Member

@FumingZhang FumingZhang commented Jun 30, 2025


This checklist is used to make sure that common guidelines for a pull request are followed.

Related command

Introduce a new command: az aks bastion. This command utilizes the Bastion CLI extension to streamline secure access to AKS clusters. It performs the following actions:

  • Establishes a local Bastion tunnel.
  • Downloads the kubeconfig for the specified AKS cluster.
  • Updates the kubeconfig to route traffic through the local tunnel port.
  • Launches a new sub-shell with the modified kubeconfig, enabling seamless cluster access—especially useful when public access is restricted due to specific cluster features.

Limitations:

  • The Bastion host must be provisioned separately by the user within the same virtual network (VNet) as the AKS cluster and passed to the command.
  • On Windows, the sub-shell is launched using cmd.exe.

Bastion Resource Resolution Order:

  1. If the --bastion option is specified:
    • 1.1 Attempt to parse the value as a full resource ID to extract the Bastion name and resource group.
    • 1.2 If parsing as a resource ID fails, treat the value as a Bastion resource name and check for its existence in the cluster’s node resource group.
  2. If the --bastion option is not specified:
    • List all Bastion resources in the cluster’s node resource group. Use the first Bastion resource found (if multiple exist).

As shown in the screenshot below, users cannot directly access a private AKS cluster. However, with this command, they can securely connect to the cluster via a Bastion tunnel.
image

The screenshot below displays the most recent command prompt for the user experience.
image

General Guidelines

  • Have you run azdev style <YOUR_EXT> locally? (pip install azdev required)
  • Have you run python scripts/ci/test_index.py -q locally? (pip install wheel==0.30.0 required)
  • My extension version conforms to the Extension version schema

For new extensions:

About Extension Publish

There is a pipeline to automatically build, upload and publish extension wheels.
Once your pull request is merged into main branch, a new pull request will be created to update src/index.json automatically.
You only need to update the version information in file setup.py and historical information in file HISTORY.rst in your PR but do not modify src/index.json.
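The Bastion resource resolution order from the description above, as an added Python sketch that is not the code from this pull request. The `resolve_bastion` function, its `listed` argument (a stand-in for the real list call) and the sample names are assumptions; the returned `how` string makes the implicit "first found" choice visible so it can be logged or pinned with `--bastion`.

```python
import re

# ARM resource ID of a Bastion host; segment names are matched case-insensitively.
BASTION_ID = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Network/bastionHosts/(?P<name>[^/]+)/?$",
    re.IGNORECASE,
)

# Constructed sample data, not taken from the PR.
NODE_RG = "MC_demo-rg_demo-aks_eastus"
BASTIONS_IN_NODE_RG = ["bastion-a", "bastion-b"]


def resolve_bastion(bastion_opt, node_rg, listed):
    """Return (name, resource_group, how) using the order in the PR description.

    `listed` holds the Bastion names found in the node resource group; it is a
    hypothetical stand-in for the real list call.
    """
    if bastion_opt:
        match = BASTION_ID.match(bastion_opt.strip())
        if match:  # 1.1: full resource ID, may point outside the node resource group
            return match["name"], match["rg"], "explicit resource ID"
        for name in listed:  # 1.2: bare name, must exist in the node resource group
            if name.casefold() == bastion_opt.casefold():
                return name, node_rg, "explicit name"
        raise LookupError(f"Bastion {bastion_opt!r} not found in {node_rg}")
    if not listed:  # 2: nothing to fall back on
        raise LookupError(f"no Bastion found in {node_rg}; pass --bastion")
    how = "implicit, only candidate"
    if len(listed) > 1:
        # The first entry wins; surface that so the operator can pin one.
        how = f"implicit, first of {len(listed)}; pass --bastion to pin"
    return listed[0], node_rg, how


if __name__ == "__main__":
    for opt in (None, "bastion-b"):
        print(opt, "->", resolve_bastion(opt, NODE_RG, BASTIONS_IN_NODE_RG))
```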


azure-client-tools-bot-prd bot commented Jun 30, 2025

⚠️Azure CLI Extensions Breaking Change Test
⚠️aks-preview
| rule | cmd_name | rule_message | suggest_message |
| --- | --- | --- | --- |
| ⚠️ 1001 - CmdAdd | aks bastion | cmd aks bastion added | |

Collaborator

yonzhan commented Jun 30, 2025

Thank you for your contribution! We will review the pull request and get back to you soon.

@github-actions

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>


github-actions bot commented Jun 30, 2025

@github-actions github-actions bot added the release-version-block Updates do not qualify release version rules. NOTE: please do not edit it manually. label Jul 3, 2025
@FumingZhang FumingZhang force-pushed the fuming/aks-bastion-0630 branch from 8ff205c to e906c85 Compare July 3, 2025 05:37
@github-actions github-actions bot removed the release-version-block Updates do not qualify release version rules. NOTE: please do not edit it manually. label Jul 3, 2025
@FumingZhang FumingZhang force-pushed the fuming/aks-bastion-0630 branch from f967f5b to b0ca393 Compare July 3, 2025 07:44
@FumingZhang FumingZhang marked this pull request as ready for review July 3, 2025 14:37
Copilot AI review requested due to automatic review settings July 3, 2025 14:37
Member Author

@FumingZhang FumingZhang left a comment

Queued live test to validate the change. Test passed!

  • test_aks_bastion

Contributor

Copilot AI left a comment

Pull Request Overview

This PR introduces the new az aks bastion command to enable connections to managed Kubernetes clusters via Azure Bastion.

  • Bumps extension version to 18.0.0b18 and updates history.
  • Implements and registers the aks bastion command (parameters, help, custom handler, and core logic).
  • Adds tests for bastion connectivity and verifies kubectl installation.

Reviewed Changes

Copilot reviewed 8 out of 9 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| src/aks-preview/setup.py | Version bumped to 18.0.0b18 |
| src/aks-preview/HISTORY.rst | Added entry for aks bastion in changelog |
| src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py | Added _verify_kubectl_installation and new test for bastion |
| src/aks-preview/azext_aks_preview/_params.py | Defined arguments for aks bastion |
| src/aks-preview/azext_aks_preview/_help.py | Added CLI help for aks bastion |
| src/aks-preview/azext_aks_preview/commands.py | Registered the aks bastion custom command |
| src/aks-preview/azext_aks_preview/custom.py | Imported and wired up the aks_bastion handler |
| src/aks-preview/azext_aks_preview/bastion/bastion.py | Core bastion tunnel implementation and cleanup |

Comments suppressed due to low confidence (4)

src/aks-preview/azext_aks_preview/custom.py:102

  • [nitpick] The function name aks_batsion_clean_up appears to be a typo (batsion vs. bastion). Rename it to aks_bastion_clean_up for consistency.
    aks_batsion_clean_up

src/aks-preview/azext_aks_preview/_help.py:3860

  • [nitpick] The phrase "name of resource ID" is confusing. It should read "name or resource ID of a Bastion resource" to clarify.
          short-summary: The name of resource ID of a Bastion resource deployed to the node resource group of the current AKS cluster.

src/aks-preview/azext_aks_preview/bastion/bastion.py:267

  • [nitpick] The variable tunnel_proces looks like a typo. Consider renaming it to tunnel_process for clarity.
    tunnel_proces = None

src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py:181

  • The test uses both subprocess and tempfile but neither module is imported in this file. Please add import subprocess and import tempfile at the top.
    def _verify_kubectl_installation(self) -> bool:

raise CLIInternalError(f"Failed to install bastion extension: {result.stderr}")


def aks_bastion_set_kubeconfig(kubeconfig_path, port):

Copilot AI Jul 3, 2025

Before writing to kubeconfig_path, ensure its parent directory exists (e.g., os.makedirs(os.path.dirname(kubeconfig_path), exist_ok=True)) to avoid file-not-found errors.

Copilot uses AI. Check for mistakes.
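An added Python example, not the code from this pull request, covering both the kubeconfig step in the PR description and the review comment above: it repoints each cluster at the local tunnel port and writes the file with its parent directory created and owner-only permissions. The function names, the sample kubeconfig and the use of the kubeconfig field `tls-server-name` to keep certificate verification bound to the API server's real hostname are assumptions; the output is JSON, which kubectl reads as YAML.

```python
import json
import os
from urllib.parse import urlsplit

# Constructed sample kubeconfig; host, CA data and token are placeholders.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [{"name": "demo-aks", "cluster": {
        "server": "https://demo-aks-abc123.privatelink.eastus.azmk8s.io:443",
        "certificate-authority-data": "<BASE64_CA_PLACEHOLDER>"}}],
    "users": [{"name": "demo-user", "user": {"token": "<TOKEN_PLACEHOLDER>"}}],
    "contexts": [{"name": "demo", "context": {"cluster": "demo-aks", "user": "demo-user"}}],
    "current-context": "demo",
}


def route_through_tunnel(kubeconfig, port):
    """Return a copy of the kubeconfig whose clusters point at the local tunnel."""
    out = json.loads(json.dumps(kubeconfig))  # deep copy, input stays untouched
    for entry in out.get("clusters", []):
        cluster = entry["cluster"]
        original_host = urlsplit(cluster["server"]).hostname
        cluster["server"] = f"https://localhost:{int(port)}"
        # The API server certificate names the original host, not localhost.
        # Setting tls-server-name keeps verification on instead of skipping it.
        cluster.setdefault("tls-server-name", original_host)
    return out


def write_kubeconfig(kubeconfig, path):
    """Write the kubeconfig, creating the parent directory, readable by owner only."""
    parent = os.path.dirname(os.path.abspath(path))
    os.makedirs(parent, mode=0o700, exist_ok=True)
    # Create with 0600 from the start so credentials are never world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        json.dump(kubeconfig, handle, indent=2)
    os.chmod(path, 0o600)  # tighten a file that already existed with wider bits
    return path


if __name__ == "__main__":
    import tempfile
    target = os.path.join(tempfile.mkdtemp(), "bastion", "config")
    print(write_kubeconfig(route_through_tunnel(SAMPLE_KUBECONFIG, 8001), target))
```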
@FumingZhang FumingZhang force-pushed the fuming/aks-bastion-0630 branch from 7f8c408 to 7771827 Compare July 16, 2025 06:58
@FumingZhang FumingZhang force-pushed the fuming/aks-bastion-0630 branch from acf94cc to b562917 Compare July 24, 2025 03:39
@FumingZhang
Member Author

The failures in the CI checks would be fixed in a separate PR #8997.

@FumingZhang FumingZhang force-pushed the fuming/aks-bastion-0630 branch from 7043bca to 21b13f8 Compare July 25, 2025 06:53
@github-actions github-actions bot added the release-version-block Updates do not qualify release version rules. NOTE: please do not edit it manually. label Jul 25, 2025
@FumingZhang FumingZhang removed Network release-version-block Updates do not qualify release version rules. NOTE: please do not edit it manually. labels Jul 25, 2025
@FumingZhang
Member Author

/azp run

@azure-pipelines

Azure Pipelines successfully started running 2 pipeline(s).

@FumingZhang FumingZhang force-pushed the fuming/aks-bastion-0630 branch from 21b13f8 to e2f4479 Compare July 28, 2025 05:12
@zhoxing-ms zhoxing-ms merged commit ecb6680 into Azure:main Jul 29, 2025
24 checks passed
@azclibot
Collaborator

[Release] Update index.json for extension [ aks-preview-18.0.0b21 ] : https://dev.azure.com/msazure/One/_build/results?buildId=131951941&view=results

cceneag commented Jul 29, 2025

👍

@FumingZhang FumingZhang deleted the fuming/aks-bastion-0630 branch September 10, 2025 03:40