
@zachomedia
Last active April 21, 2021 20:15
AKS-Engine Patches
diff --git a/parts/k8s/addons/azure-network-policy.yaml b/parts/k8s/addons/azure-network-policy.yaml
index 065e541ca..c86364366 100644
--- a/parts/k8s/addons/azure-network-policy.yaml
+++ b/parts/k8s/addons/azure-network-policy.yaml
@@ -75,10 +75,15 @@ spec:
spec:
priorityClassName: system-node-critical
tolerations:
+ - operator: "Exists"
+ effect: NoExecute
+ - operator: "Exists"
+ effect: NoSchedule
- key: CriticalAddonsOnly
operator: Exists
nodeSelector:
- kubernetes.io/os: linux
+ beta.kubernetes.io/os: linux
+ kubernetes.io/role: agent
containers:
- name: azure-npm
image: {{ContainerImage "azure-npm-daemonset"}}
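Review bot: The new nodeSelector entry `kubernetes.io/role: agent` keeps azure-npm off every node that lacks that label, so pods on masters or on unlabelled nodes would presumably run with no NetworkPolicy enforcement, and nothing reports the gap. If excluding masters is intended, say so in a comment above the selector, e.g. `# masters deliberately excluded: NetworkPolicy is not enforced there`; otherwise drop the role selector and rely on the blanket tolerations added above. The switch from `kubernetes.io/os` to the deprecated `beta.kubernetes.io/os` label also deserves a comment naming the cluster version that requires it.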
@@ -119,3 +124,17 @@ spec:
path: /etc/protocols
type: File
serviceAccountName: azure-npm
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: npm-metrics-cluster-service
+ namespace: kube-system
+ labels:
+ app: npm-metrics
+spec:
+ selector:
+ k8s-app: azure-npm
+ ports:
+ - port: 9000
+ targetPort: 10091
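Review bot: The added Service gives every pod in the cluster a stable address for the azure-npm metrics port (9000 to 10091), and nothing in this hunk restricts who may scrape it. The ports entry is unnamed and relies on defaults for `type` and `protocol`; writing `type: ClusterIP`, `name: metrics` and `protocol: TCP` makes the intent explicit and guards against the Service later being changed to an externally reachable type unnoticed. Whether the azure-npm container listens on 10091 cannot be confirmed from these hunks, and the selector `k8s-app: azure-npm` should be checked against the DaemonSet's pod labels.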
diff --git a/pkg/engine/storageaccounts.go b/pkg/engine/storageaccounts.go
index d6c5caa36..441fdd56b 100644
--- a/pkg/engine/storageaccounts.go
+++ b/pkg/engine/storageaccounts.go
@@ -26,6 +26,9 @@ func createStorageAccount(cs *api.ContainerService) StorageAccountARM {
Location: to.StringPtr("[variables('location')]"),
Name: to.StringPtr("[variables('masterStorageAccountName')]"),
Type: to.StringPtr("Microsoft.Storage/storageAccounts"),
+ AccountProperties: &storage.AccountProperties{
+ EnableHTTPSTrafficOnly: to.BoolPtr(true),
+ },
Sku: &storage.Sku{
Name: storage.SkuName("[variables('vmSizesMap')[parameters('masterVMSize')].storageAccountType]"),
},
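Review bot: The same three-line `AccountProperties` literal is pasted into createStorageAccount here and into createJumpboxStorageAccount, createKeyVaultStorageAccount and createAgentVMASStorageAccount in the following hunks, so a future storage-account constructor can omit it without anything failing. A package-level helper returning `&storage.AccountProperties{EnableHTTPSTrafficOnly: to.BoolPtr(true)}`, with a doc comment stating that every account the engine creates must reject plain-HTTP requests, plus a unit test asserting the field on each constructor's result, would keep the four in step. HTTPS-only does not pin a TLS version; if the vendored storage SDK exposes `MinimumTLSVersion`, consider setting it in the same place. All four function bodies start and end outside their hunks.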
@@ -46,6 +49,9 @@ func createJumpboxStorageAccount() StorageAccountARM {
Type: to.StringPtr("Microsoft.Storage/storageAccounts"),
Name: to.StringPtr("[variables('jumpboxStorageAccountName')]"),
Location: to.StringPtr("[variables('location')]"),
+ AccountProperties: &storage.AccountProperties{
+ EnableHTTPSTrafficOnly: to.BoolPtr(true),
+ },
Sku: &storage.Sku{
Name: storage.SkuName("[variables('vmSizesMap')[parameters('jumpboxVMSize')].storageAccountType]"),
},
@@ -66,6 +72,9 @@ func createKeyVaultStorageAccount() StorageAccountARM {
Type: to.StringPtr("Microsoft.Storage/storageAccounts"),
Name: to.StringPtr("[variables('clusterKeyVaultName')]"),
Location: to.StringPtr("[variables('location')]"),
+ AccountProperties: &storage.AccountProperties{
+ EnableHTTPSTrafficOnly: to.BoolPtr(true),
+ },
Sku: &storage.Sku{
Name: storage.StandardLRS,
},
@@ -98,6 +107,9 @@ func createAgentVMASStorageAccount(cs *api.ContainerService, profile *api.AgentP
storageAccount := storage.Account{
Type: to.StringPtr("Microsoft.Storage/storageAccounts"),
Location: to.StringPtr("[variables('location')]"),
+ AccountProperties: &storage.AccountProperties{
+ EnableHTTPSTrafficOnly: to.BoolPtr(true),
+ },
Sku: &storage.Sku{
Name: storage.SkuName(fmt.Sprintf("[variables('vmSizesMap')[variables('%sVMSize')].storageAccountType]", profile.Name)),
},
diff --git a/pkg/engine/templates_generated.go b/pkg/engine/templates_generated.go
index 59066496b..87f669d4f 100644
--- a/pkg/engine/templates_generated.go
+++ b/pkg/engine/templates_generated.go
@@ -8265,10 +8265,15 @@ spec:
spec:
priorityClassName: system-node-critical
tolerations:
+ - operator: "Exists"
+ effect: NoExecute
+ - operator: "Exists"
+ effect: NoSchedule
- key: CriticalAddonsOnly
operator: Exists
nodeSelector:
- kubernetes.io/os: linux
+ beta.kubernetes.io/os: linux
+ kubernetes.io/role: agent
containers:
- name: azure-npm
image: {{ContainerImage "azure-npm-daemonset"}}
@@ -8309,6 +8314,20 @@ spec:
path: /etc/protocols
type: File
serviceAccountName: azure-npm
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: npm-metrics-cluster-service
+ namespace: kube-system
+ labels:
+ app: npm-metrics
+spec:
+ selector:
+ k8s-app: azure-npm
+ ports:
+ - port: 9000
+ targetPort: 10091
`)
func k8sAddonsAzureNetworkPolicyYamlBytes() ([]byte, error) {
diff --git a/pkg/engine/virtualmachines.go b/pkg/engine/virtualmachines.go
index eb70a93a8..ef25a000c 100644
--- a/pkg/engine/virtualmachines.go
+++ b/pkg/engine/virtualmachines.go
@@ -51,6 +51,7 @@ func CreateMasterVM(cs *api.ContainerService) VirtualMachineARM {
"orchestrator": to.StringPtr("[variables('orchestratorNameVersionTag')]"),
"aksEngineVersion": to.StringPtr("[parameters('aksEngineVersion')]"),
"poolName": to.StringPtr("master"),
+ "DoNotShutDownDays": to.StringPtr("-1"),
}
if kubernetesConfig != nil && kubernetesConfig.IsContainerMonitoringAddonEnabled() {
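Review bot: `"DoNotShutDownDays": to.StringPtr("-1")` hard-codes an undocumented tag and magic value into every master VM the engine generates; nothing on this page shows what reads the tag or what `-1` means. Add a comment on that line, e.g. `// DoNotShutDownDays=-1: read by <name of the shutdown automation>; -1 means <meaning>`, and consider taking the value from the cluster configuration rather than the generator, since this looks like a site-specific policy. The key also breaks the camelCase used by the neighbouring tags (`poolName`, `aksEngineVersion`), which is fine only if the consumer requires that spelling. CreateMasterVM's body continues outside the hunk.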