Merge pull request #78486 from iainfoulds/aksfreshness

[AKS] Freshness checks and updates

Author: tfosmark

articles/aks/api-server-authorized-ip-ranges.md

@@ -73,8 +73,6 @@ The Kubernetes API server is how the underlying Kubernetes APIs are exposed. Thi
 
 To secure access to the otherwise publicly accessible AKS control plane / API server, you can enable and use authorized IP ranges. These authorized IP ranges only allow defined IP address ranges to communicate with the API server. A request made to the API server from an IP address that is not part of these authorized IP ranges is blocked. You should continue to use RBAC to then authorize users and the actions they request.
 
-To use the authorized IP range functionality, a public IP address is exposed on the node pool by deploying a basic NGINX service. The API server communicates with the node pool through this authorized public IP address. You then define additional IP address ranges that can access the API server.
-
 For more information about the API server and other cluster components, see [Kubernetes core concepts for AKS][concepts-clusters-workloads].
 
 ## Create an AKS cluster

articles/aks/cluster-autoscaler.md

@@ -6,7 +6,7 @@ author: iainfoulds
 
 ms.service: container-service
 ms.topic: article
-ms.date: 01/29/2019
+ms.date: 05/31/2019
 ms.author: iainfou
 ---
 
@@ -24,11 +24,11 @@ This article shows you how to enable and manage the cluster autoscaler in an AKS
 
 ## Before you begin
 
-This article requires that you are running the Azure CLI version 2.0.55 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].
+This article requires that you are running the Azure CLI version 2.0.65 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].
 
 ### Install aks-preview CLI extension
 
-AKS clusters that support the cluster autoscaler must use virtual machine scale sets and run Kubernetes version *1.12.4* or later. This scale set support is in preview. To opt in and create clusters that use scale sets, first install the *aks-preview* Azure CLI extension using the [az extension add][az-extension-add] command, as shown in the following example:
+AKS clusters that support the cluster autoscaler must use virtual machine scale sets and run Kubernetes version *1.12.7* or later. This scale set support is in preview. To opt in and create clusters that use scale sets, first install the *aks-preview* Azure CLI extension using the [az extension add][az-extension-add] command, as shown in the following example:
 
 ```azurecli-interactive
 az extension add --name aks-preview
@@ -59,9 +59,10 @@ az provider register --namespace Microsoft.ContainerService
 
 ## Limitations
 
-The following limitations apply when you create and manage AKS clusters that use virtual machine scale sets:
+The following limitations apply when you create and manage AKS clusters that use the cluster autoscaler:
 
 * The HTTP application routing add-on can't be used.
+* Multiple node pools (currently in preview in AKS) can't currently be used.
 
 ## About the cluster autoscaler
 

articles/aks/control-kubeconfig-access.md

@@ -6,7 +6,7 @@ author: iainfoulds
 
 ms.service: container-service
 ms.topic: article
-ms.date: 01/03/2019
+ms.date: 05/31/2019
 ms.author: iainfou
 ---
 
@@ -20,7 +20,7 @@ This article shows you how to assign RBAC roles that limit who can get the confi
 
 This article assumes that you have an existing AKS cluster. If you need an AKS cluster, see the AKS quickstart [using the Azure CLI][aks-quickstart-cli] or [using the Azure portal][aks-quickstart-portal].
 
-This article also requires that you are running the Azure CLI version 2.0.53 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].
+This article also requires that you are running the Azure CLI version 2.0.65 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].
 
 ## Available cluster roles permissions
 
@@ -41,9 +41,9 @@ These RBAC roles can be applied to an Azure Active Directory (AD) user or group.
 
 ## Assign role permissions to a user or group
 
-To assign one of the available roles, you need to get the resource ID of the AKS cluster and the ID of the Azure AD user account or group. The following example commands do the following steps:
+To assign one of the available roles, you need to get the resource ID of the AKS cluster and the ID of the Azure AD user account or group. The following example commands:
 
-* Gets the cluster resource ID using the [az aks show][az-aks-show] command for the cluster named *myAKSCluster* in the *myResourceGroup* resource group. Provide your own cluster and resource group name as needed.
+* Get the cluster resource ID using the [az aks show][az-aks-show] command for the cluster named *myAKSCluster* in the *myResourceGroup* resource group. Provide your own cluster and resource group name as needed.
 * Uses the [az account show][az-account-show] and [az ad user show][az-ad-user-show] commands to get your user ID.
 * Finally, assigns a role using the [az role assignment create][az-role-assignment-create] command.
 
@@ -65,7 +65,7 @@ az role assignment create \
 ```
 
 > [!TIP]
-> If you want to assign permissions to an Azure AD group, update the `--assignee` parameter with the object ID for the group rather than a user as shown in the previous example. To obtain the object ID for a group, use the [az ad group show][az-ad-group-show] command. The following example gets the object ID for the Azure AD group named *appdev*: `az ad group show --group appdev --query objectId -o tsv`
+> If you want to assign permissions to an Azure AD group, update the `--assignee` parameter shown in the previous example with the object ID for the *group* rather than a *user*. To obtain the object ID for a group, use the [az ad group show][az-ad-group-show] command. The following example gets the object ID for the Azure AD group named *appdev*: `az ad group show --group appdev --query objectId -o tsv`
 
 You can change the previous assignment to the *Cluster User Role* as needed.
 

articles/aks/scale-cluster.md

@@ -6,17 +6,17 @@ author: iainfoulds
 
 ms.service: container-service
 ms.topic: article
-ms.date: 01/10/2019
+ms.date: 05/31/2019
 ms.author: iainfoulds
 ---
 
 # Scale the node count in an Azure Kubernetes Service (AKS) cluster
 
-If the resource needs of your applications change, you can manually scale an AKS cluster to run a different number of nodes. When you scale down, nodes are carefully [cordoned and drained][kubernetes-drain] to minimize disruption to running applications. When you scale up, the `az` command waits until nodes are marked `Ready` by the Kubernetes cluster.
+If the resource needs of your applications change, you can manually scale an AKS cluster to run a different number of nodes. When you scale down, nodes are carefully [cordoned and drained][kubernetes-drain] to minimize disruption to running applications. When you scale up, AKS waits until nodes are marked `Ready` by the Kubernetes cluster before pods are scheduled on them.
 
 ## Scale the cluster nodes
 
-First, get the *name* of your nodepool using the [az aks show][az-aks-show] command. The following example gets the nodepool name for the cluster named *myAKSCluster* in the *myResourceGroup* resource group:
+First, get the *name* of your node pool using the [az aks show][az-aks-show] command. The following example gets the node pool name for the cluster named *myAKSCluster* in the *myResourceGroup* resource group:
 
 ```azurecli-interactive
 az aks show --resource-group myResourceGroup --name myAKSCluster --query agentPoolProfiles
@@ -40,7 +40,7 @@ $ az aks show --resource-group myResourceGroup --name myAKSCluster --query agent
 ]
 ```
 
-Use the `az aks scale` command to scale the cluster nodes. The following example scales a cluster named *myAKSCluster* to a single node. Provide your own *--nodepool-name* from the previous command, such as *nodepool1*:
+Use the [az aks scale][az-aks-scale] command to scale the cluster nodes. The following example scales a cluster named *myAKSCluster* to a single node. Provide your own *--nodepool-name* from the previous command, such as *nodepool1*:
 
 ```azurecli-interactive
 az aks scale --resource-group myResourceGroup --name myAKSCluster --node-count 1 --nodepool-name <your node pool name>
@@ -64,53 +64,19 @@ The following example output shows the cluster has successfully scaled to one no
       "vnetSubnetId": null
     }
   ],
-  "dnsPrefix": "myAKSClust-myResourceGroup-19da35",
-  "enableRbac": true,
-  "fqdn": "myaksclust-myresourcegroup-19da35-0d60b16a.hcp.eastus.azmk8s.io",
-  "id": "/subscriptions/<guid>/resourcegroups/myResourceGroup/providers/Microsoft.ContainerService/managedClusters/myAKSCluster",
-  "kubernetesVersion": "1.9.11",
-  "linuxProfile": {
-    "adminUsername": "azureuser",
-    "ssh": {
-      "publicKeys": [
-        {
-          "keyData": "[...]"
-        }
-      ]
-    }
-  },
-  "location": "eastus",
-  "name": "myAKSCluster",
-  "networkProfile": {
-    "dnsServiceIp": "10.0.0.10",
-    "dockerBridgeCidr": "172.17.0.1/16",
-    "networkPlugin": "kubenet",
-    "networkPolicy": null,
-    "podCidr": "10.244.0.0/16",
-    "serviceCidr": "10.0.0.0/16"
-  },
-  "nodeResourceGroup": "MC_myResourceGroup_myAKSCluster_eastus",
-  "provisioningState": "Succeeded",
-  "resourceGroup": "myResourceGroup",
-  "servicePrincipalProfile": {
-    "clientId": "[...]",
-    "secret": null
-  },
-  "tags": null,
-  "type": "Microsoft.ContainerService/ManagedClusters"
+  [...]
 }
 ```
 
 ## Next steps
 
-Learn more about deploying and managing AKS with the AKS tutorials.
-
-> [!div class="nextstepaction"]
-> [AKS Tutorial][aks-tutorial]
+In this article, you manually scaled an AKS cluster to increase or decrease the number of nodes. You can also use the [cluster autoscaler][cluster-autoscaler] (currently in preview in AKS) to automatically scale your cluster.
 
 <!-- LINKS - external -->
 [kubernetes-drain]: https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/
 
 <!-- LINKS - internal -->
 [aks-tutorial]: ./tutorial-kubernetes-prepare-app.md
 [az-aks-show]: /cli/azure/aks#az-aks-show
+[az-aks-scale]: /cli/azure/aks#az-aks-scale
+[cluster-autoscaler]: cluster-autoscaler.md

articles/aks/update-credentials.md

@@ -6,7 +6,7 @@ author: iainfoulds
 
 ms.service: container-service
 ms.topic: article
-ms.date: 01/30/2019
+ms.date: 05/31/2019
 ms.author: iainfou
 ---
 
@@ -16,7 +16,7 @@ By default, AKS clusters are created with a service principal that has a one-yea
 
 ## Before you begin
 
-You need the Azure CLI version 2.0.56 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
+You need the Azure CLI version 2.0.65 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
 
 ## Choose to update or create a service principal
 
@@ -29,10 +29,11 @@ If you want to create a service principal and then update the AKS cluster, skip
 
 ### Get the service principal ID
 
-To update the credentials for the existing service principal, get the service principal ID of your cluster using the [az aks show][az-aks-show] command. The following example gets the ID for the cluster named *myAKSCluster* in the *myResourceGroup* resource group. The service principal ID is set as a variable for use in additional command.
+To update the credentials for the existing service principal, get the service principal ID of your cluster using the [az aks show][az-aks-show] command. The following example gets the ID for the cluster named *myAKSCluster* in the *myResourceGroup* resource group. The service principal ID is set as a variable named *SP_ID* for use in additional command.
 
 ```azurecli-interactive
-SP_ID=$(az aks show -g myResourceGroup -n myAKSCluster --query servicePrincipalProfile.clientId -o tsv)
+SP_ID=$(az aks show --resource-group myResourceGroup --name myAKSCluster \
+    --query servicePrincipalProfile.clientId -o tsv)
 ```
 
 ### Update the service principal credentials

articles/aks/upgrade-cluster.md

@@ -6,7 +6,7 @@ author: iainfoulds
 
 ms.service: container-service
 ms.topic: article
-ms.date: 02/12/2019
+ms.date: 05/31/2019
 ms.author: iainfou
 ---
 
@@ -18,7 +18,7 @@ For AKS clusters that use multiple node pools or Windows Server nodes (both curr
 
 ## Before you begin
 
-This article requires that you are running the Azure CLI version 2.0.56 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].
+This article requires that you are running the Azure CLI version 2.0.65 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].
 
 ## Check for available AKS cluster upgrades
 
@@ -29,24 +29,26 @@ az aks get-upgrades --resource-group myResourceGroup --name myAKSCluster --outpu
 ```
 
 > [!NOTE]
-> When you upgrade an AKS cluster, Kubernetes minor versions cannot be skipped. For example, upgrades between *1.10.x* -> *1.11.x* or *1.11.x* -> *1.12.x* are allowed, however *1.10.x* -> *1.12.x* is not.
+> When you upgrade an AKS cluster, Kubernetes minor versions cannot be skipped. For example, upgrades between *1.11.x* -> *1.12.x* or *1.12.x* -> *1.13.x* are allowed, however *1.11.x* -> *1.13.x* is not.
 >
-> To upgrade, from *1.10.x* -> *1.12.x*, first upgrade from *1.10.x* -> *1.11.x*, then upgrade from *1.11.x* -> *1.12.x*.
+> To upgrade, from *1.11.x* -> *1.13.x*, first upgrade from *1.11.x* -> *1.12.x*, then upgrade from *1.12.x* -> *1.13.x*.
 
-The following example output shows that the cluster can be upgraded to version *1.11.5* or *1.11.6*:
+The following example output shows that the cluster can be upgraded to version *1.12.7* or *1.12.8*:
 
 ```console
-Name     ResourceGroup    MasterVersion    NodePoolVersion    Upgrades
--------  ---------------  ---------------  -----------------  --------------
-default  myResourceGroup  1.10.12          1.10.12            1.11.5, 1.11.6
+Name     ResourceGroup    MasterVersion  NodePoolVersion  Upgrades
+-------  ---------------  -------------  ---------------  --------------
+default  myResourceGroup  1.11.9         1.11.9           1.12.7, 1.12.8
 ```
 
 ## Upgrade an AKS cluster
 
-With a list of available versions for your AKS cluster, use the [az aks upgrade][az-aks-upgrade] command to upgrade. During the upgrade process, AKS adds a new node to the cluster, then carefully [cordon and drains][kubernetes-drain] one node at a time to minimize disruption to running applications. The following example upgrades a cluster to version *1.11.6*:
+With a list of available versions for your AKS cluster, use the [az aks upgrade][az-aks-upgrade] command to upgrade. During the upgrade process, AKS adds a new node to the cluster that runs the specified Kubernetes version, then carefully [cordon and drains][kubernetes-drain] one of the old nodes to minimize disruption to running applications. When the new node is confirmed as running application pods, the old node is deleted. This process repeats until all nodes in the cluster have been upgraded.
+
+The following example upgrades a cluster to version *1.12.8*:
 
 ```azurecli-interactive
-az aks upgrade --resource-group myResourceGroup --name myAKSCluster --kubernetes-version 1.11.6
+az aks upgrade --resource-group myResourceGroup --name myAKSCluster --kubernetes-version 1.12.8
 ```
 
 It takes a few minutes to upgrade the cluster, depending on how many nodes you have.
@@ -62,7 +64,7 @@ The following example output shows that the cluster now runs *1.11.6*:
 ```json
 Name          Location    ResourceGroup    KubernetesVersion    ProvisioningState    Fqdn
 ------------  ----------  ---------------  -------------------  -------------------  ---------------------------------------------------------------
-myAKSCluster  eastus      myResourceGroup  1.11.6               Succeeded            myaksclust-myresourcegroup-19da35-90efab95.hcp.eastus.azmk8s.io
+myAKSCluster  eastus      myResourceGroup  1.12.8               Succeeded            myaksclust-myresourcegroup-19da35-90efab95.hcp.eastus.azmk8s.io
 ```
 
 ## Next steps

articles/aks/use-multiple-node-pools.md

@@ -70,6 +70,7 @@ The following limitations apply when you create and manage AKS clusters that sup
 * You can't delete the first node pool.
 * The HTTP application routing add-on can't be used.
 * You can't add/update/delete node pools using an existing Resource Manager template as with most operations. Instead, [use a separate Resource Manager template](#manage-node-pools-using-a-resource-manager-template) to make changes to node pools in an AKS cluster.
+* The cluster autoscaler (currently in preview in AKS) can't be used.
 
 While this feature is in preview, the following additional limitations apply:
 
@@ -328,7 +329,7 @@ Only pods that have this taint applied can be scheduled on nodes in *gpunodepool
 
 ## Manage node pools using a Resource Manager template
 
-When you use an Azure Resource Manager template to create and managed resources, you can typically update the settings in your template and redeploy to update the resource. With nodepools in AKS, the initial nodepool profile can't be updated once the AKS cluster has been created. This behavior means that you can't update an existing Resource Manager template, make a change to the node pools, and redeploy. Instead, you must create a separate Resource Manager template that updates only the agent pools for an existing AKS cluster.
+When you use an Azure Resource Manager template to create and managed resources, you can typically update the settings in your template and redeploy to update the resource. With node pools in AKS, the initial node pool profile can't be updated once the AKS cluster has been created. This behavior means that you can't update an existing Resource Manager template, make a change to the node pools, and redeploy. Instead, you must create a separate Resource Manager template that updates only the agent pools for an existing AKS cluster.
 
 Create a template such as `aks-agentpools.json` and paste the following example manifest. This example template configures the following settings:
 
@@ -433,7 +434,7 @@ az group delete --name myResourceGroup --yes --no-wait
 
 ## Next steps
 
-In this article you learned how to create and manage multiple node pools in an AKS cluster. For more information about how to control pods across node pools, see [Best practices for advanced scheduler features in AKS][operator-best-practices-advanced-scheduler].
+In this article, you learned how to create and manage multiple node pools in an AKS cluster. For more information about how to control pods across node pools, see [Best practices for advanced scheduler features in AKS][operator-best-practices-advanced-scheduler].
 
 To create and use Windows Server container node pools, see [Create a Windows Server container in AKS][aks-windows].