{aks} Add Windows gMSAv2 support (#3987)
AbelHu authored Oct 20, 2021
1 parent 9b3f2ba commit 711996b
Showing 9 changed files with 2,626 additions and 6 deletions.
4 changes: 4 additions & 0 deletions src/aks-preview/HISTORY.md
Expand Up @@ -2,6 +2,10 @@

Release History
===============
0.5.37
+++++
* Add Windows gMSA v2 support. Add parameters `--enable-windows-gmsa`, `--gmsa-dns-server` and `--gmsa-root-domain-name`

0.5.36
+++++
* Update to use 2021-09-01 api-version
Expand Down
Expand Up @@ -39,7 +39,9 @@
"test_aks_create_and_update_with_managed_nat_gateway_outbound",
"test_aks_create_with_http_proxy_config",
"test_aks_nodepool_add_with_workload_runtime",
"test_aks_nodepool_add_with_gpu_instance_profile"
"test_aks_nodepool_add_with_gpu_instance_profile",
"test_aks_create_with_windows_gmsa",
"test_aks_update_with_windows_gmsa"
]
}
}
38 changes: 38 additions & 0 deletions src/aks-preview/azext_aks_preview/_help.py
Expand Up @@ -358,6 +358,21 @@
- name: --gpu-instance-profile
type: string
short-summary: GPU instance profile to partition multi-gpu Nvidia GPUs.
- name: --enable-windows-gmsa
type: bool
short-summary: Enable Windows gmsa.
- name: --gmsa-dns-server
type: string
short-summary: Specify DNS server for Windows gmsa for this cluster.
long-summary: |-
You do not need to set this if you have set DNS server in the VNET used by the cluster.
You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time when setting --enable-windows-gmsa.
- name: --gmsa-root-domain-name
type: string
short-summary: Specify root domain name for Windows gmsa for this cluster.
long-summary: |-
You do not need to set this if you have set DNS server in the VNET used by the cluster.
You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time when setting --enable-windows-gmsa.
examples:
- name: Create a Kubernetes cluster with an existing SSH public key.
text: az aks create -g MyResourceGroup -n MyManagedCluster --ssh-key-value /path/to/publickey
Expand Down Expand Up @@ -407,6 +422,10 @@
text: az aks create -g MyResourceGroup -n MyManagedCluster --enable-aad --enable-azure-rbac
- name: Create a kubernetes cluster with a specific os-sku
text: az aks create -g MyResourceGroup -n MyManagedCluster --os-sku Ubuntu
- name: Create a kubernetes cluster with enabling Windows gmsa and with setting DNS server in the vnet used by the cluster.
text: az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku Standard --network-plugin azure --windows-admin-username azure --windows-admin-password 'replacePassword1234$' --enable-windows-gmsa
- name: Create a kubernetes cluster with enabling Windows gmsa but without setting DNS server in the vnet used by the cluster.
text: az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku Standard --network-plugin azure --windows-admin-username azure --windows-admin-password 'replacePassword1234$' --enable-windows-gmsa --gmsa-dns-server "10.240.0.4" --gmsa-root-domain-name "contoso.com"
""".format(sp_cache=AKS_SERVICE_PRINCIPAL_CACHE)

helps['aks scale'] = """
Expand Down Expand Up @@ -587,6 +606,21 @@
- name: --disable-public-fqdn
type: bool
short-summary: Disable public fqdn feature for private cluster.
- name: --enable-windows-gmsa
type: bool
short-summary: Enable Windows gmsa on cluster.
- name: --gmsa-dns-server
type: string
short-summary: Specify DNS server for Windows gmsa on cluster.
long-summary: |-
You do not need to set this if you have set DNS server in the VNET used by the cluster.
You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time when setting --enable-windows-gmsa.
- name: --gmsa-root-domain-name
type: string
short-summary: Specify root domain name for Windows gmsa on cluster.
long-summary: |-
You do not need to set this if you have set DNS server in the VNET used by the cluster.
You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time when setting --enable-windows-gmsa.
examples:
- name: Enable cluster-autoscaler within node count range [1,5]
text: az aks update --enable-cluster-autoscaler --min-count 1 --max-count 5 -g MyResourceGroup -n MyManagedCluster
Expand Down Expand Up @@ -638,6 +672,10 @@
text: az aks update -g MyResourceGroup -n MyManagedCluster --enable-azure-rbac
- name: Disable Azure RBAC in a managed AAD AKS cluster
text: az aks update -g MyResourceGroup -n MyManagedCluster --disable-azure-rbac
- name: Enable Windows gmsa for a kubernetes cluster with setting DNS server in the vnet used by the cluster.
text: az aks update -g MyResourceGroup -n MyManagedCluster --enable-windows-gmsa
- name: Enable Windows gmsa for a kubernetes cluster without setting DNS server in the vnet used by the cluster.
text: az aks update -g MyResourceGroup -n MyManagedCluster --enable-windows-gmsa --gmsa-dns-server "10.240.0.4" --gmsa-root-domain-name "contoso.com"
"""

helps['aks kollect'] = """
Expand Down
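Review bot: The long-summary for `--gmsa-root-domain-name` (L58–60 and again at L91–93) is a verbatim copy of the `--gmsa-dns-server` text and never says what value the option expects; replace its first line with something like `The root domain name of the Active Directory domain used for the cluster's gMSA accounts.` and keep the pairing sentence about setting both options together. The `--enable-windows-gmsa` short-summary would also help users if it said the flag applies only to clusters with a Windows profile, which the create example at L69 implies by passing Windows admin credentials alongside it — confirm against the create path in custom.py before wording it as a hard requirement. The two short-summaries at L48 and L81 differ only by "on cluster"; pick one wording for both.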
6 changes: 6 additions & 0 deletions src/aks-preview/azext_aks_preview/_params.py
Expand Up @@ -146,6 +146,9 @@ def load_arguments(self, _):
c.argument('assign_kubelet_identity', type=str, validator=validate_assign_kubelet_identity)
c.argument('disable_local_accounts', action='store_true')
c.argument('gpu_instance_profile', arg_type=get_enum_type(gpu_instance_profiles))
c.argument('enable_windows_gmsa', action='store_true', options_list=['--enable-windows-gmsa'])
c.argument('gmsa_dns_server', options_list=['--gmsa-dns-server'])
c.argument('gmsa_root_domain_name', options_list=['--gmsa-root-domain-name'])
c.argument('yes', options_list=['--yes', '-y'], help='Do not prompt for confirmation.', action='store_true')
c.argument('workload_runtime', arg_type=get_enum_type(workload_runtimes), default=CONST_WORKLOAD_RUNTIME_OCI_CONTAINER)

Expand Down Expand Up @@ -183,6 +186,9 @@ def load_arguments(self, _):
c.argument('windows_admin_password', options_list=['--windows-admin-password'])
c.argument('disable_local_accounts', action='store_true')
c.argument('enable_local_accounts', action='store_true')
c.argument('enable_windows_gmsa', action='store_true', options_list=['--enable-windows-gmsa'])
c.argument('gmsa_dns_server', options_list=['--gmsa-dns-server'])
c.argument('gmsa_root_domain_name', options_list=['--gmsa-root-domain-name'])
c.argument('yes', options_list=['--yes', '-y'], help='Do not prompt for confirmation.', action='store_true')

with self.argument_context('aks scale') as c:
Expand Down
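Review bot: `gmsa_dns_server` and `gmsa_root_domain_name` (L116–117 and L126–127) are registered without a validator, unlike the neighbouring `assign_kubelet_identity` at L112, so a mistyped DNS address or domain name is only rejected by the service after the cluster request has been sent. A small validator that rejects any value `ipaddress.ip_address` cannot parse (assuming the profile takes a single address — confirm against the `WindowsGmsaProfile` model) and one that rejects an empty or whitespace-only root domain name would fail fast at the CLI instead. Both additions sit inside `load_arguments`, which starts before the hunk.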
55 changes: 51 additions & 4 deletions src/aks-preview/azext_aks_preview/custom.py
Expand Up @@ -80,7 +80,8 @@
ManagedClusterPodIdentityProfile,
ManagedClusterPodIdentity,
ManagedClusterPodIdentityException,
UserAssignedIdentity)
UserAssignedIdentity,
WindowsGmsaProfile)
from ._client_factory import cf_resource_groups
from ._client_factory import get_auth_management_client
from ._client_factory import get_graph_rbac_management_client
Expand Down Expand Up @@ -821,6 +822,9 @@ def aks_create(cmd, # pylint: disable=too-many-locals,too-many-statements,to
assign_kubelet_identity=None,
workload_runtime=None,
gpu_instance_profile=None,
enable_windows_gmsa=False,
gmsa_dns_server=None,
gmsa_root_domain_name=None,
yes=False):
if not no_ssh_key:
try:
Expand Down Expand Up @@ -925,10 +929,30 @@ def aks_create(cmd, # pylint: disable=too-many-locals,too-many-statements,to
windows_license_type = 'Windows_Server'

windows_profile = ManagedClusterWindowsProfile(
# [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="no secret in next line")]
admin_username=windows_admin_username,
admin_password=windows_admin_password,
license_type=windows_license_type)

if enable_windows_gmsa:
windows_profile.gmsa_profile = WindowsGmsaProfile(
enabled=True)
if gmsa_dns_server is not None and gmsa_root_domain_name is not None:
windows_profile.gmsa_profile.dns_server = gmsa_dns_server
windows_profile.gmsa_profile.root_domain_name = gmsa_root_domain_name
elif gmsa_dns_server is None and gmsa_root_domain_name is None:
msg = ('Please assure that you have set the DNS server in the vnet used by the cluster when not specifying --gmsa-dns-server and --gmsa-root-domain-name')
from knack.prompting import prompt_y_n
if not yes and not prompt_y_n(msg, default="n"):
return None
else:
raise ArgumentUsageError(
'You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time.')
else:
if gmsa_dns_server is not None or gmsa_root_domain_name is not None:
raise ArgumentUsageError(
'You only can set --gmsa-dns-server and --gmsa-root-domain-name when setting --enable-windows-gmsa.')

service_principal_profile = None
principal_obj = None
# If customer explicitly provides a service principal, disable managed identity.
Expand Down Expand Up @@ -1338,7 +1362,10 @@ def aks_update(cmd, # pylint: disable=too-many-statements,too-many-branches,
tags=None,
windows_admin_password=None,
enable_azure_rbac=False,
disable_azure_rbac=False):
disable_azure_rbac=False,
enable_windows_gmsa=False,
gmsa_dns_server=None,
gmsa_root_domain_name=None):
update_autoscaler = enable_cluster_autoscaler or disable_cluster_autoscaler or update_cluster_autoscaler
update_acr = attach_acr is not None or detach_acr is not None
update_pod_security = enable_pod_security_policy or disable_pod_security_policy
Expand Down Expand Up @@ -1377,7 +1404,8 @@ def aks_update(cmd, # pylint: disable=too-many-statements,too-many-branches,
not enable_local_accounts and \
not disable_local_accounts and \
not enable_public_fqdn and \
not disable_public_fqdn:
not disable_public_fqdn and \
not enable_windows_gmsa:
raise CLIError('Please specify "--enable-cluster-autoscaler" or '
'"--disable-cluster-autoscaler" or '
'"--update-cluster-autoscaler" or '
Expand Down Expand Up @@ -1412,7 +1440,8 @@ def aks_update(cmd, # pylint: disable=too-many-statements,too-many-branches,
'"--enable-local-accounts" or '
'"--disable-local-accounts" or '
'"--enable-public-fqdn" or '
'"--disable-public-fqdn"')
'"--disable-public-fqdn"'
'"--enble-windows-gmsa"')
instance = client.get(resource_group_name, name)

if update_autoscaler and len(instance.agent_pool_profiles) > 1:
Expand Down Expand Up @@ -1701,6 +1730,24 @@ def aks_update(cmd, # pylint: disable=too-many-statements,too-many-branches,
if windows_admin_password:
instance.windows_profile.admin_password = windows_admin_password

if enable_windows_gmsa:
instance.windows_profile.gmsa_profile = WindowsGmsaProfile(enabled=True)
if gmsa_dns_server is not None and gmsa_root_domain_name is not None:
instance.windows_profile.gmsa_profile.dns_server = gmsa_dns_server
instance.windows_profile.gmsa_profile.root_domain_name = gmsa_root_domain_name
elif gmsa_dns_server is None and gmsa_root_domain_name is None:
msg = ('Please assure that you have set the DNS server in the vnet used by the cluster when not specifying --gmsa-dns-server and --gmsa-root-domain-name')
from knack.prompting import prompt_y_n
if not yes and not prompt_y_n(msg, default="n"):
return None
else:
raise ArgumentUsageError(
'You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time.')
else:
if gmsa_dns_server is not None or gmsa_root_domain_name is not None:
raise ArgumentUsageError(
'You only can set --gmsa-dns-server and --gmsa-root-domain-name when setting --enable-windows-gmsa.')

headers = get_aks_custom_headers(aks_custom_headers)

return _put_managed_cluster_ensuring_permission(cmd,
Expand Down
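Review bot: The error message assembled at L211–L213 loses its separator and misspells the new flag — `'"--disable-public-fqdn"'` is now immediately followed by `'"--enble-windows-gmsa"'`, so the user sees `"--disable-public-fqdn""--enble-windows-gmsa"`; change the two lines to `'"--disable-public-fqdn" or '` and `'"--enable-windows-gmsa"'`. In the aks_update hunk, `instance.windows_profile.gmsa_profile = WindowsGmsaProfile(enabled=True)` at L222 dereferences `instance.windows_profile` without a None check, so enabling gMSA on a cluster with no Windows profile surfaces as an AttributeError instead of a usage error; a guard such as `if instance.windows_profile is None: raise ArgumentUsageError('--enable-windows-gmsa requires a cluster with a Windows profile.')` before the assignment makes the failure explicit (the existing `admin_password` line above makes the same assumption, but new code need not copy it). On the create side the rendering loses indentation, but if the block at L163–180 sits inside the Windows-credentials branch, `--enable-windows-gmsa` without `--windows-admin-username` is silently ignored rather than rejected, which a user would read as gMSA being enabled — worth a check that raises. The validation-and-prompt block is duplicated verbatim between aks_create and aks_update, and aks_update reads `yes` at L229 although it does not appear in the visible part of its signature (presumably declared earlier, since the `aks update` argument context registers it); a private helper that returns a configured `WindowsGmsaProfile` or raises would keep both paths in step. Both aks_create and aks_update start and end outside the visible hunks.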