Merge pull request #263075 from MicrosoftDocs/main

1/11/2024 PM Publish

Author: Taojunshen

articles/aks/TOC.yml

@@ -105,14 +105,14 @@
           href: network-observability-overview.md
     - name: Security
       items:
+        - name: Security concepts
+          href: concepts-security.md
         - name: Access and identity
           href: concepts-identity.md
         - name: Security vulnerability management
           href: concepts-vulnerability-management.md
         - name: Security Baseline
           href: /security/benchmark/azure/baselines/aks-security-baseline?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json
-        - name: Container Security
-          href: concepts-security.md
         - name: Confidential Containers security policy
           href: ../confidential-computing/confidential-containers-aks-security-policy.md?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json
         - name: Security controls by Azure Policy

articles/aks/concepts-security.md

@@ -4,7 +4,7 @@ description: Learn about security in Azure Kubernetes Service (AKS), including m
 author: miwithro
 ms.topic: conceptual
 ms.custom: build-2023
-ms.date: 10/31/2023
+ms.date: 01/11/2024
 ms.author: miwithro
 ---
 
@@ -82,25 +82,6 @@ Because of compliance or regulatory requirements, certain workloads may require
 * [Confidential Containers][confidential-containers] (preview), also based on Kata Confidential Containers, encrypts container memory and prevents data in memory during computation from being in clear text, readable format, and tampering. It helps isolate your containers from other container groups/pods, as well as VM node OS kernel. Confidential Containers (preview) uses hardware based memory encryption (SEV-SNP).
 * [Pod Sandboxing][pod-sandboxing] (preview) provides an isolation boundary between the container application and the shared kernel and compute resources (CPU, memory, and network) of the container host.
 
-## Cluster upgrades
-
-Azure provides upgrade orchestration tools to upgrade of an AKS cluster and components, maintain security and compliance, and access the latest features. This upgrade orchestration includes both the Kubernetes master and agent components. 
-
-To start the upgrade process, specify one of the [listed available Kubernetes versions](supported-kubernetes-versions.md). Azure then safely cordons and drains each AKS node and upgrades.
-
-### Cordon and drain
-
-During the upgrade process, AKS nodes are individually cordoned from the cluster to prevent new pods from being scheduled on them. The nodes are then drained and upgraded as follows:
-
-1. A new node is deployed into the node pool. 
-    * This node runs the latest OS image and patches.
-1. One of the existing nodes is identified for upgrade. 
-1. Pods on the identified node are gracefully terminated and scheduled on the other nodes in the node pool.
-1. The emptied node is deleted from the AKS cluster.
-1. Steps 1-4 are repeated until all nodes are successfully replaced as part of the upgrade process.
-
-For more information, see [Upgrade an AKS cluster][aks-upgrade-cluster].
-
 ## Network security
 
 For connectivity and security with on-premises networks, you can deploy your AKS cluster into existing Azure virtual network subnets. These virtual networks connect back to your on-premises network using Azure Site-to-Site VPN or Express Route. Define Kubernetes ingress controllers with private, internal IP addresses to limit services access to the internal network connection.

articles/azure-arc/kubernetes/tutorial-arc-enabled-open-service-mesh.md

@@ -1,11 +1,9 @@
 ---
 title: Azure Arc-enabled Open Service Mesh
-description: Open Service Mesh (OSM) extension on Azure Arc-enabled Kubernetes cluster
+description: Deploy the Open Service Mesh (OSM) extension on Azure Arc-enabled Kubernetes cluster
 ms.custom: ignite-2022, devx-track-azurecli, devx-track-arm-template
-ms.date: 10/12/2022
+ms.date: 01/11/2024
 ms.topic: tutorial
-author: mayurigupta13
-ms.author: mayg
 ---
 
 # Azure Arc-enabled Open Service Mesh
@@ -14,6 +12,8 @@ ms.author: mayg
 
 OSM runs an Envoy-based control plane on Kubernetes, can be configured with [SMI](https://smi-spec.io/) APIs, and works by injecting an Envoy proxy as a sidecar container next to each instance of your application. [Read more](https://docs.openservicemesh.io/#features) on the service mesh scenarios enabled by Open Service Mesh.
 
+All components of Azure Arc-enabled OSM are deployed on availability zones, making them zone redundant.
+
 ## Installation options and requirements
 
 Azure Arc-enabled Open Service Mesh can be deployed through Azure portal, Azure CLI, an ARM template, or a built-in Azure policy.
@@ -67,8 +67,9 @@ export RESOURCE_GROUP=<resource-group-name>
 If you're using an OpenShift cluster, skip to the [OpenShift installation steps](#install-osm-on-an-openshift-cluster).
 
 Create the extension:
+
 > [!NOTE]
-> If you would like to pin a specific version of OSM, add the `--version x.y.z` flag to the `create` command. Note that this will set the value for `auto-upgrade-minor-version` to false.
+> To pin a specific version of OSM, add the `--version x.y.z` flag to the `create` command. Note that this will set the value for `auto-upgrade-minor-version` to false.
 
 ```azurecli-interactive
 az k8s-extension create --cluster-name $CLUSTER_NAME --resource-group $RESOURCE_GROUP --cluster-type connectedClusters --extension-type Microsoft.openservicemesh --scope cluster --name osm
@@ -181,8 +182,10 @@ Now, [install OSM with custom values](#setting-values-during-osm-installation).
 [cert-manager](https://cert-manager.io/) is a provider that can be used for issuing signed certificates to OSM without
 the need for storing private keys in Kubernetes. Refer to OSM's [cert-manager documentation](https://docs.openservicemesh.io/docs/guides/certificates/)
 and [demo](https://docs.openservicemesh.io/docs/demos/cert-manager_integration/) to learn more.
+
 > [!NOTE]
 > Use the commands provided in the OSM GitHub documentation with caution. Ensure that you use the correct namespace in commands or specify with flag `--osm-namespace arc-osm-system`.
+
 To install OSM with cert-manager as the certificate provider, create or append to your existing JSON settings file the `certificateProvider.kind`
 value set to cert-manager as shown here. To change from the default cert-manager values specified in OSM documentation,
 also include and update the subsequent `certmanager.issuer` lines.
@@ -218,29 +221,26 @@ To set required values for configuring Contour during OSM installation, append t
 }
 ```
 
-Now, [install OSM with custom values](#setting-values-during-osm-installation).
-
 ### Setting values during OSM installation
 
 Any values that need to be set during OSM installation need to be saved to a single JSON file and passed in through the Azure CLI
 install command.
 
 After you create a JSON file with applicable values as described in the custom installation sections, set the file path as an environment variable:
 
-   ```azurecli-interactive
-   export SETTINGS_FILE=<json-file-path>
-   ```
+```azurecli-interactive
+export SETTINGS_FILE=<json-file-path>
+```
 
-Run the `az k8s-extension create` command to create the OSM extension, passing in the settings file using the
+Run the `az k8s-extension create` command to create the OSM extension, passing in the settings file using the `--configuration-settings-file` flag:
 
-`--configuration-settings-file` flag:
-   ```azurecli-interactive
-   az k8s-extension create --cluster-name $CLUSTER_NAME --resource-group $RESOURCE_GROUP --cluster-type connectedClusters --extension-type Microsoft.openservicemesh --scope cluster --name osm --configuration-settings-file $SETTINGS_FILE
-   ```
+```azurecli-interactive
+az k8s-extension create --cluster-name $CLUSTER_NAME --resource-group $RESOURCE_GROUP --cluster-type connectedClusters --extension-type Microsoft.openservicemesh --scope cluster --name osm --configuration-settings-file $SETTINGS_FILE
+```
 
 ## Install Azure Arc-enabled OSM using ARM template
 
-After connecting your cluster to Azure Arc, create a JSON file with the following format, making sure to update the \<cluster-name\> and \<osm-arc-version\> values:
+After connecting your cluster to Azure Arc, create a JSON file with the following format, making sure to update the `<cluster-name>` and `<osm-arc-version>` values:
 
 ```json
 {
@@ -307,7 +307,7 @@ export TEMPLATE_FILE_NAME=<template-file-path>
 export DEPLOYMENT_NAME=<desired-deployment-name>
 ```
 
-Run this command to install the OSM extension using the az CLI:
+Run this command to install the OSM extension:
 
 ```azurecli-interactive
 az deployment group create --name $DEPLOYMENT_NAME --resource-group $RESOURCE_GROUP --template-file $TEMPLATE_FILE_NAME
@@ -317,7 +317,9 @@ You should now be able to view the OSM resources and use the OSM extension in yo
 
 ## Install Azure Arc-enabled OSM using built-in policy
 
-A built-in policy is available on Azure portal under the category of **Kubernetes** by the name of **Azure Arc-enabled Kubernetes clusters should have the Open Service Mesh extension installed**. This policy can be assigned at the scope of a subscription or a resource group. The default action of this policy is **Deploy if not exists**. However, you can choose to audit the clusters for extension installations by changing the parameters during assignment. You're also prompted to specify the version you wish to install (v1.0.0-1 or higher) as a parameter.
+A built-in policy is available on Azure portal under the **Kubernetes** category: **Azure Arc-enabled Kubernetes clusters should have the Open Service Mesh extension installed**. This policy can be assigned at the scope of a subscription or a resource group.
+
+The default action of this policy is **Deploy if not exists**. However, you can choose to audit the clusters for extension installations by changing the parameters during assignment. You're also prompted to specify the version you wish to install (v1.0.0-1 or higher) as a parameter.
 
 ## Validate installation
 
@@ -360,15 +362,17 @@ You should see a JSON output similar to:
 }
 ```
 
+For more commands that you can use to validate and troubleshoot the deployment of the Open Service Mesh (OSM) extension components on your cluster, see [our troubleshooting guide](extensions-troubleshooting.md#azure-arc-enabled-open-service-mesh)
+
 ## OSM controller configuration
 
-OSM deploys a MeshConfig resource `osm-mesh-config` as a part of its control plane in arc-osm-system namespace. The purpose of this MeshConfig is to provide the mesh owner/operator the ability to update some of the mesh configurations based on their needs. to view the default values, use the following command.
+OSM deploys a MeshConfig resource `osm-mesh-config` as a part of its control plane in `arc-osm-system` namespace. The purpose of this MeshConfig is to provide the mesh owner/operator the ability to update some of the mesh configurations based on their needs. To view the default values, use the following command.
 
 ```azurecli-interactive
 kubectl describe meshconfig osm-mesh-config -n arc-osm-system
 ```
 
-The output would show the default values:
+The output shows the default values:
 
 ```azurecli-interactive
   Certificate:
@@ -416,6 +420,7 @@ For more information, see the [Config API reference](https://docs.openservicemes
 
 > [!NOTE]
 > Values in the MeshConfig `osm-mesh-config` are persisted across upgrades.
+
 Changes to `osm-mesh-config` can be made using the `kubectl patch` command. In the following example, the permissive traffic policy mode is changed to false.
 
 ```azurecli-interactive
@@ -436,7 +441,7 @@ Alternatively, to edit `osm-mesh-config` in Azure portal, select **Edit configur
 
 ## Using Azure Arc-enabled OSM
 
-To start using OSM capabilities, you need to first onboard the application namespaces to the service mesh. Download the OSM CLI from [OSM GitHub releases page](https://github.com/openservicemesh/osm/releases/). Once the namespaces are added to the mesh, you can configure the SMI policies to achieve the desired OSM capability.
+To start using OSM capabilities, you need to first onboard the application namespaces to the service mesh. Download the OSM CLI from the [OSM GitHub releases page](https://github.com/openservicemesh/osm/releases/). Once the namespaces are added to the mesh, you can configure the SMI policies to achieve the desired OSM capability.
 
 ### Onboard namespaces to the service mesh
 
@@ -445,18 +450,19 @@ Add namespaces to the mesh by running the following command:
 ```azurecli-interactive
 osm namespace add <namespace_name>
 ```
+
 Namespaces can be onboarded from Azure portal as well by selecting **+Add** in the cluster's Open Service Mesh section.
 
 [![+Add button located on top of the Open Service Mesh section](media/tutorial-arc-enabled-open-service-mesh/osm-portal-add-namespace.jpg)](media/tutorial-arc-enabled-open-service-mesh/osm-portal-add-namespace.jpg#lightbox)
 
-More information about onboarding services can be found [here](https://docs.openservicemesh.io/docs/guides/app_onboarding/#onboard-services).
+For more information about onboarding services, see the [Open Service Mesh documentation](https://docs.openservicemesh.io/docs/guides/app_onboarding/#onboard-services).
 
 ### Configure OSM with Service Mesh Interface (SMI) policies
 
 You can start with a [sample application](https://docs.openservicemesh.io/docs/getting_started/install_apps/) or use your test environment to try out SMI policies.
 
 > [!NOTE]
-> If you are using a sample applications, ensure that their versions match the version of the OSM extension installed on your cluster. For example, if you are using v1.0.0 of the OSM extension, use the bookstore manifest from release-v1.0 branch of OSM upstream repository.
+> If you use sample applications, ensure that their versions match the version of the OSM extension installed on your cluster. For example, if you are using v1.0.0 of the OSM extension, use the bookstore manifest from release-v1.0 branch of OSM upstream repository.
 
 ### Configuring your own Jaeger, Prometheus and Grafana instances
 
@@ -526,21 +532,23 @@ InsightsMetrics
 ### Navigating the OSM dashboard
 
 1. Access your Arc connected Kubernetes cluster using this [link](https://aka.ms/azmon/osmux).
-2. Go to Azure Monitor and navigate to the Reports tab to access the OSM workbook.
+2. Go to Azure Monitor and navigate to the **Reports** tab to access the OSM workbook.
 3. Select the time-range & namespace to scope your services.
 
 [![OSM workbook](media/tutorial-arc-enabled-open-service-mesh/osm-workbook.jpg)](media/tutorial-arc-enabled-open-service-mesh/osm-workbook.jpg#lightbox)
 
 #### Requests tab
 
-- This tab shows a summary of all the http requests sent via service to service in OSM.
+The **Requests** tab shows a summary of all the http requests sent via service to service in OSM.
+
 - You can view all the services by selecting the service in the grid.
 - You can view total requests, request error rate & P90 latency.
 - You can drill down to destination and view trends for HTTP error/success code, success rate, pod resource utilization, and latencies at different percentiles.
 
 #### Connections tab
 
-- This tab shows a summary of all the connections between your services in Open Service Mesh.
+The **Connections** tab shows a summary of all the connections between your services in Open Service Mesh.
+
 - Outbound connections: total number of connections between Source and destination services.
 - Outbound active connections: last count of active connections between source and destination in selected time range.
 - Outbound failed connections: total number of failed connections between source and destination service.
@@ -590,17 +598,8 @@ When you use the `az k8s-extension` command to delete the OSM extension, the `ar
 > [!NOTE]
 > Use the az k8s-extension CLI to uninstall OSM components managed by Arc. Using the OSM CLI to uninstall is not supported by Arc and can result in undesirable behavior.
 
-## Troubleshooting
-
-Refer to the [extension troubleshooting guide](extensions-troubleshooting.md#azure-arc-enabled-open-service-mesh) for help with issues.
-
-## Frequently asked questions
-
-### Is the extension of Azure Arc-enabled OSM zone redundant?
-
-Yes, all components of Azure Arc-enabled OSM are deployed on availability zones and are hence zone redundant.
-
 ## Next steps
 
-> **Just want to try things out?**  
-> Get started quickly with an [Azure Arc Jumpstart](https://aka.ms/arc-jumpstart-osm) scenario using Cluster API.
+- Just want to try things out? Get started quickly with an [Azure Arc Jumpstart](https://aka.ms/arc-jumpstart-osm) scenario using Cluster API.
+- Get [troubleshooting help for Azure Arc-enabled OSM](extensions-troubleshooting.md#azure-arc-enabled-open-service-mesh).
+- - Explore other [extensions for Arc-enabled Kubernetes](extensions-release.md).

articles/azure-monitor/agents/azure-monitor-agent-mma-removal-tool.md

@@ -10,7 +10,7 @@ ms.custom:
 # Customer intent: As an Azure account administrator, I want to use the available Azure Monitor tools to migrate from Log Analytics Agent to Azure Monitor Agent and track the status of the migration in my account.
 ---
 
-# MMA Discovery and Removal Tool  
+# MMA Discovery and Removal Tool (Preview)
 After you migrate your machines to AMA, you need to remove the MMA agent to avoid duplication of logs. AzTS MMA Discovery and Removal Utility can centrally remove MMA extension from Azure Virtual Machine (VMs), Azure Virtual Machine Scale Sets and Azure Arc Servers from a tenant.  
 The utility works in two steps  
 1. Discovery – First the utility creates an inventory of all machines that have the MMA agents installed. We recommend that no new VMs, Virtual Machine Scale Sets or Azure Arc Servers with MMA extension are created while the utility is running.  

articles/azure-netapp-files/configure-customer-managed-keys.md

@@ -259,12 +259,11 @@ The process to configure a NetApp account with customer-managed keys in the Azur
     az netappfiles account update --name <account_name> \  
         --resource-group <resource_group> \
         --identity-type UserAssigned \
-        --user-identity-id $user-assigned-identity \   
         --key-source Microsoft.Keyvault \
         --key-vault-uri $key_vault_uri \
         --key-name <key> \
         --keyvault-resource-id <key-vault> \   
-        --user-assigned-identity
+        --user-assigned-identity $user_assigned_identity
      ```
 
 ### [Azure PowerShell](#tab/azure-powershell)

articles/azure-resource-manager/bicep/file.md

@@ -405,7 +405,7 @@ See [Arrays](./data-types.md#arrays) and [Objects](./data-types.md#objects) for
 ## Known limitations
 
 * No support for the concept of apiProfile, which is used to map a single apiProfile to a set apiVersion for each resource type.
-* No support for user-defined functions.
+* User-defined functions are not supported at the moment. However, an experimental feature is currently accessible. For more information, see [User-defined functions in Bicep](./user-defined-functions.md).
 * Some Bicep features require a corresponding change to the intermediate language (Azure Resource Manager JSON templates). We announce these features as available when all of the required updates have been deployed to global Azure. If you're using a different environment, such as Azure Stack, there may be a delay in the availability of the feature. The Bicep feature is only available when the intermediate language has also been updated in that environment.
 
 ## Next steps