[AKS] az aks safeguards: Add command group to manage deployment safeguards#31793
[AKS] az aks safeguards: Add command group to manage deployment safeguards#31793
az aks safeguards: Add command group to manage deployment safeguards#31793Conversation
NickKeller
requested review from
FumingZhang,
jsntcy,
yanzhudd and
zhoxing-ms
as code owners
️✔️AzureCLI-FullTest
|
|
| rule | cmd_name | rule_message | suggest_message |
|---|---|---|---|
| aks safeguards | sub group aks safeguards added |
|
The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR. Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions). pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
|
|
Thank you for your contribution! We will review the pull request and get back to you soon. |
There was a problem hiding this comment.
Pull Request Overview
Adds a new “aks safeguards” command group to the core AKS CLI, migrating functionality from the extension into the main azure-cli repository.
- Introduces AAZ-based command implementations and custom wrappers for
create,show,update,delete,list, andwait. - Registers the new command group in
commands.pyand loads it via the ACS module’s initializer. - Provides an end-to-end scenario test covering the full CRUD lifecycle of deployment safeguards.
Reviewed Changes
Copilot reviewed 16 out of 17 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_aks_safeguards.py | Adds a scenario test for the full safeguards lifecycle |
| src/azure-cli/azure/cli/command_modules/acs/custom.py | Implements argument validation and custom command classes |
| src/azure-cli/azure/cli/command_modules/acs/commands.py | Registers the new aks safeguards commands in the CLI table |
| src/azure-cli/azure/cli/command_modules/acs/aaz/latest/aks/safeguards/ | Adds generated AAZ command and operation definitions for safeguards |
| src/azure-cli/azure/cli/command_modules/acs/init.py | Loads AAZ commands when the ACS module initializes |
Comments suppressed due to low confidence (3)
src/azure-cli/azure/cli/command_modules/acs/custom.py:146
- [nitpick] Add a space after the period before 'You may provide...', and correct the mismatched quote around 'name' for clarity in the help text.
help="The name of the resource group. You can configure the default group using az configure --defaults group=`<name>`. You may provide either 'managed_cluster' or both 'resource_group' and 'name', but not both",
src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_aks_safeguards.py:16
- [nitpick] Remove the TODO comment or implement the remaining tests to avoid leaving placeholder comments in the scenario test.
# TODO: add tests here
src/azure-cli/azure/cli/command_modules/acs/custom.py:123
- The function
get_loggeris used without importing it. Add the appropriate import, for examplefrom knack.log import get_logger, to avoid a NameError.
logger = get_logger(__name__)
microsoft-github-policy-service
bot
added
Auto-Assign
FumingZhang
left a comment
FumingZhang
left a comment
There was a problem hiding this comment.
Queued live test for case test_aks_deployment_safeguards to validate the change, the test failed with following error,
raise AAZInvalidValueError("Expect <class 'dict'>, got {} ({})".format(data, type(data)))E azure.cli.core.aaz.exceptions.AAZInvalidValueError: Expect <class 'dict'>, got {"eTag":"8f1dd5e3-7f38-4fc0-8f4e-8d182c991fb0","id":"/subscriptions/79a7390d-3a85-432d-9f6f-a11a703c8b83/resourceGroups/cli-qxps/providers/Microsoft.ContainerService/managedClusters/akssafeguards-neobhd/providers/Microsoft.ContainerService/deploymentSafeguards/default","name":"default","properties":{"level":"Warn","provisioningState":"Succeeded","systemExcludedNamespaces":["kube-system","calico-system","tigera-system","gatekeeper-system"]},"type":"Microsoft.ContainerService/deploymentSafeguards"} (<class 'str'>)
I am not very familiar with aaz, and I am not sure whether there is a problem with the case or a configuration problem with the live test pipeline, because this live test is designed for non-aaz mode commands in test_aks_commands.py.
|
/azp run |
|
Azure Pipelines successfully started running 3 pipeline(s). |
|
Yep, that's a known error with my service for now, not an error with aaz. We have a fix deployed in staging, so I queued up a test for that:https://dev.azure.com/msazure/CloudNativeCompute/_build/results?buildId=130078326&view=results. Looks like the test framework isn't obfuscating the subscription id properly? The error you saw will be fixed with the new official release which will be rolling soon |
|
The test actually passed when executed in live mode, but failed when executed in replay mode, apparently because it did not handle some variable substitutions well, and I suppose failures in replay mode can be ignored.
|
|
@yanzhudd any objections to this PR? |
yanzhudd
changed the title
az aks safeguards: Add command group to manage deployment safeguards
…eguards/_create.py Co-authored-by: Yan Zhu <105691024+yanzhudd@users.noreply.github.com>
…eguards/_delete.py Co-authored-by: Yan Zhu <105691024+yanzhudd@users.noreply.github.com>
|
@yanzhudd I've addressed your comments, thanks! |
|
/azp run |
|
Azure Pipelines successfully started running 3 pipeline(s). |
FumingZhang
left a comment
FumingZhang
left a comment
There was a problem hiding this comment.
CI failed with following error, please update the API version used in your recording file.
raise AssertionError(ex)E AssertionError: Can't overwrite existing cassette ('/mnt/vss/_work/1/s/src/azure-cli/azure/cli/command_modules/acs/tests/latest/recordings/test_aks_deployment_safeguards.yaml') in your current record mode ('once').
E No match for the request (<Request (PUT) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli-000001/providers/Microsoft.ContainerService/managedClusters/akssafeguards-000002?api-version=2025-05-01>) was found.
E Found 1 similar requests with 1 different matcher(s) :
E
E 1 - (<Request (PUT) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli-000001/providers/Microsoft.ContainerService/managedClusters/akssafeguards-000002?api-version=2025-04-01>)..)
E Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path']
E Matchers failed :
E _custom_request_query_matcher - assertion failure :
E None
|
/azp run |
|
Azure Pipelines successfully started running 3 pipeline(s). |
|
@yanzhudd can you please take another look? |
Related command
az aks
Description
Previously I had created a PR to azure-cli-extensions to add an "aks-safeguards" extension. However, after discussion with PMs, the decision was to move it to the core cli experience to be next to the rest of the GA "az aks" implementations
Testing Guide
az aks safeguards create -g rg1 -n clustername --level WarnHistory Notes
[Component Name 1] BREAKING CHANGE:
az command a: Make some customer-facing breaking change[Component Name 2]
az command b: Add some customer-facing featureThis checklist is used to make sure that common guidelines for a pull request are followed.
The PR title and description has followed the guideline in Submitting Pull Requests.
I adhere to the Command Guidelines.
I adhere to the Error Handling Guidelines.