4 changes: 4 additions & 0 deletions src/aks-preview/HISTORY.rst
Expand Up @@ -11,7 +11,11 @@ To release a new version, please select a new version number (usually plus 1 to

Pending
+++++++

19.0.0b5
+++++++
* `az aks get-credentials`: Convert device code mode kubeconfig to Azure CLI token format to bypass conditional access login blocks.
* Add `enable-istio-cni` and `disable-istio-cni` commands under `az aks mesh`.

19.0.0b4
+++++++
2 changes: 2 additions & 0 deletions src/aks-preview/azext_aks_preview/_consts.py
Expand Up @@ -334,6 +334,8 @@
CONST_AZURE_SERVICE_MESH_UPGRADE_COMMAND_ROLLBACK = "Rollback"
CONST_AZURE_SERVICE_MESH_DEFAULT_EGRESS_NAMESPACE = "aks-istio-egress"
CONST_AZURE_SERVICE_MESH_MAX_EGRESS_NAME_LENGTH = 253
CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_INIT_CONTAINERS = "InitContainers"
CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_CNI_CHAINING = "CNIChaining"

# Node Provisioning Mode Consts
CONST_NODE_PROVISIONING_MODE_MANUAL = "Manual"
24 changes: 24 additions & 0 deletions src/aks-preview/azext_aks_preview/_help.py
Expand Up @@ -3554,6 +3554,30 @@
text: az aks mesh upgrade rollback --resource-group MyResourceGroup --name MyManagedCluster
"""

helps['aks mesh enable-istio-cni'] = """
type: command
short-summary: Enable Istio CNI chaining for Azure Service Mesh proxy redirection mechanism.
long-summary: >
This command enables Istio CNI chaining as the proxy redirection mechanism
for Azure Service Mesh. CNI chaining provides better security and performance
compared to init containers by using CNI plugins to set up traffic redirection.
examples:
- name: Enable Istio CNI chaining for Azure Service Mesh.
text: az aks mesh enable-istio-cni --resource-group MyResourceGroup --name MyManagedCluster
"""

helps['aks mesh disable-istio-cni'] = """
type: command
short-summary: Disable Istio CNI chaining for Azure Service Mesh proxy redirection mechanism.
long-summary: >
This command disables Istio CNI chaining and reverts to using init
containers as the proxy redirection mechanism for Azure Service Mesh. This
is the traditional method using privileged init containers to set up
iptables rules.
examples:
- name: Disable Istio CNI chaining for Azure Service Mesh.
text: az aks mesh disable-istio-cni --resource-group MyResourceGroup --name MyManagedCluster
"""

helps['aks approuting'] = """
type: group
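Review bot: The long-summary of `aks mesh enable-istio-cni` (and of `disable-istio-cni`) does not say that the command only works on a cluster where Azure Service Mesh is already enabled; the decorator in managed_cluster_decorator.py raises ArgumentUsageError pointing at the aka.ms docs otherwise, so a user reading the help cannot predict that failure. Add a sentence such as `Azure Service Mesh must already be enabled on the cluster (see az aks mesh enable); otherwise the command fails.` to both long-summaries. The same omission applies to the one-line docstrings of `aks_mesh_enable_istio_cni` and `aks_mesh_disable_istio_cni` in custom.py. The `better security and performance` claim for CNI chaining is unqualified; if it stays, it would help to say what concretely changes, e.g. that the init-container path needs a privileged init container in every pod to program iptables, as the disable help already states.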
10 changes: 10 additions & 0 deletions src/aks-preview/azext_aks_preview/commands.py
Expand Up @@ -441,6 +441,16 @@ def load_command_table(self, _):
"aks_mesh_get_upgrades",
table_transformer=aks_mesh_upgrades_table_format,
)
g.custom_command(
"enable-istio-cni",
"aks_mesh_enable_istio_cni",
supports_no_wait=True,
)
g.custom_command(
"disable-istio-cni",
"aks_mesh_disable_istio_cni",
supports_no_wait=True,
)

# AKS mesh upgrade commands
with self.command_group(
34 changes: 34 additions & 0 deletions src/aks-preview/azext_aks_preview/custom.py
Expand Up @@ -3972,6 +3972,38 @@ def aks_mesh_upgrade_rollback(
mesh_upgrade_command=CONST_AZURE_SERVICE_MESH_UPGRADE_COMMAND_ROLLBACK)


def aks_mesh_enable_istio_cni(
needs no_wait parameter
command declares supports_no_wait=True but functions don't accept the parameter.

None of the other aks mesh commands uses supports_no_wait

def aks_mesh_enable(
cmd,
client,
resource_group_name,
name,
revision=None,
key_vault_id=None,
ca_cert_object_name=None,
ca_key_object_name=None,
root_cert_object_name=None,
cert_chain_object_name=None,
):

All the other commands declare supports_no_wait

g.custom_command("enable", "aks_mesh_enable", supports_no_wait=True)

This is surprising: even though the command declares supports_no_wait, the function is called without the parameter, so it is being defaulted to False. Maybe that's the default behavior.
@FumingZhang might know better here but I am okay with the change as long as its consistent with other az aks mesh commands.

Seems there is a gap between the declaration and implementation. It's fine to leave it as is for this PR, but it would be better to address the issue in a future PR. Supporting the --no-wait option is straightforward; you just need to wrap the SDK call using the sdk_no_wait(no_wait, <sdk-call>, <params>) function provided by azure-cli.

cmd,
client,
resource_group_name,
name,
):
"""Enable Istio CNI chaining for the Azure Service Mesh proxy redirection mechanism."""
return _aks_mesh_update(
cmd,
client,
resource_group_name,
name,
enable_istio_cni=True,
)


def aks_mesh_disable_istio_cni(
cmd,
client,
resource_group_name,
name,
):
"""Disable Istio CNI chaining for the Azure Service Mesh proxy redirection mechanism."""
return _aks_mesh_update(
cmd,
client,
resource_group_name,
name,
disable_istio_cni=True,
)


def _aks_mesh_get_supported_revisions(
cmd,
client,
Expand Down Expand Up @@ -4006,6 +4038,8 @@ def _aks_mesh_update(
revision=None,
yes=False,
mesh_upgrade_command=None,
enable_istio_cni=None,
disable_istio_cni=None,
):
raw_parameters = locals()

44 changes: 44 additions & 0 deletions src/aks-preview/azext_aks_preview/managed_cluster_decorator.py
Expand Up @@ -19,6 +19,8 @@
CONST_AZURE_SERVICE_MESH_UPGRADE_COMMAND_ROLLBACK,
CONST_AZURE_SERVICE_MESH_UPGRADE_COMMAND_START,
CONST_AZURE_SERVICE_MESH_DEFAULT_EGRESS_NAMESPACE,
CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_CNI_CHAINING,
CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_INIT_CONTAINERS,
CONST_LOAD_BALANCER_SKU_BASIC,
CONST_MANAGED_CLUSTER_SKU_NAME_BASE,
CONST_MANAGED_CLUSTER_SKU_NAME_AUTOMATIC,
Expand Down Expand Up @@ -3233,6 +3235,45 @@ def _handle_enable_disable_asm(self, new_profile: ServiceMeshProfile) -> Tuple[S

return new_profile, updated

def _handle_istio_cni_asm(self, new_profile: ServiceMeshProfile) -> Tuple[ServiceMeshProfile, bool]:
"""Handle enable/disable Istio CNI proxy redirection mechanism."""
updated = False
enable_istio_cni = self.raw_param.get("enable_istio_cni", False)
disable_istio_cni = self.raw_param.get("disable_istio_cni", False)

if enable_istio_cni and disable_istio_cni:
raise MutuallyExclusiveArgumentError(
"Cannot specify --enable-istio-cni and "
"--disable-istio-cni at the same time."
)

# Check if service mesh is enabled before allowing CNI changes
if enable_istio_cni or disable_istio_cni:
if new_profile is None or new_profile.mode == CONST_AZURE_SERVICE_MESH_MODE_DISABLED:
raise ArgumentUsageError(
"Istio has not been enabled for this cluster, please refer to https://aka.ms/asm-aks-addon-docs "
"for more details on enabling Azure Service Mesh."
)

# Ensure istio profile exists
if new_profile.istio is None:
new_profile.istio = self.models.IstioServiceMesh() # pylint: disable=no-member

# Ensure components exist
if new_profile.istio.components is None:
new_profile.istio.components = self.models.IstioComponents() # pylint: disable=no-member

if enable_istio_cni:
seems like enable = cni, disable = init containers. Makes me wonder: could there be more modes? Do we want --istio-cni-mode=<EXPLICIT ENUM> instead?

I don't foresee more modes for proxy redirection mechanism. If we go down the --istio-cni-mode, I suppose we should add it under az aks mesh enable? Feels like a weird UX.

The reason I say it feels like weird UX is that the user can opt out or opt in arbitrarily, and re-using az aks mesh for that seems awkward.

Okay, fair enough.

new_profile.istio.components.proxy_redirection_mechanism = \
CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_CNI_CHAINING
updated = True
elif disable_istio_cni:
new_profile.istio.components.proxy_redirection_mechanism = \
CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_INIT_CONTAINERS
updated = True

return new_profile, updated

# pylint: disable=too-many-branches,too-many-locals,too-many-statements
def update_azure_service_mesh_profile(self) -> ServiceMeshProfile:
""" Update azure service mesh profile.
Expand Down Expand Up @@ -3267,6 +3308,9 @@ def update_azure_service_mesh_profile(self) -> ServiceMeshProfile:
new_profile, updated_upgrade_asm = self._handle_upgrade_asm(new_profile)
updated |= updated_upgrade_asm

new_profile, updated_istio_cni = self._handle_istio_cni_asm(new_profile)
updated |= updated_istio_cni

if updated:
return new_profile
return self.mc.service_mesh_profile
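Review bot: `_handle_istio_cni_asm` sets `updated = True` whenever one of the flags is given, even when `proxy_redirection_mechanism` already holds the requested value, so re-running `az aks mesh enable-istio-cni` on a cluster that is already on CNI chaining still reports the profile as changed and `update_azure_service_mesh_profile` (hunk at +3308) returns the rewritten profile instead of `self.mc.service_mesh_profile`, which presumably results in an update request to the cluster. Compare the current mechanism with the target and mark the profile dirty only on a real change; this also collapses the duplicated enable/disable branches into one assignment. Whether an `updated=False` result actually suppresses the request cannot be seen from this hunk. The method is complete within the hunk.
```python
        # … unchanged: mutual-exclusion check, mesh-enabled check, istio/components defaults …
        if enable_istio_cni or disable_istio_cni:
            target = (
                CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_CNI_CHAINING
                if enable_istio_cni
                else CONST_AZURE_SERVICE_MESH_PROXY_REDIRECTION_INIT_CONTAINERS
            )
            # Only mark the profile dirty when the mechanism actually changes,
            # so repeating the command is a no-op rather than a rewrite.
            if new_profile.istio.components.proxy_redirection_mechanism != target:
                new_profile.istio.components.proxy_redirection_mechanism = target
                updated = True

        return new_profile, updated
```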