Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Banani-Rath

articles/active-directory/authentication/concept-fido2-hardware-vendor.md

@@ -5,8 +5,8 @@ ms.date: 08/02/2021
 services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
-author: knicholasa
-ms.author: nichola
+author: martincoetzer
+ms.author: martinco
 ms.topic: conceptual
 ms.collection: M365-identity-device-management
 ---

articles/active-directory/reports-monitoring/reference-azure-ad-sla-performance.md

@@ -3,7 +3,7 @@ title: Azure Active Directory SLA performance | Microsoft Docs
 description: Learn about the Azure AD SLA performance
 services: active-directory
 documentationcenter: ''
-author: MarkusVi
+author: shlipsey3
 manager: amycolannino
 editor: ''
 
@@ -13,8 +13,8 @@ ms.topic: reference
 ms.tgt_pltfrm: na
 ms.workload: identity
 ms.subservice: report-monitor
-ms.date: 08/26/2022
-ms.author: markvi
+ms.date: 09/08/2022
+ms.author: sarahlipsey
 ms.reviewer: besiler
 
 ms.collection: M365-identity-device-management

articles/aks/TOC.yml

@@ -260,6 +260,8 @@
             - name: Scan images in your CI/CD Workflow
               href: ../defender-for-cloud/defender-for-container-registries-cicd.md
               maintainContext: True
+        - name: Remove vulnerable images with ImageCleaner (preview)
+          href: image-cleaner.md
         - name: Registry security
           items:
             - name: Scanning images in ACR registries
@@ -434,6 +436,8 @@
           href: use-windows-hpc.md
         - name: Windows Server containers FAQ
           href: windows-faq.md
+        - name: Upgrade from Windows Server 2019 to 2022
+          href: upgrade-windows-2019-2022.md          
         - name: Create Dockerfiles for Windows Server containers
           href: /virtualization/windowscontainers/manage-docker/manage-windows-dockerfile?context=/azure/aks/context/aks-context
         - name: Optimize Dockerfiles for Windows Server containers

articles/aks/image-cleaner.md

@@ -0,0 +1,167 @@
+---
+title: Use ImageCleaner on Azure Kubernetes Service (AKS)
+description: Learn how to use ImageCleaner to clean up stale images on Azure Kubernetes Service (AKS)
+ms.author: nickoman
+author: nickomang
+services: container-service
+ms.topic: article
+ms.date: 08/26/2022
+---
+
+# Use ImageCleaner to clean up stale images on your Azure Kubernetes Service cluster (preview)
+
+It's common to use pipelines to build and deploy images on Azure Kubernetes Service (AKS) clusters. While great for image creation, this process often doesn't account for the stale images left behind and can lead to image bloat on cluster nodes. These images can present security issues as they may contain vulnerabilities. By cleaning these unreferenced images, you can remove an area of risk in your clusters. When done manually, this process can be time intensive, which ImageCleaner can mitigate via automatic image identification and removal.
+
+[!INCLUDE [preview features callout](./includes/preview/preview-callout.md)]
+
+## Prerequisites
+
+* An Azure subscription. If you don't have an Azure subscription, you can create a [free account](https://azure.microsoft.com/free).
+* [Azure CLI][azure-cli-install] or [Azure PowerShell][azure-powershell-install] and the `aks-preview` CLI extension installed.
+* The `EnableImageCleanerPreview` feature flag registered on your subscription:
+
+### [Azure CLI](#tab/azure-cli)
+
+Register the `EnableImageCleanerPreview` feature flag by using the [az feature register][az-feature-register] command, as shown in the following example:
+
+```azurecli-interactive
+az feature register --namespace "Microsoft.ContainerService" --name "EnableImageCleanerPreview"
+```
+
+It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature list][az-feature-list] command:
+
+```azurecli-interactive
+az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/EnableImageCleanerPreview')].{Name:name,State:properties.state}"
+```
+
+When ready, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command:
+
+```azurecli-interactive
+az provider register --namespace Microsoft.ContainerService
+```
+
+### [Azure PowerShell](#tab/azure-powershell)
+
+Register the `EnableImageCleanerPreview` feature flag by using the [Register-AzProviderPreviewFeature][register-azproviderpreviewfeature] cmdlet, as shown in the following example:
+
+```azurepowershell-interactive
+Register-AzProviderPreviewFeature -ProviderNamespace Microsoft.ContainerService -Name EnableImageCleanerPreview
+```
+
+It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [Get-AzProviderPreviewFeature][get-azproviderpreviewfeature] cmdlet:
+
+```azurepowershell-interactive
+Get-AzProviderPreviewFeature -ProviderNamespace Microsoft.ContainerService -Name EnableImageCleanerPreview |
+ Format-Table -Property Name, @{name='State'; expression={$_.Properties.State}}
+```
+
+When ready, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [Register-AzResourceProvider][register-azresourceprovider] command:
+
+```azurepowershell-interactive
+Register-AzResourceProvider -ProviderNamespace Microsoft.ContainerService
+```
+
+---
+
+## Limitations
+
+ImageCleaner does not support the following:
+
+* ARM64 node pools. For more information, see [Azure Virtual Machines with ARM-based processors][arm-vms].
+* Windows node pools.
+
+## How ImageCleaner works
+
+When enabled, an `eraser-controller-manager` pod is deployed on each agent node, which will use an `ImageList` CRD to determine unreferenced and vulnerable images. Vulnerability is determined based on a [trivy][trivy] scan, after which images with a `LOW`, `MEDIUM`, `HIGH`, or `CRITICAL` classification are flagged. An updated `ImageList` will be automatically generated by ImageCleaner based on a set time interval, and can also be supplied manually.
+
+Once an `ImageList` is generated, ImageCleaner will remove all the images in the list from node VMs.
+
+
+:::image type="content" source="./media/image-cleaner/image-cleaner.jpg" alt-text="A diagram showing ImageCleaner's workflow. The ImageCleaner pods running on the cluster can generate an ImageList, or manual input can be provided.":::
+
+## Configuration options
+
+In addition to choosing between manual and automatic mode, there are several options for ImageCleaner:
+
+|Name|Description|Required|
+|----|-----------|--------|
+|--enable-image-cleaner|Enable the ImageCleaner feature for an AKS cluster|Yes, unless disable is specified|
+|--disable-image-cleaner|Disable the ImageCleaner feature for an AKS cluster|Yes, unless enable is specified|
+|--image-cleaner-interval-hours|This parameter determines the interval time (in hours) ImageCleaner will use to run. The default value is one week, the minimum value is 24 hours and the maximum is three months.|No|
+
+## Enable ImageCleaner on your AKS cluster
+
+To create a new AKS cluster using the default interval, use [az aks create][az-aks-create]:
+
+```azurecli-interactive
+az aks create -g MyResourceGroup -n MyManagedCluster \ 
+  --enable-image-cleaner 
+```
+
+To enable on an existing AKS cluster, use [az aks update][az-aks-update]:
+
+```azurecli-interactive
+az aks update -g MyResourceGroup -n MyManagedCluster \ 
+  --enable-image-cleaner 
+```
+
+The `--image-cleaner-interval-hours` parameter can be specified at creation time or for an existing cluster. For example, the following command updates the interval for a cluster with ImageCleaner already enabled:
+
+```azurecli-interactive
+az aks update -g MyResourceGroup -n MyManagedCluster \
+  --image-cleaner-interval-hours 48
+```
+
+Based on your configuration, ImageCleaner will generate an `ImageList` containing non-running and vulnerable images at the desired interval. ImageCleaner will automatically remove these images from cluster nodes.
+
+## Manually remove images
+
+To manually remove images from your cluster using ImageCleaner, first create an `ImageList`. For example, save the following as `image-list.yml`:
+
+```yml
+apiVersion: eraser.sh/v1alpha1
+kind: ImageList
+metadata:
+  name: imagelist
+spec:
+  images:
+    - docker.io/library/alpine:3.7.3   # You can also use "*" to specify all non-running images
+```
+
+And apply it to the cluster:
+
+```bash
+kubectl apply -f image-list.yml
+```
+
+A job will trigger which causes ImageCleaner to remove the desired images from all nodes.
+
+## Disable ImageCleaner
+
+To stop using ImageCleaner, you can disable it via the `--disable-image-cleaner` flag:
+
+```azurecli-interactive
+az aks update -g MyResourceGroup -n MyManagedCluster
+  --disable-image-cleaner
+```
+
+## Logging
+
+The deletion logs are stored in the `image-cleaner-kind-worker` pods. You can check these via `kubectl logs` or via the Container Insights pod log table if the [Azure Monitor add-on](./monitor-aks.md) is enabled.
+
+<!-- LINKS -->
+
+[azure-cli-install]: /cli/azure/install-azure-cli
+[azure-powershell-install]: /powershell/azure/install-az-ps
+
+[az-aks-create]: /cli/azure/aks#az_aks_create
+[az-aks-update]: /cli/azure/aks#az_aks_update
+[az-feature-register]: /cli/azure/feature#az_feature_register
+[register-azproviderpreviewfeature]: /powershell/module/az.resources/register-azproviderpreviewfeature
+[az-feature-list]: /cli/azure/feature#az_feature_list
+[get-azproviderpreviewfeature]: /powershell/module/az.resources/get-azproviderpreviewfeature
+[az-provider-register]: /cli/azure/provider#az_provider_register
+[register-azresourceprovider]: /powershell/module/az.resources/register-azresourceprovider
+
+[arm-vms]: https://azure.microsoft.com/blog/azure-virtual-machines-with-ampere-altra-arm-based-processors-generally-available/
+[trivy]: https://github.com/aquasecurity/trivy

articles/aks/manage-abort-operations.md

@@ -3,7 +3,7 @@ title: Abort an Azure Kubernetes Service (AKS) long running operation
 description: Learn how to terminate a long running operation on an Azure Kubernetes Service cluster at the node pool or cluster level. 
 services: container-service
 ms.topic: article
-ms.date: 09/06/2022
+ms.date: 09/08/2022
 
 ---
 
@@ -25,42 +25,38 @@ This article assumes that you have an existing AKS cluster. If you need an AKS c
 
 ## Abort a long running operation
 
-### [Azure REST API](#tab/azure-rest)
+### [Azure CLI](#tab/azure-cli)
 
-You can use the Azure REST API [Abort](/rest/api/aks/managed-clusters) operation to stop an operation against the Managed Cluster.
+You can use the [az aks nodepool](/cli/azure/aks/nodepool) command with the `operation-abort` argument to abort an operation on a node pool or a managed cluster.
 
-The following example terminates a process for a specified agent pool.
+The following example terminates an operation on a node pool on a specified cluster by its name and resource group that holds the cluster.
 
-```rest
-/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ContainerService/managedclusters/{resourceName}/agentPools/{agentPoolName}/abort
+```azurecli-interactive
+az aks nodepool operation-abort --resource-group myResourceGroup --cluster-name myAKSCluster --name myNodePool 
 ```
 
-The following example terminates a process for a specified managed cluster.
+The following example terminates an operation against a specified managed cluster its name and resource group that holds the cluster.
 
-```rest
-/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ContainerService/managedclusters/{resourceName}/abort
+```azurecli-interactive
+az aks operation-abort --name myAKSCluster --resource-group myResourceGroup
 ```
 
 In the response, an HTTP status code of 204 is returned.
 
-### [Azure CLI](#tab/azure-cli)
-
-You can use the [az aks nodepool](/cli/azure/aks/nodepool) command with the `operation-abort` argument to abort an operation on a node pool or a managed cluster.
-
-The following example terminates an operation on a node pool on a specified cluster by its name and resource group that holds the cluster.
+### [Azure REST API](#tab/azure-rest)
 
-```azurecli-interactive
-az aks nodepool operation-abort\
+You can use the Azure REST API [Abort](/rest/api/aks/managed-clusters) operation to stop an operation against the Managed Cluster.
 
---resource-group myResourceGroup \
+The following example terminates a process for a specified agent pool.
 
---cluster-name myAKSCluster \
+```rest
+/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ContainerService/managedclusters/{resourceName}/agentPools/{agentPoolName}/abort
 ```
 
-The following example terminates an operation against a specified managed cluster its name and resource group that holds the cluster.
+The following example terminates a process for a specified managed cluster.
 
-```azurecli-interactive
-az aks operation-abort --name myAKSCluster --resource-group myResourceGroup
+```rest
+/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ContainerService/managedclusters/{resourceName}/abort
 ```
 
 In the response, an HTTP status code of 204 is returned.