Commit 7094bfc

Merge pull request #261961 from MicrosoftDocs/main
12/26/2023 PM Publish
2 parents 14d3329 + ea822fc commit 7094bfc

9 files changed

+88
-37
lines changed

articles/aks/api-server-authorized-ip-ranges.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@ title: API server authorized IP ranges in Azure Kubernetes Service (AKS)
33
description: Learn how to secure your cluster using an IP address range for access to the API server in Azure Kubernetes Service (AKS)
44
ms.topic: article
55
ms.custom: devx-track-azurecli
6-
ms.date: 11/04/2022
6+
ms.date: 12/26/2023
77
#Customer intent: As a cluster operator, I want to increase the security of my cluster by limiting access to the API server to only the IP addresses that I specify.
88
---
99

@@ -171,7 +171,7 @@ az aks update -g $RG -n $AKSNAME --api-server-authorized-ip-ranges $CURRENT_IP/2
171171
> [!NOTE]
172172
> The above example adds another IP address to the approved ranges. Note that it still includes the IP address from [Update a cluster's API server authorized IP ranges](#update-a-clusters-api-server-authorized-ip-ranges). If you don't include your existing IP address, this command will replace it with the new one instead of adding it to the authorized ranges. To disable authorized IP ranges, use `az aks update` and specify an empty range "".
173173

174-
Another option is to use the following command on Windows systems to get the public IPv4 address, or you can follow the steps in [Find your IP address](https://support.microsoft.com/en-gb/help/4026518/windows-10-find-your-ip-address).
174+
Another option is to use the following command on Windows systems to get the public IPv4 address, or you can follow the steps in [Find your IP address](https://support.microsoft.com/help/4026518/windows-10-find-your-ip-address).
175175

176176
```azurepowershell-interactive
177177
Invoke-RestMethod http://ipinfo.io/json | Select -exp ip
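Review bot: the PowerShell example at line 177 fetches the public IP over plain `http://ipinfo.io/json` and that value goes straight into the `--api-server-authorized-ip-ranges` allowlist; since this hunk already edits the surrounding sentence, consider changing the URL to `https://ipinfo.io/json` so the address cannot be altered in transit before it is written into the cluster's authorized ranges. The link change itself (dropping the `en-gb` locale segment) is fine.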

articles/aks/concepts-network.md

Lines changed: 2 additions & 3 deletions
@@ -2,12 +2,12 @@
22
title: Concepts - Networking in Azure Kubernetes Services (AKS)
33
description: Learn about networking in Azure Kubernetes Service (AKS), including kubenet and Azure CNI networking, ingress controllers, load balancers, and static IP addresses.
44
ms.topic: conceptual
5-
ms.date: 12/01/2022
5+
ms.date: 12/26/2023
66
ms.custom: fasttrack-edit
77

88
---
99

10-
# Network concepts for applications in Azure Kubernetes Service (AKS)
10+
# Networking concepts for applications in Azure Kubernetes Service (AKS)
1111

1212
In a container-based, microservices approach to application development, application components work together to process their tasks. Kubernetes provides various resources enabling this cooperation:
1313

@@ -111,7 +111,6 @@ With Azure CNI, every pod gets an IP address from the subnet and can be accessed
111111
> [!NOTE]
112112
> Due to Kubernetes limitations, the Resource Group name, the Virtual Network name and the subnet name must be 63 characters or less.
113113
114-
115114
Unlike kubenet, traffic to endpoints in the same virtual network isn't NAT'd to the node's primary IP. The source address for traffic inside the virtual network is the pod IP. Traffic that's external to the virtual network still NATs to the node's primary IP.
116115

117116
Nodes use the [Azure CNI][cni-networking] Kubernetes plugin.

articles/aks/csi-secrets-store-identity-access.md

Lines changed: 5 additions & 2 deletions
@@ -67,6 +67,9 @@ In this security model, the AKS cluster acts as token issuer. Microsoft Entra ID
6767
6868
4. Get the AKS cluster OIDC Issuer URL using the [`az aks show`][az-aks-show] command.
6969
70+
> [!NOTE]
71+
> This step assumes you have an existing AKS cluster with the OIDC Issuer URL enabled. If you don't have it enabled, see [Update an AKS cluster with OIDC Issuer](./use-oidc-issuer.md#update-an-aks-cluster-with-oidc-issuer) to enable it.
72+
7073
```bash
7174
export AKS_OIDC_ISSUER="$(az aks show --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --query "oidcIssuerProfile.issuerUrl" -o tsv)"
7275
echo $AKS_OIDC_ISSUER
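Review bot: the new note at lines 70-71 documents the prerequisite, but the command at line 74 still succeeds silently when the OIDC issuer is not enabled: `--query "oidcIssuerProfile.issuerUrl" -o tsv` then returns an empty string and `echo $AKS_OIDC_ISSUER` prints a blank line, so whatever consumes `$AKS_OIDC_ISSUER` next receives an empty issuer. Consider a guard after the export, for example `[ -n "$AKS_OIDC_ISSUER" ] || { echo "OIDC issuer is not enabled on this cluster"; exit 1; }`.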
@@ -116,11 +119,11 @@ In this security model, the AKS cluster acts as token issuer. Microsoft Entra ID
116119
objects: |
117120
array:
118121
- |
119-
objectName: secret1
122+
objectName: secret1 # Set to the name of your secret
120123
objectType: secret # object types: secret, key, or cert
121124
objectVersion: "" # [OPTIONAL] object versions, default to latest if empty
122125
- |
123-
objectName: key1
126+
objectName: key1 # Set to the name of your key
124127
objectType: key
125128
objectVersion: ""
126129
tenantId: "${IDENTITY_TENANT}" # The tenant ID of the key vault
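Review bot: the comments added at lines 122 and 126 do not say which name is meant; `# Set to the name of your secret` can be read as a Kubernetes Secret name rather than the Key Vault object the provider fetches (compare the `tenantId` comment at line 129, which says "of the key vault"). Consider `# Name of the secret object in Key Vault` and `# Name of the key object in Key Vault`.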

articles/aks/integrations.md

Lines changed: 25 additions & 17 deletions
@@ -12,7 +12,7 @@ Azure Kubernetes Service (AKS) provides extra functionality for your clusters us
1212

1313
## Add-ons
1414

15-
Add-ons are a fully supported way to provide extra capabilities for your AKS cluster. The installation, configuration, and lifecycle of add-ons is managed by AKS. You can use the [`az aks enable-addons`][az-aks-enable-addons] command to install an add-on or manage the add-ons for your cluster.
15+
Add-ons are a fully supported way to provide extra capabilities for your AKS cluster. The installation, configuration, and lifecycle of add-ons are managed on AKS. You can use the [`az aks enable-addons`][az-aks-enable-addons] command to install an add-on or manage the add-ons for your cluster.
1616

1717
AKS uses the following rules for applying updates to installed add-ons:
1818

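Review bot: the rewording at line 15 fixes the agreement ("installation, configuration, and lifecycle ... are") but "managed on AKS" drops the point the sentence was making, namely that AKS itself manages the add-on lifecycle, which is what distinguishes add-ons from the extensions and open-source integrations covered further down the page. Suggest "are managed by AKS".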
@@ -24,21 +24,21 @@ AKS uses the following rules for applying updates to installed add-ons:
2424
### Exceptions
2525

2626
- Add-ons are upgraded to a new major/minor version (or breaking change) within a Kubernetes minor version if either the cluster's Kubernetes version or the add-on version are in preview.
27-
- There may be unavoidable circumstances, such as CVE security patches or critical bug fixes, when you need to update an add-on within a GA minor version.
27+
- There can be unavoidable circumstances, such as CVE security patches or critical bug fixes, when you need to update an add-on within a GA minor version.
2828

2929
### Available add-ons
3030

31-
| Name | Description | More details |
32-
|---|---|---|
33-
| web_application_routing | Use a managed NGINX ingress controller with your AKS cluster.| [Application Routing Overview][app-routing] |
34-
| ingress-appgw | Use Application Gateway Ingress Controller with your AKS cluster. | [What is Application Gateway Ingress Controller?][agic] |
35-
| keda | Use event-driven autoscaling for the applications on your AKS cluster. | [Simplified application autoscaling with Kubernetes Event-driven Autoscaling (KEDA) add-on][keda]|
36-
| monitoring | Use Container Insights monitoring with your AKS cluster. | [Container insights overview][container-insights] |
37-
| azure-policy | Use Azure Policy for AKS, which enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | [Understand Azure Policy for Kubernetes clusters][azure-policy-aks] |
38-
| azure-keyvault-secrets-provider | Use Azure Keyvault Secrets Provider addon.| [Use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster][keyvault-secret-provider] |
39-
| virtual-node | Use virtual nodes with your AKS cluster. | [Use virtual nodes][virtual-nodes] |
40-
| http_application_routing | Configure ingress with automatic public DNS name creation for your AKS cluster (retired). | [HTTP application routing add-on on Azure Kubernetes Service (AKS) (retired)][http-app-routing] |
41-
| open-service-mesh | Use Open Service Mesh with your AKS cluster (retired). | [Open Service Mesh AKS add-on (retired)][osm] |
31+
| Name | Description | Articles | GitHub |
32+
|---|---|---| --- |
33+
| web_application_routing | Use a managed NGINX ingress controller with your AKS cluster.| [Application Routing Overview][app-routing] | [GitHub][app-routing-repo] |
34+
| ingress-appgw | Use Application Gateway Ingress Controller with your AKS cluster. | [What is Application Gateway Ingress Controller?][agic] | [GitHub][agic-repo] |
35+
| keda | Use event-driven autoscaling for the applications on your AKS cluster. | [Simplified application autoscaling with Kubernetes Event-driven Autoscaling (KEDA) add-on][keda] | [GitHub][keda-repo] |
36+
| monitoring | Use Container Insights monitoring with your AKS cluster. | [Container insights overview][container-insights] | [GitHub][aks-repo] |
37+
| azure-policy | Use Azure Policy for AKS, which enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. | [Understand Azure Policy for Kubernetes clusters][azure-policy-aks] | [GitHub][azure-policy-repo] |
38+
| azure-keyvault-secrets-provider | Use Azure Keyvault Secrets Provider addon.| [Use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster][keyvault-secret-provider] | [GitHub][keyvault-secret-provider-repo] |
39+
| virtual-node | Use virtual nodes with your AKS cluster. | [Use virtual nodes][virtual-nodes] | [GitHub][virtual-nodes-oss-repo] |
40+
| http_application_routing | Configure ingress with automatic public DNS name creation for your AKS cluster (retired). | [HTTP application routing add-on on Azure Kubernetes Service (AKS) (retired)][http-app-routing] | [GitHub][app-routing-repo] |
41+
| open-service-mesh | Use Open Service Mesh with your AKS cluster (retired). | [Open Service Mesh AKS add-on (retired)][osm] | [GitHub][osm-repo] |
4242

4343
## Extensions
4444

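Review bot: several entries in the new GitHub column at lines 33-41 do not point at the add-on's own source. `monitoring` links to `[aks-repo]` (https://github.com/Azure/AKS, the general AKS repo), the retired `http_application_routing` reuses `[app-routing-repo]` (https://github.com/Azure/aks-app-routing-operator, the operator behind the replacement `web_application_routing` row), and `keda` links to `[keda-repo]` (https://github.com/Azure-Samples/aks-keda-addon-workload-identity, a samples repo). Either link each component's repo or say in the column header that these are related repositories; also tidy the separator `|---|---|---| --- |` so the new column matches the others.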
@@ -53,7 +53,7 @@ Extensions and add-ons are both supported ways to add functionality to your AKS
5353

5454
## GitHub Actions
5555

56-
GitHub Actions helps you automate your software development workflows from within GitHub.
56+
GitHub Actions help you automate your software development workflows from within GitHub.
5757

5858
- For more information on using GitHub Actions with Azure, see [GitHub Actions for Azure][github-actions].
5959
- For an example of using GitHub Actions with an AKS cluster, see [Build, test, and deploy containers to Azure Kubernetes Service using GitHub Actions][github-actions-aks].
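Review bot: "GitHub Actions help you" at line 56 applies a plural verb to a product name; the original "GitHub Actions helps you" was correct because GitHub Actions is the name of a single feature, so this change should be reverted.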
@@ -69,25 +69,32 @@ There are many open-source and third-party integrations you can install on your
6969
| [Grafana][grafana] | An open-source dashboard for observability. | [Deploy Grafana on Kubernetes][grafana-install] or use [Managed Grafana][managed-grafana]|
7070
| [Couchbase][couchdb] | A distributed NoSQL cloud database. | [Install Couchbase and the Operator on AKS][couchdb-install] |
7171
| [OpenFaaS][open-faas]| An open-source framework for building serverless functions by using containers. | [Use OpenFaaS with AKS][open-faas-aks] |
72-
| [Apache Spark][apache-spark] | An open-source, fast engine for large-scale data processing. | Running Apache Spark jobs requires a minimum node size of *Standard_D3_v2*. See [running Spark on Kubernetes][spark-kubernetes] for more details on running Spark jobs on Kubernetes. |
72+
| [Apache Spark][apache-spark] | An open-source, fast engine for large-scale data processing. | Running Apache Spark jobs requires a minimum node size of *Standard_D3_v2*. For more information on running Spark jobs on Kubernetes, see the [running Spark on Kubernetes][spark-kubernetes] guide. |
7373
| [Istio][istio] | An open-source service mesh. | [Istio Installation Guides][istio-install] |
7474
| [Linkerd][linkerd] | An open-source service mesh. | [Linkerd Getting Started][linkerd-install] |
7575
| [Consul][consul] | An open-source, identity-based networking solution. | [Getting Started with Consul Service Mesh for Kubernetes][consul-install] |
7676

7777
### Third-party integrations for Windows containers
7878

79-
Microsoft has collaborated with partners to ensure your build, test, deployment, configuration, and monitoring of your applications perform optimally with Windows containers on AKS.
79+
Microsoft collaborates with partners to ensure the build, test, deployment, configuration, and monitoring of your applications perform optimally with Windows containers on AKS.
8080

81-
For more details, see [Windows AKS partner solutions][windows-aks-partner-solutions].
81+
For more information, see [Windows AKS partner solutions][windows-aks-partner-solutions].
8282

8383
<!-- LINKS -->
84+
[aks-repo]: https://github.com/Azure/AKS
8485
[http-app-routing]: http-application-routing.md
86+
[app-routing-repo]: https://github.com/Azure/aks-app-routing-operator
8587
[container-insights]: ../azure-monitor/containers/container-insights-overview.md
8688
[virtual-nodes]: virtual-nodes.md
89+
[virtual-nodes-oss-repo]: https://github.com/virtual-kubelet/virtual-kubelet
8790
[azure-policy-aks]: ../governance/policy/concepts/policy-for-kubernetes.md#install-azure-policy-add-on-for-aks
91+
[azure-policy-repo]: https://github.com/Azure/azure-policy
8892
[agic]: ../application-gateway/ingress-controller-overview.md
93+
[agic-repo]: https://github.com/Azure/application-gateway-kubernetes-ingress
8994
[osm]: open-service-mesh-about.md
95+
[osm-repo]: https://github.com/Azure/osm-azure
9096
[keyvault-secret-provider]: csi-secrets-store-driver.md
97+
[keyvault-secret-provider-repo]: https://github.com/Azure/secrets-store-csi-driver-provider-azure
9198
[cluster-extensions]: cluster-extensions.md?tabs=azure-cli
9299
[cluster-extensions-current]: cluster-extensions.md?tabs=azure-cli#currently-available-extensions
93100
[aks-support-policy]: support-policies.md
@@ -112,6 +119,7 @@ For more details, see [Windows AKS partner solutions][windows-aks-partner-soluti
112119
[spark-kubernetes]: https://spark.apache.org/docs/latest/running-on-kubernetes.html
113120
[managed-grafana]: ../managed-grafana/overview.md
114121
[keda]: keda-about.md
122+
[keda-repo]: https://github.com/Azure-Samples/aks-keda-addon-workload-identity
115123
[app-routing]: app-routing.md
116124
[maintenance-windows]: planned-maintenance.md
117125
[release-tracker]: release-tracker.md

articles/aks/open-service-mesh-binary.md

Lines changed: 1 addition & 1 deletion
@@ -2,7 +2,7 @@
22
title: Download the OSM client Library
33
description: Download and configure the Open Service Mesh (OSM) client library
44
ms.topic: article
5-
ms.date: 8/26/2021
5+
ms.date: 12/26/2023
66
ms.author: pgibson
77
zone_pivot_groups: client-operating-system
88
---

articles/aks/open-service-mesh-integrations.md

Lines changed: 1 addition & 1 deletion
@@ -2,7 +2,7 @@
22
title: Integrations with Open Service Mesh on Azure Kubernetes Service (AKS)
33
description: Integrations with Open Service Mesh on Azure Kubernetes Service (AKS)
44
ms.topic: article
5-
ms.date: 03/23/2022
5+
ms.date: 12/26/2023
66
---
77

88
# Integrations with Open Service Mesh on Azure Kubernetes Service (AKS)

articles/aks/use-system-pools.md

Lines changed: 4 additions & 4 deletions
@@ -2,7 +2,7 @@
22
title: Use system node pools in Azure Kubernetes Service (AKS)
33
description: Learn how to create and manage system node pools in Azure Kubernetes Service (AKS)
44
ms.topic: article
5-
ms.date: 11/22/2022
5+
ms.date: 12/26/2023
66
ms.custom: fasttrack-edit, devx-track-azurecli, devx-track-azurepowershell
77
---
88

@@ -38,7 +38,7 @@ The following limitations apply when you create and manage AKS clusters that sup
3838

3939
## System and user node pools
4040

41-
For a system node pool, AKS automatically assigns the label **kubernetes.azure.com/mode: system** to its nodes. This causes AKS to prefer scheduling system pods on node pools that contain this label. This label doesn't prevent you from scheduling application pods on system node pools. However, we recommend you isolate critical system pods from your application pods to prevent misconfigured or rogue application pods from accidentally killing system pods.
41+
For a system node pool, AKS automatically assigns the label **kubernetes.azure.com/mode: system** to its nodes. This causes AKS to prefer scheduling system pods on node pools that contain this label. This label doesn't prevent you from scheduling application pods on system node pools. However, we recommend you isolate critical system pods from your application pods to prevent misconfigured or rogue application pods from accidentally deleting system pods.
4242

4343
You can enforce this behavior by creating a dedicated system node pool. Use the `CriticalAddonsOnly=true:NoSchedule` taint to prevent application pods from being scheduled on system node pools.
4444

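Review bot: replacing "killing" with "deleting" at line 41 makes the stated risk less accurate rather than more: application pods do not delete system pods; the failure mode is a misconfigured or noisy pod exhausting node CPU or memory so that system pods are evicted or OOM-killed. Consider "from accidentally evicting or starving system pods of resources", and apply the same wording to the identical edits at lines 109 and 125 in the following hunks.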
@@ -106,7 +106,7 @@ New-AzAksCluster -ResourceGroupName myResourceGroup -Name myAKSCluster -NodeCoun
106106

107107
### [Azure CLI](#tab/azure-cli)
108108

109-
You can add one or more system node pools to existing AKS clusters. It's recommended to schedule your application pods on user node pools, and dedicate system node pools to only critical system pods. This prevents rogue application pods from accidentally killing system pods. Enforce this behavior with the `CriticalAddonsOnly=true:NoSchedule` [taint][aks-taints] for your system node pools.
109+
You can add one or more system node pools to existing AKS clusters. It's recommended to schedule your application pods on user node pools, and dedicate system node pools to only critical system pods. This prevents rogue application pods from accidentally deleting system pods. Enforce this behavior with the `CriticalAddonsOnly=true:NoSchedule` [taint][aks-taints] for your system node pools.
110110

111111
The following command adds a dedicated node pool of mode type system with a default count of three nodes.
112112

@@ -122,7 +122,7 @@ az aks nodepool add \
122122

123123
### [Azure PowerShell](#tab/azure-powershell)
124124

125-
You can add one or more system node pools to existing AKS clusters. It's recommended to schedule your application pods on user node pools, and dedicate system node pools to only critical system pods. Adding more system node pools prevents rogue application pods from accidentally killing system pods. Enforce the behavior with the `CriticalAddonsOnly=true:NoSchedule` [taint][aks-taints] for your system node pools.
125+
You can add one or more system node pools to existing AKS clusters. It's recommended to schedule your application pods on user node pools, and dedicate system node pools to only critical system pods. Adding more system node pools prevents rogue application pods from accidentally deleting system pods. Enforce the behavior with the `CriticalAddonsOnly=true:NoSchedule` [taint][aks-taints] for your system node pools.
126126

127127
The following command adds a dedicated node pool of mode type system with a default count of three nodes.
128128

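Review bot: line 125 says "Adding more system node pools prevents rogue application pods from accidentally deleting system pods", but adding pools by itself prevents nothing; the isolation comes from the `CriticalAddonsOnly=true:NoSchedule` taint named in the next sentence, and the Azure CLI tab at line 109 attributes the protection to the scheduling split ("This prevents ..."). Align the PowerShell tab with the CLI wording so both tabs make the same claim.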