[aks-preview] az aks bastion: fix tunnel when Bastion is in a different subscription #9953
FumingZhang wants to merge 2 commits into
Use the subscription from the bastion resource ID for the internal 'az network bastion tunnel' command so that bastion hosts located in a different subscription than the AKS cluster work correctly. Fixes Azure/azure-cli#33579
✅ Ready to approve
The changes are small, targeted, and align with the described root cause by correctly scoping the tunnel command to the Bastion subscription without altering same-subscription behavior.
Note: this review does not count toward required approvals for merging.
Pull request overview
Fixes `az aks bastion` tunnel creation when the Bastion host is specified via resource ID and lives in a different subscription than the AKS cluster, by ensuring the inner `az network bastion tunnel` invocation uses the Bastion subscription (while cluster lookup remains on the cluster subscription).
Changes:
- Extend `BastionResource` to carry a `subscription` value.
- Preserve the subscription from a Bastion resource ID (fallback to the cluster subscription for name-/list-based discovery).
- Use the Bastion subscription (when available) for `az network bastion tunnel --subscription ...` argument construction.
File summaries
| File | Description |
|---|---|
| src/aks-preview/HISTORY.rst | Records the bastion cross-subscription tunnel fix in the pending changelog. |
| src/aks-preview/azext_aks_preview/bastion/bastion.py | Preserves Bastion subscription from resource IDs and uses it when launching the tunnel command. |
Copilot's findings
- Files reviewed: 2/2 changed files
- Comments generated: 1
/azp run
Azure Pipelines successfully started running 2 pipeline(s).
Related command
`az aks bastion`
Description
Fixes Azure/azure-cli#33579.
When `az aks bastion` is invoked with a `--bastion` resource ID whose Bastion host lives in a different subscription than the AKS cluster (e.g. a hub/spoke topology where Bastion is centralized in a hub subscription), the command fails:
Root cause
`aks_bastion` resolves a single `subscription_id = get_subscription_id(cmd.cli_ctx)` (the AKS cluster subscription) and forwards it to the internal `az network bastion tunnel` call. The subscription embedded in the provided Bastion resource ID was discarded, so the tunnel was created against the cluster subscription instead of the Bastion's subscription, producing an incorrect command such as:
This regressed in `21.0.0b4` (changelog: "Fix `--subscription` not being passed to internal `az network bastion tunnel`..."), which started passing a subscription but used the cluster subscription for everything.
Fix
- `BastionResource` now carries the Bastion's own `subscription`.
- `aks_bastion_parse_bastion_resource` preserves `subscription` from the Bastion resource ID (falling back to the cluster subscription for name-/list-based discovery in the node resource group).
- `_aks_bastion_launch_tunnel` uses the Bastion's subscription for the inner `az network bastion tunnel` command, while the AKS `client.get()` continues to use the cluster subscription.
Same-subscription scenarios are unchanged.
General Guidelines
- `azdev style <YOUR_EXT>` locally? (`pip install azdev` required)
- `python scripts/ci/test_index.py -q` locally? (`pip install wheel==0.30.0` required)
About Extension Publish
The change is recorded under the Pending section of `src/aks-preview/HISTORY.rst`; `src/index.json` is not modified.
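
The scoping rule stated in the description above, as an added example that is not code from this PR or from aks-preview: a Bastion resource ID keeps its own subscription, while a bare name falls back to the cluster subscription and node resource group. `BastionRef`, `parse_bastion` and `tunnel_args` are hypothetical names, and all IDs are constructed sample values.

```python
import re
from typing import NamedTuple

# Hypothetical stand-in for the extension's BastionResource (assumption, not project code).
class BastionRef(NamedTuple):
    name: str
    resource_group: str
    subscription: str

# ARM resource IDs are case-insensitive; accept only the bastionHosts resource type.
_BASTION_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Network/bastionHosts/(?P<name>[^/]+)/?$",
    re.IGNORECASE,
)

def parse_bastion(bastion: str, cluster_subscription: str, node_rg: str) -> BastionRef:
    """Resource ID: keep the subscription embedded in it. Bare name: cluster scope."""
    if bastion.startswith("/"):
        m = _BASTION_ID.match(bastion)
        if not m:
            raise ValueError(f"not a Bastion host resource ID: {bastion!r}")
        return BastionRef(m["name"], m["rg"], m["sub"])
    return BastionRef(bastion, node_rg, cluster_subscription)

def tunnel_args(b: BastionRef, target_id: str, resource_port: int, local_port: int) -> list[str]:
    """Build the inner command as an argv list, scoped to the Bastion's subscription."""
    return [
        "az", "network", "bastion", "tunnel",
        "--name", b.name,
        "--resource-group", b.resource_group,
        "--subscription", b.subscription,  # the Bastion's, not the cluster's
        "--target-resource-id", target_id,
        "--resource-port", str(resource_port),
        "--port", str(local_port),
    ]

if __name__ == "__main__":
    # Constructed hub/spoke sample: Bastion in the hub, cluster in the spoke.
    spoke = "00000000-0000-0000-0000-00000000bbbb"
    hub_id = ("/subscriptions/00000000-0000-0000-0000-00000000aaaa/resourceGroups/hub-rg"
              "/providers/Microsoft.Network/bastionHosts/hub-bastion")
    target = f"/subscriptions/{spoke}/resourceGroups/spoke-rg/providers/Example/target"
    print(" ".join(tunnel_args(parse_bastion(hub_id, spoke, "MC_node-rg"), target, 443, 50443)))
```
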