Freshness pass and formatting edits

schaffererin · schaffererin · commit 349d605ea14e · 2023-04-25T14:40:50.000-07:00
diff --git a/articles/aks/custom-certificate-authority.md b/articles/aks/custom-certificate-authority.md
@@ -5,14 +5,23 @@ author: rayoef
 ms.author: rayoflores
 ms.topic: article
 ms.custom: devx-track-azurecli
-ms.date: 4/24/2022
+ms.date: 04/25/2023
 ---
 
 # Custom certificate authority (CA) in Azure Kubernetes Service (AKS) (preview)
 
-Custom certificate authorities (CAs) allow you to establish trust between your Azure Kubernetes Service (AKS) clusters and workloads, such as private registries, proxies, and firewalls. A Kubernetes secret stores the certificate authority's information, and then it's passed to all nodes in the cluster.
+AKS generates and uses the following certificates, Certificate Authorities (CAs), and Service Accounts (SAs):
 
-This feature is applied per node pool, so new and existing node pools must be configured to enable this feature.
+* The AKS API server creates a CA called the Cluster CA.
+* The API server has a Cluster CA, which signs certificates for one-way communication from the API server to kubelets.
+* Each kubelet also creates a Certificate Signing Request (CSR), which is signed by the Cluster CA, for communication from the kubelet to the API server.
+* The API aggregator uses the Cluster CA to issue certificates for communication with other APIs. The API aggregator can also have its own CA for issuing those certificates, but it currently uses the Cluster CA.
+* Each node uses an SA token, which is signed by the Cluster CA.
+* The `kubectl` client has a certificate for communicating with the AKS cluster.
+
+You can also create custom certificate authorities, which allow you to establish trust between your Azure Kubernetes Service (AKS) clusters and workloads, such as private registries, proxies, and firewalls. A Kubernetes secret stores the certificate authority's information, and then it's passed to all nodes in the cluster. This feature is applied per node pool, so you need to enable it on new and existing node pools.
+
+This article shows you how to create custom CAs and apply them to your AKS clusters.
 
 ## Prerequisites
 
@@ -28,44 +37,45 @@ This feature is applied per node pool, so new and existing node pools must be co
 
 [!INCLUDE [preview features callout](includes/preview/preview-callout.md)]
 
-Install the aks-preview extension using the [`az extension add`][az-extension-add] command.
+1. Install the aks-preview extension using the [`az extension add`][az-extension-add] command.
 
-```azurecli
-az extension add --name aks-preview
-```
+    ```azurecli
+    az extension add --name aks-preview
+    ```
 
-Update to the latest version of the extension using the [`az extension update`][az-extension-update] command.
+2. Update to the latest version of the extension using the [`az extension update`][az-extension-update] command.
 
-```azurecli
-az extension update --name aks-preview
-```
+    ```azurecli
+    az extension update --name aks-preview
+    ```
 
-## Register the 'CustomCATrustPreview' feature flag
+## Register the `CustomCATrustPreview` feature flag
 
-Register the `CustomCATrustPreview` feature flag using the [`az feature register`][az-feature-register] command. It takes a few minutes for the status to show *Registered*.
+1. Register the `CustomCATrustPreview` feature flag using the [`az feature register`][az-feature-register] command.
 
-```azurecli
-az feature register --namespace "Microsoft.ContainerService" --name "CustomCATrustPreview"
-```
+    ```azurecli
+    az feature register --namespace "Microsoft.ContainerService" --name "CustomCATrustPreview"
+    ```
 
-Verify the registration status using the [`az feature show`][az-feature-show] command.
+    It takes a few minutes for the status to show *Registered*.
 
-```azurecli
-az feature show --namespace "Microsoft.ContainerService" --name "CustomCATrustPreview"
-```
+2. Verify the registration status using the [`az feature show`][az-feature-show] command.
 
-When the status reflects *Registered*, refresh the registration of the *Microsoft.ContainerService* resource provider using the [`az provider register`][az-provider-register] command.
+    ```azurecli
+    az feature show --namespace "Microsoft.ContainerService" --name "CustomCATrustPreview"
+    ```
 
-```azurecli
-az provider register --namespace Microsoft.ContainerService
-```
+3. When the status reflects *Registered*, refresh the registration of the *Microsoft.ContainerService* resource provider using the [`az provider register`][az-provider-register] command.
+
+    ```azurecli
+    az provider register --namespace Microsoft.ContainerService
+    ```
 
 ## Custom CA installation on AKS node pools
 
-### Install CAs during node pool creation
+### Install CAs on AKS node pools
 
-If your environment requires your custom CAs to be added to node trust store for correct provisioning, you need to pass a text file containing up to 10 blank line separated certificates during
-[`az aks create`][az-aks-create] or [`az aks update`][az-aks-update] operations.
+If your environment requires your custom CAs to be added to node trust store for correct provisioning, you need to pass a text file containing up to 10 blank line separated certificates during [`az aks create`][az-aks-create] or [`az aks update`][az-aks-update] operations.
 
 Example text file:
 
@@ -79,128 +89,125 @@ cert2
 -----END CERTIFICATE-----
 ```
 
-```azurecli
-az aks create \
-    --resource-group myResourceGroup \
-    --name myAKSCluster \
-    --node-count 2 \
-    --enable-custom-ca-trust \
-    --custom-ca-trust-certificates pathToFileWithCAs
-```
+#### Install CAs during node pool creation
 
-#### CA rotation for availability during node pool boot up
+* Install CAs during node pool creation using the [`az aks create][az-aks-create] command and specifying your text file for the `--custom-ca-trust-certificates` parameter.
 
-You can update CAs passed to your cluster during boot up using the [`az aks update`][az-aks-update] command and specifying your text file.
+    ```azurecli
+    az aks create \
+        --resource-group myResourceGroup \
+        --name myAKSCluster \
+        --node-count 2 \
+        --enable-custom-ca-trust \
+        --custom-ca-trust-certificates pathToFileWithCAs
+    ```
 
-```azurecli
-az aks update \
-    --resource-group myResourceGroup \
-    --name myAKSCluster \
-    --custom-ca-trust-certificates pathToFileWithCAs
-```
+#### CA rotation for availability during node pool boot up
 
-> [!NOTE]
-> This operation triggers a model update, ensuring new nodes have the newest CAs required for correct provisioning. AKS creates additional nodes, drains existing ones, deletes them, and replaces them with nodes that have the new set of CAs installed.
+* Update CAs passed to your cluster during boot up using the [`az aks update`][az-aks-update] command and specifying your text file for the `--custom-ca-trust-certificates` parameter.
 
-### Install CAs once node pool is up and running
+    ```azurecli
+    az aks update \
+        --resource-group myResourceGroup \
+        --name myAKSCluster \
+        --custom-ca-trust-certificates pathToFileWithCAs
+    ```
 
-If your environment can be successfully provisioned without your custom CAs, you can provide the CAs by deploying a secret in the `kube-system` namespace. This approach allows for certificate rotation without the need for node recreation.
+    > [!NOTE]
+    > This operation triggers a model update, ensuring new nodes have the newest CAs required for correct provisioning. AKS creates additional nodes, drains existing ones, deletes them, and replaces them with nodes that have the new set of CAs installed.
 
-Create a [Kubernetes secret][kubernetes-secrets] YAML manifest with your base64 encoded certificate string in the `data` field. Data from this secret is used to update CAs on all nodes. Make sure the secret is named `custom-ca-trust-secret` and is created in the `kube-system` namespace. Installing CAs using the secret in the `kube-system` namespace allows for CA rotation without the need for node recreation.
-
-```yaml
-apiVersion: v1
-kind: Secret
-metadata: 
-    name: custom-ca-trust-secret
-    namespace: kube-system
-type: Opaque
-data:
-    ca1.crt: |
-      {base64EncodedCertStringHere}
-    ca2.crt: |
-      {anotherBase64EncodedCertStringHere}
-```
+### Install CAs after node pool creation
 
-To update or remove a CA, you can edit and apply the YAML manifest. The cluster polls for changes and updates the nodes accordingly. It may take a couple minutes before changes are applied.
+If your environment can be successfully provisioned without your custom CAs, you can provide the CAs by deploying a secret in the `kube-system` namespace. This approach allows for certificate rotation without the need for node recreation.
 
-> [!NOTE]
-> Sometimes, containerd restart on the node might be required for the CAs to be picked up properly. If it appears like CAs aren't correctly added to your node's trust store, you can trigger a restart using the following command from node's shell:
->
-> ```systemctl restart containerd```
+* Create a [Kubernetes secret][kubernetes-secrets] YAML manifest with your base64 encoded certificate string in the `data` field.
+
+    ```yaml
+    apiVersion: v1
+    kind: Secret
+    metadata: 
+        name: custom-ca-trust-secret
+        namespace: kube-system
+    type: Opaque
+    data:
+        ca1.crt: |
+          {base64EncodedCertStringHere}
+        ca2.crt: |
+          {anotherBase64EncodedCertStringHere}
+    ```
+
+    Data from this secret is used to update CAs on all nodes. Make sure the secret is named `custom-ca-trust-secret` and is created in the `kube-system` namespace. Installing CAs using the secret in the `kube-system` namespace allows for CA rotation without the need for node recreation. To update or remove a CA, you can edit and apply the YAML manifest. The cluster polls for changes and updates the nodes accordingly. It may take a couple minutes before changes are applied.
+
+    > [!NOTE]
+    >
+    > containerd restart on the node might be required for the CAs to be picked up properly. If it appears like CAs aren't correctly added to your node's trust store, you can trigger a restart using the following command from node's shell:
+    >
+    > ```systemctl restart containerd```
 
 ## Configure a new AKS cluster to use a custom CA
 
-Configure a new AKS cluster to use a custom CA using the [`az aks create`][az-aks-create] command with the `--enable-custom-ca-trust` parameter.
+* Configure a new AKS cluster to use a custom CA using the [`az aks create`][az-aks-create] command with the `--enable-custom-ca-trust` parameter.
 
-```azurecli
-az aks create \
-    --resource-group myResourceGroup \
-    --name myAKSCluster \
-    --node-count 2 \
-    --enable-custom-ca-trust
-```
+    ```azurecli
+    az aks create \
+        --resource-group myResourceGroup \
+        --name myAKSCluster \
+        --node-count 2 \
+        --enable-custom-ca-trust
+    ```
 
-You can also configure a new AKS cluster to use custom CA with CAs installed before the node boots up using the [`az aks create`][az-aks-create] command with the `--enable-custom-ca-trust` and `--custom-ca-trust-certificates` parameters.
+## Configure a new AKS cluster to use a custom CA with CAs installed before node boots up
 
-```azurecli
-az aks create \
-    --resource-group myResourceGroup \
-    --name myAKSCluster \
-    --node-count 2 \
-    --enable-custom-ca-trust \
-    --custom-ca-trust-certificates pathToFileWithCAs
-```
+* Configure a new AKS cluster to use custom CA with CAs installed before the node boots up using the [`az aks create`][az-aks-create] command with the `--enable-custom-ca-trust` and `--custom-ca-trust-certificates` parameters.
+
+    ```azurecli
+    az aks create \
+        --resource-group myResourceGroup \
+        --name myAKSCluster \
+        --node-count 2 \
+        --enable-custom-ca-trust \
+        --custom-ca-trust-certificates pathToFileWithCAs
+    ```
 
 ## Configure an existing AKS cluster to have custom CAs installed before node boots up
 
-Configure an existing AKS cluster to have your custom CAs added to node's trust store before it boots up using the [`az aks update`][az-aks-update] command with the `--custom-ca-trust-certificates` parameter.
+* Configure an existing AKS cluster to have your custom CAs added to node's trust store before it boots up using the [`az aks update`][az-aks-update] command with the `--custom-ca-trust-certificates` parameter.
 
-```azurecli
-az aks update \
-    --resource-group myResourceGroup \
-    --name myAKSCluster \
-    --custom-ca-trust-certificates pathToFileWithCAs
-```
+    ```azurecli
+    az aks update \
+        --resource-group myResourceGroup \
+        --name myAKSCluster \
+        --custom-ca-trust-certificates pathToFileWithCAs
+    ```
 
 ## Configure a new node pool to use a custom CA
 
-Configure a new node pool to use a custom CA using the [`az aks nodepool add`][az-aks-nodepool-add] command with the `--enable-custom-ca-trust` parameter.
+* Configure a new node pool to use a custom CA using the [`az aks nodepool add`][az-aks-nodepool-add] command with the `--enable-custom-ca-trust` parameter.
 
-```azurecli
-az aks nodepool add \
-    --cluster-name myAKSCluster \
-    --resource-group myResourceGroup \
-    --name myNodepool \
-    --enable-custom-ca-trust \
-    --os-type Linux
-```
+    ```azurecli
+    az aks nodepool add \
+        --cluster-name myAKSCluster \
+        --resource-group myResourceGroup \
+        --name myNodepool \
+        --enable-custom-ca-trust \
+        --os-type Linux
+    ```
 
-If no other node pools with the feature enabled exist, the cluster has to reconcile its settings for the changes to take effect. This operation happens automatically as a part of AKS's reconcile loop. Before the operation, the daemon set and pods don't appear on the cluster. You can trigger an immediate reconcile operation using the [`az aks update`][az-aks-update] command. The daemon set and pods appear after the update completes.
-
-```azurecli
-az aks update \
- --resource-group myResourceGroup \
- --name cluster-name
-```
+    If no other node pools with the feature enabled exist, the cluster has to reconcile its settings for the changes to take effect. This operation happens automatically as a part of AKS's reconcile loop. Before the operation, the daemon set and pods don't appear on the cluster. You can trigger an immediate reconcile operation using the [`az aks update`][az-aks-update] command. The daemon set and pods appear after the update completes.
 
 ## Configure an existing node pool to use a custom CA
 
-Configure an existing node pool to use a custom CA using the [`az aks nodepool update`][az-aks-nodepool-update] command with the `--enable-custom-trust-ca` parameter.
-
-```azurecli
-az aks nodepool update \
-    --resource-group myResourceGroup \
-    --cluster-name myAKSCluster \
-    --name myNodepool \
-    --enable-custom-ca-trust
-```
+* Configure an existing node pool to use a custom CA using the [`az aks nodepool update`][az-aks-nodepool-update] command with the `--enable-custom-trust-ca` parameter.
 
-If no other node pools with the feature enabled exist, the cluster has to reconcile its settings for the changes to take effect. This operation happens automatically as a part of AKS's reconcile loop. Before the operation, the daemon set and pods don't appear on the cluster. You can trigger an immediate reconcile operation using the [`az aks update`][az-aks-update] command. The daemon set and pods appear after the update completes.
+    ```azurecli
+    az aks nodepool update \
+        --resource-group myResourceGroup \
+        --cluster-name myAKSCluster \
+        --name myNodepool \
+        --enable-custom-ca-trust
+    ```
 
-```azurecli
-az aks update -g myResourceGroup --name cluster-name
-```
+    If no other node pools with the feature enabled exist, the cluster has to reconcile its settings for the changes to take effect. This operation happens automatically as a part of AKS's reconcile loop. Before the operation, the daemon set and pods don't appear on the cluster. You can trigger an immediate reconcile operation using the [`az aks update`][az-aks-update] command. The daemon set and pods appear after the update completes.
 
 ## Troubleshooting
 
@@ -219,9 +226,6 @@ From the node's shell, run ```systemctl restart containerd```. Once containerd i
 
 For more information on AKS security best practices, see [Best practices for cluster security and upgrades in Azure Kubernetes Service (AKS)][aks-best-practices-security-upgrades].
 
-<!-- LINKS EXTERNAL -->
-[kubernetes-secrets]:https://kubernetes.io/docs/concepts/configuration/secret/
-
 <!-- LINKS INTERNAL -->
 [aks-best-practices-security-upgrades]: operator-best-practices-cluster-security.md
 [azure-cli-install]: /cli/azure/install-azure-cli
