Merge branch 'main' of https://github.com/MicrosoftDocs/azure-stack-docs-pr into amlfs-templates

Author: pauljewellmsft

AKS-Hybrid/TOC.yml

@@ -47,7 +47,9 @@
       - name: Azure CLI
         href: aks-create-clusters-cli.md
       - name: Azure portal
-        href: aks-create-clusters-portal.md   
+        href: aks-create-clusters-portal.md
+      - name: Bicep
+        href: create-clusters-bicep.md   
       - name: Deploy to Azure using a quickstart template
         href: /samples/azure/azure-quickstart-templates/aks-on-ashci
       - name: Azure Resource Manager template

AKS-Hybrid/auto-scale-aks-arc.md

@@ -5,9 +5,9 @@ ms.topic: how-to
 ms.custom: devx-track-azurecli
 author: sethmanheim
 ms.author: sethm
-ms.lastreviewed: 02/28/2024
+ms.date: 08/01/2024
 ms.reviewer: abha
-ms.date: 02/28/2024
+ms.lastreviewed: 08/01/2024
 
 # Intent: As a Kubernetes user, I want to use cluster autoscaling to grow my nodes to keep up with application demand.
 # Keyword: cluster autoscaling Kubernetes
@@ -59,7 +59,7 @@ It takes a few minutes to update the cluster and configure the cluster autoscale
 Disable the cluster autoscaler using the [`az aksarc update`](/cli/azure/aksarc#az-aksarc-update) command and the `--disable-cluster-autoscaler` parameter:
 
 ```azurecli-interactive
-az aks update \
+az aksarc update \
   --resource-group myResourceGroup \
   --name my-aks-arc-cluster \
   --disable-cluster-autoscaler
@@ -72,7 +72,7 @@ Nodes aren't removed when the cluster autoscaler is disabled.
 As your application demands change, you might need to adjust the cluster autoscaler node count to scale efficiently. Change the node count using the [`az aksarc update`](/cli/azure/aksarc#az-aksarc-update) command and update the cluster autoscaler using the `--update-cluster-autoscaler` parameter and specifying your updated `--min-count` and `--max-count` for the node.
 
 ```azurecli-interactive
-az aks update \
+az aksarc update \
   --resource-group myResourceGroup \
   --name myAKSCluster \
   --update-cluster-autoscaler \

AKS-Hybrid/azure-rbac-23h2.md

@@ -69,14 +69,7 @@ After a few minutes, the command completes and returns JSON-formatted informatio
 
 ## Step 2: Create role assignments for users to access the cluster
 
-AKS enabled by Azure Arc provides the following built-in roles:
-
-| Role                                                     | Description                                              |
-| ------------------------------------------------------------ | ------------------------------------------------------------ |
-| [Azure Arc Kubernetes Viewer](/azure/role-based-access-control/built-in-roles#azure-arc-kubernetes-viewer) | Allows read-only access to see most objects in a namespace. <br />Doesn't allow viewing roles or role bindings. <br />Doesn't allow viewing `secrets`, because `read` permission on secrets enables access to `ServiceAccount` credentials in the namespace, which allows API access as any `ServiceAccount` in the namespace (a form of privilege escalation). |
-| [Azure Arc Kubernetes Writer](/azure/role-based-access-control/built-in-roles#azure-arc-kubernetes-writer) | Allows read/write access to most objects in a namespace. <br />Doesn't allow viewing or modifying roles or role bindings. <br />Allows accessing `secrets` and running pods as any `ServiceAccount` in the namespace, so it can be used to gain the API access levels of any `ServiceAccount` in the namespace. |
-| [Azure Arc Kubernetes Admin](/azure/role-based-access-control/built-in-roles#azure-arc-kubernetes-admin) | Allows admin access, intended to be granted within a namespace. <br />Allows read/write access to most resources in a namespace (or cluster scope), including the ability to create roles and role bindings within the namespace. <br />Doesn't allow write access to resource quota or to the namespace itself. |
-| [Azure Arc Kubernetes Cluster Admin](/azure/role-based-access-control/built-in-roles#azure-arc-kubernetes-cluster-admin) | Allows "super-user" access to perform any action on any resource.<br/>Gives full control over every resource in the cluster and in all namespaces. |
+[!INCLUDE [built-in-roles](includes/built-in-roles.md)]
 
 You can use the [`az role assignment create`](/cli/azure/role/assignment#az-role-assignment-create) command to create role assignments.
 

AKS-Hybrid/cluster-labels.md

@@ -2,10 +2,10 @@
 title: Use cluster labels in AKS enabled by Azure Arc
 description: Learn how to use labels in Kubernetes clusters in AKS enabled by Arc.
 ms.topic: how-to
-ms.date: 05/31/2024
+ms.date: 08/01/2024
 author: sethmanheim
 ms.author: sethm 
-ms.lastreviewed: 05/31/2024
+ms.lastreviewed: 08/01/2024
 ms.reviewer: guanghu
 
 ---
@@ -39,7 +39,7 @@ This article describes how to use labels in a Kubernetes cluster on AKS enabled
    The following example creates a node pool named `labelnp` with the label `dept=HR`:
 
    ```azurecli
-   az aks nodepool add –resource-group myResourceGroup –cluster-name myAKSCluster –name labelnp –node-count 1 –labels dept=HR –no-wait
+   az aksarc nodepool add –resource-group myResourceGroup –cluster-name myAKSCluster –name labelnp –node-count 1 –labels dept=HR –no-wait
    ```
 
    The following example output from the [`az aksarc nodepool list`](/cli/azure/aksarc/nodepool#az-aksarc-nodepool-list) command shows the `labelnp` node pool creates nodes with the specified `nodeLabels`:

AKS-Hybrid/concepts-security-access-identity.md

@@ -3,9 +3,9 @@ title: Access and identity options for Azure Kubernetes Service (AKS) Arc
 description: Learn about options in access and identity management on a Kubernetes cluster in AKS on Azure Stack HCI.
 author: leslielin
 ms.topic: conceptual
-ms.date: 07/16/2024
+ms.date: 07/30/2024
 ms.author: leslielin
-ms.lastreviewed: 06/03/2024
+ms.lastreviewed: 07/30/2024
 ms.reviewer: abha
 
 # Intent: As an IT Pro, I want to learn how to improve the security of the applications and infrastructure within my AKS on Azure Stack HCI deployment(s).
@@ -117,15 +117,7 @@ With this feature, you not only give users permissions to the AKS resource acros
 
 ### Built-in roles
 
-AKS enabled by Azure Arc provides the following four built-in roles. They are similar to the [Kubernetes built-in roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) with a few differences, such as supporting CRDs. See the full list of actions allowed by each [Azure built-in role](/azure/role-based-access-control/built-in-roles).
-
-| Role                                                     | Description                                              |
-| ------------------------------------------------------------ | ------------------------------------------------------------ |
-| [Azure Arc-enabled Kubernetes Cluster User Role](/azure/role-based-access-control/built-in-roles/containers#azure-arc-enabled-kubernetes-cluster-user-role) | Allows you to retrieve the Cluster Connect-based kubeconfig file to manage clusters from anywhere. |
-| [Azure Arc Kubernetes Viewer](/azure/role-based-access-control/built-in-roles/containers#azure-arc-kubernetes-viewer) | Allows read-only access to see most objects in a namespace. <br />Doesn't allow viewing roles or role bindings. <br />Doesn't allow viewing `secrets`, because `read` permission on secrets enables access to `ServiceAccount` credentials in the namespace, which allows API access as any `ServiceAccount` in the namespace (a form of privilege escalation). |
-| [Azure Arc Kubernetes Writer](/azure/role-based-access-control/built-in-roles/containers#azure-arc-kubernetes-writer) | Allows read/write access to most objects in a namespace. <br />Doesn't allow viewing or modifying roles or role bindings. <br />Allows accessing `secrets` and running pods as any `ServiceAccount` in the namespace, so it can be used to gain the API access levels of any `ServiceAccount` in the namespace. |
-| [Azure Arc Kubernetes Admin](/azure/role-based-access-control/built-in-roles/containers#azure-arc-kubernetes-admin) | Allows admin access, intended to be granted within a namespace. <br />Allows read/write access to most resources in a namespace (or cluster scope), including the ability to create roles and role bindings within the namespace. <br />Doesn't allow write access to resource quota or to the namespace itself. |
-| [Azure Arc Kubernetes Cluster Admin](/azure/role-based-access-control/built-in-roles/containers#azure-arc-kubernetes-cluster-admin) | Allows super-user access to perform any action on any resource.<br/>Gives full control over every resource in the cluster and in all namespaces. |
+[!INCLUDE [built-in-roles](includes/built-in-roles.md)]
 
 ## Microsoft Entra integration
 
@@ -151,11 +143,6 @@ The following table contains a summary of how users can authenticate to Kubernet
 3. Run `kubectl` commands.
    - The first command can trigger browser-based authentication to authenticate to the Kubernetes cluster, as described in the following table.
 
-In the Azure portal, you can find:
-
-- The *Role assignment* (Azure RBAC role grant) referred to in the second column is shown on the **Access Control (IAM)** tab.
-- The Cluster Admin Microsoft Entra group is shown on the **Configuration** tab.
-  - You can also use the `--aad-admin-group-object-ids` parameter in the Azure CLI.
 
 | Description                                                  | Role grant required                                          | Cluster admin Microsoft Entra groups                       | When to use                                                  |
 | ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ |

AKS-Hybrid/create-clusters-bicep.md

@@ -0,0 +1,199 @@
+---
+title: Create Kubernetes clusters using Bicep
+description: Learn how to create Kubernetes clusters in Azure Stack HCI using Bicep.
+ms.topic: how-to
+ms.custom: devx-track-azurecli
+ms.date: 07/26/2024
+author: sethmanheim
+ms.author: sethm 
+ms.reviewer: haojiehang
+ms.lastreviewed: 07/24/2024
+
+---
+
+# Create Kubernetes clusters using Bicep
+
+This article describes how to create Kubernetes clusters in Azure Stack HCI using Bicep. The workflow is as follows:
+
+1. Create an SSH key pair
+1. Create a Kubernetes cluster in Azure Stack HCI 23H2 using Bicep. By default, the cluster is Azure Arc-connected.
+1. Validate the deployment and connect to the cluster.
+
+## Before you begin
+
+Before you begin, make sure you have the following prerequisites:
+
+1. Get the following details from your on-premises infrastructure administrator:
+
+   - Azure subscription ID: the Azure subscription ID that uses Azure Stack HCI for deployment and registration.
+   - Custom location name or ID: the Azure Resource Manager ID of the custom location. The custom location is configured during the Azure Stack HCI cluster deployment. Your infrastructure admin should give you the Resource Manager ID of the custom location. This parameter is required in order to create Kubernetes clusters. You can also get the Resource Manager ID using `az customlocation show --name "<custom location name>" --resource-group <azure resource group> --query "id" -o tsv`, if the infrastructure admin provides a custom location name and resource group name.
+   - Logical network name or ID: the Azure Resource Manager ID of the Azure Stack HCI logical network that was created following these steps. Your admin should give you the ID of the logical network. This parameter is required in order to create Kubernetes clusters. You can also get the Azure Resource Manager ID using `az stack-hci-vm network lnet show --name "<lnet name>" --resource-group <azure resource group> --query "id" -o tsv` if you know the resource group in which the logical network was created.
+
+1. Make sure you have the [latest version of Azure CLI](/cli/azure/install-azure-cli) on your development machine. You can also upgrade your Azure CLI version using `az upgrade`.
+1. Download and install **kubectl** on your development machine. The Kubernetes command-line tool, **kubectl**, enables you to run commands against Kubernetes clusters. You can use **kubectl** to deploy applications, inspect and manage cluster resources, and view logs.
+
+## Create an SSH key pair
+
+To create an SSH key pair (same as Azure AKS), use the following procedure:
+
+1. [Open a Cloud Shell session](https://shell.azure.com) in your browser.
+1. Create an SSH key pair using the `az sshkey create` Azure CLI command or the `ssh-keygen` command:
+
+   ```azurecli
+   # Create an SSH key pair using Azure CLI
+   az sshkey create --name "mySSHKey" --resource-group "myResourceGroup"
+   ```
+
+   Or, create an SSH key pair using `ssh-keygen`:
+
+   ```bash  
+   ssh-keygen -t rsa -b 4096
+   ```
+
+For more information about creating SSH keys, see [Create and manage SSH keys for authentication in Azure](/azure/virtual-machines/linux/create-ssh-keys-detailed).
+
+## Update and review the Bicep scripts
+
+This section shows the Bicep parameter and template files. These files are also available in an [Azure Quickstart template](https://github.com/Azure/azure-quickstart-templates).
+
+### Bicep parameter file: aksarc.bicepparam
+
+```bicep
+using 'main.bicep'
+param aksClusterName = 'aksarc-bicep-new'
+param aksControlPlaneIP = 'x.x.x.x'
+param sshPublicKey = 'ssh_public_key'
+param hciLogicalNetworkName = 'lnet_name'
+param hciCustomLocationName = 'cl_name'
+param aksNodePoolOSType = 'Linux'
+param aksNodePoolNodeCount = 1
+```
+
+### Bicep template file: main.bicep
+
+```bicep
+@description('The name of AKS Arc cluster resource')
+param aksClusterName string
+param location string = 'eastus'
+
+// Default to 1 node CP
+@description('The name of AKS Arc cluster control plane IP, provide this parameter during deployment')
+param aksControlPlaneIP string
+param aksControlPlaneNodeSize string = 'Standard_A4_v2'
+param aksControlPlaneNodeCount int = 1
+
+// Default to 1 node NP
+param aksNodePoolName string = 'nodepool1'
+param aksNodePoolNodeSize string = 'Standard_A4_v2'
+param aksNodePoolNodeCount int = 1
+@allowed(['Linux', 'Windows'])
+param aksNodePoolOSType string = 'Linux'
+
+@description('SSH public key used for cluster creation, provide this parameter during deployment')
+param sshPublicKey string
+
+// Build LNet ID from LNet name
+@description('The name of LNet resource, provide this parameter during deployment')
+param hciLogicalNetworkName string
+resource logicalNetwork 'Microsoft.AzureStackHCI/logicalNetworks@2023-09-01-preview' existing = {
+  name: hciLogicalNetworkName
+}
+
+// Build custom location ID from custom location name
+@description('The name of custom location resource, provide this parameter during deployment')
+param hciCustomLocationName string
+var customLocationId = resourceId('Microsoft.ExtendedLocation/customLocations', hciCustomLocationName) 
+
+// Create the connected cluster. This is the Arc representation of the AKS cluster, used to create a Managed Identity for the provisioned cluster.
+resource connectedCluster 'Microsoft.Kubernetes/ConnectedClusters@2024-01-01' = {
+  location: location
+  name: aksClusterName
+  identity: {
+    type: 'SystemAssigned'
+  }
+  kind: 'ProvisionedCluster'
+  properties: {
+    agentPublicKeyCertificate: ''
+    aadProfile: {
+      enableAzureRBAC: false
+    }
+  }
+}
+
+// Create the provisioned cluster instance. This is the actual AKS cluster and provisioned on your HCI cluster via the Arc Resource Bridge.
+resource provisionedClusterInstance 'Microsoft.HybridContainerService/provisionedClusterInstances@2024-01-01' = {
+  name: 'default'
+  scope: connectedCluster
+  extendedLocation: {
+    type: 'CustomLocation'
+    name: customLocationId
+  }
+  properties: {
+    linuxProfile: {
+      ssh: {
+        publicKeys: [
+          {
+            keyData: sshPublicKey
+          }
+        ]
+      }
+    }
+    controlPlane: {
+      count: aksControlPlaneNodeCount
+      controlPlaneEndpoint: {
+        hostIP: aksControlPlaneIP
+      }
+      vmSize: aksControlPlaneNodeSize
+    }
+    networkProfile: {
+      loadBalancerProfile: {
+        count: 0
+      }
+      networkPolicy: 'calico'
+    }
+    agentPoolProfiles: [
+      {
+        name: aksNodePoolName
+        count: aksNodePoolNodeCount
+        vmSize: aksNodePoolNodeSize
+        osType: aksNodePoolOSType
+      }
+    ]
+    cloudProviderProfile: {
+      infraNetworkProfile: {
+        vnetSubnetIds: [
+          logicalNetwork.id
+        ]
+      }
+    }
+    storageProfile: {
+      nfsCsiDriver: {
+        enabled: true
+      }
+      smbCsiDriver: {
+        enabled: true
+      }
+    }
+  }
+}
+```
+
+The **Microsoft.HybridContainerService/provisionedClusterInstances** resource is defined in the Bicep file. If you want to explore more properties, [see the API reference](/azure/templates/microsoft.hybridcontainerservice/provisionedclusterinstances?pivots=deployment-language-bicep).
+
+## Deploy the Bicep file
+
+1. Save the Bicep file as **main.bicep** to your local computer.
+1. Update the parameters defined in **aksarc.bicepparam** and save it to your local computer.
+1. Deploy the Bicep file using Azure CLI:
+
+   ```azurecli
+   az deployment group create --name BicepDeployment --resource-group myResourceGroupName --template-file main.bicep –-parameters aksarc.bicepparam
+   ```
+
+## Validate the Bicep deployment and connect to the cluster
+
+You can now connect to your Kubernetes cluster by running the `az connectedk8s proxy` command from your development machine. You can also use **kubectl** to see the node and pod status. Follow the same steps as described in [Connect to the Kubernetes cluster](aks-create-clusters-cli.md#connect-to-the-kubernetes-cluster).
+
+## Next steps
+
+[Create Kubernetes clusters using Azure CLI](aks-create-clusters-cli.md)