feat(aks-preview): add cluster FIPS flag

[ttruongatl]

---

This checklist is used to make sure that common guidelines for a pull request are followed.

Related command

az aks create
az aks update

General Guidelines

• Have you run azdev style aks-preview locally? (pip install azdev required)
• Have you run python scripts/ci/test_index.py -q locally? (pip install wheel==0.30.0 required)
• My extension version conforms to the Extension version schema

For new extensions:

• My extension description/summary conforms to the Extension Summary Guidelines.

About Extension Publish

There is a pipeline to automatically build, upload and publish extension wheels.
Once your pull request is merged into main branch, a new pull request will be created to update src/index.json automatically.
You only need to update the version information in file setup.py and historical information in file HISTORY.rst in your PR but do not modify src/index.json.

Summary

Adds preview --enable-fips support for az aks create and az aks update, including Kubernetes version validation, node pool FIPS enforcement, help text, and tests. This intentionally avoids manually bumping the generated AKS SDK/API version; enableFIPS is sent through the existing model extra REST-property path until the SDK is regenerated.

Tests

• PYTHONPATH=src/aks-preview python -m pytest src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py::AKSPreviewManagedClusterContextTestCase::test_get_enable_fips src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py::AKSPreviewManagedClusterCreateDecoratorTestCase::test_set_up_enable_fips src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py::AKSPreviewManagedClusterUpdateDecoratorTestCase::test_update_enable_fips -q
• python -m pytest src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py -q -k 'enable_fips or get_kubernetes_version'
• PYTHONPATH=src/aks-preview python -m pytest src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py::AzureKubernetesServiceScenarioTest::test_aks_create_with_cluster_fips src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py::AzureKubernetesServiceScenarioTest::test_aks_update_with_cluster_fips -q (live-only tests collected/skipped locally)
• PYTHONPATH=src/aks-preview python -m compileall -q src/aks-preview/azext_aks_preview
• git diff --check

[azure-client-tools-bot-prd]

Validation for Breaking Change Starting...

Thanks for your contribution!

[azure-client-tools-bot-prd]

Hi @ttruongatl,
Please write the description of changes which can be perceived by customers into HISTORY.rst.
If you want to release a new extension version, please update the version in setup.py as well.

[yonzhan]

Thank you for your contribution! We will review the pull request and get back to you soon.

[github-actions]

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

[github-actions]

Hi @ttruongatl

Release Suggestions

Module: aks-preview

• Update VERSION to 21.0.0b2 in src/aks-preview/setup.py

Notes

• For more info about extension versioning, please refer to Extension version schema

[Copilot]

Pull request overview

Adds a new preview flag --enable-fips to the aks-preview extension to enable cluster-wide FIPS mode for az aks create and az aks update, including CLI parameter wiring, help text, request shaping in managed cluster decorators, and unit/live-only tests.

Changes:

• Introduces --enable-fips (preview) for az aks create and az aks update and wires it through params + custom command signatures.
• Implements cluster-level FIPS handling in managed cluster create/update decorators, including Kubernetes version gating (1.34+) and node pool enforcement behavior.
• Adds unit tests for context/decorator behavior and live-only scenario tests for create/update.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
src/aks-preview/HISTORY.rst	Documents the new preview flag and its requirements.
src/aks-preview/azext_aks_preview/managed_cluster_decorator.py	Adds context getter/validation and create/update decorator logic to set cluster/nodepool FIPS flags.
src/aks-preview/azext_aks_preview/custom.py	Extends aks_create/aks_update signatures to accept enable_fips and pass through raw parameters.
src/aks-preview/azext_aks_preview/_params.py	Registers --enable-fips as a preview argument for create/update.
src/aks-preview/azext_aks_preview/_help.py	Adds help entries describing cluster-level FIPS behavior and constraints.
src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py	Adds unit tests for context + decorator create/update behavior for cluster FIPS.
src/aks-preview/azext_aks_preview/tests/latest/test_aks_commands.py	Adds live-only scenario tests for create/update with cluster-level FIPS.

[FumingZhang]

unrelated to your change?

[ttruongatl]

Removed it

[FumingZhang]

move this to section Pending or a new version

[ttruongatl]

Updated it.

[FumingZhang]

please show a proof that the test could pass locally or in the live test pipeline

[ttruongatl]

Verified with the installed az aks CLI in Canary (eastus2euap) using Azure CLI core 2.86.0 and aks-preview. Both live scenarios passed: create returned enableFips=true, agentPoolFips=true, provisioningState=Succeeded; update create/enable/disable completed successfully with final state enableFips=false, agentPoolFips=true, provisioningState=Succeeded. Report: