Skip to content

Commit

Permalink
Disable local accounts for aks aad clusters
Browse files Browse the repository at this point in the history
  • Loading branch information
LochanRn committed Sep 19, 2023
1 parent 3e9f610 commit ba887fb
Show file tree
Hide file tree
Showing 15 changed files with 939 additions and 50 deletions.
4 changes: 4 additions & 0 deletions api/v1beta1/azuremanagedcontrolplane_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -213,6 +213,10 @@ type AzureManagedControlPlaneSpec struct {
// OIDCIssuerProfile is the OIDC issuer profile of the Managed Cluster.
// +optional
OIDCIssuerProfile *OIDCIssuerProfile `json:"oidcIssuerProfile,omitempty"`

// DisableLocalAccounts - If set to true, getting static credential will be disabled for this cluster. Expected to only be used for AAD clusters.
// +optional
DisableLocalAccounts *bool `json:"disableLocalAccounts,omitempty"`
}

// HTTPProxyConfig is the HTTP proxy configuration for the cluster.
Expand Down
19 changes: 19 additions & 0 deletions api/v1beta1/azuremanagedcontrolplane_webhook.go
Original file line number Diff line number Diff line change
Expand Up @@ -240,6 +240,16 @@ func (mw *azureManagedControlPlaneWebhook) ValidateUpdate(ctx context.Context, o
}
}

if old.Spec.DisableLocalAccounts == nil &&
m.Spec.DisableLocalAccounts != nil &&
m.Spec.AADProfile == nil {
allErrs = append(allErrs,
field.Invalid(
field.NewPath("Spec", "DisableLocalAccounts"),
m.Spec.DisableLocalAccounts,
"DisableLocalAccounts can be set only for AAD enabled clusters"))
}

// Consider removing this once moves out of preview
// Updating outboundType after cluster creation (PREVIEW)
// https://learn.microsoft.com/en-us/azure/aks/egress-outboundtype#updating-outboundtype-after-cluster-creation-preview
Expand Down Expand Up @@ -290,6 +300,7 @@ func (m *AzureManagedControlPlane) Validate(cli client.Client) error {
m.validateAutoScalerProfile,
m.validateIdentity,
m.validateNetworkPluginMode,
m.validateDisableLocalAccounts,
}

var errs []error
Expand All @@ -302,6 +313,14 @@ func (m *AzureManagedControlPlane) Validate(cli client.Client) error {
return kerrors.NewAggregate(errs)
}

// validateVersion disabling local accounts for AAD based clusters.
func (m *AzureManagedControlPlane) validateDisableLocalAccounts(_ client.Client) error {
if m.Spec.DisableLocalAccounts != nil && m.Spec.AADProfile == nil {
return errors.New("DisableLocalAccounts should be set only for AAD enabled clusters")
}
return nil
}

// validateVersion validates the Kubernetes version.
func (m *AzureManagedControlPlane) validateVersion(_ client.Client) error {
if !kubeSemver.MatchString(m.Spec.Version) {
Expand Down
74 changes: 74 additions & 0 deletions api/v1beta1/azuremanagedcontrolplane_webhook_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -848,6 +848,30 @@ func TestAzureManagedControlPlane_ValidateCreate(t *testing.T) {
},
wantErr: false,
},
{
name: "DisableLocalAccounts cannot be set for non AAD clusters",
amcp: &AzureManagedControlPlane{
Spec: AzureManagedControlPlaneSpec{
Version: "v1.21.2",
DisableLocalAccounts: ptr.To[bool](true),
},
},
wantErr: true,
},
{
name: "DisableLocalAccounts can be set for AAD clusters",
amcp: &AzureManagedControlPlane{
Spec: AzureManagedControlPlaneSpec{
Version: "v1.21.2",
AADProfile: &AADProfile{
Managed: true,
AdminGroupObjectIDs: []string{"00000000-0000-0000-0000-000000000000"},
},
DisableLocalAccounts: ptr.To[bool](true),
},
},
wantErr: false,
},
}
client := mockClient{ReturnError: false}
for _, tc := range tests {
Expand Down Expand Up @@ -1609,6 +1633,56 @@ func TestAzureManagedControlPlane_ValidateUpdate(t *testing.T) {
},
wantErr: false,
},
{
name: "DisableLocalAccounts can be set only for AAD enabled clusters",
oldAMCP: &AzureManagedControlPlane{
ObjectMeta: metav1.ObjectMeta{
Name: "test-cluster",
},
Spec: AzureManagedControlPlaneSpec{
Version: "v1.18.0",
AADProfile: &AADProfile{
Managed: true,
AdminGroupObjectIDs: []string{"00000000-0000-0000-0000-000000000000"},
},
},
},
amcp: &AzureManagedControlPlane{
ObjectMeta: metav1.ObjectMeta{
Name: "test-cluster",
},
Spec: AzureManagedControlPlaneSpec{
Version: "v1.18.0",
DisableLocalAccounts: ptr.To[bool](true),
AADProfile: &AADProfile{
Managed: true,
AdminGroupObjectIDs: []string{"00000000-0000-0000-0000-000000000000"},
},
},
},
wantErr: false,
},
{
name: "DisableLocalAccounts cannot be set only for non AAD clusters",
oldAMCP: &AzureManagedControlPlane{
ObjectMeta: metav1.ObjectMeta{
Name: "test-cluster",
},
Spec: AzureManagedControlPlaneSpec{
Version: "v1.18.0",
},
},
amcp: &AzureManagedControlPlane{
ObjectMeta: metav1.ObjectMeta{
Name: "test-cluster",
},
Spec: AzureManagedControlPlaneSpec{
Version: "v1.18.0",
DisableLocalAccounts: ptr.To[bool](true),
},
},
wantErr: true,
},
}
client := mockClient{ReturnError: false}
for _, tc := range tests {
Expand Down
5 changes: 5 additions & 0 deletions api/v1beta1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

52 changes: 42 additions & 10 deletions azure/scope/managedcontrolplane.go
Original file line number Diff line number Diff line change
Expand Up @@ -116,10 +116,11 @@ func NewManagedControlPlaneScope(ctx context.Context, params ManagedControlPlane

// ManagedControlPlaneScope defines the basic context for an actuator to operate upon.
type ManagedControlPlaneScope struct {
Client client.Client
patchHelper *patch.Helper
kubeConfigData []byte
cache *ManagedControlPlaneCache
Client client.Client
patchHelper *patch.Helper
adminKubeConfigData []byte
userKubeConfigData []byte
cache *ManagedControlPlaneCache

AzureClients
Cluster *clusterv1.Cluster
Expand Down Expand Up @@ -462,6 +463,24 @@ func (s *ManagedControlPlaneScope) ManagedClusterAnnotations() map[string]string
return s.ControlPlane.Annotations
}

// IsLocalAcountsDisabled checks if local accounts are disabled for aad enabled managed clusters.
func (s *ManagedControlPlaneScope) IsLocalAcountsDisabled() bool {
if s.IsAADEnabled() &&
s.ControlPlane.Spec.DisableLocalAccounts != nil &&
*s.ControlPlane.Spec.DisableLocalAccounts {
return true
}
return false
}

// IsAADEnabled checks if azure active directory is enabled for managed clusters.
func (s *ManagedControlPlaneScope) IsAADEnabled() bool {
if s.ControlPlane.Spec.AADProfile != nil && s.ControlPlane.Spec.AADProfile.Managed {
return true
}
return false
}

// ManagedClusterSpec returns the managed cluster spec.
func (s *ManagedControlPlaneScope) ManagedClusterSpec() azure.ResourceSpecGetter {
managedClusterSpec := managedclusters.ManagedClusterSpec{
Expand Down Expand Up @@ -515,6 +534,9 @@ func (s *ManagedControlPlaneScope) ManagedClusterSpec() azure.ResourceSpecGetter
EnableAzureRBAC: s.ControlPlane.Spec.AADProfile.Managed,
AdminGroupObjectIDs: s.ControlPlane.Spec.AADProfile.AdminGroupObjectIDs,
}
if s.ControlPlane.Spec.DisableLocalAccounts != nil {
managedClusterSpec.DisableLocalAccounts = s.ControlPlane.Spec.DisableLocalAccounts
}
}

if s.ControlPlane.Spec.AddonProfiles != nil {
Expand Down Expand Up @@ -642,14 +664,24 @@ func (s *ManagedControlPlaneScope) MakeEmptyKubeConfigSecret() corev1.Secret {
}
}

// GetKubeConfigData returns a []byte that contains kubeconfig.
func (s *ManagedControlPlaneScope) GetKubeConfigData() []byte {
return s.kubeConfigData
// GetAdminKubeconfigData returns admin kubeconfig.
func (s *ManagedControlPlaneScope) GetAdminKubeconfigData() []byte {
return s.adminKubeConfigData
}

// SetAdminKubeconfigData sets adminKubeconfig data.
func (s *ManagedControlPlaneScope) SetAdminKubeconfigData(kubeConfigData []byte) {
s.adminKubeConfigData = kubeConfigData
}

// GetUserKubeconfigData returns user kubeconfig, required when using AAD with AKS cluster.
func (s *ManagedControlPlaneScope) GetUserKubeconfigData() []byte {
return s.userKubeConfigData
}

// SetKubeConfigData sets kubeconfig data.
func (s *ManagedControlPlaneScope) SetKubeConfigData(kubeConfigData []byte) {
s.kubeConfigData = kubeConfigData
// SetUserKubeconfigData sets userKubeconfig data.
func (s *ManagedControlPlaneScope) SetUserKubeconfigData(kubeConfigData []byte) {
s.userKubeConfigData = kubeConfigData
}

// SetKubeletIdentity sets the ID of the user-assigned identity for kubelet if not already set.
Expand Down
Loading

0 comments on commit ba887fb

Please sign in to comment.