Merge branch 'main' into azl-rebrand-manage-services

Author: v-sissondan

.openpublishing.redirection.aks.json

@@ -1454,6 +1454,41 @@
         "source_path": "AKS-Arc/kubernetes-rbac-23h2.md",
         "redirect_url": "/azure/aks/aksarc/kubernetes-rbac-local",
         "redirect_document_id": false
+      },
+      {
+        "source_path": "AKS-Arc/tutorial-kubernetes-prepare-application.md",
+        "redirect_url": "/azure/aks/aksarc/overview",
+        "redirect_document_id": false
+      },
+      {
+        "source_path": "AKS-Arc/tutorial-kubernetes-prepare-azure-container-registry.md",
+        "redirect_url": "/azure/aks/aksarc/overview",
+        "redirect_document_id": false
+      },
+      {
+        "source_path": "AKS-Arc/tutorial-kubernetes-deploy-cluster.md",
+        "redirect_url": "/azure/aks/aksarc/overview",
+        "redirect_document_id": false
+      },
+      {
+        "source_path": "AKS-Arc/tutorial-kubernetes-deploy-application.md",
+        "redirect_url": "/azure/aks/aksarc/overview",
+        "redirect_document_id": false
+      },
+      {
+        "source_path": "AKS-Arc/tutorial-kubernetes-scale.md",
+        "redirect_url": "/azure/aks/aksarc/overview",
+        "redirect_document_id": false
+      },
+      {
+        "source_path": "AKS-Arc/tutorial-kubernetes-app-update.md",
+        "redirect_url": "/azure/aks/aksarc/overview",
+        "redirect_document_id": false
+      },
+      {
+        "source_path": "AKS-Arc/tutorial-kubernetes-upgrade-cluster.md",
+        "redirect_url": "/azure/aks/aksarc/overview",
+        "redirect_document_id": false
       }
     ]
   }

AKS-Arc/TOC.yml

@@ -76,6 +76,10 @@
           href: deploy-load-balancer-portal.md
         # - name: Troubleshoot issues
         #   href: load-balancer-troubleshoot.md
+    - name: Security
+      items:
+      - name: Encrypt etcd secrets
+        href: encrypt-etcd-secrets.md
     - name: AI and Machine Learning
       items:
       - name: Deploy an AI model with the AI toolchain operator
@@ -360,23 +364,6 @@
             href: setup.md
           - name: Create a Kubernetes cluster
             href: create-kubernetes-cluster.md
-  - name: Tutorial
-    items:
-      - name: 1 - Prepare an application
-        href: tutorial-kubernetes-prepare-application.md
-      - name: 2 - Create container registry
-        href: tutorial-kubernetes-prepare-azure-container-registry.md
-      - name: 3 - Deploy a Kubernetes cluster
-        href: tutorial-kubernetes-deploy-cluster.md
-      - name: 4 - Run an application
-        href: tutorial-kubernetes-deploy-application.md
-      - name: 5 - Scale an application
-        href: tutorial-kubernetes-scale.md
-      - name: 6 - Update an application
-        href: tutorial-kubernetes-app-update.md
-      - name: 7 - Upgrade Kubernetes cluster 
-        # Remove this, we don tneed to upgrade K8s in this tutorial.
-        href: tutorial-kubernetes-upgrade-cluster.md
   - name: Concepts
     items:
     - name: Quotas and resource limits

AKS-Arc/aks-edge-software-license-terms.md

@@ -68,7 +68,7 @@ These license terms are an agreement between you and Microsoft Corporation (or o
 
 **10. APPLICABLE LAW AND PLACE TO RESOLVE DISPUTES.** If you acquired the software in the United States or Canada, the laws of the state or province where you live (or, if a business, where your principal place of business is located) govern the interpretation of this agreement, claims for its breach, and all other claims (including consumer protection, unfair competition, and tort claims), regardless of conflict of laws principles, except that the FAA governs everything related to arbitration. If you acquired the software in any other country, its laws apply, except that the FAA governs everything related to arbitration. If U.S. federal jurisdiction exists, you and Microsoft consent to exclusive jurisdiction and venue in the federal court in King County, Washington for all disputes heard in court (excluding arbitration). If not, you and Microsoft consent to exclusive jurisdiction and venue in the Superior Court of King County, Washington for all disputes heard in court (excluding arbitration).
 
-**11. CONSUMER RIGHTS; REGIONAL VARIATIONS.** This agreement describes certain legal rights. You may have other rights, including consumer rights, under the laws of your state, province, or country. Separate and apart from your relationship with Microsoft, you may also have rights with respect to the party from which you acquired the software. This agreement does not change those other rights if the laws of your state, province, or country do not permit it to do so. For example, if you acquired the software in one of the below regions, or mandatory country law applies, then the following provisions apply to you:
+**11. CONSUMER RIGHTS; REGIONAL VARIATIONS.** This agreement describes certain legal rights. You may have other rights, including consumer rights, under the laws of your state, province, or country/region. Separate and apart from your relationship with Microsoft, you may also have rights with respect to the party from which you acquired the software. This agreement does not change those other rights if the laws of your state, province, or country/region do not permit it to do so. For example, if you acquired the software in one of the below regions, or mandatory country/region law applies, then the following provisions apply to you:
 
 **a) Australia.** You have statutory guarantees under the Australian Consumer Law and nothing in this agreement is intended to affect those rights.
 
@@ -86,7 +86,7 @@ Subject to the foregoing clause ii., Microsoft will only be liable for slight ne
 **13. LIMITATION ON AND EXCLUSION OF DAMAGES. IF YOU HAVE ANY BASIS FOR RECOVERING DAMAGES DESPITE THE PRECEDING DISCLAIMER OF WARRANTY, YOU CAN RECOVER FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.**
 
 **This limitation applies to (a) anything related to the software, services, content (including code) on third party Internet sites, or third party applications; and (b) claims for breach of contract, warranty, guarantee, or condition; strict liability, negligence, or other tort; or any other claim; in each case to the extent permitted by applicable law.
-It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your state, province, or country may not allow the exclusion or limitation of incidental, consequential, or other damages.**
+It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your state, province, or country/region may not allow the exclusion or limitation of incidental, consequential, or other damages.**
 
 **Please note: As this software is distributed in Canada, some of the clauses in this agreement are provided below in French.**
 

AKS-Arc/aks-overview.md

@@ -2,7 +2,7 @@
 title: What is AKS enabled by Azure Arc?
 description: Learn about AKS enabled by Azure Arc and available deployment options.
 ms.topic: overview
-ms.date: 05/28/2024
+ms.date: 04/14/2025
 author: sethmanheim
 ms.author: sethm 
 ms.reviewer: abha
@@ -39,16 +39,11 @@ The following list describes some of the common use cases for AKS, but is not an
 
 The available deployment options are as follows:
 
-- **AKS on Azure Local**: AKS on Azure Local uses Azure Arc to create new Kubernetes clusters on Azure Local directly from Azure. It enables you to use familiar tools like the Azure portal and Azure Resource Manager templates to create and manage your Kubernetes clusters running on Azure Local.
-- **AKS Edge Essentials**: AKS Edge Essentials includes a lightweight Kubernetes distribution with a small footprint and simple installation experience, making it easy for you to deploy Kubernetes on PC-class or "light" edge hardware.
-- **AKS on Windows Server**: Azure Kubernetes Service on Windows Server (and on Azure Local 22H2) is an on-premises Kubernetes implementation of AKS that automates running containerized applications at scale, using Windows PowerShell and Windows Admin Center. It simplifies deployment and management of AKS on Windows Server 2019/2022 Datacenter and Azure Local 22H2.
-- **AKS on VMWare (preview)**: AKS on VMware (preview) enables you to use Azure Arc to create new Kubernetes clusters on VMware vSphere. With AKS on VMware, you can manage your AKS clusters running on VMware vSphere using familiar tools like Azure CLI.
+- [**AKS on Azure Local**](aks-whats-new-local.md): AKS on Azure Local uses Azure Arc to create new Kubernetes clusters on Azure Local directly from Azure. It enables you to use familiar tools like the Azure portal and Azure Resource Manager templates to create and manage your Kubernetes clusters running on Azure Local.
+- [**AKS Edge Essentials**](aks-edge-overview.md): AKS Edge Essentials includes a lightweight Kubernetes distribution with a small footprint and simple installation experience, making it easy for you to deploy Kubernetes on PC-class or "light" edge hardware.
+- [**AKS on VMWare (preview)**](aks-vmware-overview.md): AKS on VMware (preview) enables you to use Azure Arc to create new Kubernetes clusters on VMware vSphere. With AKS on VMware, you can manage your AKS clusters running on VMware vSphere using familiar tools like Azure CLI.
+- [**AKS on Windows Server**](overview.md): AKS on Windows Server is an on-premises Kubernetes implementation of AKS that automates running containerized applications at scale, using Windows PowerShell and Windows Admin Center. It simplifies deployment and management of AKS on Windows Server 2019/2022 Datacenter.
 
 ## Next steps
 
-To get started with AKS enabled by Azure Arc, see the following deployment option overviews:
-
 - [What's new in AKS on Azure Local](aks-whats-new-local.md)
-- [AKS on Windows Server](overview.md)
-- [AKS Edge Essentials](aks-edge-overview.md)
-- [AKS on VMware (preview)](aks-vmware-overview.md)

AKS-Arc/deploy-gpu-node-pool-22h2.md

@@ -1,5 +1,5 @@
 ---
-title: Use GPUs for compute-intensive workloads
+title: Use GPUs for compute-intensive workloads in AKS on Windows Server
 description: Learn how to deploy GPU-enabled node pools in AKS on Windows Server.
 author: sethmanheim
 ms.topic: how-to
@@ -11,7 +11,7 @@ ms.lastreviewed: 03/21/2023
 # Keyword: Run GPU workloads on Kubernetes
 ---
 
-# Use GPUs for compute-intensive workloads
+# Use GPUs for compute-intensive workloads in AKS on Windows Server
 
 [!INCLUDE [aks-hybrid-applies-to-azure-stack-hci-windows-server-sku](includes/aks-hci-applies-to-skus/aks-hybrid-applies-to-azure-stack-hci-windows-server-sku.md)]
 

AKS-Arc/deploy-gpu-node-pool.md

@@ -3,7 +3,7 @@ title: Use GPUs for compute-intensive workloads in AKS on Azure Local
 description: Learn how to deploy GPU-enabled node pools in AKS enabled by Arc on Azure Local.
 author: sethmanheim
 ms.topic: how-to
-ms.date: 03/25/2025
+ms.date: 04/14/2025
 ms.author: sethm 
 ms.lastreviewed: 03/21/2025
 ms.reviewer: abha
@@ -17,7 +17,7 @@ ms.reviewer: abha
 [!INCLUDE [hci-applies-to-23h2](includes/hci-applies-to-23h2.md)]
 
 > [!NOTE]
-> For information about GPUs in AKS on Azure Local 22H2, see [Use GPUs (Azure Local 22H2)](deploy-gpu-node-pool-22h2.md).
+> For information about GPUs in AKS on Windows Server, see [Use GPUs in AKS on Windows Server](deploy-gpu-node-pool-22h2.md).
 
 Graphical Processing Units (GPU) are used for compute-intensive workloads such as machine learning, deep learning, and more. This article describes how to use GPUs for compute-intensive workloads in AKS enabled by Azure Arc.
 
@@ -241,5 +241,5 @@ If an upgrade is triggered on a cluster without extra GPU resources to facilitat
 ## Next steps
 
 - [Supported VM sizes](scale-requirements.md)
-- [Use GPUs (AKS on Azure Local 22H2)](deploy-gpu-node-pool-22h2.md)
-- [AKS overview](aks-hybrid-options-overview.md)
+- [Use GPUs in AKS on Windows Server](deploy-gpu-node-pool-22h2.md)
+- [AKS overview](aks-overview.md)

AKS-Arc/encrypt-etcd-secrets.md

@@ -0,0 +1,110 @@
+---
+title: Encrypt etcd secrets for Kubernetes clusters in AKS on Azure Local
+description: Learn how to encrypt etcd secrets in AKS on Azure Local.
+author: sethmanheim
+ms.topic: how-to
+ms.date: 04/11/2025
+ms.author: sethm 
+ms.lastreviewed: 04/10/2025
+ms.reviewer: khareanushka
+# Intent: As an IT Pro, I want to learn about encrypted etcd secrets and how they are used in my AKS deployment. 
+# Keyword: etcd secrets AKS Windows Server
+
+---
+
+# How to: Encrypt etcd secrets for Kubernetes clusters
+
+[!INCLUDE [hci-applies-to-23h2](includes/hci-applies-to-23h2.md)]
+
+A [*secret*](https://kubernetes.io/docs/concepts/configuration/secret/) in Kubernetes is an object that contains a small amount of sensitive data, such as passwords and SSH keys. In the Kubernetes API server, secrets are stored in *etcd*, which is a highly available key value store used as the Kubernetes backing store for all cluster data.
+
+Azure Kubernetes Service (AKS) on Azure Local comes with encryption of etcd secrets using a **Key Management Service (KMS) plugin**. All Kubernetes clusters in Azure Local have a built-in KMS plugin enabled by default. This plugin generates the [Key Encryption Key (KEK)](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/#kms-encryption-and-per-object-encryption-keys)
+and automatically rotates it every 30 days.
+
+This article describes how to verify that the data is encrypted. For more information, see the [official Kubernetes documentation for the KMS plugin](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/).
+
+> [!NOTE]
+> The KMS plugin currently uses the KMS v1 protocol.
+
+## Before you begin
+
+Before you begin, ensure that you have the following prerequisites:
+
+- To interact with Kubernetes clusters, you must install [**kubectl**](https://kubernetes.io/docs/tasks/tools/) and [**kubelogin**](https://azure.github.io/kubelogin/install.html).
+- To view or manage secrets, ensure you have the necessary entitlements to access them. For more information, see [Access and identity](concepts-security-access-identity.md#built-in-roles).
+
+## Access your Microsoft Entra-enabled cluster
+
+Get the user credentials to access your cluster using the [az aksarc get-credentials](/cli/azure/aksarc#az-aksarc-get-credentials) command. You need the **Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action** resource, which is included in the **Azure Kubernetes Service Arc Cluster User** role permission:
+
+```azurecli
+az aksarc get-credentials --resource-group $resource_group --name $aks_cluster_name
+```
+
+## Verify that the KMS plugin is enabled
+
+To verify that the KMS plugin is enabled, run the following command and ensure that the health status of **kms-providers** is **OK**:
+
+```azurecli
+kubectl get --raw='/readyz?verbose'
+```
+
+```output
+[+]ping ok
+[+]Log ok
+[+]etcd ok
+[+]kms-providers ok
+[+]poststarthook/start-encryption-provider-config-automatic-reload ok
+```
+
+## Verify that the data is encrypted
+
+To verify that secrets and data has been encrypted using a KMS plugin, [see the Kubernetes documentation](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/#verifying-that-the-data-is-encrypted). You can use the following commands to verify that the data is encrypted:
+
+```azurecli
+kubectl exec --stdin --tty <etcd pod name> -n kube-system --etcdctl --cacert /etc/kubernetes/pki/etcd/ca.crt --key /etc/kubernetes/pki/etcd/server.key --cert /etc/kubernetes/pki/etcd/server.crt get /registry/secrets/default/db-user-pass -w fields
+```
+
+- `kubectl exec`: This is the kubectl command used to execute a command inside a running pod. It enables you to run commands within the container of a pod.
+- `--stdin`: This flag enables you to send input (stdin) to the command you are running inside the pod.
+- `--tty`: This flag allocates a TTY (terminal) for the command, making it behave as though you're interacting with a terminal session.
+- `<etcd pod name>`: to find the etcd pod name, run the following command:
+
+  ```azurecli
+   kubectl get pods -n kube-system | findstr etcd-moc
+   ```
+
+- `-n kube-system`: Specifies the namespace where the pod is located. **kube-system** is the default namespace used by Kubernetes for system components, such as etcd and other control plane services.
+- `--etcdctl`: Reads the secret from etcd. Additional fields are used for authentication before you get access to etcd.
+
+The following fields are returned in the command output:
+
+```output
+"ClusterID" : <cluster id> 
+"MemberID" : <member id> 
+"Revision" : <revision number> 
+"RaftTerm" : 2 
+"Key" : <path to the key>
+"CreateRevision" : <revision number at the time the key was created> 
+"ModRevision" :  <revision number at the time the key was modified> 
+"Version" : <version of the key-value pair in etcd> 
+"Value" : "k8s:enc:kms:v1:kms-plugin: <encrypted secret value>"  
+"Lease" : <lease associated with the secret> 
+"More" : <indicates if there are more results> 
+"Count" : <number of key-value pairs returned> 
+```
+
+After you run the command, examine the `Value` field in the output in the terminal window. This output shows the value stored in the etcd secret store for this key, which is the encrypted value of the secret. The value is encrypted using a KMS plugin. The `k8s:enc:kms:v1:` prefix indicates that Kubernetes is using the KMS v1 plugin to store the secret in an encrypted format.
+
+> [!NOTE]
+> If you use the `kubectl describe secrets` command to retrieve secrets, it returns them in base64-encoded format, but unencrypted. The `kubectl describe` command retrieves the details of a Kubernetes resource via the API server, which manages encryption and decryption automatically. For sensitive data such as secrets, even if they are mounted on a pod, the API server ensures that they are decrypted when accessed. As a result, running the `kubectl describe` command does not display secrets in their encrypted form, but rather in their decrypted form if they are being used by a resource.
+
+## Troubleshooting
+
+If you encounter any errors with the KMS plugin, follow the procedure on the [Troubleshooting page](aks-troubleshoot.md) to troubleshoot the issue.
+
+## Next steps
+
+- [Create Kubernetes clusters](aks-create-clusters-cli.md#deploy-the-application-and-load-balancer)
+- [Deploy a Linux application on a Kubernetes cluster](deploy-linux-application.md)
+

AKS-Arc/includes/supported-gpu-models.md

@@ -2,15 +2,15 @@
 author: sethmanheim
 ms.author: sethm
 ms.topic: include
-ms.date: 03/25/2025
+ms.date: 04/14/2025
 ms.reviewer: abha
-ms.lastreviewed: 03/25/2025
+ms.lastreviewed: 04/14/2025
 
 ---
 
 ## Supported GPU models
 
-The following GPU models are supported by AKS on Azure Local, version 23H2:
+The following GPU models are supported by AKS on Azure Local.
 
 | Manufacturer | GPU model | Supported version |
 |--------------|-----------|-------------------|
@@ -20,7 +20,7 @@ The following GPU models are supported by AKS on Azure Local, version 23H2:
 
 ## Supported GPU VM sizes
 
-The following VM sizes for each GPU model are supported by AKS on Azure Local, version 23H2.
+The following VM sizes for each GPU model are supported by AKS on Azure Local.
 
 ### Nvidia T4 is supported by NK T4 SKUs