AzureSDKAutomation
diff --git a/‎src/aks-preview/azext_aks_preview/_format.py‎
Lines changed: 35 additions & 0 deletions b/‎src/aks-preview/azext_aks_preview/_format.py‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎src/aks-preview/azext_aks_preview/_help.py‎
Lines changed: 62 additions & 1 deletion b/‎src/aks-preview/azext_aks_preview/_help.py‎
Lines changed: 62 additions & 1 deletion
diff --git a/‎src/aks-preview/azext_aks_preview/_params.py‎
Lines changed: 51 additions & 1 deletion b/‎src/aks-preview/azext_aks_preview/_params.py‎
Lines changed: 51 additions & 1 deletion
diff --git a/‎src/aks-preview/azext_aks_preview/_validators.py‎
Lines changed: 51 additions & 0 deletions b/‎src/aks-preview/azext_aks_preview/_validators.py‎
Lines changed: 51 additions & 0 deletions
diff --git a/‎src/aks-preview/azext_aks_preview/commands.py‎
Lines changed: 17 additions & 0 deletions b/‎src/aks-preview/azext_aks_preview/commands.py‎
Lines changed: 17 additions & 0 deletions
@@ -140,4 +140,39 @@ def _func_set_preview(self, version):  # pylint: disable=no-self-use
             except(TypeError, ValueError):
                 return version
 
+        @functions.signature({'types': ['object']})
+        def _func_pprint_labels(self, labels):  # pylint: disable=no-self-use
+            """Custom JMESPath `pprint_labels` function that pretty print labels"""
+            if not labels:
+                return ''
+            return ' '.join([
+                '{}={}'.format(k, labels[k])
+                for k in sorted(labels.keys())
+            ])
+
     return CustomFunctions()
+
+
+def aks_pod_identity_exceptions_table_format(result):
+    """Format pod identity exceptions results as a summary for display with "-o table"."""
+    preview = {}
+    parsed = compile_jmes("""podIdentityProfile.userAssignedIdentityExceptions[].{
+        name: name,
+        namespace: namespace,
+        PodLabels: podLabels | pprint_labels(@)
+    }""")
+    # use ordered dicts so headers are predictable
+    return parsed.search(result, Options(dict_cls=OrderedDict, custom_functions=_custom_functions(preview)))
+
+
+def aks_pod_identities_table_format(result):
+    """Format pod identities results as a summary for display with "-o table"."""
+    preview = {}
+    parsed = compile_jmes("""podIdentityProfile.userAssignedIdentities[].{
+        name: name,
+        namespace: namespace,
+        provisioningState: provisioningState
+        identity: identity.resourceId
+    }""")
+    # use ordered dicts so headers are predictable
+    return parsed.search(result, Options(dict_cls=OrderedDict, custom_functions=_custom_functions(preview)))
@@ -291,6 +291,9 @@
         - name: --linux-os-config
           type: string
           short-summary: OS configurations for Linux agent nodes.
+        - name: --enable-pod-identity
+          type: bool
+          short-summary: (PREVIEW) Enable pod identity addon.
     examples:
         - name: Create a Kubernetes cluster with an existing SSH public key.
           text: az aks create -g MyResourceGroup -n MyManagedCluster --ssh-key-value /path/to/publickey
@@ -443,6 +446,12 @@
         - name: --assign-identity
           type: string
           short-summary: (PREVIEW) Specify an existing user assigned identity to manage cluster resource group.
+        - name: --enable-pod-identity
+          type: bool
+          short-summary: (PREVIEW) Enable Pod Identity addon for cluster.
+        - name: --disable-pod-identity
+          type: bool
+          short-summary: (PREVIEW) Disable Pod Identity addon for cluster.
     examples:
       - name: Enable cluster-autoscaler within node count range [1,5]
         text: az aks update --enable-cluster-autoscaler --min-count 1 --max-count 5 -g MyResourceGroup -n MyManagedCluster
@@ -480,6 +489,10 @@
         text: az aks update -g MyResourceGroup -n MyManagedCluster --enable-managed-identity
       - name: Update the cluster to use user assigned managed identity in control plane.
         text: az aks update -g MyResourceGroup -n MyManagedCluster --enable-managed-identity --assign-identity <user_assigned_identity_resource_id>
+      - name: Enable pod identity addon.
+        text: az aks update -g MyResourceGroup -n MyManagedCluster --enable-pod-identity
+      - name: Disable pod identity addon.
+        text: az aks update -g MyResourceGroup -n MyManagedCluster --disable-pod-identity
 """
 
 helps['aks kollect'] = """
@@ -537,7 +550,7 @@
 
 helps['aks nodepool'] = """
     type: group
-    short-summary: Commands to manage node pools in Kubernetes kubernetes cluster.
+    short-summary: Commands to manage node pools in managed Kubernetes cluster.
 """
 helps['aks nodepool show'] = """
     type: command
@@ -809,3 +822,51 @@
     short-summary: Rotate certificates and keys on a managed Kubernetes cluster
     long-summary: Kubernetes will be unavailable during cluster certificate rotation.
 """
+
+helps['aks pod-identity'] = """
+    type: group
+    short-summary: Commands to manage pod identities in managed Kubernetes cluster.
+"""
+
+helps['aks pod-identity add'] = """
+    type: command
+    short-summary: Add a pod identity to a managed Kubernetes cluster
+    examples:
+    - name: Add pod identity
+      text: az aks pod-identity add --cluster-name MyManagedCluster --resource-group MyResourceGroup --namespace my-namespace --name my-identity --identity-resource-id <my-identity-resource-id>
+"""
+
+helps['aks pod-identity delete'] = """
+    type: command
+    short-summary: Remove a pod identity from a managed Kubernetes cluster
+"""
+
+helps['aks pod-identity list'] = """
+    type: command
+    short-summary: List pod identities in a managed Kubernetes cluster
+"""
+
+helps['aks pod-identity exception'] = """
+    type: group
+    short-summary: Commands to manage pod identity exceptions in managed Kubernetes cluster.
+"""
+
+helps['aks pod-identity exception add'] = """
+    type: command
+    short-summary: Add a pod identity exception to a managed Kubernetes cluster
+"""
+
+helps['aks pod-identity exception delete'] = """
+    type: command
+    short-summary: Remove a pod identity exception from a managed Kubernetes cluster
+"""
+
+helps['aks pod-identity exception update'] = """
+    type: command
+    short-summary: Update a pod identity exception in a managed Kubernetes cluster
+"""
+
+helps['aks pod-identity exception list'] = """
+    type: command
+    short-summary: List pod identity exceptions in a managed Kubernetes cluster
+"""
@@ -22,7 +22,8 @@
     validate_load_balancer_outbound_ips, validate_load_balancer_outbound_ip_prefixes,
     validate_taints, validate_priority, validate_eviction_policy, validate_spot_max_price, validate_acr, validate_user,
     validate_load_balancer_outbound_ports, validate_load_balancer_idle_timeout, validate_nodepool_tags,
-    validate_nodepool_labels, validate_vnet_subnet_id, validate_pod_subnet_id, validate_max_surge, validate_assign_identity, validate_addons)
+    validate_nodepool_labels, validate_vnet_subnet_id, validate_pod_subnet_id, validate_max_surge, validate_assign_identity, validate_addons,
+    validate_pod_identity_pod_labels, validate_pod_identity_resource_name, validate_pod_identity_resource_namespace)
 from ._consts import CONST_OUTBOUND_TYPE_LOAD_BALANCER, \
     CONST_OUTBOUND_TYPE_USER_DEFINED_ROUTING, CONST_SCALE_SET_PRIORITY_REGULAR, CONST_SCALE_SET_PRIORITY_SPOT, \
     CONST_SPOT_EVICTION_POLICY_DELETE, CONST_SPOT_EVICTION_POLICY_DEALLOCATE, \
@@ -115,6 +116,7 @@ def load_arguments(self, _):
         c.argument('auto_upgrade_channel', arg_type=get_enum_type([CONST_RAPID_UPGRADE_CHANNEL, CONST_STABLE_UPGRADE_CHANNEL, CONST_PATCH_UPGRADE_CHANNEL, CONST_NONE_UPGRADE_CHANNEL]))
         c.argument('kubelet_config', type=str)
         c.argument('linux_os_config', type=str)
+        c.argument('enable_pod_identity', action='store_true')
 
     with self.argument_context('aks update') as c:
         c.argument('enable_cluster_autoscaler', options_list=["--enable-cluster-autoscaler", "-e"], action='store_true')
@@ -138,6 +140,8 @@ def load_arguments(self, _):
         c.argument('auto_upgrade_channel', arg_type=get_enum_type([CONST_RAPID_UPGRADE_CHANNEL, CONST_STABLE_UPGRADE_CHANNEL, CONST_PATCH_UPGRADE_CHANNEL, CONST_NONE_UPGRADE_CHANNEL]))
         c.argument('enable_managed_identity', action='store_true')
         c.argument('assign_identity', type=str, validator=validate_assign_identity)
+        c.argument('enable_pod_identity', action='store_true')
+        c.argument('disable_pod_identity', action='store_true')
         c.argument('yes', options_list=['--yes', '-y'], help='Do not prompt for confirmation.', action='store_true')
 
     with self.argument_context('aks scale') as c:
@@ -208,6 +212,52 @@ def load_arguments(self, _):
         c.argument('path', options_list=['--file', '-f'], type=file_type, completer=FilesCompleter(),
                    default=os.path.join(os.path.expanduser('~'), '.kube', 'config'))
 
+    with self.argument_context('aks pod-identity') as c:
+        c.argument('cluster_name', type=str, help='The cluster name.')
+
+    with self.argument_context('aks pod-identity add') as c:
+        c.argument('identity_name', type=str, options_list=['--name', '-n'], default=None, required=False,
+                   help='The pod identity name. Generate if not specified.',
+                   validator=validate_pod_identity_resource_name('identity_name', required=False))
+        c.argument('identity_namespace', type=str, options_list=['--namespace'], help='The pod identity namespace.')
+        c.argument('identity_resource_id', type=str, options_list=['--identity-resource-id'], help='Resource id of the identity to use.')
+
+    with self.argument_context('aks pod-identity delete') as c:
+        c.argument('identity_name', type=str, options_list=['--name', '-n'], default=None, required=True,
+                   help='The pod identity name.',
+                   validator=validate_pod_identity_resource_name('identity_name', required=True))
+        c.argument('identity_namespace', type=str, options_list=['--namespace'], help='The pod identity namespace.')
+
+    with self.argument_context('aks pod-identity exception add') as c:
+        c.argument('exc_name', type=str, options_list=['--name', '-n'], default=None, required=False,
+                   help='The pod identity exception name. Generate if not specified.',
+                   validator=validate_pod_identity_resource_name('exc_name', required=False))
+        c.argument('exc_namespace', type=str, options_list=['--namespace'], required=True,
+                   help='The pod identity exception namespace.',
+                   validator=validate_pod_identity_resource_namespace)
+        c.argument('pod_labels', nargs='*', required=True,
+                   help='space-separated labels: key=value [key=value ...].',
+                   validator=validate_pod_identity_pod_labels)
+
+    with self.argument_context('aks pod-identity exception delete') as c:
+        c.argument('exc_name', type=str, options_list=['--name', '-n'], required=True,
+                   help='The pod identity exception name to remove.',
+                   validator=validate_pod_identity_resource_name('exc_name', required=True))
+        c.argument('exc_namespace', type=str, options_list=['--namespace'], required=True,
+                   help='The pod identity exception namespace to remove.',
+                   validator=validate_pod_identity_resource_namespace)
+
+    with self.argument_context('aks pod-identity exception update') as c:
+        c.argument('exc_name', type=str, options_list=['--name', '-n'], required=True,
+                   help='The pod identity exception name to remove.',
+                   validator=validate_pod_identity_resource_name('exc_name', required=True))
+        c.argument('exc_namespace', type=str, options_list=['--namespace'], required=True,
+                   help='The pod identity exception namespace to remove.',
+                   validator=validate_pod_identity_resource_namespace)
+        c.argument('pod_labels', nargs='*', required=True,
+                   help='pod labels in key=value [key=value ...].',
+                   validator=validate_pod_identity_pod_labels)
+
 
 def _get_default_install_location(exe_name):
     system = platform.system()
 
@@ -418,3 +418,54 @@ def validate_addons(namespace):
 
             raise CLIError(
                 f"The addon \"{addon_arg}\" is not a recognized addon option. Did you mean {matches}? Possible options: {all_addons}")  # pylint:disable=line-too-long
+
+
+def validate_pod_identity_pod_labels(namespace):
+    if not hasattr(namespace, 'pod_labels'):
+        return
+    labels = namespace.pod_labels
+
+    if labels is None:
+        # no specify any labels
+        namespace.pod_labels = {}
+        return
+
+    if isinstance(labels, list):
+        labels_dict = {}
+        for item in labels:
+            labels_dict.update(validate_label(item))
+        after_validation_labels = labels_dict
+    else:
+        after_validation_labels = validate_label(labels)
+
+    namespace.pod_labels = after_validation_labels
+
+
+def validate_pod_identity_resource_name(attr_name, required):
+    "Validate custom resource name for pod identity addon."
+
+    def validator(namespace):
+        if not hasattr(namespace, attr_name):
+            return
+
+        attr_value = getattr(namespace, attr_name)
+        if not attr_value:
+            if required:
+                raise CLIError('--name is required')
+            # set empty string for the resource name
+            attr_value = ''
+
+        setattr(namespace, attr_name, attr_value)
+
+    return validator
+
+
+def validate_pod_identity_resource_namespace(namespace):
+    "Validate custom resource name for pod identity addon."
+    if not hasattr(namespace, 'namespace'):
+        return
+
+    namespace_value = namespace.namespace
+    if not namespace_value:
+        # namespace cannot be empty
+        raise CLIError('--namespace is required')
@@ -13,6 +13,8 @@
 from ._format import aks_agentpool_list_table_format
 from ._format import aks_versions_table_format
 from ._format import aks_upgrades_table_format
+from ._format import aks_pod_identities_table_format
+from ._format import aks_pod_identity_exceptions_table_format
 
 
 def load_command_table(self, _):
@@ -70,3 +72,18 @@ def load_command_table(self, _):
         g.custom_command('update', 'aks_agentpool_update', supports_no_wait=True)
         g.custom_command('delete', 'aks_agentpool_delete', supports_no_wait=True)
         g.custom_command('get-upgrades', 'aks_agentpool_get_upgrade_profile')
+
+    # AKS pod identity commands
+    with self.command_group('aks pod-identity', managed_clusters_sdk, client_factory=cf_managed_clusters) as g:
+        g.custom_command('add', 'aks_pod_identity_add')
+        g.custom_command('delete', 'aks_pod_identity_delete')
+        g.custom_command('list', 'aks_pod_identity_list',
+                         table_transformer=aks_pod_identities_table_format)
+
+    # AKS pod identity exception commands
+    with self.command_group('aks pod-identity exception', managed_clusters_sdk, client_factory=cf_managed_clusters) as g:
+        g.custom_command('add', 'aks_pod_identity_exception_add')
+        g.custom_command('delete', 'aks_pod_identity_exception_delete')
+        g.custom_command('update', 'aks_pod_identity_exception_update')
+        g.custom_command('list', 'aks_pod_identity_exception_list',
+                         table_transformer=aks_pod_identity_exceptions_table_format)