You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/aks/auto-upgrade-node-os-image.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -31,7 +31,7 @@ The following upgrade channels are available. You're allowed to choose one of th
31
31
|---|---|
32
32
|`None`| Your nodes don't have security updates applied automatically. This means you're solely responsible for your security updates.|N/A|
33
33
|`Unmanaged`|OS updates are applied automatically through the OS built-in patching infrastructure. Newly allocated machines are unpatched initially. The OS's infrastructure patches them at some point.|Ubuntu and Azure Linux (CPU node pools) apply security patches through unattended upgrade/dnf-automatic roughly once per day around 06:00 UTC. Windows doesn't automatically apply security patches, so this option behaves equivalently to `None`. You'll need to manage the reboot process by using a tool like [kured][kured].|
34
-
| `SecurityPatch`|OS security patches which are AKS-tested, fully managed, and applied with safe deployment practices. AKS regularly updates the node's virtual hard disk (VHD) with patches from the image maintainer labeled "security only." There might be disruptions when the security patches are applied to the nodes, however AKS is limiting disruptions by only reimaging your nodes only when absolutely necessary eg: for certain kernel security packages. If AKS decides reimaging nodes is not necessary, it will patch nodes live without draining pods. When the patches are applied, the VHD is updated and existing machines are upgraded to that VHD, honoring maintenance windows and surge settings. This option incurs the extra cost of hosting the VHDs in your node resource group. If you use this channel, Linux [unattended upgrades][unattended-upgrades] are disabled by default.|Azure Linux doesn't support this channel on GPU-enabled VMs. `SecurityPatch` works on patch versions that are deprecated, so long as the minor Kubernetes version is still supported.|
34
+
| `SecurityPatch`|OS security patches which are AKS-tested, fully managed, and applied with safe deployment practices. AKS regularly updates the node's virtual hard disk (VHD) with patches from the image maintainer labeled "security only." There might be disruptions when the security patches are applied to the nodes, however AKS is limiting disruptions by only reimaging your nodes only when absolutely necessary eg: for certain kernel security packages. When the patches are applied, the VHD is updated and existing machines are upgraded to that VHD, honoring maintenance windows and surge settings. If AKS decides reimaging nodes is not necessary, it will patch nodes live without draining pods i.e no VHD update is performed in such cases. This option incurs the extra cost of hosting the VHDs in your node resource group. If you use this channel, Linux [unattended upgrades][unattended-upgrades] are disabled by default.|Azure Linux doesn't support this channel on GPU-enabled VMs. `SecurityPatch` works on patch versions that are deprecated, so long as the minor Kubernetes version is still supported.|
35
35
|`NodeImage`|AKS updates the nodes with a newly patched VHD containing security fixes and bug fixes on a weekly cadence. The update to the new VHD is disruptive, following maintenance windows and surge settings. No extra VHD cost is incurred when choosing this option. If you use this channel, Linux [unattended upgrades][unattended-upgrades] are disabled by default. Node image upgrades support patch versions that are deprecated, so long as the minor Kubernetes version is still supported. Node images are AKS-tested, fully managed, and applied with safe deployment practices|
36
36
37
37
## Set the node OS auto-upgrade channel on a new cluster
@@ -149,7 +149,7 @@ On the `Unmanaged` channel, AKS has no control over how and when the security up
149
149
150
150
* Does `SecurityPatch` always lead to a reimage of my nodes?
151
151
152
-
AKS limits reimages to only when absolutely necessary eg: certain kernel packages may require a reimage to get fully applied. Thus `SecurityPatch` is designed to minimize disruptions as much as possible. If AKS decides reimaging nodes is not necessary, it will patch nodes live without draining pods.
152
+
AKS limits reimages to only when absolutely necessary eg: certain kernel packages may require a reimage to get fully applied. Thus `SecurityPatch` is designed to minimize disruptions as much as possible. If AKS decides reimaging nodes is not necessary, it will patch nodes live without draining pods i.e no VHD update is performed in such cases.
153
153
154
154
* How do I know if a `SecurityPatch` or `NodeImage` upgrade is applied on my node?
0 commit comments