feat: network isolated cluster skip cse download#8077
Conversation
Pull request overview
This PR updates the Windows provisioning flow for network-isolated clusters so the node bootstrap can skip downloading the Windows CSE scripts package (which may be unreachable) and instead use a cached scripts zip baked into the VHD.
Changes:
- Add `Install-CachedScripts` helper to locate and expand a cached `aks-windows-cse-scripts-current.zip` from the VHD cache.
- Update `kuberneteswindowssetup.ps1` to skip CSE scripts download when `BootstrapProfileContainerRegistryServer` is set and install from cache instead.
- Add Pester unit tests covering the new cached-scripts install behavior.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| parts/windows/windowscsehelper.ps1 | Adds a new error code and introduces Install-CachedScripts to expand cached CSE scripts from the VHD cache. |
| parts/windows/kuberneteswindowssetup.ps1 | Alters script acquisition logic to avoid downloading in network-isolated mode and use cached scripts. |
| parts/windows/windowscsehelper.tests.ps1 | Adds unit tests validating cached scripts are expanded and proper exit behavior when missing. |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
| # Dot-source cse scripts with functions that are called in this script | ||
| . c:\AzureData\windows\azurecnifunc.ps1 | ||
| . c:\AzureData\windows\calicofunc.ps1 |
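Review bot: these dot-source lines assume c:\AzureData\windows has already been populated, and in the network-isolated path that now depends on Install-CachedScripts having succeeded; make sure the cached-zip expansion, including its exit with the new error code when the cache is missing, runs strictly before this point, otherwise a missing cache surfaces here as a generic file-not-found from `. c:\AzureData\windows\azurecnifunc.ps1` instead of the dedicated error code the PR adds.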
azurecnifunc.ps1 and the other CSE function scripts are dot-sourced directly from C:\AzureData\windows after being populated from the remote CSE package URL (CSEScriptsPackageUrl) without any integrity verification. If an attacker can compromise or misconfigure the CSE package endpoint or URL, they can supply a malicious ZIP so that arbitrary PowerShell code is executed here under the node’s provisioning context. To harden this, ensure the downloaded CSE package is pinned to an immutable version and validated (e.g., via a baked-in hash or code-signing check) before expanding it into C:\AzureData\windows and dot-sourcing these scripts.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
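The two pieces of the thread above, the cache-or-download choice keyed on `BootstrapProfileContainerRegistryServer` and the reviewer's request to verify the package before anything from it is dot-sourced, combined into one script as an added example. This is not AgentBaker's code and not the PR's `Install-CachedScripts`: the function name `Get-CseScriptsPackage`, its parameters, the cache and destination paths, and the idea of a pinned SHA-256 baked in alongside the VHD are all assumptions. The demo section builds a constructed cache zip in a temp directory so the whole thing runs offline, then shows a tampered zip being rejected before expansion.

```powershell
# Added example, not AgentBaker's own code. Names, paths and the pinned-hash
# mechanism are assumptions used to illustrate the review comment.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Get-CseScriptsPackage {
    param(
        [Parameter(Mandatory)] [string] $CseScriptsPackageUrl,
        [Parameter(Mandatory)] [string] $ExpectedSha256,      # pinned at build time (assumed)
        [string] $BootstrapProfileContainerRegistryServer,     # non-empty => network-isolated cluster
        [string] $CachePath    = 'C:\akse-cache\aks-windows-cse-scripts-current.zip',  # assumed
        [string] $DownloadPath = 'C:\AzureData\windows\cse-scripts.zip',
        [string] $Destination  = 'C:\AzureData\windows'
    )

    if ($BootstrapProfileContainerRegistryServer) {
        # Network-isolated: packages.aks.microsoft.com is unreachable, so use the VHD cache.
        if (-not (Test-Path -LiteralPath $CachePath)) {
            throw "Cached CSE scripts package not found at $CachePath"
        }
        $zip = $CachePath
    }
    else {
        Invoke-WebRequest -Uri $CseScriptsPackageUrl -OutFile $DownloadPath -UseBasicParsing
        $zip = $DownloadPath
    }

    # Verify the archive before a single file lands in a directory that gets dot-sourced.
    # Get-FileHash returns uppercase hex; PowerShell's -ne is case-insensitive.
    $actual = (Get-FileHash -LiteralPath $zip -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "CSE scripts package hash mismatch: expected $ExpectedSha256, got $actual"
    }

    Expand-Archive -LiteralPath $zip -DestinationPath $Destination -Force
    return $zip
}

# --- Constructed demo: fake cache zip built offline, verified, expanded, dot-sourced ---
$work = Join-Path ([IO.Path]::GetTempPath()) ("cse-demo-" + [guid]::NewGuid())
$src  = Join-Path $work 'src'
New-Item -ItemType Directory -Path $src | Out-Null
Set-Content -Path (Join-Path $src 'azurecnifunc.ps1') -Value 'function Get-DemoCni { "cni ok" }'
$cacheZip = Join-Path $work 'aks-windows-cse-scripts-current.zip'
Compress-Archive -Path "$src\*" -DestinationPath $cacheZip

# In production this value would be baked into the image next to the zip, not computed here.
$pinned = (Get-FileHash -LiteralPath $cacheZip -Algorithm SHA256).Hash
$dest   = Join-Path $work 'windows'

# Network-isolated path: registry server set, no download attempted, cache verified then expanded.
Get-CseScriptsPackage -CseScriptsPackageUrl 'https://example.invalid/unused.zip' `
    -ExpectedSha256 $pinned -BootstrapProfileContainerRegistryServer 'myacr.azurecr.io' `
    -CachePath $cacheZip -DownloadPath (Join-Path $work 'dl.zip') -Destination $dest | Out-Null
. (Join-Path $dest 'azurecnifunc.ps1')   # dot-source only after the hash check passed
Get-DemoCni                              # prints: cni ok

# Tampered cache: append one byte, hash no longer matches, nothing is expanded.
[IO.File]::AppendAllText($cacheZip, 'x')
try {
    Get-CseScriptsPackage -CseScriptsPackageUrl 'https://example.invalid/unused.zip' `
        -ExpectedSha256 $pinned -BootstrapProfileContainerRegistryServer 'myacr.azurecr.io' `
        -CachePath $cacheZip -DownloadPath (Join-Path $work 'dl.zip') `
        -Destination (Join-Path $work 'windows2') | Out-Null
}
catch {
    "rejected: $($_.Exception.Message)"
}
Test-Path (Join-Path $work 'windows2')   # False: the tampered archive was never expanded

Remove-Item -Recurse -Force $work
```

The function throws rather than calling `exit`, because `exit` inside a PowerShell function terminates the whole script; in a CSE script the caller would catch the error and map it to the setup script's exit-code convention, the same place the PR's new error code for a missing cache would be raised. The check is deliberately on the archive, not on the expanded files, so a mismatch leaves `C:\AzureData\windows` untouched.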
What this PR does / why we need it:
feat: network isolated cluster skip cse download, because a network-isolated cluster cannot download scripts from packages.aks.microsoft.com
Which issue(s) this PR fixes:
Fixes #