[AKS] az aks create/update Add support for ACNS performance (#33018)

Author: santhoshmprabhu

src/azure-cli/azure/cli/command_modules/acs/_consts.py

@@ -144,6 +144,10 @@
 CONST_NETWORK_POD_IP_ALLOCATION_MODE_DYNAMIC_INDIVIDUAL = "DynamicIndividual"
 CONST_NETWORK_POD_IP_ALLOCATION_MODE_STATIC_BLOCK = "StaticBlock"
 
+# advanced container networking services (ACNS) datapath acceleration mode
+CONST_ACNS_DATAPATH_ACCELERATION_MODE_BPFVETH = "BpfVeth"
+CONST_ACNS_DATAPATH_ACCELERATION_MODE_NONE = "None"
+
 # consts for addons
 # http application routing
 CONST_HTTP_APPLICATION_ROUTING_ADDON_NAME = "httpApplicationRouting"

src/azure-cli/azure/cli/command_modules/acs/_help.py

@@ -591,6 +591,9 @@
   - name: --enable-container-network-logs
     type: bool
     short-summary: Enable container network log collection functionalities on a cluster. Automatically enables --enable-high-log-scale-mode.
+  - name: --acns-datapath-acceleration-mode
+    type: string
+    short-summary: Set the datapath acceleration mode for Azure Container Networking Solution (ACNS) Performance. Valid values are 'BpfVeth' and 'None'.
   - name: --acns-transit-encryption-type
     type: string
     short-summary: Set transit encryption type for ACNS security.
@@ -1102,6 +1105,9 @@
   - name: --disable-container-network-logs
     type: bool
     short-summary: Disable container network log collection functionalities on a cluster.
+  - name: --acns-datapath-acceleration-mode
+    type: string
+    short-summary: Set the datapath acceleration mode for Azure Container Networking Solution (ACNS) Performance. Valid values are 'BpfVeth' and 'None'.
   - name: --acns-transit-encryption-type
     type: string
     short-summary: Set transit encryption type for ACNS security.

src/azure-cli/azure/cli/command_modules/acs/_params.py

@@ -25,6 +25,7 @@
     CONST_NETWORK_PLUGIN_MODE_OVERLAY, CONST_NETWORK_PLUGIN_NONE,
     CONST_NETWORK_POD_IP_ALLOCATION_MODE_DYNAMIC_INDIVIDUAL,
     CONST_NETWORK_POD_IP_ALLOCATION_MODE_STATIC_BLOCK,
+    CONST_ACNS_DATAPATH_ACCELERATION_MODE_BPFVETH, CONST_ACNS_DATAPATH_ACCELERATION_MODE_NONE,
     CONST_NODE_IMAGE_UPGRADE_CHANNEL, CONST_NONE_UPGRADE_CHANNEL,
     CONST_NODE_OS_CHANNEL_NODE_IMAGE,
     CONST_NODE_OS_CHANNEL_NONE,
@@ -370,6 +371,12 @@
     CONST_WORKLOAD_RUNTIME_KATA_VM_ISOLATION,
 ]
 
+# consts for acns datapath acceleration mode
+acns_datapath_acceleration_modes = [
+    CONST_ACNS_DATAPATH_ACCELERATION_MODE_BPFVETH,
+    CONST_ACNS_DATAPATH_ACCELERATION_MODE_NONE
+]
+
 
 def load_arguments(self, _):
     acr_arg_type = CLIArgumentType(metavar='ACR_NAME_OR_RESOURCE_ID')
@@ -612,6 +619,11 @@ def load_arguments(self, _):
         c.argument('disable_acns_security', action='store_true')
         c.argument("acns_advanced_networkpolicies", arg_type=get_enum_type(advanced_networkpolicies))
         c.argument('enable_container_network_logs', action='store_true')
+        c.argument(
+            "acns_datapath_acceleration_mode",
+            arg_type=get_enum_type(acns_datapath_acceleration_modes),
+            help="Set the datapath acceleration mode for Azure Container Networking Solution (ACNS). Valid values are 'BpfVeth' and 'None'."
+        )
         c.argument('acns_transit_encryption_type', arg_type=get_enum_type(transit_encryption_types))
         c.argument("if_match")
         c.argument("if_none_match")
@@ -672,6 +684,11 @@ def load_arguments(self, _):
         c.argument("acns_advanced_networkpolicies", arg_type=get_enum_type(advanced_networkpolicies))
         c.argument('enable_container_network_logs', action='store_true')
         c.argument('disable_container_network_logs', action='store_true')
+        c.argument(
+            "acns_datapath_acceleration_mode",
+            arg_type=get_enum_type(acns_datapath_acceleration_modes),
+            help="Set the datapath acceleration mode for Azure Container Networking Solution (ACNS). Valid values are 'BpfVeth' and 'None'."
+        )
         c.argument('acns_transit_encryption_type', arg_type=get_enum_type(transit_encryption_types))
         # private cluster parameters
         c.argument('enable_apiserver_vnet_integration', action='store_true')

src/azure-cli/azure/cli/command_modules/acs/custom.py

@@ -935,6 +935,7 @@ def aks_create(
     disable_acns_security=None,
     acns_advanced_networkpolicies=None,
     enable_container_network_logs=None,
+    acns_datapath_acceleration_mode=None,
     acns_transit_encryption_type=None,
     # network isoalted cluster
     bootstrap_artifact_source=CONST_ARTIFACT_SOURCE_DIRECT,
@@ -1165,6 +1166,7 @@ def aks_update(
     acns_advanced_networkpolicies=None,
     enable_container_network_logs=None,
     disable_container_network_logs=None,
+    acns_datapath_acceleration_mode=None,
     acns_transit_encryption_type=None,
     # network isoalted cluster
     bootstrap_artifact_source=None,
@@ -1408,7 +1410,7 @@ def _update_upgrade_settings(cmd, instance,
                     f"{upgrade_override_until} is not a valid datatime format."
                 )
         elif force_upgrade:
-            default_extended_until = datetime.datetime.now(datetime.UTC) + datetime.timedelta(days=3)
+            default_extended_until = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=3)
             if existing_until is None or existing_until.timestamp() < default_extended_until.timestamp():
                 instance.upgrade_settings.override_settings.until = default_extended_until
     return instance

src/azure-cli/azure/cli/command_modules/acs/linter_exclusions.yml

@@ -76,6 +76,9 @@ aks create:
       acns_advanced_networkpolicies:
         rule_exclusions:
           - option_length_too_long
+      acns_datapath_acceleration_mode:
+        rule_exclusions:
+          - option_length_too_long
       acns_transit_encryption_type:
         rule_exclusions:
         - option_length_too_long
@@ -194,6 +197,9 @@ aks update:
       acns_advanced_networkpolicies:
         rule_exclusions:
           - option_length_too_long
+      acns_datapath_acceleration_mode:
+        rule_exclusions:
+          - option_length_too_long
       acns_transit_encryption_type:
         rule_exclusions:
         - option_length_too_long

src/azure-cli/azure/cli/command_modules/acs/managed_cluster_decorator.py

@@ -48,6 +48,8 @@
     CONST_NONE_UPGRADE_CHANNEL,
     CONST_AVAILABILITY_SET,
     CONST_VIRTUAL_MACHINES,
+    CONST_ACNS_DATAPATH_ACCELERATION_MODE_BPFVETH,
+    CONST_ACNS_DATAPATH_ACCELERATION_MODE_NONE
 )
 from azure.cli.command_modules.acs.azurecontainerstorage._consts import (
     CONST_ACSTOR_EXT_INSTALLATION_NAME,
@@ -2531,19 +2533,20 @@ def get_network_dataplane(self) -> Union[str, None]:
         """
         return self.raw_param.get("network_dataplane")
 
-    def get_acns_enablement(self) -> Tuple[
+    def get_acns_enablement_with_perf(self) -> Tuple[
         Union[bool, None],
         Union[bool, None],
         Union[bool, None],
+        Union[bool, None]
     ]:
         """Get the enablement of acns
 
-        :return: Tuple of 3 elements which can be bool or None
+        :return: Tuple of 4 elements which can be bool or None
         """
         enable_acns = self.raw_param.get("enable_acns")
         disable_acns = self.raw_param.get("disable_acns")
         if enable_acns is None and disable_acns is None:
-            return None, None, None
+            return None, None, None, None
         if enable_acns and disable_acns:
             raise MutuallyExclusiveArgumentError(
                 "Cannot specify --enable-acns and "
@@ -2553,17 +2556,22 @@ def get_acns_enablement(self) -> Tuple[
         disable_acns = bool(disable_acns) if disable_acns is not None else False
         acns = enable_acns or not disable_acns
         acns_observability = self.get_acns_observability()
+        acns_datapath_acceleration_mode = self.get_acns_datapath_acceleration_mode()
+        acns_perf_enabled = None
+        if acns_datapath_acceleration_mode is not None:
+            acns_perf_enabled = acns_datapath_acceleration_mode == CONST_ACNS_DATAPATH_ACCELERATION_MODE_BPFVETH
         acns_security = self.get_acns_security()
-        if acns and (acns_observability is False and acns_security is False):
+        if acns and (acns_observability is False and acns_security is False and acns_perf_enabled is not True):
             raise MutuallyExclusiveArgumentError(
-                "Cannot disable both observability and security when enabling ACNS. "
+                "Cannot disable observability, security, and performance acceleration when enabling ACNS. "
                 "Please enable at least one of them or disable ACNS with --disable-acns."
             )
-        if not acns and (acns_observability is not None or acns_security is not None):
+        if not acns and (acns_observability is not None or acns_security is not None or
+                         acns_datapath_acceleration_mode is not None):
             raise MutuallyExclusiveArgumentError(
                 "--disable-acns does not use any additional acns arguments."
             )
-        return acns, acns_observability, acns_security
+        return acns, acns_observability, acns_security, acns_perf_enabled
 
     def get_acns_observability(self) -> Union[bool, None]:
         """Get the enablement of acns observability
@@ -2579,6 +2587,28 @@ def get_acns_security(self) -> Union[bool, None]:
         disable_acns_security = self.raw_param.get("disable_acns_security")
         return not bool(disable_acns_security) if disable_acns_security is not None else None
 
+    def get_acns_datapath_acceleration_mode(self) -> Union[str, None]:
+        """Get the value of acns_datapath_acceleration_mode
+
+        :return: str or None
+        """
+        disable_acns = self.raw_param.get("disable_acns")
+        enable_acns = self.raw_param.get("enable_acns")
+        acns_datapath_acceleration_mode = self.raw_param.get("acns_datapath_acceleration_mode")
+        if acns_datapath_acceleration_mode is not None and \
+                acns_datapath_acceleration_mode != CONST_ACNS_DATAPATH_ACCELERATION_MODE_NONE:
+            if disable_acns:
+                raise MutuallyExclusiveArgumentError(
+                    "--disable-acns cannot be used with --acns-performance-acceleration-mode."
+                )
+            # Require explicit ACNS enablement when specifying a datapath acceleration mode on create
+            if self.decorator_mode == DecoratorMode.CREATE and not enable_acns:
+                raise ArgumentUsageError(
+                    "--acns-datapath-acceleration-mode can only be used when ACNS is enabled. "
+                    "Please specify --enable-acns."
+                )
+        return acns_datapath_acceleration_mode
+
     def get_acns_advanced_networkpolicies(self) -> Union[str, None]:
         """Get the value of acns_advanced_networkpolicies
         :return: str or None
@@ -2842,7 +2872,8 @@ def get_addon_consts(self) -> Dict[str, str]:
             CONST_MONITORING_USING_AAD_MSI_AUTH,
             CONST_OPEN_SERVICE_MESH_ADDON_NAME, CONST_ROTATION_POLL_INTERVAL,
             CONST_SECRET_ROTATION_ENABLED, CONST_VIRTUAL_NODE_ADDON_NAME,
-            CONST_VIRTUAL_NODE_SUBNET_NAME)
+            CONST_VIRTUAL_NODE_SUBNET_NAME
+        )
 
         addon_consts = {}
         addon_consts["ADDONS"] = ADDONS
@@ -6380,8 +6411,8 @@ def set_up_network_profile(self, mc: ManagedCluster) -> ManagedCluster:
 
         network_dataplane = self.context.get_network_dataplane()
 
-        (acns_enabled, acns_observability, acns_security) = self.context.get_acns_enablement()
         acns_advanced_networkpolicies = self.context.get_acns_advanced_networkpolicies()
+        (acns_enabled, acns_observability, acns_security, acns_perf_enabled) = self.context.get_acns_enablement_with_perf()
         acns_transit_encryption = self.context.get_acns_transit_encryption_type()
         if acns_enabled is not None:
             acns = self.models.AdvancedNetworking(
@@ -6402,6 +6433,10 @@ def set_up_network_profile(self, mc: ManagedCluster) -> ManagedCluster:
                     )
                 else:
                     acns.security.advanced_network_policies = acns_advanced_networkpolicies
+            if acns_perf_enabled is not None:
+                if acns.performance is None:
+                    acns.performance = self.models.AdvancedNetworkingPerformance()
+                acns.performance.acceleration_mode = self.context.get_acns_datapath_acceleration_mode()
             if acns_transit_encryption is not None:
                 if acns.security is None:
                     acns.security = self.models.AdvancedNetworkingSecurity()
@@ -8312,8 +8347,8 @@ def update_network_profile_advanced_networking(self, mc: ManagedCluster) -> Mana
         :return: the ManagedCluster object
         """
         self._ensure_mc(mc)
-        (acns_enabled, acns_observability, acns_security) = self.context.get_acns_enablement()
         acns_advanced_networkpolicies = self.context.get_acns_advanced_networkpolicies()
+        (acns_enabled, acns_observability, acns_security, acns_perf_enabled) = self.context.get_acns_enablement_with_perf()
         acns_transit_encryption = self.context.get_acns_transit_encryption_type()
         if acns_enabled is not None:
             acns = self.models.AdvancedNetworking(
@@ -8334,6 +8369,18 @@ def update_network_profile_advanced_networking(self, mc: ManagedCluster) -> Mana
                     )
                 else:
                     acns.security.advanced_network_policies = acns_advanced_networkpolicies
+            if acns_perf_enabled is not None:
+                acns.performance = self.models.AdvancedNetworkingPerformance(
+                    acceleration_mode=self.context.get_acns_datapath_acceleration_mode(),
+                )
+            elif not acns_enabled:
+                acns.performance = self.models.AdvancedNetworkingPerformance(
+                    acceleration_mode=CONST_ACNS_DATAPATH_ACCELERATION_MODE_NONE,
+                )
+            elif mc.network_profile.advanced_networking is not None:
+                acns.performance = mc.network_profile.advanced_networking.performance
+
+        if acns_enabled is not None:
             if acns_transit_encryption is not None:
                 if acns.security is None:
                     acns.security = self.models.AdvancedNetworkingSecurity()