Merging changes synced from https://github.com/MicrosoftDocs/azure-stack-docs-pr (branch live)

Author: Learn Build Service GitHub App

AKS-Arc/aks-edge-concept-clusters-nodes.md

@@ -4,7 +4,7 @@ description: Learn about clusters and nodes running on AKS Edge Essentials.
 author: sethmanheim
 ms.author: sethm
 ms.topic: concept-article
-ms.date: 07/11/2024
+ms.date: 07/03/2025
 ms.custom: template-concept
 ---
 
@@ -18,7 +18,7 @@ When you create an AKS Edge Essentials deployment, AKS Edge Essentials creates a
 
 ![Screenshot showing the the VMs in AKS Edge.](./media/aks-edge/aks-edge-vm.png)
 
-Deployments can only create one Linux VM on a given host machine. This Linux VM can act as both the control plane node and as a worker node based on your deployment needs. This curated VM is based on [CBL-Mariner](https://github.com/microsoft/CBL-Mariner). CBL-Mariner is an internal Linux distribution for Microsoft's cloud infrastructure and edge products and services. CBL-Mariner is designed to provide a consistent platform for these devices and services and enhances Microsoft's ability to stay current on Linux updates. For more information, see [CBL-Mariner security](https://github.com/microsoft/CBL-Mariner/blob/2.0/SECURITY.md). The Linux virtual machine is built on four-point comprehensive premises:
+Deployments can only create one Linux VM on a given host machine. This Linux VM can act as both the control plane node and as a worker node based on your deployment needs. This curated VM is based on [CBL-Mariner](https://github.com/microsoft/CBL-Mariner). CBL-Mariner is an internal Linux distribution for Microsoft's cloud infrastructure and edge products and services. CBL-Mariner is designed to provide a consistent platform for these devices and services and enhances Microsoft's ability to stay current on Linux updates. For more information, see [CBL-Mariner security](https://github.com/microsoft/CBL-Mariner/blob/2.0/SECURITY.md). The Linux virtual machine is built on a four-point comprehensive premise:
 
 - Servicing updates
 - Read-only root filesystem
@@ -27,7 +27,7 @@ Deployments can only create one Linux VM on a given host machine. This Linux VM
 
 Running a Windows node is optional and you can create a Windows node if you need to deploy Windows containers. This node runs as a Windows virtual machine based on [Windows 10 IoT Enterprise LTSC 2019](/lifecycle/products/windows-10-iot-enterprise-ltsc-2019). The Windows VM brings all the security features and capabilities of Windows 10.
 
-You can define the amount of CPU and memory resources that you'd like to allocate for each of the VMs. This static allocation enables you to control how resources are used and ensures that applications running on the host have the required resources.
+You can define the amount of CPU and memory resources that you want to allocate for each of the VMs. This static allocation enables you to control how resources are used and ensures that applications running on the host have the required resources.
 
 Finally, AKS Edge Essentials doesn't offer dynamic creation of virtual machines. If a node VM goes down, you have to recreate it. That said, if you have a full deployment with multiple control plane nodes and worker nodes, if a VM goes down, Kubernetes moves workloads to an active node.
 
@@ -47,7 +47,7 @@ After you set up your machines, you can deploy AKS Edge Essentials in the follow
 
 ![Diagram showing AKS Edge Essentials deployment scenarios.](./media/aks-edge/aks-edge-deployment-options.jpg)
 
-Once you've created your cluster, you can deploy your applications and connect your cluster to Arc, to enable Arc extensions such as Azure Monitor and Azure Policy. You can also choose to use GitOps to manage your deployments.
+Once you create your cluster, you can deploy your applications and connect your cluster to Arc, to enable Arc extensions such as Azure Monitor and Azure Policy. You can also choose to use GitOps to manage your deployments.
 
 ## Next steps
 

AKS-Arc/certificates-overview.md

@@ -3,10 +3,10 @@ title: Overview of certificate management in AKS on Windows Server
 description: Learn how to manage certificates for secure communication between in-cluster components in AKS by provisioning and managing certificates in AKS on Windows Server.
 author: sethmanheim
 ms.topic: concept-article
-ms.date: 01/10/2024
+ms.date: 07/03/2025
 ms.author: sethm 
 ms.lastreviewed: 04/01/2023
-ms.reviewer: sulahiri
+ms.reviewer: leslielin
 
 # Intent: As an IT Pro, I want to learn how to use certificates to secure communication between in-cluster components on my AKS deployment.
 # Keyword: control plane nodes secure communication certificate revocation
@@ -105,9 +105,9 @@ A `notBefore` time can be specified to revoke only certificates that are issued
 > [!NOTE]
 > Revocation of `kubelet` server certificates is currently not available.
 
-If you use a serial number when you perform a revocation, you can use the `Repair-AksHciClusterCerts` PowerShell command, described below, to get your cluster into a working state. If you use any of the other fields listed earlier, make sure to specify a `notBefore` time.
+If you use a serial number when you perform a revocation, you can use the `Repair-AksHciClusterCerts` PowerShell command, described as follows, to get your cluster into a working state. If you use any of the other fields listed earlier, make sure to specify a `notBefore` time.
 
-```console
+```yaml
 apiVersion: certificates.microsoft.com/v1 
 kind: RenewRevocation 
 metadata: 

AKS-Arc/concepts-security-access-identity.md

@@ -3,7 +3,7 @@ title: Access and identity options for Azure Kubernetes Service (AKS) Arc
 description: Learn about options in access and identity management on a Kubernetes cluster in AKS on Azure Local.
 author: sethmanheim
 ms.topic: how-to
-ms.date: 07/30/2024
+ms.date: 07/03/2025
 ms.author: sethm
 ms.lastreviewed: 07/30/2024
 ms.reviewer: leslielin
@@ -41,7 +41,7 @@ For more information, see [Using Kubernetes RBAC authorization](https://kubernet
 
 #### Roles
 
-Before assigning permissions to users with Kubernetes RBAC, you define user permissions as a *role*. Grant permissions within a Kubernetes namespace using roles.
+Before assigning permissions to users with Kubernetes RBAC, you define user permissions as a role. Grant permissions within a Kubernetes namespace using roles.
 
 Kubernetes roles grant permissions; they don't deny permissions. To grant permissions across the entire cluster or to cluster resources outside a given namespace, you can use *ClusterRoles*.
 
@@ -51,7 +51,7 @@ A ClusterRole grants and applies permissions to resources across the entire clus
 
 ### RoleBindings and ClusterRoleBindings
 
-Once you define roles to grant permissions to resources, you assign those Kubernetes RBAC permissions with a *RoleBinding*. If your AKS cluster [integrates with Microsoft Entra ID](#microsoft-entra-integration), RoleBindings grant permissions to Microsoft Entra users to perform actions within the cluster. See [Control access using Microsoft Entra ID and Kubernetes RBAC](kubernetes-rbac-local.md)
+Once you define roles to grant permissions to resources, you assign those Kubernetes RBAC permissions with a *RoleBinding*. If your AKS cluster [integrates with Microsoft Entra ID](#microsoft-entra-integration), RoleBindings grant permissions to Microsoft Entra users to perform actions within the cluster. See [Control access using Microsoft Entra ID and Kubernetes RBAC](kubernetes-rbac-local.md).
 
 #### RoleBindings
 
@@ -82,7 +82,7 @@ Azure Role-based Access Control (RBAC) is an authorization system built on [Azur
 
 With Azure RBAC, you create a *role definition* that outlines the permissions to be applied. You then assign a user or group this role definition via a *role assignment* for a particular *scope*. The scope can be an individual resource, a resource group, or across the subscription.
 
-For more information, see [What is Azure role-based access control (Azure RBAC)?](/azure/role-based-access-control/overview)
+For more information, see [What is Azure role-based access control (Azure RBAC)?](/azure/role-based-access-control/overview).
 
 There are two required levels of access to fully operate an AKS Arc cluster:
 
@@ -113,15 +113,15 @@ In this scenario, you use Azure RBAC mechanisms and APIs to assign users built-i
 With this feature, you not only give users permissions to the AKS resource across subscriptions, but you also configure the role and permissions for inside each of those clusters controlling Kubernetes API access. There are four built-in roles available for this data plane action, each with its own scope of permissions, [as described in the built-in roles](#built-in-roles) section.
 
 > [!IMPORTANT]
-> You must enable Azure RBAC for Kubernetes authorization before doing role assignment. For more details and step by step guidance, see [Use Azure RBAC for Kubernetes authorization](azure-rbac-local.md).
+> You must enable Azure RBAC for Kubernetes authorization before doing role assignment. For more details and step-by-step guidance, see [Use Azure RBAC for Kubernetes authorization](azure-rbac-local.md).
 
 ### Built-in roles
 
 [!INCLUDE [built-in-roles](includes/built-in-roles.md)]
 
 ## Microsoft Entra integration
 
-Enhance your AKS cluster security with Microsoft Entra integration. Built on enterprise identity management experience, Microsoft Entra ID is a multitenant, cloud-based directory and identity management service that combines core directory services, application access management, and identity protection. With Microsoft Entra ID, you can integrate on-premises identities into AKS clusters to provide a single source for account management and security.
+Microsoft Entra integration can help to enhance your AKS cluster security. Built on enterprise identity management experience, Microsoft Entra ID is a multitenant, cloud-based directory and identity management service that combines core directory services, application access management, and identity protection. With Microsoft Entra ID, you can integrate on-premises identities into AKS clusters to provide a single source for account management and security.
 
 :::image type="content" source="media/concepts-security-access-identity/entra-integration.png" alt-text="Flowchart showing Entra integration." lightbox="media/concepts-security-access-identity/entra-integration.png":::
 
@@ -143,7 +143,6 @@ The following table contains a summary of how users can authenticate to Kubernet
 3. Run `kubectl` commands.
    - The first command can trigger browser-based authentication to authenticate to the Kubernetes cluster, as described in the following table.
 
-
 | Description                                                  | Role grant required                                          | Cluster admin Microsoft Entra groups                       | When to use                                                  |
 | ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ |
 | Admin login using client certificate                  | [Azure Kubernetes Service Arc Cluster Admin Role](/azure/role-based-access-control/built-in-roles/containers#azure-kubernetes-service-arc-cluster-admin-role). This role allows `az aksarc get-credentials` to be used with the `--admin` flag, which downloads a non-Microsoft Entra cluster admin certificate into the user's **.kube/config**. This is the only purpose of the Azure Kubernetes Admin role. | n/a                                                          | If you're permanently blocked by not having access to a valid Microsoft Entra group with access to your cluster. |

AKS-Arc/container-storage-interface-disks.md

@@ -3,7 +3,7 @@ title: Use Container Storage Interface (CSI) disk drivers in AKS enabled by Azur
 description: Learn how to use Container Storage Interface (CSI) drivers to manage disks in AKS enabled by Arc.
 author: sethmanheim
 ms.topic: how-to
-ms.date: 03/14/2024
+ms.date: 07/03/2025
 ms.author: sethm
 ms.lastreviewed: 01/14/2022
 ms.reviewer: abha
@@ -23,19 +23,19 @@ This article describes how to use Container Storage Interface (CSI) built-in sto
 
 ## Dynamically create disk persistent volumes using built-in storage class
 
-A *storage class* is used to define how a unit of storage is dynamically created with a persistent volume. For more information on how to use storage classes, see [Kubernetes storage classes](https://kubernetes.io/docs/concepts/storage/storage-classes/). 
+A *storage class* is used to define how a unit of storage is dynamically created with a persistent volume. For more information about how to use storage classes, see [Kubernetes storage classes](https://kubernetes.io/docs/concepts/storage/storage-classes/).
 
-In AKS Arc, the **default** storage class is created by default and uses CSI to create VHDX-backed volumes. The reclaim policy ensures that the underlying VHDX is deleted when the persistent volume that used it is deleted. The storage class also configures the persistent volumes to be expandable; you just need to edit the persistent volume claim with the new size.
+In AKS Arc, the default storage class uses CSI to create VHDX-backed volumes. The reclaim policy ensures that the underlying VHDX is deleted when the persistent volume that used it is deleted. The storage class also configures the persistent volumes to be expandable; you just need to edit the persistent volume claim with the new size.
 
-To leverage this storage class, create a [PVC](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) and a respective pod that references and uses it. A PVC is used to automatically provision storage based on a storage class. A PVC can use one of the pre-created storage classes or a user-defined storage class to create a VHDX of the desired size. When you create a pod definition, the PVC is specified to request the desired storage.
+To use this storage class, create a [Persistent Volume Claim (PVC)](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) and a respective pod that references and uses it. A PVC is used to automatically provision storage based on a storage class. A PVC can use one of the pre-created storage classes or a user-defined storage class to create a VHDX of the desired size. When you create a pod definition, the PVC is specified to request the desired storage.
 
 ## Create custom storage class for disks
 
 The default storage class is suitable for most common scenarios. However, in some cases, you may want to create your own storage class that stores PVs at a particular location mapped to a specific performance tier.
 
 If you have Linux workloads (pods), you must create a custom storage class with the parameter `fsType: ext4`. This requirement applies to Kubernetes versions 1.19 and 1.20 or later. The following example shows a custom storage class definition with `fsType` parameter defined:
 
-```YAML
+```yaml
 apiVersion: storage.k8s.io/v1
 kind: StorageClass
 metadata:
@@ -56,7 +56,7 @@ volumeBindingMode: Immediate
 allowVolumeExpansion: true  
 ```
 
-If you create a custom storage class, you can specify the location where you want to store PVs. If the underlying infrastructure is Azure Local, this new location could be a volume that's backed by high-performing SSDs/NVMe or a cost-optimized volume backed by HDDs.
+If you create a custom storage class, you can specify the location in which you want to store PVs. If the underlying infrastructure is Azure Local, this new location could be a volume that's backed by high-performing SSDs/NVMe, or a cost-optimized volume backed by HDDs.
 
 Creating a custom storage class is a two-step process:
 
@@ -75,7 +75,8 @@ Creating a custom storage class is a two-step process:
    ```azurecli
    $storagepathID = az stack-hci-vm storagepath show --name $storagepathname --resource-group $resource_group --query "id" -o tsv 
    ```
-2. Create a new custom storage class using the new storage path.
+
+1. Create a new custom storage class using the new storage path.
 
    1. Create a file named **sc-aks-hci-disk-custom.yaml**, and then copy the manifest from the following YAML file. The storage class is the same as the default storage class except with the new `container`. Use the `storage path ID` created in the previous step for `container`. For `group` and `hostname`, query the default storage class by running `kubectl get storageclass default -o yaml`, and then use the values that are specified:
 
@@ -100,9 +101,9 @@ Creating a custom storage class is a two-step process:
       volumeBindingMode: Immediate
       ```
 
-   2. Create the storage class with the [kubectl apply](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply/) command and specify your **sc-aks-hci-disk-custom.yaml** file: 
+   1. Create the storage class with the [kubectl apply](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply/) command and specify your **sc-aks-hci-disk-custom.yaml** file:
 
-      ```console
+      ```azurecli
        $ kubectl apply -f sc-aks-hci-disk-custom.yaml
        storageclass.storage.k8s.io/aks-hci-disk-custom created
       ```
@@ -121,7 +122,7 @@ Creating a custom storage class is a two-step process:
    Get-AksHciStorageContainer -Name "customStorageContainer"
    ```
 
-2. Create a new custom storage class using the new storage path.
+1. Create a new custom storage class using the new storage path.
 
    1. Create a file named **sc-aks-hci-disk-custom.yaml**, and then copy the manifest from the following YAML file. The storage class is the same as the default storage class except with the new `container`. Use the `storage container name` created in the previous step for `container`. For `group` and `hostname`, query the default storage class by running `kubectl get storageclass default -o yaml`, and then use the values that are specified:
 
@@ -146,15 +147,15 @@ Creating a custom storage class is a two-step process:
       volumeBindingMode: Immediate
       ```
 
-   2. Create the storage class with the [kubectl apply](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply/) command and specify your **sc-aks-hci-disk-custom.yaml** file: 
-  
-      ```console
-       $ kubectl apply -f sc-aks-hci-disk-custom.yaml
-       storageclass.storage.k8s.io/aks-hci-disk-custom created
+   1. Create the storage class with the [kubectl apply](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply/) command and specify your **sc-aks-hci-disk-custom.yaml** file:
+
+      ```azurecli
+      $ kubectl apply -f sc-aks-hci-disk-custom.yaml
+      storageclass.storage.k8s.io/aks-hci-disk-custom created
       ```
 
    ---
 
 ## Next steps
 
-- [Use the file Container Storage Interface drivers](container-storage-interface-files.md)
+[Use the Container Storage Interface file drivers](container-storage-interface-files.md)

AKS-Arc/create-kubernetes-cluster.md

@@ -3,7 +3,7 @@ title: Quickstart to create a local Kubernetes cluster using Windows Admin Cente
 description: Learn how to create a local Kubernetes cluster using Windows Admin Center
 author: sethmanheim
 ms.topic: quickstart
-ms.date: 12/27/2023
+ms.date: 07/03/2025
 ms.author: sethm 
 ms.lastreviewed: 1/14/2022
 ms.reviewer: dawhite