Azure · yanzhudd · Nov 7, 2025 · Nov 6, 2025
@@ -12,9 +12,12 @@ To release a new version, please select a new version number (usually plus 1 to
 Pending
 +++++++
 
-19.0.0b12
+19.0.0b13
 +++++++
+* `az aks update`: Set CMK property "enabled" to false and reserve other CMK properties for a PMK-enabled and CMK-disabled cluster.
 
+19.0.0b12
++++++++
 * `az aks create --workload-runtime KataVmIsolation`: Added the KataVmIsolation workload runtime value.
 
 19.0.0b11

@@ -6026,7 +6026,6 @@ def update_kms_pmk_cmk(self, mc: ManagedCluster) -> ManagedCluster:
         if self.context.get_disable_azure_keyvault_kms() or cmk_disabled_on_existing_cluster:
             if mc.security_profile is None:
                 mc.security_profile = self.models.ManagedClusterSecurityProfile()
-            mc.security_profile.azure_key_vault_kms = self.models.AzureKeyVaultKms()
             # set enabled to False
             mc.security_profile.azure_key_vault_kms.enabled = False
 

@@ -8726,6 +8726,7 @@ def test_update_kms_pmk_cmk(self):
         ground_truth_azure_key_vault_kms_7 = self.models.AzureKeyVaultKms(
             enabled=True,
             key_id="https://test-keyvault.vault.azure.net/keys/test-key",
+            key_vault_network_access="Public",
             key_vault_resource_id="/subscriptions/test-sub/resourceGroups/test-rg/providers/Microsoft.KeyVault/vaults/test-keyvault",
         )
         ground_truth_kube_resource_encryption_profile_7 = self.models.KubernetesResourceObjectEncryptionProfile(
@@ -8788,8 +8789,11 @@ def test_update_kms_pmk_cmk(self):
         dec_mc_9 = dec_9.update_kms_pmk_cmk(mc_9)
 
         # should disable existing Azure Key Vault KMS
-        ground_truth_azure_key_vault_kms_9 = self.models.AzureKeyVaultKms()
-        ground_truth_azure_key_vault_kms_9.enabled = False
+        ground_truth_azure_key_vault_kms_9 = self.models.AzureKeyVaultKms(
+            enabled=False,
+            key_id="https://test-keyvault.vault.azure.net/keys/test-key",
+            key_vault_resource_id="/subscriptions/test-sub/resourceGroups/test-rg/providers/Microsoft.KeyVault/vaults/test-keyvault",
+        )
         ground_truth_kube_resource_encryption_profile_9 = self.models.KubernetesResourceObjectEncryptionProfile(
             infrastructure_encryption="Enabled"
         )
@@ -8827,6 +8831,7 @@ def test_update_kms_pmk_cmk(self):
         ground_truth_azure_key_vault_kms_10 = self.models.AzureKeyVaultKms(
             enabled=True,
             key_id="https://test-keyvault.vault.azure.net/keys/test-key",
+            key_vault_network_access="Public",
             key_vault_resource_id="/subscriptions/test-sub/resourceGroups/test-rg/providers/Microsoft.KeyVault/vaults/test-keyvault",
         )
         ground_truth_security_profile_10 = self.models.ManagedClusterSecurityProfile(
@@ -8839,7 +8844,7 @@ def test_update_kms_pmk_cmk(self):
         )
         self.assertEqual(dec_mc_10, ground_truth_mc_10)
 
-        # test enabling PMK on cluster with disabled CMK - should clear CMK properties
+        # test enabling PMK on cluster with disabled CMK
         dec_11 = AKSPreviewManagedClusterUpdateDecorator(
             self.cmd,
             self.client,
@@ -8853,6 +8858,7 @@ def test_update_kms_pmk_cmk(self):
             azure_key_vault_kms=self.models.AzureKeyVaultKms(
                 enabled=False,
                 key_id="https://test-keyvault.vault.azure.net/keys/test-key",
+                key_vault_network_access="Private",
                 key_vault_resource_id="/subscriptions/test-sub/resourceGroups/test-rg/providers/Microsoft.KeyVault/vaults/test-keyvault",
             )
         )
@@ -8864,8 +8870,12 @@ def test_update_kms_pmk_cmk(self):
         dec_mc_11 = dec_11.update_kms_pmk_cmk(mc_11)
 
         # should clear CMK properties and enable PMK
-        ground_truth_azure_key_vault_kms_11 = self.models.AzureKeyVaultKms()
-        ground_truth_azure_key_vault_kms_11.enabled = False
+        ground_truth_azure_key_vault_kms_11 = self.models.AzureKeyVaultKms(
+            enabled=False,
+            key_id="https://test-keyvault.vault.azure.net/keys/test-key",
+            key_vault_network_access="Private",
+            key_vault_resource_id="/subscriptions/test-sub/resourceGroups/test-rg/providers/Microsoft.KeyVault/vaults/test-keyvault",
+        )
         ground_truth_kube_resource_encryption_profile_11 = self.models.KubernetesResourceObjectEncryptionProfile(
             infrastructure_encryption="Enabled"
         )

@@ -9,7 +9,7 @@
 
 from setuptools import find_packages, setup
 
-VERSION = "19.0.0b12"
+VERSION = "19.0.0b13"
 
 CLASSIFIERS = [
     "Development Status :: 4 - Beta",
-Original file line number
+Diff line change
@@ Expand Up @@
     Pending
     +++++++
-.0.0b12
+.0.0b13
     +++++++
+    * `az aks update`: Set CMK property "enabled" to false and reserve other CMK properties for a PMK-enabled and CMK-disabled cluster.
+.0.0b12
+    +++++++
     * `az aks create --workload-runtime KataVmIsolation`: Added the KataVmIsolation workload runtime value.
 .0.0b11
@@ Expand Down @@