You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/aks/auto-upgrade-node-os-image.md
+6-6Lines changed: 6 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -23,15 +23,15 @@ It's best to use both cluster-level [auto-upgrades][Autoupgrade] and the node OS
23
23
The selected channel determines the timing of upgrades. When making changes to node OS auto-upgrade channels, allow up to 24 hours for the changes to take effect. Once you change from one channel to another channel, a reimage is triggered leading to rolling nodes.
24
24
25
25
> [!NOTE]
26
-
> Node OS image auto-upgrade won't affect the cluster's Kubernetes version. It only works for a cluster in a [supported version][supported].Use CLI version 2.61.0 or above for `SecurityPatch` channel.
26
+
> Node OS image auto-upgrade won't affect the cluster's Kubernetes version.
27
27
28
28
The following upgrade channels are available. You're allowed to choose one of these options:
29
29
30
30
|Channel|Description|OS-specific behavior|
31
31
|---|---|
32
32
|`None`| Your nodes don't have security updates applied automatically. This means you're solely responsible for your security updates.|N/A|
33
-
|`Unmanaged`|OS updates are applied automatically through the OS built-in patching infrastructure. Newly allocated machines are unpatched initially. The OS's infrastructure patches them at some point.|Ubuntu and Azure Linux (CPU node pools) apply security patches through unattended upgrade/dnf-automatic roughly once per day around 06:00 UTC. Windows doesn't automatically apply security patches, so this option behaves equivalently to `None`. You'll need to manage the reboot process by using a tool like [kured][kured].|
34
-
| `SecurityPatch`|OS security patches which are AKS-tested, fully managed, and applied with safe deployment practices. AKS regularly updates the node's virtual hard disk (VHD) with patches from the image maintainer labeled "security only." There might be disruptions when the security patches are applied to the nodes, however AKS is limiting disruptions by only reimaging your nodes only when absolutely necessary eg: for certain kernel security packages. When the patches are applied, the VHD is updated and existing machines are upgraded to that VHD, honoring maintenance windows and surge settings. If AKS decides reimaging nodes is not necessary, it will patch nodes live without draining pods i.e no VHD update is performed in such cases. This option incurs the extra cost of hosting the VHDs in your node resource group. If you use this channel, Linux [unattended upgrades][unattended-upgrades] are disabled by default.|Azure Linux doesn't support this channel on GPU-enabled VMs. `SecurityPatch` works on kubernetes patch versions that are deprecated, so long as the minor Kubernetes version is still supported.|
33
+
|`Unmanaged`|OS updates are applied automatically through the OS built-in patching infrastructure. Newly allocated machines are unpatched initially. The OS's infrastructure patches them at some point.|Ubuntu and Azure Linux (CPU node pools) apply security patches through unattended upgrade/dnf-automatic roughly once per day around 06:00 UTC. Windows doesn't automatically apply security patches, so this option behaves equivalently to `None`. You need to manage the reboot process by using a tool like [kured][kured].|
34
+
| `SecurityPatch`|OS security patches, which are AKS-tested, fully managed, and applied with safe deployment practices. AKS regularly updates the node's virtual hard disk (VHD) with patches from the image maintainer labeled "security only." There might be disruptions when the security patches are applied to the nodes, however AKS is limiting disruptions by only reimaging your nodes only when necessary, such as for certain kernel security packages. When the patches are applied, the VHD is updated and existing machines are upgraded to that VHD, honoring maintenance windows and surge settings. If AKS decides reimaging nodes isn't necessary, it patches nodes live without draining pods and performs no VHD update. This option incurs the extra cost of hosting the VHDs in your node resource group. If you use this channel, Linux [unattended upgrades][unattended-upgrades] are disabled by default.|Azure Linux doesn't support this channel on GPU-enabled VMs. `SecurityPatch` works on kubernetes patch versions that are deprecated, so long as the minor Kubernetes version is still supported.|
35
35
|`NodeImage`|AKS updates the nodes with a newly patched VHD containing security fixes and bug fixes on a weekly cadence. The update to the new VHD is disruptive, following maintenance windows and surge settings. No extra VHD cost is incurred when choosing this option. If you use this channel, Linux [unattended upgrades][unattended-upgrades] are disabled by default. Node image upgrades support patch versions that are deprecated, so long as the minor Kubernetes version is still supported. Node images are AKS-tested, fully managed, and applied with safe deployment practices|
36
36
37
37
## Set the node OS auto-upgrade channel on a new cluster
@@ -103,7 +103,7 @@ The default cadence means there's no planned maintenance window applied.
103
103
| `NodeImage`|AKS-tested, fully managed, and applied with safe deployment practices. For more real time information on releases, look up [AKS Node Images in Release tracker][release-tracker] |Weekly.|
104
104
105
105
> [!NOTE]
106
-
> While Windows security updates are released on a monthly basis, using the `Unmanaged` channel will not automatically apply these updates to Windows nodes. If you choose the `Unmanaged` channel, you need to manage the reboot process in the windows nodes.
106
+
> While Windows security updates are released on a monthly basis, using the `Unmanaged` channel will not automatically apply these updates to Windows nodes. If you choose the `Unmanaged` channel, you need to manage the reboot process for Windows nodes.
107
107
108
108
109
109
## Node channel known limitations
@@ -113,7 +113,7 @@ The default cadence means there's no planned maintenance window applied.
113
113
- The `SecurityPatch` channel isn't supported on Windows OS node pools.
114
114
115
115
> [!NOTE]
116
-
> Use CLI version 2.61.0 or above for `SecurityPatch` channel.
116
+
> Use CLI version 2.61.0 or above for the `SecurityPatch` channel.
117
117
118
118
119
119
## Node OS planned maintenance windows
@@ -149,7 +149,7 @@ On the `Unmanaged` channel, AKS has no control over how and when the security up
149
149
150
150
* Does `SecurityPatch` always lead to a reimage of my nodes?
151
151
152
-
AKS limits reimages to only when absolutely necessary eg: certain kernel packages may require a reimage to get fully applied. Thus `SecurityPatch` is designed to minimize disruptions as much as possible. If AKS decides reimaging nodes is not necessary, it will patch nodes live without draining pods i.e no VHD update is performed in such cases.
152
+
AKS limits reimages to only when absolutely necessary, such as certain kernel packages that may require a reimage to get fully applied. `SecurityPatch` is designed to minimize disruptions as much as possible. If AKS decides reimaging nodes isn't necessary, it will patch nodes live without draining pods and no VHD update is performed in such cases.
153
153
154
154
* How do I know if a `SecurityPatch` or `NodeImage` upgrade is applied on my node?
0 commit comments