[AKS] az aks create/update: Add --enable-container-network-logs parameter (#32700)

Author: carlotaarvela

src/azure-cli/azure/cli/command_modules/acs/_help.py

@@ -329,7 +329,7 @@
     short-summary: Resource ID of Azure Monitor Private Link scope for Monitoring Addon.
   - name: --enable-high-log-scale-mode
     type: bool
-    short-summary: Enable High Log Scale Mode for Container Logs.
+    short-summary: Enable High Log Scale Mode for Container Logs. Auto-enabled when --enable-container-network-logs is specified.
   - name: --sku
     type: string
     short-summary: Specify SKU name for managed clusters. Use '--sku base' enables a base managed cluster. Use '--sku automatic' enables an automatic managed cluster.
@@ -588,6 +588,9 @@
   - name: --acns-advanced-networkpolicies
     type: string
     short-summary: Enable advanced network policies (None, FQDN or L7) on a cluster when enabling advanced networking features with "--enable-acns".
+  - name: --enable-container-network-logs
+    type: bool
+    short-summary: Enable container network log collection functionalities on a cluster. Automatically enables --enable-high-log-scale-mode.
   - name: --nrg-lockdown-restriction-level
     type: string
     short-summary: Restriction level on the managed node resource group.
@@ -1089,6 +1092,12 @@
   - name: --acns-advanced-networkpolicies
     type: string
     short-summary: Enable advanced network policies (None, FQDN or L7) on a cluster when enabling advanced networking features with "--enable-acns".
+  - name: --enable-container-network-logs
+    type: bool
+    short-summary: Enable container network log collection functionalities on a cluster. Automatically enables --enable-high-log-scale-mode.
+  - name: --disable-container-network-logs
+    type: bool
+    short-summary: Disable container network log collection functionalities on a cluster.
   - name: --nrg-lockdown-restriction-level
     type: string
     short-summary: Restriction level on the managed node resource group.
@@ -1261,7 +1270,7 @@
     short-summary: Resource ID of Azure Monitor Private Link scope for Monitoring Addon.
   - name: --enable-high-log-scale-mode
     type: bool
-    short-summary: Enable High Log Scale Mode for Container Logs.
+    short-summary: Enable High Log Scale Mode for Container Logs. Auto-enabled when --enable-container-network-logs is specified.
   - name: --appgw-name
     type: string
     short-summary: Name of the application gateway to create/use in the node resource group. Use with ingress-azure addon.

src/azure-cli/azure/cli/command_modules/acs/_params.py

@@ -604,6 +604,7 @@ def load_arguments(self, _):
         c.argument('disable_acns_observability', action='store_true')
         c.argument('disable_acns_security', action='store_true')
         c.argument("acns_advanced_networkpolicies", arg_type=get_enum_type(advanced_networkpolicies))
+        c.argument('enable_container_network_logs', action='store_true')
         c.argument("if_match")
         c.argument("if_none_match")
         # node provisioning
@@ -661,6 +662,8 @@ def load_arguments(self, _):
         c.argument('disable_acns_observability', action='store_true')
         c.argument('disable_acns_security', action='store_true')
         c.argument("acns_advanced_networkpolicies", arg_type=get_enum_type(advanced_networkpolicies))
+        c.argument('enable_container_network_logs', action='store_true')
+        c.argument('disable_container_network_logs', action='store_true')
         # private cluster parameters
         c.argument('enable_apiserver_vnet_integration', action='store_true')
         c.argument('apiserver_subnet_id', validator=validate_apiserver_subnet_id)

src/azure-cli/azure/cli/command_modules/acs/addonconfiguration.py

@@ -198,6 +198,7 @@
     "Microsoft-ContainerInventory",
     "Microsoft-ContainerNodeInventory",
     "Microsoft-Perf",
+    "Microsoft-ContainerNetworkLogs",
 ]
 
 

src/azure-cli/azure/cli/command_modules/acs/custom.py

@@ -934,17 +934,18 @@ def aks_create(
     disable_acns_observability=None,
     disable_acns_security=None,
     acns_advanced_networkpolicies=None,
+    enable_container_network_logs=None,
     # network isoalted cluster
     bootstrap_artifact_source=CONST_ARTIFACT_SOURCE_DIRECT,
     bootstrap_container_registry_resource_id=None,
     # addons
     enable_addons=None,
     workspace_resource_id=None,
     enable_msi_auth_for_monitoring=True,
-    enable_syslog=False,
+    enable_syslog=None,
     data_collection_settings=None,
     ampls_resource_id=None,
-    enable_high_log_scale_mode=False,
+    enable_high_log_scale_mode=None,
     aci_subnet_name=None,
     appgw_name=None,
     appgw_subnet_cidr=None,
@@ -1161,6 +1162,8 @@ def aks_update(
     disable_acns_observability=None,
     disable_acns_security=None,
     acns_advanced_networkpolicies=None,
+    enable_container_network_logs=None,
+    disable_container_network_logs=None,
     # network isoalted cluster
     bootstrap_artifact_source=None,
     bootstrap_container_registry_resource_id=None,
@@ -1557,10 +1560,10 @@ def aks_enable_addons(cmd, client, resource_group_name, name, addons,
                       enable_secret_rotation=False,
                       rotation_poll_interval=None,
                       enable_msi_auth_for_monitoring=True,
-                      enable_syslog=False,
+                      enable_syslog=None,
                       data_collection_settings=None,
                       ampls_resource_id=None,
-                      enable_high_log_scale_mode=False,
+                      enable_high_log_scale_mode=None,
                       no_wait=False,):
     instance = client.get(resource_group_name, name)
     msi_auth = False

src/azure-cli/azure/cli/command_modules/acs/linter_exclusions.yml

@@ -91,6 +91,9 @@ aks create:
       enable_static_egress_gateway:
         rule_exclusions:
           - option_length_too_long
+      enable_container_network_logs:
+        rule_exclusions:
+          - option_length_too_long
 aks enable-addons:
   parameters:
       appgw_watch_namespace:
@@ -209,6 +212,12 @@ aks update:
       disable_static_egress_gateway:
         rule_exclusions:
           - option_length_too_long
+      enable_container_network_logs:
+        rule_exclusions:
+          - option_length_too_long
+      disable_container_network_logs:
+        rule_exclusions:
+          - option_length_too_long
 aks nodepool add:
   parameters:
       disable_windows_outbound_nat:

src/azure-cli/azure/cli/command_modules/acs/managed_cluster_decorator.py

@@ -2593,6 +2593,89 @@ def get_acns_advanced_networkpolicies(self) -> Union[str, None]:
                 )
         return self.raw_param.get("acns_advanced_networkpolicies")
 
+    def get_container_network_logs(self, mc: ManagedCluster) -> Union[bool, None]:
+        """Get the enablement of container network logs
+
+        :return: bool or None"""
+        enable_cnl = self.raw_param.get("enable_container_network_logs")
+        disable_cnl = self.raw_param.get("disable_container_network_logs")
+        if enable_cnl is None and disable_cnl is None:
+            return None
+        if enable_cnl and disable_cnl:
+            raise MutuallyExclusiveArgumentError(
+                "Cannot specify --enable-container-network-logs and "
+                "--disable-container-network-logs at the same time."
+            )
+
+        # Check if monitoring is being enabled via enable_addons parameter (for create scenarios)
+        enable_addons = self.raw_param.get("enable_addons")
+        monitoring_via_enable_addons = enable_addons and "monitoring" in enable_addons
+
+        # Check if monitoring is already enabled on the cluster
+        monitoring_on_cluster = (
+            mc.addon_profiles and
+            mc.addon_profiles.get("omsagent") and
+            mc.addon_profiles["omsagent"].enabled
+        )
+
+        # Check if ACNS is being enabled or already enabled
+        acns_enabled = (
+            self.raw_param.get("enable_acns", False) or
+            (mc.network_profile and mc.network_profile.advanced_networking and
+             mc.network_profile.advanced_networking.enabled)
+        )
+
+        # Check if network dataplane is set to cilium (either via parameter or already on the cluster)
+        network_dataplane_param = self.raw_param.get("network_dataplane")
+        network_dataplane_cluster = None
+        if mc.network_profile is not None:
+            network_dataplane_cluster = getattr(mc.network_profile, "network_dataplane", None)
+        network_dataplane = network_dataplane_param or network_dataplane_cluster
+        cilium_enabled = safe_lower(network_dataplane) == "cilium"
+
+        monitoring_enabled = monitoring_via_enable_addons or monitoring_on_cluster
+
+        if enable_cnl and (not acns_enabled or not monitoring_enabled or not cilium_enabled):
+            raise InvalidArgumentValueError(
+                "Container network logs requires ACNS to be enabled, the monitoring addon to be enabled, "
+                "and the cilium network dataplane."
+            )
+        enable_cnl = bool(enable_cnl) if enable_cnl is not None else False
+        disable_cnl = bool(disable_cnl) if disable_cnl is not None else False
+        return enable_cnl or not disable_cnl
+
+    def get_enable_high_log_scale_mode(self) -> Union[bool, None]:
+        """Obtain the value of enable_high_log_scale_mode.
+
+        This method automatically enables high log scale mode when container network logs are enabled.
+        It validates that the user has not explicitly disabled high log scale mode when CNL is enabled.
+
+        Note: ACNS and monitoring addon validation is handled in get_container_network_logs().
+
+        :return: bool or None
+        """
+        # Read the original value passed by the command
+        enable_high_log_scale_mode = self.raw_param.get("enable_high_log_scale_mode")
+
+        # Check if container network logs are being enabled
+        enable_container_network_logs = self.raw_param.get("enable_container_network_logs")
+
+        # If container network logs are being enabled, auto-enable high log scale mode
+        if enable_container_network_logs:
+            # If user explicitly set enable_high_log_scale_mode to False, raise an error
+            if enable_high_log_scale_mode is False:
+                raise MutuallyExclusiveArgumentError(
+                    "Cannot explicitly disable --enable-high-log-scale-mode when "
+                    "--enable-container-network-logs is specified. Container network logs "
+                    "requires high log scale mode to be enabled."
+                )
+
+            # Auto-enable high log scale mode
+            return True
+
+        # If container network logs are not being enabled, return the original value
+        return enable_high_log_scale_mode
+
     def _get_pod_cidr_and_service_cidr_and_dns_service_ip_and_docker_bridge_address_and_network_policy(
         self, enable_validation: bool = False
     ) -> Tuple[
@@ -3025,21 +3108,6 @@ def get_enable_syslog(self) -> Union[bool, None]:
         # this parameter does not need validation
         return enable_syslog
 
-    def get_enable_high_log_scale_mode(self) -> Union[bool, None]:
-        """Obtain the value of enable_high_log_scale_mode.
-
-        Note: The arg type of this parameter supports three states (True, False or None), but the corresponding default
-        value in entry function is not None.
-
-        :return: bool or None
-        """
-        # read the original value passed by the command
-        enable_high_log_scale_mode = self.raw_param.get("enable_high_log_scale_mode")
-
-        # this parameter does not need dynamic completion
-        # this parameter does not need validation
-        return enable_high_log_scale_mode
-
     def get_data_collection_settings(self) -> Union[str, None]:
         """Obtain the value of data_collection_settings.
 
@@ -6657,6 +6725,22 @@ def set_up_addon_profiles(self, mc: ManagedCluster) -> ManagedCluster:
             addon_profiles[
                 CONST_AZURE_KEYVAULT_SECRETS_PROVIDER_ADDON_NAME
             ] = self.build_azure_keyvault_secrets_provider_addon_profile()
+
+        # Set up container network logs if enabled
+        container_network_logs_enabled = self.context.get_container_network_logs(mc)
+        if container_network_logs_enabled is not None:
+            monitoring_addon_profile = addon_profiles.get(CONST_MONITORING_ADDON_NAME)
+            if monitoring_addon_profile:
+                config = monitoring_addon_profile.config or {}
+                config["enableRetinaNetworkFlags"] = str(container_network_logs_enabled)
+                monitoring_addon_profile.config = config
+
+        # Trigger validation for high log scale mode when container network logs are enabled.
+        # This ensures proper error messages are raised before cluster creation if the user
+        # explicitly disables high log scale mode while enabling container network logs.
+        if self.context.raw_param.get("enable_container_network_logs"):
+            self.context.get_enable_high_log_scale_mode()
+
         mc.addon_profiles = addon_profiles
         return mc
 
@@ -8233,6 +8317,31 @@ def update_network_profile_advanced_networking(self, mc: ManagedCluster) -> Mana
             mc.network_profile.advanced_networking = acns
         return mc
 
+    def update_monitoring_profile_flow_logs(self, mc: ManagedCluster) -> ManagedCluster:
+        """Update monitor profile for the ManagedCluster object for flow logs.
+
+        :return: the ManagedCluster object
+        """
+        self._ensure_mc(mc)
+
+        # Trigger validation for high log scale mode when container network logs are enabled.
+        # This ensures proper error messages are raised before cluster update if the user
+        # explicitly disables high log scale mode while enabling container network logs.
+        if self.context.raw_param.get("enable_container_network_logs"):
+            self.context.get_enable_high_log_scale_mode()
+
+        container_network_logs_enabled = self.context.get_container_network_logs(mc)
+        if container_network_logs_enabled is not None:
+            if mc.addon_profiles:
+                addon_consts = self.context.get_addon_consts()
+                CONST_MONITORING_ADDON_NAME = addon_consts.get("CONST_MONITORING_ADDON_NAME")
+                monitoring_addon_profile = mc.addon_profiles.get(CONST_MONITORING_ADDON_NAME)
+                if monitoring_addon_profile:
+                    config = monitoring_addon_profile.config or {}
+                    config["enableRetinaNetworkFlags"] = str(container_network_logs_enabled)
+                    mc.addon_profiles[CONST_MONITORING_ADDON_NAME].config = config
+        return mc
+
     def update_http_proxy_config(self, mc: ManagedCluster) -> ManagedCluster:
         """Set up http proxy config for the ManagedCluster object.
 
@@ -9518,6 +9627,8 @@ def update_mc_profile_default(self) -> ManagedCluster:
         mc = self.update_network_profile(mc)
         # update network profile with acns
         mc = self.update_network_profile_advanced_networking(mc)
+        # update monitoring profile flow logs
+        mc = self.update_monitoring_profile_flow_logs(mc)
         # update aad profile
         mc = self.update_aad_profile(mc)
         # update oidc issuer profile

src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_aks_commands.py

@@ -13162,7 +13162,56 @@ def test_aks_create_with_enable_acns_complex(
             "aks delete -g {resource_group} -n {name} --yes --no-wait",
             checks=[self.is_empty()],
         )
-    
+
+    @live_only()
+    @AllowLargeResponse()
+    @AKSCustomResourceGroupPreparer(
+        random_name_length=17,
+        name_prefix="clitest",
+        location="eastus2euap",
+    )
+    def test_aks_create_acns_with_flow_logs(
+        self, resource_group, resource_group_location
+    ):
+        # reset the count so in replay mode the random names will start with 0
+        self.test_resources_count = 0
+        # kwargs for string formatting
+        aks_name = self.create_random_name("cliakstest", 16)
+        self.kwargs.update(
+            {
+                "resource_group": resource_group,
+                "name": aks_name,
+                "location": resource_group_location,
+                "resource_type": "Microsoft.ContainerService/ManagedClusters",
+                "ssh_key_value": self.generate_ssh_keys(),
+            }
+        )
+
+        # create: enable acns with enable container network logs and enable high log scale mode
+        create_cmd = (
+            "aks create --resource-group={resource_group} --name={name} --location={location} "
+            "--ssh-key-value={ssh_key_value} --node-count=1 --tier standard "
+            "--network-plugin azure --network-dataplane=cilium --network-plugin-mode overlay "
+            "--enable-acns "
+            "--enable-container-network-logs "
+            "--enable-addons monitoring "
+            "--enable-high-log-scale-mode "
+            "--aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AdvancedNetworkingPreview "
+        )
+        self.cmd(
+            create_cmd,
+            checks=[
+                self.check("provisioningState", "Succeeded"),
+                self.check("networkProfile.advancedNetworking.observability.enabled", True),
+            ],
+        )
+
+        # delete
+        self.cmd(
+            "aks delete -g {resource_group} -n {name} --yes --no-wait",
+            checks=[self.is_empty()],
+        )
+
     @AllowLargeResponse()
     @AKSCustomResourceGroupPreparer(
         random_name_length=17,