Azure · jackfrancis · Aug 14, 2020 · Aug 6, 2020 · Aug 13, 2020
diff --git a/parts/k8s/cloud-init/artifacts/cse_config.sh b/parts/k8s/cloud-init/artifacts/cse_config.sh
@@ -566,7 +566,7 @@ configAddons() {
   {{if IsAzurePolicyAddonEnabled}}
   configAzurePolicyAddon
   {{end}}
-  {{- if not HasCustomPodSecurityPolicy}}
+  {{- if and (not HasCustomPodSecurityPolicy) IsPodSecurityPolicyAddonEnabled}}
   wait_for_file 1200 1 $POD_SECURITY_POLICY_SPEC || exit {{GetCSEErrorCode "ERR_FILE_WATCH_TIMEOUT"}}
   mkdir -p $ADDONS_DIR/init && cp $POD_SECURITY_POLICY_SPEC $ADDONS_DIR/init/ || exit {{GetCSEErrorCode "ERR_ADDONS_START_FAIL"}}
   {{- end}}

diff --git a/pkg/engine/armvariables_test.go b/pkg/engine/armvariables_test.go
@@ -209,6 +209,10 @@ func TestK8sVars(t *testing.T) {
 			Name:    common.AADPodIdentityAddonName,
 			Enabled: to.BoolPtr(true),
 		},
+		{
+			Name:    common.PodSecurityPolicyAddonName,
+			Enabled: to.BoolPtr(true),
+		},
 	}
 	varMap, err = GetKubernetesVariables(cs)
 	if err != nil {
@@ -254,7 +258,12 @@ func TestK8sVars(t *testing.T) {
 	}
 
 	// Test with ubuntu 16.04 distro
-	cs.Properties.OrchestratorProfile.KubernetesConfig.Addons = []api.KubernetesAddon{}
+	cs.Properties.OrchestratorProfile.KubernetesConfig.Addons = []api.KubernetesAddon{
+		{
+			Name:    common.PodSecurityPolicyAddonName,
+			Enabled: to.BoolPtr(true),
+		},
+	}
 	cs.Properties.AgentPoolProfiles[0].Distro = api.Ubuntu
 	cs.Properties.OrchestratorProfile.KubernetesConfig.UseManagedIdentity = false
 	varMap, err = GetKubernetesVariables(cs)
@@ -815,6 +824,10 @@ func TestK8sVars(t *testing.T) {
 				"appgw-sku": "WAF_v2",
 			},
 		},
+		{
+			Name:    common.PodSecurityPolicyAddonName,
+			Enabled: to.BoolPtr(true),
+		},
 	}
 
 	varMap, err = GetKubernetesVariables(cs)

diff --git a/pkg/engine/template_generator.go b/pkg/engine/template_generator.go
@@ -766,6 +766,9 @@ func getContainerServiceFuncMap(cs *api.ContainerService) template.FuncMap {
 		"IsDashboardAddonEnabled": func() bool {
 			return cs.Properties.OrchestratorProfile.KubernetesConfig.IsAddonEnabled(common.DashboardAddonName)
 		},
+		"IsPodSecurityPolicyAddonEnabled": func() bool {
+			return cs.Properties.OrchestratorProfile.KubernetesConfig.IsAddonEnabled(common.PodSecurityPolicyAddonName)
+		},
 		"GetAADPodIdentityTaintKey": func() string {
 			return common.AADPodIdentityTaintKey
 		},

diff --git a/pkg/engine/template_generator_test.go b/pkg/engine/template_generator_test.go
@@ -170,31 +170,32 @@ func TestGetContainerServiceFuncMap(t *testing.T) {
 	errorCodeStrings = append(errorCodeStrings, "ERR_HOLD_MY_BEER")
 	errorCodes = append(errorCodes, -1)
 	cases := []struct {
-		name                                  string
-		cs                                    *api.ContainerService
-		expectedHasCustomSearchDomain         bool
-		expectedGetSearchDomainName           string
-		expectedGetSearchDomainRealmUser      string
-		expectedGetSearchDomainRealmPassword  string
-		expectedHasCustomNodesDNS             bool
-		expectedGetHyperkubeImageReference    string
-		expectedGetTargetEnvironment          string
-		expectedIsNSeriesSKU                  bool
-		expectedIsDockerContainerRuntime      bool
-		expectedHasPrivateAzureRegistryServer bool
-		expectedGetPrivateAzureRegistryServer string
-		expectedGetSysctlDConfigKeyVals       string
-		expectedGetCSEErrorCodeVals           []int
-		expectedHasVHDDistroNodes             bool
-		expectedIsVHDDistroForAllNodes        bool
-		expectedHasClusterInitComponent       bool
-		expectedIsVirtualMachineScaleSets     bool
-		expectedUseManagedIdentity            bool
-		expectedHasKubeReservedCgroup         bool
-		expectedGetKubeReservedCgroup         string
-		expectedHasCustomPodSecurityPolicy    bool
-		expectedIsDashboardAddonEnabled       bool
-		expectedGetEtcdStorageLimitGB         int
+		name                                    string
+		cs                                      *api.ContainerService
+		expectedHasCustomSearchDomain           bool
+		expectedGetSearchDomainName             string
+		expectedGetSearchDomainRealmUser        string
+		expectedGetSearchDomainRealmPassword    string
+		expectedHasCustomNodesDNS               bool
+		expectedGetHyperkubeImageReference      string
+		expectedGetTargetEnvironment            string
+		expectedIsNSeriesSKU                    bool
+		expectedIsDockerContainerRuntime        bool
+		expectedHasPrivateAzureRegistryServer   bool
+		expectedGetPrivateAzureRegistryServer   string
+		expectedGetSysctlDConfigKeyVals         string
+		expectedGetCSEErrorCodeVals             []int
+		expectedHasVHDDistroNodes               bool
+		expectedIsVHDDistroForAllNodes          bool
+		expectedHasClusterInitComponent         bool
+		expectedIsVirtualMachineScaleSets       bool
+		expectedUseManagedIdentity              bool
+		expectedHasKubeReservedCgroup           bool
+		expectedGetKubeReservedCgroup           string
+		expectedHasCustomPodSecurityPolicy      bool
+		expectedIsDashboardAddonEnabled         bool
+		expectedIsPodSecurityPolicyAddonEnabled bool
+		expectedGetEtcdStorageLimitGB           int
 	}{
 		{
 			name: "1.15 release",
@@ -894,19 +895,20 @@ func TestGetContainerServiceFuncMap(t *testing.T) {
 					},
 				},
 			},
-			expectedHasCustomSearchDomain:        false,
-			expectedGetSearchDomainName:          "",
-			expectedGetSearchDomainRealmUser:     "",
-			expectedGetSearchDomainRealmPassword: "",
-			expectedHasCustomNodesDNS:            false,
-			expectedGetHyperkubeImageReference:   "hyperkube-amd64:v1.15.4",
-			expectedGetTargetEnvironment:         "AzurePublicCloud",
-			expectedIsNSeriesSKU:                 false,
-			expectedIsDockerContainerRuntime:     true,
-			expectedGetSysctlDConfigKeyVals:      "",
-			expectedGetCSEErrorCodeVals:          []int{-1},
-			expectedIsVirtualMachineScaleSets:    true,
-			expectedHasCustomPodSecurityPolicy:   true,
+			expectedHasCustomSearchDomain:           false,
+			expectedGetSearchDomainName:             "",
+			expectedGetSearchDomainRealmUser:        "",
+			expectedGetSearchDomainRealmPassword:    "",
+			expectedHasCustomNodesDNS:               false,
+			expectedGetHyperkubeImageReference:      "hyperkube-amd64:v1.15.4",
+			expectedGetTargetEnvironment:            "AzurePublicCloud",
+			expectedIsNSeriesSKU:                    false,
+			expectedIsDockerContainerRuntime:        true,
+			expectedGetSysctlDConfigKeyVals:         "",
+			expectedGetCSEErrorCodeVals:             []int{-1},
+			expectedIsVirtualMachineScaleSets:       true,
+			expectedHasCustomPodSecurityPolicy:      true,
+			expectedIsPodSecurityPolicyAddonEnabled: true,
 		},
 		{
 			name: "kubernetes-dashboard addon enabled",
@@ -1023,6 +1025,47 @@ func TestGetContainerServiceFuncMap(t *testing.T) {
 			expectedIsVirtualMachineScaleSets:    true,
 			expectedGetEtcdStorageLimitGB:        8589934592,
 		},
+		{
+			name: "pod-security-policy addon enabled",
+			cs: &api.ContainerService{
+				Properties: &api.Properties{
+					OrchestratorProfile: &api.OrchestratorProfile{
+						OrchestratorType:    api.Kubernetes,
+						OrchestratorVersion: "1.15.4",
+						KubernetesConfig: &api.KubernetesConfig{
+							ContainerRuntime:        api.Docker,
+							KubernetesImageBaseType: common.KubernetesImageBaseTypeGCR,
+							Addons: []api.KubernetesAddon{
+								{
+									Name:    common.PodSecurityPolicyAddonName,
+									Enabled: to.BoolPtr(true),
+								},
+							},
+						},
+					},
+					AgentPoolProfiles: []*api.AgentPoolProfile{
+						{
+							Name:                "pool1",
+							Count:               1,
+							AvailabilityProfile: api.VirtualMachineScaleSets,
+						},
+					},
+				},
+			},
+			expectedHasCustomSearchDomain:           false,
+			expectedGetSearchDomainName:             "",
+			expectedGetSearchDomainRealmUser:        "",
+			expectedGetSearchDomainRealmPassword:    "",
+			expectedHasCustomNodesDNS:               false,
+			expectedGetHyperkubeImageReference:      "hyperkube-amd64:v1.15.4",
+			expectedGetTargetEnvironment:            "AzurePublicCloud",
+			expectedIsNSeriesSKU:                    false,
+			expectedIsDockerContainerRuntime:        true,
+			expectedGetSysctlDConfigKeyVals:         "",
+			expectedGetCSEErrorCodeVals:             []int{-1},
+			expectedIsVirtualMachineScaleSets:       true,
+			expectedIsPodSecurityPolicyAddonEnabled: true,
+		},
 	}
 
 	for _, c := range cases {
@@ -1183,7 +1226,12 @@ func TestGetContainerServiceFuncMap(t *testing.T) {
 			v = reflect.ValueOf(funcMap["IsDashboardAddonEnabled"])
 			ret = v.Call(make([]reflect.Value, 0))
 			if ret[0].Interface() != c.expectedIsDashboardAddonEnabled {
-				t.Errorf("expected funcMap invocation of HasCustomPodSecurityPolicy to return %t, instead got %t", c.expectedIsDashboardAddonEnabled, ret[0].Interface())
+				t.Errorf("expected funcMap invocation of IsDashboardAddonEnabled to return %t, instead got %t", c.expectedIsDashboardAddonEnabled, ret[0].Interface())
+			}
+			v = reflect.ValueOf(funcMap["IsPodSecurityPolicyAddonEnabled"])
+			ret = v.Call(make([]reflect.Value, 0))
+			if ret[0].Interface() != c.expectedIsPodSecurityPolicyAddonEnabled {
+				t.Errorf("expected funcMap invocation of IsPodSecurityPolicyAddonEnabled to return %t, instead got %t", c.expectedIsPodSecurityPolicyAddonEnabled, ret[0].Interface())
 			}
 			v = reflect.ValueOf(funcMap["GetEtcdStorageLimitGB"])
 			ret = v.Call(make([]reflect.Value, 0))

diff --git a/pkg/engine/templates_generated.go b/pkg/engine/templates_generated.go