diff --git a/src/azure-cli/azure/cli/command_modules/acs/_help.py b/src/azure-cli/azure/cli/command_modules/acs/_help.py
index 8ab18740353..f0e162f1de9 100644
--- a/src/azure-cli/azure/cli/command_modules/acs/_help.py
+++ b/src/azure-cli/azure/cli/command_modules/acs/_help.py
@@ -325,6 +325,9 @@
 - name: --attach-acr
 type: string
 short-summary: Grant the 'acrpull' role assignment to the ACR specified by name or resource ID.
+ - name: --enable-private-cluster
+ type: string
+ short-summary: Enable private cluster.
 - name: --api-server-authorized-ip-ranges
 type: string
 short-summary: Comma seperated list of authorized apiserver IP ranges. Set to 0.0.0.0/32 to restrict apiserver traffic to node pools.
diff --git a/src/azure-cli/azure/cli/command_modules/acs/_helpers.py b/src/azure-cli/azure/cli/command_modules/acs/_helpers.py
index 7a9d61558d0..b460d6ec0b3 100644
--- a/src/azure-cli/azure/cli/command_modules/acs/_helpers.py
+++ b/src/azure-cli/azure/cli/command_modules/acs/_helpers.py
@@ -8,13 +8,16 @@
 from azure.mgmt.containerservice.v2019_11_01.models import ManagedClusterAPIServerAccessProfile
-def _populate_api_server_access_profile(api_server_authorized_ip_ranges, instance=None):
+def _populate_api_server_access_profile(api_server_authorized_ip_ranges, enable_private_cluster, instance=None):
 if instance is None or instance.api_server_access_profile is None:
 profile = ManagedClusterAPIServerAccessProfile()
 else:
 profile = instance.api_server_access_profile
- if api_server_authorized_ip_ranges == "":
+ if enable_private_cluster:
+ profile.enable_private_cluster = True
+
+ if api_server_authorized_ip_ranges is None or api_server_authorized_ip_ranges == "":
 authorized_ip_ranges = []
 else:
 authorized_ip_ranges = [ip.strip() for ip in api_server_authorized_ip_ranges.split(",")]
diff --git a/src/azure-cli/azure/cli/command_modules/acs/_params.py b/src/azure-cli/azure/cli/command_modules/acs/_params.py
index 8e3b451cf5a..8d115b755a9 100644
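Review bot: `enable_private_cluster` is added to `_populate_api_server_access_profile` as a required positional parameter, so any caller this diff does not touch (the `aks update` context visible in `_params.py` also registers `api_server_authorized_ip_ranges` and presumably reaches this helper) now fails with a TypeError; give it a default, `def _populate_api_server_access_profile(api_server_authorized_ip_ranges, enable_private_cluster=False, instance=None):`. Separately, the new `is None` branch means that when `profile` is reused from `instance`, passing `None` replaces an existing `authorized_ip_ranges` with `[]`, which silently opens the API server to every source address — if `None` is meant as "leave unchanged" on the update path, keep the existing list in that case, otherwise spell out in a docstring that `None` clears the allow-list. The helper also accepts `enable_private_cluster=True` together with a non-empty range list without comment; if the service rejects that combination the user only finds out after the ARM call, so a client-side check here would fail faster. The end of the function, where `profile.authorized_ip_ranges` is presumably assigned and the profile returned, is outside the hunk.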
--- a/src/azure-cli/azure/cli/command_modules/acs/_params.py
+++ b/src/azure-cli/azure/cli/command_modules/acs/_params.py
@@ -198,6 +198,7 @@ def load_arguments(self, _):
 c.argument('skip_subnet_role_assignment', action='store_true')
 c.argument('api_server_authorized_ip_ranges', type=str, validator=validate_ip_ranges)
 c.argument('attach_acr', acr_arg_type)
+ c.argument('enable_private_cluster', action='store_true')
 c.argument('nodepool_tags', nargs='*', validator=validate_nodepool_tags, help='space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.')
 with self.argument_context('aks update') as c:
diff --git a/src/azure-cli/azure/cli/command_modules/acs/custom.py b/src/azure-cli/azure/cli/command_modules/acs/custom.py
index 666157f2ef4..b0c5dd06f26 100644
--- a/src/azure-cli/azure/cli/command_modules/acs/custom.py
+++ b/src/azure-cli/azure/cli/command_modules/acs/custom.py
@@ -1680,6 +1680,7 @@ def aks_create(cmd, client, resource_group_name, name, ssh_key_value, # pylint:
 zones=None,
 generate_ssh_keys=False, # pylint: disable=unused-argument
 api_server_authorized_ip_ranges=None,
+ enable_private_cluster=False,
 attach_acr=None,
 no_wait=False):
 _validate_ssh_key(no_ssh_key, ssh_key_value)
@@ -1802,8 +1803,13 @@ def aks_create(cmd, client, resource_group_name, name, ssh_key_value, # pylint:
 )
 api_server_access_profile = None
- if api_server_authorized_ip_ranges:
- api_server_access_profile = _populate_api_server_access_profile(api_server_authorized_ip_ranges)
+ if enable_private_cluster and load_balancer_sku.lower() != "standard":
+ raise CLIError("Please use standard load balancer for private cluster")
+ if api_server_authorized_ip_ranges or enable_private_cluster:
+ api_server_access_profile = _populate_api_server_access_profile(
+ api_server_authorized_ip_ranges,
+ enable_private_cluster
+ )
 # Check that both --disable-rbac and --enable-rbac weren't provided
 if all([disable_rbac, enable_rbac]):
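Review bot: `enable_private_cluster` is registered here as `action='store_true'`, but the `_help.py` entry added in the same commit declares it `type: string`, so the generated help describes a boolean switch as if it took a value; change that entry to `type: bool`. While there, the one-line summary `Enable private cluster.` says nothing about the constraint that `aks_create` enforces on it, so a user only learns about it from the CLIError — something like `Enable private cluster. Requires --load-balancer-sku standard.` makes it discoverable from `--help`. No `help=` is given on the argument itself, unlike `nodepool_tags` on the next line, which is fine as long as the YAML entry is the single source of help text. `load_arguments` continues outside the hunk.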
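Review bot: The new guard `if enable_private_cluster and load_balancer_sku.lower() != "standard":` calls `.lower()` on `load_balancer_sku` with no `None` check; `aks_create` begins outside the hunk, so whether the SKU has already been normalised by this point cannot be confirmed from here, and if it can still be `None` the user gets an AttributeError instead of the intended CLIError — `if enable_private_cluster and (load_balancer_sku or "").lower() != "standard":` is the safe form. The check also sits some 120 lines into `aks_create`, after whatever the function has already done above it, and nothing done before the `raise` is rolled back; a pure argument-compatibility check belongs at the top, next to `_validate_ssh_key(no_ssh_key, ssh_key_value)`. Finally, the second condition lets both `--enable-private-cluster` and `--api-server-authorized-ip-ranges` reach the helper; if the service treats the two as mutually exclusive, the failure surfaces only server-side and a CLIError here would be clearer.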
diff --git a/src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_helpers.py b/src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_helpers.py
index 605421e559e..3bbd97afd77 100644
--- a/src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_helpers.py
+++ b/src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_helpers.py
@@ -10,14 +10,19 @@ class TestPopulateApiServerAccessProfile(unittest.TestCase):
 def test_single_cidr_with_spaces(self):
 api_server_authorized_ip_ranges = "0.0.0.0/32 "
- profile = helpers._populate_api_server_access_profile(api_server_authorized_ip_ranges)
+ profile = helpers._populate_api_server_access_profile(api_server_authorized_ip_ranges, False)
 self.assertListEqual(profile.authorized_ip_ranges, ["0.0.0.0/32"])
 def test_multi_cidr_with_spaces(self):
 api_server_authorized_ip_ranges = " 0.0.0.0/32 , 129.1.1.1/32"
- profile = helpers._populate_api_server_access_profile(api_server_authorized_ip_ranges)
+ profile = helpers._populate_api_server_access_profile(api_server_authorized_ip_ranges, False)
 self.assertListEqual(profile.authorized_ip_ranges, ["0.0.0.0/32", "129.1.1.1/32"])
+ def test_private_cluster(self):
+ profile = helpers._populate_api_server_access_profile(None, True)
+ self.assertListEqual(profile.authorized_ip_ranges, [])
+ self.assertEqual(profile.enable_private_cluster, True)
+
 class TestSetVmSetType(unittest.TestCase):
 def test_archaic_k8_version(self):
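Review bot: `test_private_cluster` exercises only the fresh-profile path; there is no test for the `instance=` branch, where an existing `api_server_access_profile` is reused and the helper's new `is None` branch replaces its `authorized_ip_ranges` with `[]` — that is exactly the case where a regression silently widens API-server access, so it is the one worth pinning. Add a case that passes an object with a populated `api_server_access_profile` via `instance=` and asserts what `None` does to its ranges, plus one asserting that `False` leaves `profile.enable_private_cluster` unset on a fresh profile. The bare `False` on the two updated calls would read better as `enable_private_cluster=False`, which the current signature already accepts by keyword.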