
[AKS] Create default role assignments for automatic sku #7570

Merged
merged 12 commits into from
May 6, 2024
Merged
9 changes: 8 additions & 1 deletion src/aks-preview/HISTORY.rst
Expand Up @@ -12,8 +12,15 @@ To release a new version, please select a new version number (usually plus 1 to
Pending
+++++++

3.0.0b12
++++++++
* Create three default role assignments for automatic sku clusters.
* "Azure Kubernetes Service RBAC Cluster Admin"
* "Azure Kubernetes Service RBAC Admin"
* "Azure Kubernetes Service Cluster User Role"

3.0.0b11
+++++++
++++++++
* Add `--enable-static-egress-gateway` to `az aks create` and `az aks update`.
* Add `--disable-static-egress-gateway` to `az aks update` command.
* Add `--gateway-prefix-size` to `az aks nodepool create` command.
37 changes: 36 additions & 1 deletion src/aks-preview/azext_aks_preview/managed_cluster_decorator.py
Expand Up @@ -55,7 +55,10 @@
_is_pod_identity_addon_enabled,
_update_addon_pod_identity,
)
from azext_aks_preview._roleassignments import add_role_assignment
from azext_aks_preview._roleassignments import (
add_role_assignment,
_add_role_assignment_executor_new
)
from azext_aks_preview.agentpool_decorator import (
AKSPreviewAgentPoolAddDecorator,
AKSPreviewAgentPoolUpdateDecorator,
Expand All @@ -67,6 +70,7 @@
from azext_aks_preview.azuremonitormetrics.azuremonitorprofile import (
ensure_azure_monitor_profile_prerequisites,
)
from azure.cli.command_modules.acs._client_factory import get_graph_client
from azure.cli.command_modules.acs._consts import (
CONST_OUTBOUND_TYPE_LOAD_BALANCER,
CONST_OUTBOUND_TYPE_MANAGED_NAT_GATEWAY,
Expand Down Expand Up @@ -188,6 +192,7 @@ def external_functions(self) -> SimpleNamespace:
] = ensure_azure_monitor_profile_prerequisites
# temp workaround for the breaking change caused by default API version bump of the auth SDK
external_functions["add_role_assignment"] = add_role_assignment
external_functions["_add_role_assignment_executor_new"] = _add_role_assignment_executor_new
# azure container storage functions
external_functions["perform_enable_azure_container_storage"] = perform_enable_azure_container_storage
external_functions["perform_disable_azure_container_storage"] = perform_disable_azure_container_storage
Expand Down Expand Up @@ -3606,6 +3611,7 @@ def immediate_processing_after_request(self, mc: ManagedCluster) -> None:
"Could not create a role assignment for subnet. Are you an Owner on this subscription?"
)

# pylint: disable=too-many-locals
def postprocessing_after_mc_created(self, cluster: ManagedCluster) -> None:
"""Postprocessing performed after the cluster is created.

Expand Down Expand Up @@ -3751,6 +3757,35 @@ def postprocessing_after_mc_created(self, cluster: ManagedCluster) -> None:
is_called_from_extension=True,
)

# Add role assignments for automatic sku
if cluster.sku is not None and cluster.sku.name == "Automatic":
try:
user = get_graph_client(self.cmd.cli_ctx).signed_in_user_get()
except Exception as e: # pylint: disable=broad-except
logger.warning("Could not get signed in user: %s", str(e))
else:
self.context.external_functions._add_role_assignment_executor_new( # type: ignore # pylint: disable=protected-access
self.cmd,
"Azure Kubernetes Service RBAC Cluster Admin",
user["id"],
scope=cluster.id,
resolve_assignee=False,
)
self.context.external_functions._add_role_assignment_executor_new( # type: ignore # pylint: disable=protected-access
self.cmd,
"Azure Kubernetes Service RBAC Admin",
user["id"],
scope=cluster.id,
resolve_assignee=False,
)
self.context.external_functions._add_role_assignment_executor_new( # type: ignore # pylint: disable=protected-access
self.cmd,
"Azure Kubernetes Service Cluster User Role",
user["id"],
scope=cluster.id,
resolve_assignee=False,
)


class AKSPreviewManagedClusterUpdateDecorator(AKSManagedClusterUpdateDecorator):
def __init__(
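Review bot: The three `_add_role_assignment_executor_new` calls in the last hunk of postprocessing_after_mc_created discard the executor's result, so a grant that fails (for example because the caller lacks Owner or User Access Administrator on the cluster scope) leaves the Automatic cluster without the RBAC Cluster Admin / RBAC Admin / Cluster User bindings the changelog promises and prints nothing, unlike the subnet path a few hunks earlier that warns "Could not create a role assignment for subnet". Whether the executor signals failure through its return value or by raising is not visible on this page; whichever it is, the outcome should be surfaced per role with a warning naming the role and the scope. Folding the three copies into a loop inside a helper such as `_add_automatic_sku_role_assignments(self, cluster)` also removes the repeated `# type: ignore # pylint: disable=protected-access` lines and the `# pylint: disable=too-many-locals` suppression added at the method header, and gives the grant a docstring stating that the signed-in principal is made cluster admin of every Automatic sku cluster it creates. The body of postprocessing_after_mc_created starts and ends outside the hunk.
```python
            # … unchanged: earlier postprocessing steps …
            # Add role assignments for automatic sku
            if cluster.sku is not None and cluster.sku.name == "Automatic":
                self._add_automatic_sku_role_assignments(cluster)

    def _add_automatic_sku_role_assignments(self, cluster: ManagedCluster) -> None:
        """Grant the signed-in principal the default roles on an Automatic sku cluster.

        Failures are logged rather than raised: the cluster already exists at this
        point and the caller can add the missing assignments manually.
        """
        try:
            user = get_graph_client(self.cmd.cli_ctx).signed_in_user_get()
        except Exception as e:  # pylint: disable=broad-except
            logger.warning("Could not get signed in user: %s", str(e))
            return
        for role in (
            "Azure Kubernetes Service RBAC Cluster Admin",
            "Azure Kubernetes Service RBAC Admin",
            "Azure Kubernetes Service Cluster User Role",
        ):
            # NOTE(review): assumes the executor returns a truthy value on success
            # and does not raise — confirm against _roleassignments before relying on it
            ok = self.context.external_functions._add_role_assignment_executor_new(  # type: ignore # pylint: disable=protected-access
                self.cmd,
                role,
                user["id"],
                scope=cluster.id,
                resolve_assignee=False,
            )
            if not ok:
                logger.warning(
                    "Could not create role assignment '%s' on scope %s. Are you an Owner on this subscription?",
                    role,
                    cluster.id,
                )
```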