From c230646258d4b56efb7d44eb7a0230f2943da6f6 Mon Sep 17 00:00:00 2001
From: Tongyao Si
Date: Fri, 5 Apr 2019 00:05:45 +0800
Subject: [PATCH] Add pod security policy support (#604)
---
 src/aks-preview/HISTORY.md | 4 +++
 src/aks-preview/README.md | 27 ++++++++++++++++++++
 src/aks-preview/azext_aks_preview/_help.py | 13 ++++++++++
 src/aks-preview/azext_aks_preview/_params.py | 3 +++
 src/aks-preview/azext_aks_preview/custom.py | 22 +++++++++++++---
 5 files changed, 66 insertions(+), 3 deletions(-)
diff --git a/src/aks-preview/HISTORY.md b/src/aks-preview/HISTORY.md
index 4a165585655..1905e80504e 100644
--- a/src/aks-preview/HISTORY.md
+++ b/src/aks-preview/HISTORY.md
@@ -2,6 +2,10 @@ Release History ===============
+0.3.1
++++++
+* Add support of pod security policy.
+
 0.3.0
 +++++
 * Add support of feature `--node-zones`
diff --git a/src/aks-preview/README.md b/src/aks-preview/README.md
index 6cc9f70c67f..2e12ff671bd 100644
--- a/src/aks-preview/README.md
+++ b/src/aks-preview/README.md
@@ -99,4 +99,31 @@ az aks create \
 -n MyManagedCluster \
 --enable-VMSS \
 --node-zones 1 2 3
+```
+
+#### Enable pod security policy for new cluster
+*Examples:*
+```
+az aks create \
+ -g MyResourceGroup \
+ -n MyManagedCluster \
+ --enable-pod-security-policy \
+```
+
+#### Enable pod security policy for existing cluster
+*Examples:*
+```
+az aks update \
+ -g MyResourceGroup \
+ -n MyManagedCluster \
+ --enable-pod-security-policy \
+```
+
+#### Disable pod security policy for existing cluster
+*Examples:*
+```
+az aks update \
+ -g MyResourceGroup \
+ -n MyManagedCluster \
+ --disable-pod-security-policy \
 ```
\ No newline at end of file
diff --git a/src/aks-preview/azext_aks_preview/_help.py b/src/aks-preview/azext_aks_preview/_help.py
index f69a48938ec..ef9247f351b 100644
--- a/src/aks-preview/azext_aks_preview/_help.py
+++ b/src/aks-preview/azext_aks_preview/_help.py
@@ -142,6 +142,9 @@
 - name: --enable-vmss
 type: bool
 short-summary: (PREVIEW) Enable VMSS agent type.
+ - name: --enable-pod-security-policy
+ type: bool
+ short-summary: (PREVIEW) Enable pod security policy.
 examples:
 - name: Create a Kubernetes cluster with an existing SSH public key.
 text: az aks create -g MyResourceGroup -n MyManagedCluster --ssh-key-value /path/to/publickey
@@ -197,6 +200,12 @@
 - name: --api-server-authorized-ip-ranges
 type: str
 short-summary: List of authorized IP ranges (separated by comma) for apiserver. Set to "" for disabling it.
+ - name: --enable-pod-security-policy
+ type: bool
+ short-summary: (PREVIEW) Enable pod security policy.
+ - name: --disable-pod-security-policy
+ type: bool
+ short-summary: (PREVIEW) Disable pod security policy.
 examples:
 - name: Enable cluster-autoscaler within node count range [1,5]
 text: az aks update --enable-cluster-autoscaler --min-count 1 --max-count 5 -g MyResourceGroup -n MyManagedCluster
@@ -206,6 +215,10 @@
 text: az aks update --update-cluster-autoscaler --min-count 1 --max-count 10 -g MyResourceGroup -n MyManagedCluster
 - name: Enable authorized IP ranges for apiserver.
 text: az aks update --api-server-authorized-ip-ranges 172.0.0.10/16,168.10.0.10/18 -g MyResourceGroup -n MyManagedCluster
+ - name: Enable pod security policy.
+ text: az aks update --enable-pod-security-policy -g MyResourceGroup -n MyManagedCluster
+ - name: Disable pod security policy.
+ text: az aks update --disable-pod-security-policy -g MyResourceGroup -n MyManagedCluster
 """
 
 helps['aks nodepool'] = """
diff --git a/src/aks-preview/azext_aks_preview/_params.py b/src/aks-preview/azext_aks_preview/_params.py
index 793d4c5e245..46c7474e785 100644
--- a/src/aks-preview/azext_aks_preview/_params.py
+++ b/src/aks-preview/azext_aks_preview/_params.py
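Review bot: The short-summaries added for `--enable-pod-security-policy` and `--disable-pod-security-policy` (in both the `aks create` and `aks update` sections of this hunk) do not tell the user what the flag changes on the cluster, and the disable flag in particular relaxes admission control. Suggest `short-summary: (PREVIEW) Enable the PodSecurityPolicy admission controller on the cluster.` and `short-summary: (PREVIEW) Disable the PodSecurityPolicy admission controller; pods are no longer validated against PodSecurityPolicy objects.`. A one-line `long-summary` noting that the setting is cluster-wide (the `custom.py` hunks set it on the managed cluster object, not on a node pool) would also help readers choosing between this and per-pool options.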
@@ -67,6 +67,7 @@ def load_arguments(self, _):
 c.argument('max_count', type=int, validator=validate_nodes_count)
 c.argument('enable_vmss', action='store_true')
 c.argument('node_zones', zones_type, options_list='--node-zones', help='(PREVIEW) Space-separated list of availability zones where agent nodes will be placed.')
+ c.argument('enable_pod_security_policy', action='store_true')
 
 with self.argument_context('aks update') as c:
 c.argument('enable_cluster_autoscaler', options_list=["--enable-cluster-autoscaler", "-e"], action='store_true')
@@ -75,6 +76,8 @@ def load_arguments(self, _):
 c.argument('min_count', type=int, validator=validate_nodes_count)
 c.argument('max_count', type=int, validator=validate_nodes_count)
 c.argument('api_server_authorized_ip_ranges', type=str, validator=validate_ip_ranges)
+ c.argument('enable_pod_security_policy', action='store_true')
+ c.argument('disable_pod_security_policy', action='store_true')
 
 with self.argument_context('aks scale') as c:
 c.argument('nodepool_name', type=str,
diff --git a/src/aks-preview/azext_aks_preview/custom.py b/src/aks-preview/azext_aks_preview/custom.py
index 5eb8c9a9e3e..8bf8494ca1b 100644
--- a/src/aks-preview/azext_aks_preview/custom.py
+++ b/src/aks-preview/azext_aks_preview/custom.py
@@ -379,6 +379,7 @@ def aks_create(cmd, client, resource_group_name, name, ssh_key_value, # pylint:
 tags=None,
 node_zones=None,
 generate_ssh_keys=False, # pylint: disable=unused-argument
+ enable_pod_security_policy=False,
 no_wait=False):
 if not no_ssh_key:
 try:
@@ -484,7 +485,8 @@ def aks_create(cmd, client, resource_group_name, name, ssh_key_value, # pylint:
 service_principal_profile=service_principal_profile,
 network_profile=network_profile,
 addon_profiles=addon_profiles,
- aad_profile=aad_profile)
+ aad_profile=aad_profile,
+ enable_pod_security_policy=bool(enable_pod_security_policy))
 
 # Due to SPN replication latency, we do a few retries here
 max_retry = 30
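Review bot: `enable_pod_security_policy=bool(enable_pod_security_policy)` in the `ManagedCluster(...)` call of the second `custom.py` hunk is a redundant conversion: the `_params.py` hunk registers the option with `action='store_true'` and the signature defaults it to `False`, so the value is already a bool, and none of the neighbouring keywords (`aad_profile=aad_profile`, `addon_profiles=addon_profiles`) are wrapped that way; `enable_pod_security_policy=enable_pod_security_policy)` reads consistently with them. The new keyword is presumably only accepted by an SDK model version that exposes the field on `ManagedCluster`, which the hunk gives no hint of; a short comment above the call naming that requirement would spare the next maintainer a failed call when the SDK is bumped. The enclosing function `aks_create` starts and ends outside the hunk.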
@@ -506,12 +508,17 @@ def aks_update(cmd, client, resource_group_name, name, enable_cluster_autoscaler
 disable_cluster_autoscaler=False,
 update_cluster_autoscaler=False,
 min_count=None, max_count=None, no_wait=False,
- api_server_authorized_ip_ranges=None):
+ api_server_authorized_ip_ranges=None,
+ enable_pod_security_policy=False,
+ disable_pod_security_policy=False):
 update_flags = enable_cluster_autoscaler + disable_cluster_autoscaler + update_cluster_autoscaler
- if update_flags != 1 and api_server_authorized_ip_ranges is None:
+ if update_flags != 1 and api_server_authorized_ip_ranges is None and \
+ (enable_pod_security_policy is False and disable_pod_security_policy is False):
 raise CLIError('Please specify "--enable-cluster-autoscaler" or '
 '"--disable-cluster-autoscaler" or '
 '"--update-cluster-autoscaler" or '
+ '"--enable-pod-security-policy" or '
+ '"--disable-pod-security-policy" or '
 '"--api-server-authorized-ip-ranges"')
 
 # TODO: change this approach when we support multiple agent pools.
@@ -554,6 +561,15 @@ def aks_update(cmd, client, resource_group_name, name, enable_cluster_autoscaler
 instance.agent_pool_profiles[0].min_count = None
 instance.agent_pool_profiles[0].max_count = None
 
+ if enable_pod_security_policy and disable_pod_security_policy:
+ raise CLIError('Cannot specify --enable-pod-security-policy and --disable-pod-security-policy '
+ 'at the same time.')
+
+ if enable_pod_security_policy:
+ instance.enable_pod_security_policy = True
+ if disable_pod_security_policy:
+ instance.enable_pod_security_policy = False
+
 if api_server_authorized_ip_ranges is not None:
 instance.api_server_authorized_ip_ranges = []
 if api_server_authorized_ip_ranges != "":
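Review bot: The conflict check `if enable_pod_security_policy and disable_pod_security_policy:` sits in the second hunk (`@@ -554,6 +561,15 @@`), after `instance` has been fetched and after the autoscaler branches have already modified it, so a caller passing both flags makes a round trip to the service before being rejected; it belongs beside the "Please specify" check in the first hunk, before the instance is fetched (presumably between the two hunks — `aks_update`'s body continues outside both). While moving it, the new condition `(enable_pod_security_policy is False and disable_pod_security_policy is False)` can be written as `not enable_pod_security_policy and not disable_pod_security_policy`, which also behaves correctly if the function is ever called programmatically with a non-bool value. Because `--disable-pod-security-policy` turns off an admission control for the whole cluster, the `instance.enable_pod_security_policy = False` branch in the second hunk is also a reasonable place for a warning-level log line, if the module has a logger. The rewritten top of the function, with the check in the second hunk removed:
```python
    update_flags = enable_cluster_autoscaler + disable_cluster_autoscaler + update_cluster_autoscaler
    if enable_pod_security_policy and disable_pod_security_policy:
        raise CLIError('Cannot specify --enable-pod-security-policy and --disable-pod-security-policy '
                       'at the same time.')
    if update_flags != 1 and api_server_authorized_ip_ranges is None and \
            not enable_pod_security_policy and not disable_pod_security_policy:
        # … unchanged: raise CLIError('Please specify "--enable-cluster-autoscaler" or ' …) …
```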