Merge pull request #226276 from Nickomang/aks-nodeosupgrade

Node OS upgrade channel and planned maintenance schedule type

Author: v-dirichards

articles/aks/auto-upgrade-cluster.md

@@ -17,16 +17,17 @@ Part of the AKS cluster lifecycle involves performing periodic upgrades to the l
 >
 > Auto-upgrade will first upgrade the control plane, and then proceed to upgrade agent pools one by one.
 
-## Why use auto-upgrade
+## Why use cluster auto-upgrade
 
-Auto-upgrade provides a set once and forget mechanism that yields tangible time and operational cost benefits. By enabling auto-upgrade, you can ensure your clusters are up to date and don't miss the latest AKS features or patches from AKS and upstream Kubernetes.
+Cluster auto-upgrade provides a set once and forget mechanism that yields tangible time and operational cost benefits. By enabling auto-upgrade, you can ensure your clusters are up to date and don't miss the latest AKS features or patches from AKS and upstream Kubernetes.
 
 AKS follows a strict versioning window with regard to supportability. With properly selected auto-upgrade channels, you can avoid clusters falling into an unsupported version. For more on the AKS support window, see [Alias minor versions][supported-kubernetes-versions].
 
+## Cluster auto-upgrade limitations
 
-Even if using node image auto upgrade (which won't change the Kubernetes version), it still requires MC to be in a supported version
+If you’re using cluster auto-upgrade, you can no longer upgrade the control plane first and then upgrade the individual node pools. Cluster auto-upgrade will always upgrade the control plane and the node pools together. There is no ability of upgrading the control plane only, and trying to run the command `az aks upgrade --control-plane-only` will raise the error: `NotAllAgentPoolOrchestratorVersionSpecifiedAndUnchanged: Using managed cluster api, all Agent pools' OrchestratorVersion must be all specified or all unspecified. If all specified, they must be stay unchanged or the same with control plane.`
 
-## Using auto-upgrade
+## Using cluster auto-upgrade
 
 Automatically completed upgrades are functionally the same as manual upgrades. The timing of upgrades is determined by the selected channel. When making changes to auto-upgrade, allow 24 hours for the changes to take effect.
 
@@ -49,6 +50,9 @@ The following upgrade channels are available:
 > [!NOTE]
 > Auto-upgrade requires the cluster's Kubernetes version to be within the [AKS support window][supported-kubernetes-versions], even if using the `node-image` channel.
 
+> [!NOTE]
+> If using the preview API `11-02-preview` or later, if you select the `node-image` cluster auto-upgrade channel the [node image auto-upgrade channel][node-image-auto-upgrade] will automatically be set to `NodeImage`.
+
 Automatically upgrading a cluster follows the same process as manually upgrading a cluster. For more information, see [Upgrade an AKS cluster][upgrade-aks-cluster].
 
 To set the auto-upgrade channel when creating a cluster, use the *auto-upgrade-channel* parameter, similar to the following example.
@@ -73,23 +77,20 @@ The Azure portal also highlights all the deprecated APIs between your current ve
 
 ## Using auto-upgrade with Planned Maintenance
 
-If you’re using Planned Maintenance and Auto-Upgrade, your upgrade will start during your specified maintenance window. 
+If you’re using Planned Maintenance and cluster auto-upgrade, your upgrade will start during your specified maintenance window. 
 
 > [!NOTE]
 > To ensure proper functionality, use a maintenance window of four hours or more.
 
 For more information on Planned Maintenance, see [Use Planned Maintenance to schedule maintenance windows for your Azure Kubernetes Service (AKS) cluster][planned-maintenance].
 
-## Auto upgrade limitations
-
-If you’re using Auto-Upgrade you cannot anymore upgrade the control plane first, and then upgrade the individual node pools. Auto-Upgrade will always upgrade the control plane and the node pools together. In Auto-Upgrade there is no concept of upgrading the control plane only, and trying to run the command `az aks upgrade --control-plane-only` will raise the error: `NotAllAgentPoolOrchestratorVersionSpecifiedAndUnchanged: Using managed cluster api, all Agent pools' OrchestratorVersion must be all specified or all unspecified. If all specified, they must be stay unchanged or the same with control plane.`
-
-## Best practices for auto-upgrade
+## Best practices for cluster auto-upgrade
 
 The following best practices will help maximize your success when using auto-upgrade:
 
 - In order to keep your cluster always in a supported version (i.e within the N-2 rule), choose either `stable` or `rapid` channels.
 - If you're interested in getting the latest patches as soon as possible, use the `patch` channel. The `node-image` channel is a good fit if you want your agent pools to always be running the most recent node images.
+- To automatically upgrade node images while using a different cluster upgrade channel, consider using the [node image auto-upgrade][node-image-auto-upgrade] `NodeImage` channel.
 - Follow [Operator best practices][operator-best-practices-scheduler].
 - Follow [PDB best practices][pdb-best-practices].
 
@@ -98,7 +99,7 @@ The following best practices will help maximize your success when using auto-upg
 [upgrade-aks-cluster]: upgrade-cluster.md
 [planned-maintenance]: planned-maintenance.md
 [operator-best-practices-scheduler]: operator-best-practices-scheduler.md#plan-for-availability-using-pod-disruption-budgets
-
+[node-image-auto-upgrade]: auto-upgrade-node-image.md 
 
 <!-- EXTERNAL LINKS -->
 [pdb-best-practices]: https://kubernetes.io/docs/tasks/run-application/configure-pdb/

articles/aks/auto-upgrade-node-image.md

@@ -0,0 +1,92 @@
+---
+title: Automatically upgrade Azure Kubernetes Service (AKS) cluster node operating system images
+description: Learn how to automatically upgrade Azure Kubernetes Service (AKS) cluster node operating system images.
+services: container-service
+ms.topic: article
+ms.author: nickoman
+author: nickomang
+ms.date: 02/03/2023
+---
+
+# Automatically upgrade Azure Kubernetes Service cluster node operating system images
+
+AKS supports upgrading the images on a node so your cluster is up to date with the newest operating system (OS) and runtime updates. AKS regularly provides new node OS images with the latest updates, so it's beneficial to upgrade your node's images regularly for the latest AKS features and to maintain security. Before learning about auto-upgrade, make sure you understand upgrade fundamentals by reading [Upgrade an AKS cluster][upgrade-aks-cluster].
+
+The latest AKS node image information can be found by visiting the [AKS release tracker][release-tracker].
+
+## Why use node OS auto-upgrade
+
+Node OS auto-upgrade provides a set once and forget mechanism that yields tangible time and operational cost benefits. By enabling auto-upgrade, you can ensure your clusters are up to date and don't miss the latest AKS features or patches from AKS.
+
+## Prerequisites
+
+- Must be using API version `11-02-preview` or later
+
+- If using Azure CLI, the `aks-preview` CLI extension version `0.5.127` or later must be installed
+
+- If using the `SecurityPatch` channel, the `NodeOsUpgradeChannelPreview` feature flag must be enabled on your subscription
+
+### Register the 'NodeOsUpgradeChannelPreview' feature flag
+
+Register the `NodeOsUpgradeChannelPreview` feature flag by using the [az feature register][az-feature-register] command, as shown in the following example:
+
+```azurecli-interactive
+az feature register --namespace "Microsoft.ContainerService" --name "NodeOsUpgradeChannelPreview"
+```
+
+It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature show][az-feature-show] command:
+
+```azurecli-interactive
+az feature show --namespace "Microsoft.ContainerService" --name "NodeOsUpgradeChannelPreview"
+```
+
+When the status reflects *Registered*, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command:
+
+```azurecli-interactive
+az provider register --namespace Microsoft.ContainerService
+```
+
+## Using node OS auto-upgrade
+
+Automatically completed upgrades are functionally the same as manual upgrades. The timing of upgrades is determined by the selected channel. When making changes to auto-upgrade, allow 24 hours for the changes to take effect. By default, a cluster's node OS auto-upgrade channel is set to `Unmanaged`.
+
+> [!NOTE]
+> Node OS image auto-upgrade won't affect the cluster's Kubernetes version, but it still still requires the cluster to be in a supported version to function properly.
+
+The following upgrade channels are available:
+
+|Channel|Description|OS-specific behavior|
+|---|---|
+| `None`| Your nodes will not have security updates applied automatically. This means you are solely responsible for your security updates|N/A|
+| `Unmanaged`|OS updates will be applied automatically through the OS built-in patching infrastructure. Newly allocated machines will be unpatched initially and will be patched at some point by the OS's infrastructure|Ubuntu applies security patches through unattended upgrade roughly once a day around 06:00 UTC. Windows and Mariner do not apply security patches automatically, so this option behaves equivalently to `None`|
+| `SecurityPatch`|AKS will update the node's virtual hard disk (VHD) with patches from the image maintainer labeled "security only" on a regular basis. Where possible, patches will also be applied without disruption to existing nodes. Some patches, such as kernel patches, cannot be applied to existing nodes without disruption. For such patches, the VHD will be updated and existing machines will be upgraded to that VHD following maintenance windows and surge settings. This option incurs the extra cost of hosting the VHDs in your node resource group.|N/A|
+| `NodeImage`|AKS will update the nodes with a newly patched VHD containing security fixes and bug fixes on a weekly cadence. The update to the new VHD is disruptive, following maintenance windows and surge settings. No extra VHD cost is incurred when choosing this option.|
+
+To set the node OS auto-upgrade channel when creating a cluster, use the *node-os-upgrade-channel* parameter, similar to the following example.
+
+```azurecli-interactive
+az aks create --resource-group myResourceGroup --name myAKSCluster --node-os-upgrade-channel SecurityPatch
+```
+
+To set the auto-upgrade channel on existing cluster, update the *node-os-upgrade-channel* parameter, similar to the following example.
+
+```azurecli-interactive
+az aks update --resource-group myResourceGroup --name myAKSCluster --node-os-upgrade-channel SecurityPatch
+```
+
+## Using node OS auto-upgrade with Planned Maintenance
+
+If you’re using Planned Maintenance and node OS auto-upgrade, your upgrade will start during your specified maintenance window.
+
+> [!NOTE]
+> To ensure proper functionality, use a maintenance window of four hours or more.
+
+For more information on Planned Maintenance, see [Use Planned Maintenance to schedule maintenance windows for your Azure Kubernetes Service (AKS) cluster][planned-maintenance].
+
+<!-- LINKS -->
+[planned-maintenance]: planned-maintenance.md
+[release-tracker]: release-tracker.md
+[az-provider-register]: /cli/azure/provider#az-provider-register
+[az-feature-register]: /cli/azure/feature#az-feature-register
+[az-feature-show]: /cli/azure/feature#az-feature-show
+[upgrade-aks-cluster]: upgrade-cluster.md