Merge branch 'main' of https://github.com/microsoftdocs/azure-docs-pr into akv-misc

Author: msmbaldwin

articles/aks/concepts-clusters-workloads.md

@@ -3,7 +3,7 @@ title: Concepts - Kubernetes basics for Azure Kubernetes Services (AKS)
 description: Learn the basic cluster and workload components of Kubernetes and how they relate to features in Azure Kubernetes Service (AKS)
 services: container-service
 ms.topic: conceptual
-ms.date: 03/05/2020
+ms.date: 10/31/2022
 
 ---
 
@@ -196,7 +196,7 @@ Most stateless applications in AKS should use the deployment model rather than s
 
 You don't want to disrupt management decisions with an update process if your application requires a minimum number of available instances. *Pod Disruption Budgets* define how many replicas in a deployment can be taken down during an update or node upgrade. For example, if you have *five (5)* replicas in your deployment, you can define a pod disruption of *4 (four)* to only allow one replica to be deleted or rescheduled at a time. As with pod resource limits, best practice is to define pod disruption budgets on applications that require a minimum number of replicas to always be present.
 
-Deployments are typically created and managed with `kubectl create` or `kubectl apply`. Create a deployment by defining a manifest file in the YAML format. 
+Deployments are typically created and managed with `kubectl create` or `kubectl apply`. Create a deployment by defining a manifest file in the YAML format.
 
 The following example creates a basic deployment of the NGINX web server. The deployment specifies *three (3)* replicas to be created, and requires port *80* to be open on the container. Resource requests and limits are also defined for CPU and memory.
 
@@ -229,6 +229,32 @@ spec:
             memory: 256Mi
 ```
 
+A breakdown of the deployment specifications in the YAML manifest file is as follows:
+
+| Specification | Description |  
+| ----------------- | ------------- |  
+| `.apiVersion` | Specifies the API group and API resource you want to use when creating the resource. |  
+| `.kind` | Specifies the type of resource you want to create. |  
+| `.metadata.name` | Specifies the image to run. This file will run the *nginx* image from Docker Hub. |  
+| `.spec.replicas` | Specifies how many pods to create. This file will create three deplicated pods. |  
+| `.spec.selector` | Specifies which pods will be affected by this deployment. |
+| `.spec.selector.matchLabels` | Contains a map of *{key, value}* pairs that allows the deployment to find and manage the created pods. |  
+| `.spec.selector.matchLabels.app` | Has to match `.spec.template.metadata.labels`. |  
+| `.spec.template.labels` | Specifies the *{key, value}* pairs attached to the object. |  
+| `.spec.template.app` | Has to match `.spec.selector.matchLabels`. |  
+| `.spec.spec.containers` | Specifies the list of containers belonging to the pod. |  
+| `.spec.spec.containers.name` | Specifies the name of the container specified as a DNS label. |
+| `.spec.spec.containers.image` | Specifies the container image name. |
+| `.spec.spec.containers.ports` | Specifies the list of ports to expose from the container. |  
+| `.spec.spec.containers.ports.containerPort` | Specifies the number of port to expose on the pod's IP address. |  
+| `.spec.spec.resources` | Specifies the compute resources required by the container. |
+| `.spec.spec.resources.requests` | Specifies the minimum amount of compute resources required. |
+| `.spec.spec.resources.requests.cpu` | Specifies the minimum amount of CPU required. |
+| `.spec.spec.resources.requests.memory` | Specifies the minimum amount of memory required. |
+| `.spec.spec.resources.limits` | Specifies the maximum amount of compute resources allowed. This limit is enforced by the kubelet. |
+| `.spec.spec.resources.limits.cpu` | Specifies the maximum amount of CPU allowed. This limit is enforced by the kubelet. |
+| `.spec.spec.resources.limits.memory` | Specifies the maximum amount of memory allowed. This limit is enforced by the kubelet. |
+
 More complex applications can be created by including services (such as load balancers) within the YAML manifest.
 
 For more information, see [Kubernetes deployments][kubernetes-deployments].

articles/aks/learn/quick-kubernetes-deploy-bicep.md

@@ -3,7 +3,7 @@ title: Quickstart - Create an Azure Kubernetes Service (AKS) cluster by using Bi
 description: Learn how to quickly create a Kubernetes cluster using a Bicep file and deploy an application in Azure Kubernetes Service (AKS)
 services: container-service
 ms.topic: quickstart
-ms.date: 08/11/2022
+ms.date: 11/01/2022
 ms.custom: mvc, subject-armbicep
 #Customer intent: As a developer or cluster operator, I want to quickly create an AKS cluster and deploy an application so that I can see how to run applications using the managed Kubernetes service in Azure.
 ---
@@ -271,6 +271,8 @@ Two [Kubernetes Services][kubernetes-service] are also created:
         app: azure-vote-front
     ```
 
+    For a breakdown of YAML manifest files, see [Deployments and YAML manifests](../concepts-clusters-workloads.md#deployments-and-yaml-manifests).
+
 1. Deploy the application using the [kubectl apply][kubectl-apply] command and specify the name of your YAML manifest:
 
     ```console

articles/aks/learn/quick-kubernetes-deploy-cli.md

@@ -3,7 +3,7 @@ title: 'Quickstart: Deploy an AKS cluster by using Azure CLI'
 description: Learn how to quickly create a Kubernetes cluster, deploy an application, and monitor performance in Azure Kubernetes Service (AKS) using the Azure CLI.
 services: container-service
 ms.topic: quickstart
-ms.date: 06/28/2022
+ms.date: 11/01/2022
 ms.custom: H1Hack27Feb2017, mvc, devcenter, seo-javascript-september2019, seo-javascript-october2019, seo-python-october2019, devx-track-azurecli, contperf-fy21q1, mode-api
 #Customer intent: As a developer or cluster operator, I want to quickly create an AKS cluster and deploy an application so that I can see how to run and monitor applications using the managed Kubernetes service in Azure.
 ---
@@ -230,6 +230,8 @@ Two [Kubernetes Services][kubernetes-service] are also created:
         app: azure-vote-front
     ```
 
+    For a breakdown of YAML manifest files, see [Deployments and YAML manifests](../concepts-clusters-workloads.md#deployments-and-yaml-manifests).
+
 1. Deploy the application using the [kubectl apply][kubectl-apply] command and specify the name of your YAML manifest:
 
     ```console

articles/aks/learn/quick-kubernetes-deploy-portal.md

@@ -4,7 +4,7 @@ titleSuffix: Azure Kubernetes Service
 description: Learn how to quickly create a Kubernetes cluster, deploy an application, and monitor performance in Azure Kubernetes Service (AKS) using the Azure portal.
 services: container-service
 ms.topic: quickstart
-ms.date: 04/29/2022
+ms.date: 11/01/2022
 ms.custom: mvc, seo-javascript-october2019, contperf-fy21q3, mode-ui
 #Customer intent: As a developer or cluster operator, I want to quickly create an AKS cluster and deploy an application so that I can see how to run and monitor applications using the managed Kubernetes service in Azure.
 ---
@@ -228,6 +228,8 @@ Two Kubernetes Services are also created:
         app: azure-vote-front
     ```
 
+    For a breakdown of YAML manifest files, see [Deployments and YAML manifests](../concepts-clusters-workloads.md#deployments-and-yaml-manifests).
+
 1. Deploy the application using the `kubectl apply` command and specify the name of your YAML manifest:
 
     ```console

articles/aks/learn/quick-kubernetes-deploy-powershell.md

@@ -3,7 +3,7 @@ title: 'Quickstart: Deploy an AKS cluster by using PowerShell'
 description: Learn how to quickly create a Kubernetes cluster and deploy an application in Azure Kubernetes Service (AKS) using PowerShell.
 services: container-service
 ms.topic: quickstart
-ms.date: 04/29/2022
+ms.date: 11/01/2022
 ms.custom: devx-track-azurepowershell, mode-api
 #Customer intent: As a developer or cluster operator, I want to quickly create an AKS cluster and deploy an application so that I can see how to run applications using the managed Kubernetes service in Azure.
 ---
@@ -211,6 +211,8 @@ Two [Kubernetes Services][kubernetes-service] are also created:
         app: azure-vote-front
     ```
 
+    For a breakdown of YAML manifest files, see [Deployments and YAML manifests](../concepts-clusters-workloads.md#deployments-and-yaml-manifests).
+
 1. Deploy the application using the [kubectl apply][kubectl-apply] command and specify the name of your YAML manifest:
 
     ```azurepowershell-interactive

articles/aks/learn/quick-kubernetes-deploy-rm-template.md

@@ -3,7 +3,7 @@ title: Quickstart - Create an Azure Kubernetes Service (AKS) cluster
 description: Learn how to quickly create a Kubernetes cluster using an Azure Resource Manager template and deploy an application in Azure Kubernetes Service (AKS)
 services: container-service
 ms.topic: quickstart
-ms.date: 08/17/2022
+ms.date: 11/01/2022
 ms.custom: mvc, subject-armqs, devx-track-azurecli, mode-arm
 #Customer intent: As a developer or cluster operator, I want to quickly create an AKS cluster and deploy an application so that I can see how to run applications using the managed Kubernetes service in Azure.
 ---
@@ -269,6 +269,8 @@ Two [Kubernetes Services][kubernetes-service] are also created:
         app: azure-vote-front
     ```
 
+    For a breakdown of YAML manifest files, see [Deployments and YAML manifests](../concepts-clusters-workloads.md#deployments-and-yaml-manifests).
+
 1. Deploy the application using the [kubectl apply][kubectl-apply] command and specify the name of your YAML manifest:
 
     ```console

articles/aks/learn/quick-windows-container-deploy-cli.md

@@ -4,7 +4,7 @@ description: Learn how to quickly create a Kubernetes cluster, deploy an applica
 services: container-service
 ms.topic: article
 ms.custom: event-tier1-build-2022
-ms.date: 04/29/2022
+ms.date: 11/01/2022
 #Customer intent: As a developer or cluster operator, I want to quickly create an AKS cluster and deploy a Windows Server container so that I can see how to run applications running on a Windows Server container using the managed Kubernetes service in Azure.
 ---
 
@@ -288,6 +288,8 @@ spec:
     app: sample
 ```
 
+For a breakdown of YAML manifest files, see [Deployments and YAML manifests](../concepts-clusters-workloads.md#deployments-and-yaml-manifests).
+
 Deploy the application using the [kubectl apply][kubectl-apply] command and specify the name of your YAML manifest:
 
 ```console

articles/aks/learn/quick-windows-container-deploy-powershell.md

@@ -3,7 +3,7 @@ title: Create a Windows Server container on an AKS cluster by using PowerShell
 description: Learn how to quickly create a Kubernetes cluster, deploy an application in a Windows Server container in Azure Kubernetes Service (AKS) using PowerShell.
 services: container-service
 ms.topic: article
-ms.date: 04/29/2022
+ms.date: 11/01/2022
 ms.custom: devx-track-azurepowershell
 
 
@@ -219,6 +219,8 @@ spec:
     app: sample
 ```
 
+For a breakdown of YAML manifest files, see [Deployments and YAML manifests](../concepts-clusters-workloads.md#deployments-and-yaml-manifests).
+
 Deploy the application using the [kubectl apply][kubectl-apply] command and specify the name of your
 YAML manifest:
 

articles/attestation/azure-tpm-vbs-attestation-usage.md

@@ -0,0 +1,74 @@
+---
+title: Azure TPM VBS attestation usage 
+description: Learn about how to apply TPM and VBS attestation
+services: attestation
+author: prsriva
+ms.service: attestation
+ms.topic: overview
+ms.date: 09/05/2022
+ms.author: prsriva
+ms.custom: tpm attestation
+---
+
+# Using TPM/VBS attestation 
+
+Attestation can be integrated into various applications and services, catering to different use cases. Azure Attestation service, which acts the remote attestation service can be used for desired purposes by updating the attestation policy. The policy engine works as processor, which takes the incoming payload as evidence and performs the validations as authored in the policy. This architecture simplifies the workflow and enables the service owner to purpose build solutions for the varied platforms and use cases.The workflow remains the same as described in [Azure attestation workflow](workflow.md). The attestation policy needs to be crafted as per the validations required.
+
+Attesting a platform has its own challenges with its varied components of boot and setup, one needs to rely on a hardware root-of-trust anchor which can be used to verify the first steps of the boot and extend that trust upwards into every layer on your system. A hardware TPM provides such an anchor for a remote attestation solution. Azure Attestation provides a highly scalable measured boot and runtime integrity measurement attestation solution with a revocation framework to give you full control over platform attestation.
+
+## Attestation steps
+
+Attestation Setup has two setups. One pertaining to the service setup and one pertaining to the client setup.
+
+:::image type="content" source="./media/tpm-attestation-setup.png" alt-text="A diagram that shows the different interactions for attestation." lightbox="./media/tpm-attestation-setup.png":::
+
+Detailed information about the workflow is described in [Azure attestation workflow](workflow.md). 
+
+### Service endpoint setup:
+This is the first step for any attestation to be performed. Setting up an endpoint, this can be performed either via code or using the Azure portal.
+
+Here's how you can set up an attestation endpoint using Portal
+
+1 Prerequisite: Access to the Microsoft Azure Active Directory(Azure AD) tenant and subscription under which you want to create the attestation endpoint.
+Learn more about setting up an [Azure AD tenant](../active-directory/develop/quickstart-create-new-tenant.md).
+
+2 Create an endpoint under the desired resource group, with the desired name.
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE5azcU]
+
+3 Add Attestation Contributor Role to the Identity who will be responsible to update the attestation policy.
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE5aoRj]
+
+4 Configure the endpoint with the required policy.
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE5aoRk]
+
+Sample policies can be found in the [policy section](tpm-attestation-sample-policies.md).
+
+> [!NOTE]
+> TPM endpoints are designed to be provisioned without a default attestation policy.
+
+
+### Client setup:
+A client to communicate with the attestation service endpoint needs to ensure it's following the protocol as described in the [protocol documentation](virtualization-based-security-protocol.md). Use the [Attestation Client NuGet](https://www.nuget.org/packages/Microsoft.Attestation.Client) to ease the integration.
+ 
+1 Prerequisite: An Azure AD identity is needed to access the TPM endpoint.
+Learn more [Azure AD identity tokens](../active-directory/develop/v2-overview.md).
+
+2 Add Attestation Reader Role to the identity that will be need for authentication against the endpoint. Azure i
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE5aoRi]
+
+
+## Execute the attestation workflow:
+Using the [Client](https://github.com/microsoft/Attestation-Client-Samples) to trigger an attestation flow. A successful attestation will result in an attestation report (encoded JWT token). Parsing the JWT token, the contents of the report can be easily validated against expected outcome. 
+
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE5azcT]
+
+
+Here's a sample of the contents of the attestation report.
+:::image type="content" source="./media/sample-decoded-token.jpg" alt-text="Sample snapshot of a decoded token for tpm attestation." lightbox="./media/sample-decoded-token.jpg":::
+
+Using the Open ID [metadata endpoint](/rest/api/attestation/metadata-configuration/get?tabs=HTTP) contains properties, which describe the attestation service.The signing keys describe the keys, which will be used to sign tokens generated by the attestation service. All tokens emitted by the attestation service will be signed by one of the certificates listed in the attestation signing keys.
+
+## Next steps
+- [Set up Azure Attestation using PowerShell](quickstart-powershell.md)
+- [Attest an SGX enclave using code samples](/samples/browse/?expanded=azure&terms=attestation)
+- [Learn more about policy](policy-reference.md)