articles/aks/auto-upgrade-node-image.md
Lines changed: 5 additions & 3 deletions
@@ -8,7 +8,7 @@ author: nickomang
8
8
ms.date: 02/03/2023
9
9
---
10
10
11
-
# Automatically upgrade Azure Kubernetes Service cluster node operating system images (preview)
11
+
# Automatically upgrade Azure Kubernetes Service cluster node operating system images
12
12
13
13
AKS now supports an exclusive channel dedicated to controlling node-level OS security updates. This channel, referred to as the node OS auto-upgrade channel, can't be used for cluster-level Kubernetes version upgrades. To automatically upgrade Kubernetes versions, continue to use the cluster [auto-upgrade][Autoupgrade] channel.
14
14
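Review bot: `ms.date: 02/03/2023` in the context at the top of this hunk is left unchanged while the heading drops `(preview)`; taking the feature out of preview is a substantive content change and should bump `ms.date` so readers and the docs freshness tooling treat the article as current. The heading change itself is consistent with the rest of the file, since the `SecurityPatch` row in the next hunk still states that only that channel remains in preview.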
@@ -33,7 +33,7 @@ The following upgrade channels are available. You're allowed to choose one of th
33
33
|---|---|
34
34
|`None`| Your nodes won't have security updates applied automatically. This means you're solely responsible for your security updates.|N/A|
35
35
|`Unmanaged`|OS updates are applied automatically through the OS built-in patching infrastructure. Newly allocated machines are unpatched initially and will be patched at some point by the OS's infrastructure.|Ubuntu applies security patches through unattended upgrade roughly once a day around 06:00 UTC. Windows doesn't automatically apply security patches, so this option behaves equivalently to `None`. Azure Linux CPU node pools don't automatically apply security patches, so this option behaves equivalently to `None`.|
36
-
|`SecurityPatch`|This channel is in preview and requires enabling the feature flag `NodeOsUpgradeChannelPreview`. Refer to the prerequisites section below for details. AKS regularly updates the node's virtual hard disk (VHD) with patches from the image maintainer labeled "security only." There may be disruptions when the security patches are applied to the nodes. When the patches are applied, the VHD is updated and existing machines are upgraded to that VHD, honoring maintenance windows and surge settings. This option incurs the extra cost of hosting the VHDs in your node resource group. If you use this channel, Linux [unattended upgrades][unattended-upgrades] are disabled by default.|Azure Linux doesn't support this channel on GPU-enabled VMs.|
36
+
|`SecurityPatch`|This channel is in preview and requires enabling the feature flag `NodeOsUpgradeChannelPreview`. Refer to the prerequisites section for details. AKS regularly updates the node's virtual hard disk (VHD) with patches from the image maintainer labeled "security only." There may be disruptions when the security patches are applied to the nodes. When the patches are applied, the VHD is updated and existing machines are upgraded to that VHD, honoring maintenance windows and surge settings. This option incurs the extra cost of hosting the VHDs in your node resource group. If you use this channel, Linux [unattended upgrades][unattended-upgrades] are disabled by default.|Azure Linux doesn't support this channel on GPU-enabled VMs.|
37
37
|`NodeImage`|AKS updates the nodes with a newly patched VHD containing security fixes and bug fixes on a weekly cadence. The update to the new VHD is disruptive, following maintenance windows and surge settings. No extra VHD cost is incurred when choosing this option. If you use this channel, Linux [unattended upgrades][unattended-upgrades] are disabled by default.|
38
38
39
39
To set the node OS auto-upgrade channel when creating a cluster, use the *node-os-upgrade-channel* parameter, similar to the following example.
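Review bot: the channel table in the visible context is malformed: the separator row at line 33 is `|---|---|` (two columns), the `None`, `Unmanaged` and `SecurityPatch` rows have three cells, and the `NodeImage` row has only two, so the third column (the per-OS notes) will not render consistently across rows. While this row is being touched, add a third `|---|` to the separator and give the `NodeImage` row a final cell (for example `N/A`). The wording change from "prerequisites section below" to "prerequisites section" is fine.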
@@ -47,9 +47,10 @@ To set the node os auto-upgrade channel on existing cluster, update the *node-os
47
47
```azurecli-interactive
48
48
az aks update --resource-group myResourceGroup --name myAKSCluster --node-os-upgrade-channel SecurityPatch
49
49
```
50
+
50
51
## Cadence and Ownership
51
52
52
-
The default cadence means there's no planned maintenance window applied.
53
+
The default cadence means there's no planned maintenance window applied.
53
54
54
55
|Channel|Updates Ownership|Default cadence|
55
56
|---|---|
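Review bot: the removed and added "The default cadence means there's no planned maintenance window applied." lines are identical in the rendered view, so this is presumably a trailing-whitespace or line-ending change; confirm that is intended rather than a lost edit. While here, the cadence table header `|Channel|Updates Ownership|Default cadence|` declares three columns but its separator is `|---|---|`, so the third column won't render; make it `|---|---|---|`. The sentence itself would read more clearly as a statement that the default cadence is what applies when no planned maintenance window is configured.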
@@ -58,6 +59,7 @@ The default cadence means there's no planned maintenance window applied.
58
59
|`NodeImage`|AKS|Weekly|
59
60
60
61
## Prerequisites
62
+
61
63
"The following prerequisites are only applicable when using the `SecurityPatch` channel. If you aren't using this channel, you can ignore these requirements.
62
64
- Must be using API version `11-02-preview` or later
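Review bot: the prerequisites sentence at line 63 opens with a stray double quote (`"The following prerequisites are only applicable ...`) that is never closed; drop it. The added blank line after `## Prerequisites` is fine.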
articles/aks/concepts-vulnerability-management.md
Lines changed: 3 additions & 3 deletions
@@ -47,11 +47,11 @@ In addition to automated scanning, Microsoft discovers and updates vulnerabiliti
47
47
48
48
### Linux nodes
49
49
50
-
Each evening, Linux nodes in AKS receive security patches through their distribution security update channel. This behavior is automatically configured, as the nodes are deployed in an AKS cluster. To minimize disruption and potential impact to running workloads, nodes aren't automatically rebooted if a security patch or kernel update requires it. For more information about how to handle node reboots, see [Apply security and kernel updates to nodes in AKS][apply-security-kernel-updates-to-aks-nodes].
50
+
The nightly canonical OS security updates are turned off by default in AKS. In order to enable them explicitly, please use the `unmanaged`[channel][aks-node-image-upgrade].
51
51
52
-
Nightly, we apply security updates to the OS on the node, but the node image used to create nodes for your cluster remains unchanged. If a new Linux node is added to your cluster, the original image is used to create the node. This new node receives all the security and kernel updates available during the automatic assessment performed every night, but remains unpatched until all checks and restarts are complete. You can use node image upgrade to check for and update node images used by your cluster. For more information on node image upgrade, see [Azure Kubernetes Service (AKS) node image upgrade][aks-node-image-upgrade].
52
+
If you are using the `unmanaged`[channel][aks-node-image-upgrade], then nightly canonical security updates are applied to the OS on the node. The node image used to create nodes for your cluster remains unchanged. If a new Linux node is added to your cluster, the original image is used to create the node. This new node receives all the security and kernel updates available during the automatic assessment performed every night, but remains unpatched until all checks and restarts are complete. You can use node image upgrade to check for and update node images used by your cluster. For more information on node image upgrade, see [Azure Kubernetes Service (AKS) node image upgrade][aks-node-image-upgrade].
53
53
54
-
For AKS clusters on the [OS auto upgrade][aks-node-image-upgrade]channel, the unattended upgrade process is disabled, and the OS nodes receives security updates through the weekly node image upgrade.
54
+
For AKS clusters using a [channel][aks-node-image-upgrade]other than `unmanaged`, the unattended upgrade process is disabled.
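Review bot: the rewrite drops the statement that nodes aren't automatically rebooted when a security patch or kernel update requires it, together with the link to [Apply security and kernel updates to nodes in AKS][apply-security-kernel-updates-to-aks-nodes]; clusters on the `unmanaged` channel still receive unattended upgrades and still need that reboot guidance, so keep it (or move it into the new `unmanaged` paragraph). Also, `unmanaged`[channel][aks-node-image-upgrade] and [channel][aks-node-image-upgrade]other than are each missing a space next to the link and will render run together, and "canonical" should be capitalized (Canonical, the Ubuntu vendor) or replaced with "Ubuntu". Finally, "a channel other than `unmanaged`" also covers `None`; the channel table in auto-upgrade-node-image.md in this same commit only says unattended upgrades are disabled by default for `SecurityPatch` and `NodeImage`, so either state the `None` behaviour or narrow the sentence to those two channels.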