Update azure-disk-customer-managed-keys.md

sauryadas · web-flow · commit e36ecc252314 · 2020-01-12T10:39:29.000-08:00
diff --git a/articles/aks/azure-disk-customer-managed-keys.md b/articles/aks/azure-disk-customer-managed-keys.md
@@ -6,7 +6,7 @@ author: mlearned
 
 ms.service: container-service
 ms.topic: article
-ms.date: 01/09/2020
+ms.date: 01/12/2020
 ms.author: mlearned
 ---
 
@@ -92,7 +92,7 @@ az role assignment create --assignee $desIdentity --role Reader --scope $keyVaul
 
 ## Create a new AKS cluster and encrypt the OS disk with a customer-manged key
 
-Create a new resource group and AKS cluster, then use your key to encrypt the OS disk.
+Create a new resource group and AKS cluster, then use your key to encrypt the OS disk. Customer managed key is only supported in kubernetes versions greater than 1.17
 
 ```azurecli-interactive
 # Retrieve the DiskEncryptionSet value and set a variable
@@ -102,25 +102,16 @@ diskEncryptionSetId=$(az resource show -n $diskEncryptionSetName -g ssecmktestin
 az group create -n myResourceGroup-l myAzureRegionName
 
 # Create the AKS cluster
-az aks create -n myAKSCluster -g myResourceGroup --node-osdisk-diskencryptionsetid diskEncryptionId
+az aks create -n myAKSCluster -g myResourceGroup --node-osdisk-diskencryptionset-id diskEncryptionId --kubernetes-version 1.17
 ```
 
-## Add a node pool to an existing AKS cluster and encrypt the OS disk with a customer-managed key
-
-New nodepools do not use encrypted disks by default.  You can add a new node pool to an existing cluster and encrypt the OS disk with your own key by using the following command.
-
-```azurecli-interactive
-# Add a nodepool to an existing cluster with BYOK encryption
-nodepool add –-cluster-name myAKSCluster -n myNodePoolName -g myResourceGroup --node-osdisk-diskencryptionsetid diskEncryptionId  
-```
+When new node pools are added to the cluster created above, the customer managed key provided during the create is used to encrypt the OS disk
 
 ## Encrypt your AKS cluster data disk with a customer-managed key
 
 You can also encrypt the AKS data disks with your own keys.  Replace myResourceGroup and myDiskEncryptionSetName with your real values, and apply the yaml.
 
-### Deploy the sample image from ACR to AKS
-
-Ensure you have the proper AKS credentials
+Ensure you have the proper AKS credentials. The Service principal will need to have contributor access to the resource group where the diskencryptionset is present. Otherwise, you will get an error suggesting that the service principal does not have permissions.
 
 Create a file called **byok-azure-disk.yaml** that contains the following information.  Replace myResourceGroup and myDiskEncrptionSetName with your values.
 
