Merge branch 'main' of https://github.com/MicrosoftDocs/azure-stack-docs-pr into md-collect-logs-portal

Author: Manika Dhiman

.openpublishing.redirection.aks.json

@@ -1371,13 +1371,18 @@
         "redirect_document_id": false
       },
       {
-        "source_path": "AKS-Hybrid/offline-download.md",
-        "redirect_url": "/azure/aks/hybrid/aks-overview",
+        "source_path": "AKS-Hybrid/deploy-load-balancer.md",
+        "redirect_url": "/azure/aks/hybrid/deploy-load-balancer-cli",
         "redirect_document_id": false
       },
       {
-        "source_path": "AKS-Hybrid/deploy-load-balancer.md",
-        "redirect_url": "/azure/aks/hybrid/deploy-load-balancer-cli",
+        "source_path": "AKS-Hybrid/kubernetes-rbac-azure-ad.md",
+        "redirect_url": "/azure/aks/hybrid/kubernetes-rbac-entra-id",
+        "redirect_document_id": false
+      },
+      {
+        "source_path": "AKS-Hybrid/infrastructure-components.md",
+        "redirect_url": "/azure/aks/hybrid/cluster-architecture",
         "redirect_document_id": false
       }
     ]

.openpublishing.redirection.json

@@ -9,23 +9,23 @@
     href: supported-kubernetes-versions.md  
   - name: Data collection
     href: data-collection.md
-- name: AKS enabled by Azure Arc 
+- name: AKS on Azure Stack HCI 23H2
   expanded: true
   items:
   - name: What's new in AKS on Azure Stack HCI 23H2
     href: aks-whats-new-23h2.md
   - name: Concepts
     items:
+    - name: Architecture
+      href: cluster-architecture.md
     - name: Networking
       items:
       - name: Networking concepts
         href: aks-hci-network-system-requirements.md
       - name: Load balancer
-        href: load-balancer-overview.md
-    - name: Infrastructure component updates
-      href: infrastructure-components.md
-    - name: Cluster architecture
-      href: cluster-architecture.md
+        href: load-balancer-overview.md      
+    - name: Access and identity
+      href: concepts-security-access-identity.md
     - name: Supported scale requirements
       href: scale-requirements.md
     - name: Azure Hybrid Benefit
@@ -47,7 +47,9 @@
       - name: Azure CLI
         href: aks-create-clusters-cli.md
       - name: Azure portal
-        href: aks-create-clusters-portal.md      
+        href: aks-create-clusters-portal.md   
+      - name: Deploy to Azure using a quickstart template
+        href: /samples/azure/azure-quickstart-templates/aks-on-ashci
       - name: Azure Resource Manager template
         href: resource-manager-quickstart.md
     - name: Networking
@@ -62,6 +64,18 @@
           href: deploy-load-balancer-portal.md
         # - name: Troubleshoot issues
         #   href: load-balancer-troubleshoot.md
+    - name: Download Kubernetes VHDs manually
+      href: offline-download.md
+    - name: Security and authentication
+      items:
+      - name: Use Azure RBAC for Kubernetes authorization
+        href: azure-rbac-23h2.md
+      - name: Use Kubernetes RBAC with Microsoft Entra ID
+        href: kubernetes-rbac-23h2.md
+      - name: Retrieve certificate-based admin kubeconfig
+        href: retrieve-admin-kubeconfig.md
+      - name: Restrict SSH access
+        href: restrict-ssh-access.md
     - name: Storage
       items:
       - name: CSI storage drivers
@@ -76,28 +90,28 @@
         href: manage-node-pools.md
       - name: Use GPUs
         href: deploy-gpu-node-pool.md
-      - name: Use labels in a Kubernetes cluster
+    - name: Cluster management
+      items:
+      - name: Labels
         href: cluster-labels.md
+      - name: Taints
+        href: aks-arc-use-node-taints.md
     - name: Scale a Kubernetes cluster
       href: auto-scale-aks-arc.md
     - name: Upgrade Kubernetes clusters
       href: cluster-upgrade.md
     - name: Create Windows Server containers
       href: aks-create-containers.md
-    - name: Deploy container images using Azure Container Registry
+    - name: Integrate Azure Container Registry with a Kubernetes cluster
       href: deploy-container-registry.md
-    - name: Security and authentication
-      items:
-      - name: Retrieve certificate-based admin kubeconfig
-        href: retrieve-admin-kubeconfig.md
-      - name: Restrict SSH access
-        href: restrict-ssh-access.md
     - name: Monitoring and logging
       items:    
           - name: Monitor Kubernetes object events
             href: kubernetes-monitor-object-events.md
           - name: Monitor Kubernetes audit events
             href: kubernetes-monitor-audit-events.md
+          - name: Monitor logs reference
+            href: kubernetes-monitor-metrics.md
           - name: Enable Container Insights
             href: /azure/azure-monitor/containers/kubernetes-monitoring-enable
           - name: Use on-premises monitoring
@@ -112,26 +126,24 @@
       href: aks-known-issues.md
     - name: Troubleshoot
       href: aks-troubleshoot.md
+    - name: KubeAPIServer unreachable error
+      href: kube-api-server-unreachable.md
   - name: Reference
     items:
     - name: Azure CLI
       href: /cli/azure/aksarc
     - name: REST API reference
       href: /rest/api/hybridcontainer/operation-groups
+  - name: Resources
+    items:
     - name: Azure Stack HCI
       href: /azure-stack/hci/index
-    - name: Windows Admin Center (WAC)
-      href: /windows-server/manage/windows-admin-center/understand/windows-admin-center
     - name: Azure hybrid cloud
       href: /hybrid
-    - name: Windows Server
-      href: /windows-server/
-    - name: Release notes
-      href: https://aka.ms/AKS-hybrid-Releasenotes
-    - name: AKS Arc PowerShell
-      href: ./reference/ps/index.md
-    - name: Add-ons, extensions, and integrations
-      href: add-ons.md    
+    - name: Azure Arc Jumpstart
+      href: https://azurearcjumpstart.com/azure_arc_jumpstart/azure_arc_k8s/aks_stack_hci/
+    - name: Azure roadmap
+      href: https://azure.microsoft.com/roadmap/
 - name: AKS Edge Essentials
   items:
   - name: Overview
@@ -218,7 +230,7 @@
       href: aks-edge-licensing.md
     - name: Microsoft Software License Terms
       href: aks-edge-software-license-terms.md 
-- name: AKS enabled by Azure Arc on VMware
+- name: AKS on VMware
   items:
   - name: Overview
     href: aks-vmware-overview.md
@@ -252,6 +264,20 @@
       href: aks-vmware-known-issues.md
     - name: Troubleshooting guide
       href: aks-vmware-troubleshooting-guide.md
+  - name: Reference
+    items:
+    - name: aksarc CLI version 1.0.0b1
+      items:
+      - name: Commands
+        href: aksarc.yml
+      - name: logs
+        href: logs.yml
+      - name: nodepool
+        href: nodepool.yml
+      - name: vmsize
+        href: vmsize.yml
+      - name: vnet
+        href: vnet.yml
 - name: AKS on Windows Server
   items:
   - name: Overview
@@ -434,7 +460,7 @@
         - name: Use Active Directory single sign-on
           href: ad-sso.md
         - name: Use Kubernetes RBAC with Microsoft Entra ID
-          href: kubernetes-rbac-azure-ad.md
+          href: kubernetes-rbac-entra-id.md
         - name: Use Azure RBAC with AKS clusters
           href: azure-rbac-aks-hybrid.md
         - name: Update certificate bundle on container hosts
@@ -525,19 +551,15 @@
       href: help-support.md
     - name: File bugs
       href: https://aka.ms/AKS-hybrid-issues
+    - name: Release notes
+      href: https://aka.ms/AKS-hybrid-Releasenotes
+    - name: AKS Arc PowerShell
+      href: ./reference/ps/index.md
+    - name: Add-ons, extensions, and integrations
+      href: add-ons.md    
   - name: Architecture
     items:
     - name: Baseline architecture for AKS
       href: /azure/architecture/example-scenario/hybrid/aks-baseline
     - name: Network architecture for AKS
       href: /azure/architecture/example-scenario/hybrid/aks-network
-  - name: Resources
-    items:
-    - name: Azure Arc Jumpstart
-      href: https://azurearcjumpstart.com/azure_arc_jumpstart/azure_arc_k8s/aks_stack_hci/
-    - name: Azure roadmap
-      href: https://azure.microsoft.com/roadmap/
-    - name: AKS roadmap
-      href: https://aka.ms/k8sroadmap
-    - name: AKS enabled Arc roadmap
-      href: https://aka.ms/AKS-hybrid-roadmap

AKS-Hybrid/TOC.yml

@@ -0,0 +1,158 @@
+---
+title: Manage node taints for an AKS cluster
+description: Learn how to manage node taints in AKS on Azure Stack HCI 23H2
+ms.topic: how-to
+ms.custom: devx-track-azurecli
+ms.date: 06/03/2024
+author: sethmanheim
+ms.author: sethm 
+ms.reviewer: abha
+ms.lastreviewed: 01/30/2024
+
+---
+
+# Use node taints in an AKS enabled by Azure Arc cluster
+
+[!INCLUDE [hci-applies-to-23h2](includes/hci-applies-to-23h2.md)]
+
+This article describes how to use node taints in an AKS cluster.
+
+## Overview
+
+The AKS scheduling mechanism is responsible for placing pods onto nodes and is based on the upstream Kubernetes scheduler, [kube-scheduler](https://kubernetes.io/docs/concepts/scheduling-eviction/kube-scheduler/). You can constrain a pod to run on particular nodes by instructing the node to reject a set of pods using [node taints](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/), which interact with the AKS scheduler.
+
+Node taints work by marking a node so that the scheduler avoids placing certain pods on the marked nodes. You can place [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) on a pod to allow the scheduler to schedule that pod on a node with a matching taint. Taints and tolerations work together to help you control how the scheduler places pods onto nodes. For more information, see [example use cases of taints and tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/#example-use-cases:~:text=not%20be%20evicted.-,Example%20Use%20Cases,-Taints%20and%20tolerations).
+
+Taints are key-value pairs with an [effect](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). There are three values for the effect field when using node taints: `NoExecute`, `NoSchedule`, and `PreferNoSchedule`.
+
+- `NoExecute`: Pods already running on the node are immediately evicted if they don't have a matching toleration. If a pod has a matching toleration, it might be evicted if `tolerationSeconds` are specified.
+- `NoSchedule`: Only pods with a matching toleration are placed on this node. Existing pods aren't evicted.
+- `PreferNoSchedule`: The scheduler avoids placing any pods that don't have a matching toleration.
+
+### Before you begin
+
+- This article assumes you have an existing AKS cluster. If you need an AKS cluster, you can create one using [Azure CLI](aks-create-clusters-cli.md), Azure PowerShell, or the [Azure portal](aks-create-clusters-portal.md).
+- When you create a node pool, you can add taints to it. When you add a taint, all nodes within that node pool also get that taint.
+
+> [!IMPORTANT]
+> You should add taints or labels to nodes for the entire node pool using `az aksarc nodepool`. We don't recommend using `kubectl` to apply taints or labels to individual nodes in a node pool.
+
+### Set node pool taints
+
+Create a node pool with a taint using the [`az aksarc nodepool add`](/cli/azure/aksarc/nodepool#az-aksarc-nodepool-add) command. Specify the name `taintnp` and use the `--node-taints` parameter to specify `sku=gpu:NoSchedule` for the taint:
+
+```azurecli
+az aksarc nodepool add \
+    --resource-group myResourceGroup \
+    --cluster-name myAKSCluster \
+    --name taintnp \
+    --node-count 1 \
+    --node-taints sku=gpu:NoSchedule \
+    --no-wait
+```
+
+Check the status of the node pool using the [`az aksarc nodepool list`](/cli/azure/aksarc/nodepool#az-aksarc-nodepool-list) command:
+
+```azurecli
+az aksarc nodepool list -g myResourceGroup --cluster-name myAKSCluster
+```
+
+The following example output shows that the `taintnp` node pool creates nodes with the specified `nodeTaints`:
+
+```output
+[
+  {
+    ...
+    "count": 1,
+    ...
+    "name": "taintnp",
+    ...
+    "provisioningState": "Succeeded",
+    ...
+    "nodeTaints":  [
+      "sku=gpu:NoSchedule"
+    ],
+    ...
+  },
+ ...
+]
+```
+
+The taint information is visible in Kubernetes for handling scheduling rules for nodes. The Kubernetes scheduler can use taints and tolerations to restrict which workloads can run on nodes.
+
+- A *taint* is applied to a node that indicates only specific pods can be scheduled on them.
+- A *toleration* is then applied to a pod that allows them to "tolerate" a node's taint.
+
+### Set node pool tolerations
+
+In the previous step, you applied the `sku=gpu:NoSchedule` taint when you created the node pool. The following example YAML manifest uses a toleration to allow the Kubernetes scheduler to run an NGINX pod on a node in that node pool:
+
+Create a file named **nginx-toleration.yaml** and copy/paste the following example YAML:
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: mypod
+spec:
+  containers:
+  - image: mcr.microsoft.com/oss/nginx/nginx:1.15.9-alpine
+    name: mypod
+    resources:
+      requests:
+        cpu: 100m
+        memory: 128Mi
+      limits:
+        cpu: 1
+        memory: 2G
+  tolerations:
+  - key: "sku"
+    operator: "Equal"
+    value: "gpu"
+    effect: "NoSchedule"
+```
+
+Schedule the pod using the `kubectl apply` command:
+
+```azurecli
+kubectl apply -f nginx-toleration.yaml
+```
+
+It takes a few seconds to schedule the pod and pull the NGINX image.
+
+Check the status using the [`kubectl describe pod`](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_describe/) command:
+
+```azurecli
+kubectl describe pod mypod
+```
+
+The following condensed example output shows that the `sku=gpu:NoSchedule` toleration is applied. In the **Events** section, the scheduler assigned the pod to the `moc-lbeof1gn6x3` node:
+
+```output
+[...]
+Tolerations:     node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
+                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
+                 sku=gpu:NoSchedule
+Events:
+  Type    Reason     Age    From                Message
+  ----    ------     ----   ----                -------
+  Normal  Scheduled  54s  default-scheduler   Successfully assigned default/mypod to moc-lbeof1gn6x3
+  Normal  Pulling    53s  kubelet             Pulling image "mcr.microsoft.com/oss/nginx/nginx:1.15.9-alpine"
+  Normal  Pulled     48s  kubelet             Successfully pulled image "mcr.microsoft.com/oss/nginx/nginx:1.15.9-alpine" in 3.025148695s (3.025157609s including waiting)
+  Normal  Created    48s  kubelet             Created container
+  Normal  Started    48s  kubelet             Started container
+```
+
+Only pods that have this toleration applied can be scheduled on nodes in `taintnp`. Any other pods are scheduled in the **nodepool1** node pool. If you create more node pools, you can use taints and tolerations to limit what pods can be scheduled on those node resources.
+
+### Update a cluster node pool to add a node taint
+
+Update a cluster to add a node taint using the [`az aksarc update`](/cli/azure/aksarc/nodepool#az-aksarc-nodepool-update) command and the `--node-taints` parameter to specify `sku=gpu:NoSchedule` for the taint. All existing taints are replaced with the new values. The old taints are deleted:
+
+```azurecli
+az aksarc update -g myResourceGroup --cluster-name myAKSCluster --name taintnp --node-taints "sku=gpu:NoSchedule"   
+```
+
+## Next steps
+
+- [Use labels in an Azure Arc-enabled AKS cluster](cluster-labels.md).

AKS-Hybrid/aks-arc-use-node-taints.md

@@ -5,7 +5,7 @@ author: rcheeran
 ms.author: rcheeran
 ms.topic: how-to
 ms.date: 10/10/2023
-ms.custom: template-how-to
+ms.custom: template-how-to, linux-related-content
 ---
 
 # TPM access for AKS Edge Essentials

AKS-Hybrid/aks-edge-howto-access-tpm.md

@@ -5,7 +5,7 @@ author: rcheeran
 ms.author: rcheeran
 ms.topic: how-to
 ms.date: 05/01/2024
-ms.custom: template-how-to
+ms.custom: template-how-to, linux-related-content
 ---
 
 # Deploy an application