Merge branch 'release-local-2506' into 6b-sec-updates-2506

Author: v-sissondan

.acrolinx-config.edn

@@ -1,2 +1,2 @@
 {:allowed-branchname-matches ["main" "release-.*"]
-:allowed-filename-matches ["azure-stack" "AKS-Hybrid" "azure-managed-lustre" "azure-local"]}
+:allowed-filename-matches ["azure-stack" "azure-managed-lustre" "azure-local" "(?i)(AKS-Arc)(?!/reference)"]}

AKS-Arc/TOC.yml

@@ -5,6 +5,8 @@
   items:
   - name: What is AKS enabled by Azure Arc?
     href: aks-overview.md
+  - name: Compare AKS across platforms
+    href: aks-platforms-compare.md 
   - name: Supported Kubernetes versions
     href: supported-kubernetes-versions.md  
   - name: Data collection
@@ -125,7 +127,7 @@
         href: cluster-labels.md
       - name: Taints
         href: aks-arc-use-node-taints.md
-    - name: Use auto-scaler
+    - name: Use autoscaler
       href: auto-scale-aks-arc.md
     - name: Upgrade Kubernetes clusters
       href: cluster-upgrade.md

AKS-Arc/aks-platforms-compare.md

@@ -21,7 +21,7 @@ AKS on Azure Local uses Azure Arc to create new Kubernetes clusters on Azure Loc
 
 The following Kubernetes cluster deployment and management capabilities are available:
 
-- **Pricing**: AKS is now included in Azure Local pricing, effective January 2025. This means that you only need to pay for Azure Local. There are no separate costs for running AKS clusters, including Linux and Windows node pools.
+- **Pricing**: AKS is now included in Azure Local pricing, effective January 2025. This means that you only need to pay for Azure Local.
 - **Simplified infrastructure deployment on Azure Local**. Infrastructure components of AKS Arc like Arc Resource Bridge, Custom Location and the Kubernetes Extension for the AKS Arc operator, are all deployed as part of the Azure Local. The whole lifecycle management of AKS Arc infrastructure follows the same approach as the other components on Azure Local.
 - **Cloud-based management**: Create and manage Kubernetes clusters on Azure Local with familiar tools such as the Azure portal, Azure CLI, Azure Resource Manager, and Bicep and Terraform templates.
 - **Arc Gateway integration**: Deploy AKS Arc clusters with pod-level Arc Proxy and communicate with the Arc gateway, reducing the list of outbound URLs to configure in an isolated network environment.

AKS-Arc/aks-windows-server-retirement.md

@@ -1,13 +1,13 @@
 ---
 title: Use auto-scaling in a Kubernetes cluster
-description: Learn how to use Az CLI for cluster autoscaling.
+description: Learn how to use Azure CLI for cluster autoscaling.
 ms.topic: how-to
 ms.custom: devx-track-azurecli
 author: sethmanheim
 ms.author: sethm
-ms.date: 05/02/2025
+ms.date: 06/09/2025
 ms.reviewer: abha
-ms.lastreviewed: 05/02/2025
+ms.lastreviewed: 06/09/2025
 
 # Intent: As a Kubernetes user, I want to use cluster autoscaling to grow my nodes to keep up with application demand.
 # Keyword: cluster autoscaling Kubernetes
@@ -147,6 +147,18 @@ az aksarc update \
   --cluster-autoscaler-profile ""
 ```
 
+## Make effective use of autoscaler
+
+Now that the cluster and node pool are configured to automatically scale, you can optionally configure a workload to also scale in a way that makes use of the horizontal autoscaler capabilities.
+
+> [!NOTE]
+> The following guidance is not officially supported by Microsoft. It's shared as a best-effort recommendation based on open-source practices.
+
+There are two methods available for workload scaling:
+
+- **Kubernetes Horizontal Pod Autoscaler**: Based on load characteristics, the Horizontal Pod Autoscaler (also known as the *horizontal autoscaler*) scales the pods of an application deployment to available nodes in the Kubernetes cluster. If no more nodes are available to be scheduled, the horizontal autoscaler instantiates a new node to which to schedule the pods. If the application load subsides, the nodes are scaled back again. For the Horizontal Pod Autoscaler to work, you must manually deploy the Metrics Server component in your AKS cluster. For more information about horizontal pod autoscaler rules, see [Kubernetes horizontal pod autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/).
+- **Kubernetes node anti-affinity rules**: Anti-affinity rules for a Kubernetes deployment can specify that a set of pods can't be scaled on the same node, and a different node is required to scale the workload. In combination with either load characteristics or the number of target pods for the application instances, the horizontal autoscaler instantiates new nodes in the node pool to satisfy requests. If application demand subsides, the horizontal autoscaler scales down the node pool again. For more information about Kubernetes pod affinity rules, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node).
+
 ## Next steps
 
 This article showed you how to automatically scale the number of AKS Arc nodes. To scale node pools manually, see [manage node pools in AKS Arc clusters](manage-node-pools.md).

AKS-Arc/auto-scale-aks-arc.md

@@ -3,7 +3,7 @@ title: Concepts - Storage options for applications in AKS enabled by Azure Arc
 description: Storage options for applications in AKS enabled by Azure Arc.
 author: sethmanheim
 ms.topic: conceptual
-ms.date: 06/24/2024
+ms.date: 06/16/2025
 ms.author: sethm 
 ms.lastreviewed: 1/14/2022
 ms.reviewer: abha
@@ -112,6 +112,23 @@ volumeMounts:
           name: k-dir 
 ```
 
+## Secure pod access to mounted volumes
+
+For your applications to run correctly, pods should run as a defined user or group and not as *root*. The `securityContext` for a pod or container lets you define settings such as *fsGroup* to assume the appropriate permissions on the mounted volumes.
+
+**fsGroup** is a field within the `securityContext` of a Kubernetes pod specification. It defines a supplemental group ID that Kubernetes assigns to all processes in the pod, and recursively to the files in mounted volumes. This ensures that the pod has the correct group-level access to shared storage volumes.
+
+When a volume is mounted, Kubernetes changes the ownership of the volume's contents to match the **fsGroup** value. This is particularly useful when containers run as non-root users and need write access to shared volumes.
+
+The following example YAML shows the **fsgroup** value:
+
+```yaml
+securityContext:
+  fsGroup: 2000
+```
+
+In this example, all files in mounted volumes are accessible by GID 2000.
+
 ## Next steps
 
 - [Use the AKS on Azure Local disk Container Storage Interface (CSI) drivers](./container-storage-interface-disks.md).

AKS-Arc/concepts-storage.md

@@ -3,7 +3,7 @@ title: Use Container Storage Interface (CSI) file drivers in AKS enabled by Azur
 description: Learn how to use Container Storage Interface (CSI) drivers to manage files in AKS Arc.
 author: sethmanheim
 ms.topic: how-to
-ms.date: 08/20/2024
+ms.date: 06/16/2025
 ms.author: sethm 
 ms.lastreviewed: 01/14/2022
 ms.reviewer: abha
@@ -31,7 +31,7 @@ If multiple nodes need concurrent access to the same storage volumes in AKS Arc,
 
 ### [AKS on Azure Local](#tab/local)
 
-1. Make sure the SMB driver is deployed. The SMB CSI driver is installed by default when you create a Kubernetes cluster using the Azure portal or the `az aksarc create` command. If you create a Kubernetes cluster by using `--disable-smb-driver`, you must enable the SMB driver on this cluster using the `az aksarc update` command:
+1. Make sure the SMB driver is deployed. The SMB CSI driver is installed by default when you create a Kubernetes cluster using the `az aksarc create` command. If you create a Kubernetes cluster by using the Azure portal, Azure Resource Manager (ARM) template, or Terraform, or by using the `az aksarc create` command with `--disable-smb-driver`, you must enable the SMB driver on this cluster using the `az aksarc update` command:
 
    ```azurecli
    az aksarc update -n $aksclustername -g $resource_group --enable-smb-driver
@@ -78,7 +78,7 @@ If multiple nodes need concurrent access to the same storage volumes in AKS Arc,
 
 ### [AKS on Azure Local](#tab/local)
 
-1. Make sure the NFS driver is deployed. The NFS CSI driver is installed by default when you create a Kubernetes cluster using the Azure portal or the `az aksarc create` command. If you create a Kubernetes cluster by using `--disable-nfs-driver`, you must enable the the NFS driver on this cluster using the `az aksarc update` command:
+1. Make sure the NFS driver is deployed. The NFS CSI driver is installed by default when you create a Kubernetes cluster using the `az aksarc create` command. If you create a Kubernetes cluster by using the Azure portal, Azure Resource Manager (ARM) template, or Terraform, or by using the `az aksarc create` command with `--disable-nfs-driver`, you must enable the the NFS driver on this cluster using the `az aksarc update` command:
 
    ```azurecli
    az aksarc update -n $aksclustername -g $resource_group --enable-nfs-driver

AKS-Arc/container-storage-interface-files.md

@@ -4,9 +4,9 @@ description: Learn how to deploy an AI model on AKS enabled by Azure Arc with th
 author: sethmanheim
 ms.author: sethm
 ms.topic: how-to
-ms.date: 05/20/2025
+ms.date: 05/27/2025
 ms.reviewer: haojiehang
-ms.lastreviewed: 05/20/2025
+ms.lastreviewed: 05/27/2025
 
 ---
 
@@ -167,12 +167,7 @@ kubectl run -it --rm --restart=Never curl --image=curlimages/curl -- curl -X POS
 
 ```powershell
 $CLUSTERIP = $(kubectl get svc workspace-llm -o jsonpath="{.spec.clusterIPs[0]}" )
-$jsonContent = '{
-    "model": "phi-3.5-mini-instruct",
-    "prompt": "What is kubernetes?",
-    "max_tokens": 20,
-    "temperature": 0
-  }'
+$jsonContent = '{"model":"phi-3.5-mini-instruct","prompt":"What is kubernetes","max_tokens":200,"temperature":0}' | ConvertTo-Json
 
 kubectl run -it --rm --restart=Never curl --image=curlimages/curl -- curl -X POST http://$CLUSTERIP/v1/completions -H "accept: application/json" -H "Content-Type: application/json" -d $jsonContent
 ```
@@ -209,4 +204,5 @@ The following table shows the supported GPU models and their corresponding VM SK
 
 ## Next steps
 
-In this article, you learned how to deploy an AI model on AKS enabled by Azure Arc with the Kubernetes AI toolchain operator (KAITO). For more information about the KAITO project, see the [KAITO GitHub repo](https://github.com/kaito-project/kaito).
+* [Monitor the inference metrics](/azure/aks/ai-toolchain-operator-monitoring) in Managed Prometheus and Managed Grafana
+* For more information about KAITO, see [KAITO GitHub Repo](https://github.com/kaito-project/kaito)

AKS-Arc/deploy-ai-model.md

@@ -3,7 +3,7 @@ title: Monitor Kubernetes audit events in AKS enabled by Azure Arc
 description: Learn how to create a diagnostic setting to access Kubernetes audit logs.
 author: sethmanheim
 ms.topic: how-to
-ms.date: 05/08/2024
+ms.date: 06/12/2025
 ms.author: sethm 
 ms.lastreviewed: 02/26/2024
 ms.reviewer: guanghu
@@ -18,7 +18,7 @@ You can access Kubernetes audit logs in Kubernetes control plane logs. Control p
 
 ## Create a diagnostic setting
 
-Before creating the diagnostic setting, install the **Arc K8S** extension, which enables log collection from the AKS cluster.
+Before you create the diagnostic setting, install the **Arc K8S** extension, which enables log collection from the AKS cluster.
 
 Install the Arc K8S extension by running the following command:
 
@@ -56,4 +56,4 @@ az k8s-extension delete -g <resouerce-group-name> -c <cluster-name> --cluster-ty
 
 ## Next steps
 
-[Monitor Kubernetes object events](kubernetes-monitor-object-events.md)
+[Monitor Kubernetes object events](kubernetes-monitor-object-events.md)

AKS-Arc/kubernetes-monitor-audit-events.md

@@ -233,6 +233,8 @@ items:
         items:
         - name: Using Azure Marketplace images
           href: manage/virtual-machine-image-azure-marketplace.md
+        - name: Using Azure Compute Gallery images
+          href: manage/virtual-machine-image-azure-compute-gallery.md
         - name: Using images in Azure Storage account
           href: manage/virtual-machine-image-storage-account.md
         - name: Using images in local share