diff --git a/linter_exclusions.yml b/linter_exclusions.yml index 85c81f4eb4c..e42c6e52093 100644 --- a/linter_exclusions.yml +++ b/linter_exclusions.yml @@ -37,9 +37,6 @@ aks create: node_public_ip_prefix_id: rule_exclusions: - option_length_too_long - enable_pod_security_policy: - rule_exclusions: - - option_length_too_long enable_private_cluster: rule_exclusions: - option_length_too_long @@ -135,12 +132,6 @@ aks update: cluster_autoscaler_profile: rule_exclusions: - option_length_too_long - disable_pod_security_policy: - rule_exclusions: - - option_length_too_long - enable_pod_security_policy: - rule_exclusions: - - option_length_too_long load_balancer_idle_timeout: rule_exclusions: - option_length_too_long diff --git a/src/aks-preview/HISTORY.rst b/src/aks-preview/HISTORY.rst index 9468c464f0c..64b917ff75f 100644 --- a/src/aks-preview/HISTORY.rst +++ b/src/aks-preview/HISTORY.rst @@ -12,6 +12,10 @@ To release a new version, please select a new version number (usually plus 1 to Pending +++++++ +18.0.0b1 ++++++++ +* [BREAKING CHANGE] Remove `--enable-pod-security-policy` and `--disable-pod-security-policy` as it's deprecated. + 17.0.0b4 ++++++++ * Reset vm_size and count to None for `az aks update --migrate-vmas-to-vms` diff --git a/src/aks-preview/azext_aks_preview/_help.py b/src/aks-preview/azext_aks_preview/_help.py index c8332ec1276..3159926fa2d 100644 --- a/src/aks-preview/azext_aks_preview/_help.py +++ b/src/aks-preview/azext_aks_preview/_help.py @@ -304,10 +304,6 @@ - name: --vm-set-type type: string short-summary: Agent pool vm set type. VirtualMachineScaleSets, AvailabilitySet or VirtualMachines(Preview). - - name: --enable-pod-security-policy - type: bool - short-summary: Enable pod security policy. - long-summary: --enable-pod-security-policy is deprecated. See https://aka.ms/aks/psp for details. - name: --node-resource-group type: string short-summary: The node resource group is the resource group where all customer's resources will be created in, such as virtual machines. @@ -864,14 +860,6 @@ type: string short-summary: How outbound traffic will be configured for a cluster. long-summary: This option will change the way how the outbound connections are managed in the AKS cluster. Available options are loadbalancer, managedNATGateway, userAssignedNATGateway, userDefinedRouting, none and block. For custom vnet, loadbalancer, userAssignedNATGateway and userDefinedRouting are supported. For aks managed vnet, loadbalancer, managedNATGateway and userDefinedRouting are supported. - - name: --enable-pod-security-policy - type: bool - short-summary: Enable pod security policy. - long-summary: --enable-pod-security-policy is deprecated. See https://aka.ms/aks/psp for details. - - name: --disable-pod-security-policy - type: bool - short-summary: Disable pod security policy - long-summary: PodSecurityPolicy is deprecated. See https://aka.ms/aks/psp for details. - name: --nrg-lockdown-restriction-level type: string short-summary: Restriction level on the managed node resource. @@ -1279,8 +1267,6 @@ text: az aks update --disable-cluster-autoscaler -g MyResourceGroup -n MyManagedCluster - name: Update min-count or max-count for cluster autoscaler. text: az aks update --update-cluster-autoscaler --min-count 1 --max-count 10 -g MyResourceGroup -n MyManagedCluster - - name: Disable pod security policy. - text: az aks update --disable-pod-security-policy -g MyResourceGroup -n MyManagedCluster - name: Update a kubernetes cluster with standard SKU load balancer to use two AKS created IPs for the load balancer outbound connection usage. text: az aks update -g MyResourceGroup -n MyManagedCluster --load-balancer-managed-outbound-ip-count 2 - name: Update a kubernetes cluster with standard SKU load balancer to use the provided public IPs for the load balancer outbound connection usage. diff --git a/src/aks-preview/azext_aks_preview/_params.py b/src/aks-preview/azext_aks_preview/_params.py index 1e9adf722ee..8eae78df041 100644 --- a/src/aks-preview/azext_aks_preview/_params.py +++ b/src/aks-preview/azext_aks_preview/_params.py @@ -767,13 +767,6 @@ def load_arguments(self, _): c.argument("pod_cidrs") c.argument("service_cidrs") c.argument("load_balancer_managed_outbound_ipv6_count", type=int) - c.argument( - "enable_pod_security_policy", - action="store_true", - deprecate_info=c.deprecate( - target="--enable-pod-security-policy", hide=True - ), - ) c.argument("enable_pod_identity", action="store_true") c.argument("enable_pod_identity_with_kubenet", action="store_true") c.argument("enable_workload_identity", action="store_true") @@ -1196,14 +1189,6 @@ def load_arguments(self, _): ) c.argument("load_balancer_managed_outbound_ipv6_count", type=int) c.argument("outbound_type", arg_type=get_enum_type(outbound_types)) - c.argument( - "enable_pod_security_policy", - action="store_true", - deprecate_info=c.deprecate( - target="--enable-pod-security-policy", hide=True - ), - ) - c.argument("disable_pod_security_policy", action="store_true", is_preview=True) c.argument("enable_pod_identity", action="store_true") c.argument("enable_pod_identity_with_kubenet", action="store_true") c.argument("disable_pod_identity", action="store_true") diff --git a/src/aks-preview/azext_aks_preview/custom.py b/src/aks-preview/azext_aks_preview/custom.py index 6b5957e5bc0..b6c3cfe2945 100644 --- a/src/aks-preview/azext_aks_preview/custom.py +++ b/src/aks-preview/azext_aks_preview/custom.py @@ -478,7 +478,6 @@ def aks_create( pod_cidrs=None, service_cidrs=None, load_balancer_managed_outbound_ipv6_count=None, - enable_pod_security_policy=False, enable_pod_identity=False, enable_pod_identity_with_kubenet=False, enable_workload_identity=False, @@ -686,8 +685,6 @@ def aks_update( network_dataplane=None, ip_families=None, pod_cidr=None, - enable_pod_security_policy=False, - disable_pod_security_policy=False, enable_pod_identity=False, enable_pod_identity_with_kubenet=False, disable_pod_identity=False, diff --git a/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py b/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py index 56e2a54ad11..6a7dfa50ad4 100644 --- a/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py +++ b/src/aks-preview/azext_aks_preview/managed_cluster_decorator.py @@ -986,76 +986,6 @@ def get_force_upgrade(self) -> Union[bool, None]: return not disable_force_upgrade return None - def _get_enable_pod_security_policy(self, enable_validation: bool = False) -> bool: - """Internal function to obtain the value of enable_pod_security_policy. - - This function supports the option of enable_validation. When enabled, if both enable_pod_security_policy and - disable_pod_security_policy are specified, raise a MutuallyExclusiveArgumentError. - - :return: bool - """ - # read the original value passed by the command - enable_pod_security_policy = self.raw_param.get("enable_pod_security_policy") - # In create mode, try to read the property value corresponding to the parameter from the `mc` object. - if self.decorator_mode == DecoratorMode.CREATE: - if ( - self.mc and - self.mc.enable_pod_security_policy is not None - ): - enable_pod_security_policy = self.mc.enable_pod_security_policy - - # this parameter does not need dynamic completion - # validation - if enable_validation: - if enable_pod_security_policy and self._get_disable_pod_security_policy(enable_validation=False): - raise MutuallyExclusiveArgumentError( - "Cannot specify --enable-pod-security-policy and " - "--disable-pod-security-policy at the same time." - ) - return enable_pod_security_policy - - def get_enable_pod_security_policy(self) -> bool: - """Obtain the value of enable_pod_security_policy. - - This function will verify the parameter by default. If both enable_pod_security_policy and - disable_pod_security_policy are specified, raise a MutuallyExclusiveArgumentError. - - :return: bool - """ - return self._get_enable_pod_security_policy(enable_validation=True) - - def _get_disable_pod_security_policy(self, enable_validation: bool = False) -> bool: - """Internal function to obtain the value of disable_pod_security_policy. - - This function supports the option of enable_validation. When enabled, if both enable_pod_security_policy and - disable_pod_security_policy are specified, raise a MutuallyExclusiveArgumentError. - - :return: bool - """ - # read the original value passed by the command - disable_pod_security_policy = self.raw_param.get("disable_pod_security_policy") - # We do not support this option in create mode, therefore we do not read the value from `mc`. - - # this parameter does not need dynamic completion - # validation - if enable_validation: - if disable_pod_security_policy and self._get_enable_pod_security_policy(enable_validation=False): - raise MutuallyExclusiveArgumentError( - "Cannot specify --enable-pod-security-policy and " - "--disable-pod-security-policy at the same time." - ) - return disable_pod_security_policy - - def get_disable_pod_security_policy(self) -> bool: - """Obtain the value of disable_pod_security_policy. - - This function will verify the parameter by default. If both enable_pod_security_policy and - disable_pod_security_policy are specified, raise a MutuallyExclusiveArgumentError. - - :return: bool - """ - return self._get_disable_pod_security_policy(enable_validation=True) - # pylint: disable=unused-argument def _get_enable_managed_identity( self, enable_validation: bool = False, read_only: bool = False @@ -3082,16 +3012,6 @@ def set_up_addon_profiles(self, mc: ManagedCluster) -> ManagedCluster: mc.addon_profiles = addon_profiles return mc - def set_up_pod_security_policy(self, mc: ManagedCluster) -> ManagedCluster: - """Set up pod security policy for the ManagedCluster object. - - :return: the ManagedCluster object - """ - self._ensure_mc(mc) - - mc.enable_pod_security_policy = self.context.get_enable_pod_security_policy() - return mc - def set_up_pod_identity_profile(self, mc: ManagedCluster) -> ManagedCluster: """Set up pod identity profile for the ManagedCluster object. @@ -3631,8 +3551,6 @@ def construct_mc_profile_preview(self, bypass_restore_defaults: bool = False) -> # DO NOT MOVE: keep this on top, construct the default ManagedCluster profile mc = self.construct_mc_profile_default(bypass_restore_defaults=True) - # set up pod security policy - mc = self.set_up_pod_security_policy(mc) # set up pod identity profile mc = self.set_up_pod_identity_profile(mc) # set up workload identity profile @@ -4560,20 +4478,6 @@ def update_kube_proxy_config(self, mc: ManagedCluster) -> ManagedCluster: return mc - def update_pod_security_policy(self, mc: ManagedCluster) -> ManagedCluster: - """Update pod security policy for the ManagedCluster object. - - :return: the ManagedCluster object - """ - self._ensure_mc(mc) - - if self.context.get_enable_pod_security_policy(): - mc.enable_pod_security_policy = True - - if self.context.get_disable_pod_security_policy(): - mc.enable_pod_security_policy = False - return mc - def update_pod_identity_profile(self, mc: ManagedCluster) -> ManagedCluster: """Update pod identity profile for the ManagedCluster object. @@ -5384,8 +5288,6 @@ def update_mc_profile_preview(self) -> ManagedCluster: # DO NOT MOVE: keep this on top, fetch and update the default ManagedCluster profile mc = self.update_mc_profile_default() - # update pod security policy - mc = self.update_pod_security_policy(mc) # update pod identity profile mc = self.update_pod_identity_profile(mc) # update workload identity profile diff --git a/src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py b/src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py index a691104e0c8..4df591433c6 100644 --- a/src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py +++ b/src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py @@ -704,70 +704,6 @@ def test_get_load_balancer_backend_pool_type(self): ) self.assertEqual(ctx.get_load_balancer_backend_pool_type(), "nodeIP") - def test_get_enable_pod_security_policy(self): - # default - ctx_1 = AKSPreviewManagedClusterContext( - self.cmd, - AKSManagedClusterParamDict({"enable_pod_security_policy": False}), - self.models, - decorator_mode=DecoratorMode.CREATE, - ) - self.assertEqual(ctx_1.get_enable_pod_security_policy(), False) - mc = self.models.ManagedCluster( - location="test_location", - enable_pod_security_policy=True, - ) - ctx_1.attach_mc(mc) - self.assertEqual(ctx_1.get_enable_pod_security_policy(), True) - - # custom value - ctx_2 = AKSPreviewManagedClusterContext( - self.cmd, - AKSManagedClusterParamDict( - { - "enable_pod_security_policy": True, - "disable_pod_security_policy": True, - } - ), - self.models, - decorator_mode=DecoratorMode.UPDATE, - ) - # fail on mutually exclusive enable_pod_security_policy and disable_pod_security_policy - with self.assertRaises(MutuallyExclusiveArgumentError): - ctx_2.get_enable_pod_security_policy() - - def test_get_disable_pod_security_policy(self): - # default - ctx_1 = AKSPreviewManagedClusterContext( - self.cmd, - AKSManagedClusterParamDict({"disable_pod_security_policy": False}), - self.models, - decorator_mode=DecoratorMode.UPDATE, - ) - self.assertEqual(ctx_1.get_disable_pod_security_policy(), False) - mc = self.models.ManagedCluster( - location="test_location", - enable_pod_security_policy=False, - ) - ctx_1.attach_mc(mc) - self.assertEqual(ctx_1.get_disable_pod_security_policy(), False) - - # custom value - ctx_2 = AKSPreviewManagedClusterContext( - self.cmd, - AKSManagedClusterParamDict( - { - "enable_pod_security_policy": True, - "disable_pod_security_policy": True, - } - ), - self.models, - decorator_mode=DecoratorMode.UPDATE, - ) - # fail on mutually exclusive enable_pod_security_policy and disable_pod_security_policy - with self.assertRaises(MutuallyExclusiveArgumentError): - ctx_2.get_disable_pod_security_policy() - def test_get_network_plugin(self): # default ctx_1 = AKSPreviewManagedClusterContext( @@ -4643,43 +4579,6 @@ def test_set_up_http_proxy_config(self): ) self.assertEqual(dec_mc_1, ground_truth_mc_1) - def test_set_up_pod_security_policy(self): - # default value in `aks_create` - dec_1 = AKSPreviewManagedClusterCreateDecorator( - self.cmd, - self.client, - { - "enable_pod_security_policy": False, - }, - CUSTOM_MGMT_AKS_PREVIEW, - ) - mc_1 = self.models.ManagedCluster(location="test_location") - dec_1.context.attach_mc(mc_1) - # fail on passing the wrong mc object - with self.assertRaises(CLIInternalError): - dec_1.set_up_pod_security_policy(None) - dec_mc_1 = dec_1.set_up_pod_security_policy(mc_1) - ground_truth_mc_1 = self.models.ManagedCluster( - location="test_location", enable_pod_security_policy=False - ) - self.assertEqual(dec_mc_1, ground_truth_mc_1) - - # custom value - dec_2 = AKSPreviewManagedClusterCreateDecorator( - self.cmd, - self.client, - {"enable_pod_security_policy": True}, - CUSTOM_MGMT_AKS_PREVIEW, - ) - mc_2 = self.models.ManagedCluster(location="test_location") - dec_2.context.attach_mc(mc_2) - dec_mc_2 = dec_2.set_up_pod_security_policy(mc_2) - ground_truth_mc_2 = self.models.ManagedCluster( - location="test_location", - enable_pod_security_policy=True, - ) - self.assertEqual(dec_mc_2, ground_truth_mc_2) - def test_set_up_pod_identity_profile(self): # default value in `aks_create` dec_1 = AKSPreviewManagedClusterCreateDecorator( @@ -5580,7 +5479,6 @@ def test_construct_mc_profile_preview(self): network_profile=network_profile_1, identity=identity_1, disable_local_accounts=False, - enable_pod_security_policy=False, storage_profile=storage_profile_1, sku=baseSKU, kind="Base", @@ -6588,78 +6486,6 @@ def test_update_http_proxy_config(self): ) self.assertEqual(dec_mc_1, ground_truth_mc_1) - def test_update_pod_security_policy(self): - # default value in `aks_update` - dec_1 = AKSPreviewManagedClusterUpdateDecorator( - self.cmd, - self.client, - { - "enable_pod_security_policy": False, - "disable_pod_security_policy": False, - }, - CUSTOM_MGMT_AKS_PREVIEW, - ) - mc_1 = self.models.ManagedCluster( - location="test_location", - enable_pod_security_policy=True, - ) - dec_1.context.attach_mc(mc_1) - # fail on passing the wrong mc object - with self.assertRaises(CLIInternalError): - dec_1.update_pod_security_policy(None) - - dec_mc_1 = dec_1.update_pod_security_policy(mc_1) - ground_truth_mc_1 = self.models.ManagedCluster( - location="test_location", - enable_pod_security_policy=True, - ) - self.assertEqual(dec_mc_1, ground_truth_mc_1) - - # custom value - dec_2 = AKSPreviewManagedClusterUpdateDecorator( - self.cmd, - self.client, - { - "enable_pod_security_policy": True, - "disable_pod_security_policy": False, - }, - CUSTOM_MGMT_AKS_PREVIEW, - ) - mc_2 = self.models.ManagedCluster( - location="test_location", - enable_pod_security_policy=False, - ) - dec_2.context.attach_mc(mc_2) - dec_mc_2 = dec_2.update_pod_security_policy(mc_2) - ground_truth_mc_2 = self.models.ManagedCluster( - location="test_location", - enable_pod_security_policy=True, - ) - self.assertEqual(dec_mc_2, ground_truth_mc_2) - - # custom value - dec_3 = AKSPreviewManagedClusterUpdateDecorator( - self.cmd, - self.client, - { - "enable_pod_security_policy": False, - "disable_pod_security_policy": True, - }, - CUSTOM_MGMT_AKS_PREVIEW, - ) - - mc_3 = self.models.ManagedCluster( - location="test_location", - enable_pod_security_policy=True, - ) - dec_3.context.attach_mc(mc_3) - dec_mc_3 = dec_3.update_pod_security_policy(mc_3) - ground_truth_mc_3 = self.models.ManagedCluster( - location="test_location", - enable_pod_security_policy=False, - ) - self.assertEqual(dec_mc_3, ground_truth_mc_3) - def test_update_pod_identity_profile(self): # default value in `aks_update` dec_1 = AKSPreviewManagedClusterUpdateDecorator( diff --git a/src/aks-preview/setup.py b/src/aks-preview/setup.py index d7262f924be..758addd81ca 100644 --- a/src/aks-preview/setup.py +++ b/src/aks-preview/setup.py @@ -9,7 +9,7 @@ from setuptools import setup, find_packages -VERSION = "17.0.0b4" +VERSION = "18.0.0b1" CLASSIFIERS = [ "Development Status :: 4 - Beta",