Engineering feedback

Kaarthikeyan Subramanian · Kaarthikeyan Subramanian · commit 8c0f33ff82f4 · 2024-05-13T13:36:34.000-07:00
diff --git a/articles/aks/auto-upgrade-node-os-image.md b/articles/aks/auto-upgrade-node-os-image.md
@@ -31,7 +31,7 @@ The following upgrade channels are available. You're allowed to choose one of th
 |---|---|
 | `None`| Your nodes don't have security updates applied automatically. This means you're solely responsible for your security updates.|N/A|
 | `Unmanaged`|OS updates are applied automatically through the OS built-in patching infrastructure. Newly allocated machines are unpatched initially. The OS's infrastructure patches them at some point.|Ubuntu and Azure Linux (CPU node pools) apply security patches through unattended upgrade/dnf-automatic roughly once per day around 06:00 UTC. Windows doesn't automatically apply security patches, so this option behaves equivalently to `None`. You'll need to manage the reboot process by using a tool like [kured][kured].|
-| `SecurityPatch`|OS security patches which are AKS-tested, fully managed, and applied with safe deployment practices. It does not contain any OS bug fixes just security updates.AKS regularly updates the node's virtual hard disk (VHD) with patches from the image maintainer labeled "security only." There might be disruptions when the security patches are applied to the nodes, however AKS is limiting disruptions by only reimaging your nodes only when absolutely necessary eg: for certain kernel security packages. When the patches are applied, the VHD is updated and existing machines are upgraded to that VHD, honoring maintenance windows and surge settings. This option incurs the extra cost of hosting the VHDs in your node resource group. If you use this channel, Linux [unattended upgrades][unattended-upgrades] are disabled by default.|Azure Linux doesn't support this channel on GPU-enabled VMs. `SecurityPatch` works on patch versions that are deprecated, so long as the minor Kubernetes version is still supported.|
+| `SecurityPatch`|OS security patches which are AKS-tested, fully managed, and applied with safe deployment practices. AKS regularly updates the node's virtual hard disk (VHD) with patches from the image maintainer labeled "security only." There might be disruptions when the security patches are applied to the nodes, however AKS is limiting disruptions by only reimaging your nodes only when absolutely necessary eg: for certain kernel security packages. If AKS decides reimaging nodes is not necessary, it will patch nodes live without draining pods. When the patches are applied, the VHD is updated and existing machines are upgraded to that VHD, honoring maintenance windows and surge settings. This option incurs the extra cost of hosting the VHDs in your node resource group. If you use this channel, Linux [unattended upgrades][unattended-upgrades] are disabled by default.|Azure Linux doesn't support this channel on GPU-enabled VMs. `SecurityPatch` works on patch versions that are deprecated, so long as the minor Kubernetes version is still supported.|
 | `NodeImage`|AKS updates the nodes with a newly patched VHD containing security fixes and bug fixes on a weekly cadence. The update to the new VHD is disruptive, following maintenance windows and surge settings. No extra VHD cost is incurred when choosing this option. If you use this channel, Linux [unattended upgrades][unattended-upgrades] are disabled by default. Node image upgrades support patch versions that are deprecated, so long as the minor Kubernetes version is still supported. Node images are AKS-tested, fully managed, and applied with safe deployment practices|
 
 ## Set the node OS auto-upgrade channel on a new cluster
@@ -149,7 +149,7 @@ On the `Unmanaged` channel, AKS has no control over how and when the security up
 
 * Does `SecurityPatch` always lead to a reimage of my nodes?
 
-AKS limits reimages to only when absolutely necessary eg: certain kernel packages may require a reimage to get fully applied. Thus `SecurityPatch` is designed to minimize disruptions as much as possible. 
+AKS limits reimages to only when absolutely necessary eg: certain kernel packages may require a reimage to get fully applied. Thus `SecurityPatch` is designed to minimize disruptions as much as possible. If AKS decides reimaging nodes is not necessary, it will patch nodes live without draining pods.
 
  * How do I know if a `SecurityPatch` or `NodeImage` upgrade is applied on my node?
  
