mutually exclusive enable_pod_security_policy and disable_pod_security_policy
-        with self.assertRaises(MutuallyExclusiveArgumentError):
-            ctx_2.get_disable_pod_security_policy()
-
     def test_get_network_plugin(self):
         # default
         ctx_1 = AKSPreviewManagedClusterContext(
@@ -4643,43 +4595,6 @@ def test_set_up_http_proxy_config(self):
         )
         self.assertEqual(dec_mc_1, ground_truth_mc_1)
 
-    def test_set_up_pod_security_policy(self):
-        # default value in `aks_create`
-        dec_1 = AKSPreviewManagedClusterCreateDecorator(
-            self.cmd,
-            self.client,
-            {
-                "enable_pod_security_policy": False,
-            },
-            CUSTOM_MGMT_AKS_PREVIEW,
-        )
-        mc_1 = self.models.ManagedCluster(location="test_location")
-        dec_1.context.attach_mc(mc_1)
-        # fail on passing the wrong mc object
-        with self.assertRaises(CLIInternalError):
-            dec_1.set_up_pod_security_policy(None)
-        dec_mc_1 = dec_1.set_up_pod_security_policy(mc_1)
-        ground_truth_mc_1 = self.models.ManagedCluster(
-            location="test_location", enable_pod_security_policy=False
-        )
-        self.assertEqual(dec_mc_1, ground_truth_mc_1)
-
-        # custom value
-        dec_2 = AKSPreviewManagedClusterCreateDecorator(
-            self.cmd,
-            self.client,
-            {"enable_pod_security_policy": True},
-            CUSTOM_MGMT_AKS_PREVIEW,
-        )
-        mc_2 = self.models.ManagedCluster(location="test_location")
-        dec_2.context.attach_mc(mc_2)
-        dec_mc_2 = dec_2.set_up_pod_security_policy(mc_2)
-        ground_truth_mc_2 = self.models.ManagedCluster(
-            location="test_location",
-            enable_pod_security_policy=True,
-        )
-        self.assertEqual(dec_mc_2, ground_truth_mc_2)
-
     def test_set_up_pod_identity_profile(self):
         # default value in `aks_create`
         dec_1 = AKSPreviewManagedClusterCreateDecorator(
@@ -5580,7 +5495,6 @@ def test_construct_mc_profile_preview(self):
             network_profile=network_profile_1,
             identity=identity_1,
             disable_local_accounts=False,
-            enable_pod_security_policy=False,
             storage_profile=storage_profile_1,
             sku=baseSKU,
             kind="Base",
@@ -6594,7 +6508,6 @@ def test_update_pod_security_policy(self):
             self.cmd,
             self.client,
             {
-                "enable_pod_security_policy": False,
                 "disable_pod_security_policy": False,
             },
             CUSTOM_MGMT_AKS_PREVIEW,
@@ -6615,34 +6528,11 @@ def test_update_pod_security_policy(self):
         )
         self.assertEqual(dec_mc_1, ground_truth_mc_1)
 
-        # custom value
-        dec_2 = AKSPreviewManagedClusterUpdateDecorator(
-            self.cmd,
-            self.client,
-            {
-                "enable_pod_security_policy": True,
-                "disable_pod_security_policy": False,
-            },
-            CUSTOM_MGMT_AKS_PREVIEW,
-        )
-        mc_2 = self.models.ManagedCluster(
-            location="test_location",
-            enable_pod_security_policy=False,
-        )
-        dec_2.context.attach_mc(mc_2)
-        dec_mc_2 = dec_2.update_pod_security_policy(mc_2)
-        ground_truth_mc_2 = self.models.ManagedCluster(
-            location="test_location",
-            enable_pod_security_policy=True,
-        )
-        self.assertEqual(dec_mc_2, ground_truth_mc_2)
-
         # custom value
         dec_3 = AKSPreviewManagedClusterUpdateDecorator(
             self.cmd,
             self.client,
             {
-                "enable_pod_security_policy": False,
                 "disable_pod_security_policy": True,
             },
             CUSTOM_MGMT_AKS_PREVIEW,