Updated text

Author: ronmiab

AKS-Arc/aks-platforms-compare.md

@@ -3,7 +3,7 @@ title: Azure Kubernetes Service (AKS) Cloud, Edge, and On-Premises Comparison
 description: Learn about Azure Kubernetes Service (AKS) features, capabilities, and pricing across cloud, edge, and on-premises environments to choose the best deployment for your needs.
 author: sethmanheim
 ms.topic: concept-article
-ms.date: 06/12/2025
+ms.date: 06/16/2025
 ms.author: sethm
 ms.reviewer: rmody
 ---
@@ -23,7 +23,7 @@ This article describes how AKS extends features across multiple platforms and hi
 
 ## General comparison of AKS across platforms
 
-| Platform | Azure (Cloud) | Azure Local (Edge/On-premises) | Edge Essentials (Edge/On-premises, Windows IoT client/server) | Windows Server (Edge/On-premises) |
+| Feature | Azure (Cloud) | Azure Local (Edge/On-premises) | Edge Essentials (Edge/On-premises, Windows IoT client/server) | Windows Server (Edge/On-premises) |
 | --- | --- | --- | --- | --- |
 | Supported infrastructure for Kubernetes cluster | Azure cloud | Azure Local, version 23H2 or later | - Windows 10/11 IoT Enterprise<br>- Windows 10/11 Enterprise<br>- Windows 10/11 Pro<br>- Windows Server 2019/2022 | - Windows Server 2019<br>- Windows Server 2022 |
 | CNCF conformant | Yes | Yes | Yes | Yes |
@@ -38,7 +38,7 @@ This article describes how AKS extends features across multiple platforms and hi
 
 ## Monitoring and diagnostic capabilities
 
-|   Feature       |     Azure Cloud    |     AKS on Azure Local    |      Edge Essentials (Windows IoT client/server)    |     Windows Server    |
+|   Feature       | Azure (Cloud) | Azure Local (Edge/On-premises) | Edge Essentials (Edge/On-premises, Windows IoT client/server) | Windows Server (Edge/On-premises) |
 | --- | --- | --- | --- | --- |
 |     Azure Monitor Container Insights     |     Yes    |     Yes, via Arc extensions    |     Yes, via Arc extensions    |     Yes, via Arc extensions    |
 |     Azure Monitor Managed Prometheus and control plane metrics scraping     |     Yes    |     Yes, via Arc extensions    |     Yes, via Arc extensions    |     Yes, via Arc extensions    |
@@ -48,7 +48,7 @@ This article describes how AKS extends features across multiple platforms and hi
 
 ## Node pool capabilities
 
-|  Feature                      | Azure Cloud | AKS on Azure Local    | Edge Essentials (Windows IoT client/server) | Windows Server |
+|   Feature       | Azure (Cloud) | Azure Local (Edge/On-premises) | Edge Essentials (Edge/On-premises, Windows IoT client/server) | Windows Server (Edge/On-premises) |
 | --- | --- | --- | --- | --- |
 | Windows node pool support      | - Yes<br>- Windows Server 2019 Datacenter<br>- Windows Server 2022 Datacenter | - Yes<br>- Windows Server 2019 Datacenter<br>- Windows Server 2022 Datacenter | - Yes<br>- Windows Server 2022 Datacenter (Core) | - Yes<br>- Windows Server 2019 Datacenter<br>- Windows Server 2022 Datacenter |
 | Linux OS offerings            | - Ubuntu 18.04<br>- Azure Linux | [CBL-Mariner](https://github.com/microsoft/CBL-Mariner) | [CBL-Mariner](https://github.com/microsoft/CBL-Mariner) | [CBL-Mariner](https://github.com/microsoft/CBL-Mariner) |
@@ -67,7 +67,7 @@ This article describes how AKS extends features across multiple platforms and hi
 
 ## Networking capabilities
 
-|  Feature                      | Azure Cloud | AKS on Azure Local    | Edge Essentials (Windows IoT /Client/Server) | Windows Server |
+|   Feature       | Azure (Cloud) | Azure Local (Edge/On-premises) | Edge Essentials (Edge/On-premises, Windows IoT client/server) | Windows Server (Edge/On-premises) |
 | --- | --- | --- | --- | --- |
 | Network creation and management | By default, Azure creates a virtual network and subnet for you. You can also choose an existing virtual network in which to create your AKS clusters. | Setting up networking parameters is a required prerequisite to deploy AKS on Azure Local. Network must have connectivity and IP address availability for successful operation of the cluster. | You must provide the IP address range for node IPs and service IPs that are available and have the right connection. The network configuration needed for the cluster is handled by AKS. See [AKS Edge Essentials networking](aks-edge-concept-networking.md). | You must create the network in Windows Server before creating an AKS cluster. Network must have connectivity and IP address availability for successful operation of the cluster. |
 | Supported networking option    | Bring your own Azure virtual network for AKS clusters. | Static IP networks with/without VLAN ID. | Static IP address or use reserved IPs when using DHCP. | - DHCP networks with/without VLAN ID.<br>- Static IP networks with/without VLAN ID. |
@@ -79,7 +79,7 @@ This article describes how AKS extends features across multiple platforms and hi
 
 ## Storage features
 
-| Feature                       | Azure Cloud                                                          | AKS on Azure Local                                                                                 | Edge Essentials (Windows IoT /Client/Server) | Windows Server                        |
+|   Feature       | Azure (Cloud) | Azure Local (Edge/On-premises) | Edge Essentials (Edge/On-premises, Windows IoT client/server) | Windows Server (Edge/On-premises) |
 | --- | --- | --- | --- | --- |
 | Types of supported persistent volumes | - Read Write Once<br>- Read Write Many                                         | - VHDX – Read Write Once<br>- SMB or NFS – Read Write Many<br>- ACSA - Read Write Many                             | - PVC using local storage<br>- ACSA                 | - VHDX – Read Write Once<br>- SMB or NFS - Read Write Many |
 | Container storage interface (CSI) support | Yes                                                                      | Yes                                                                                                    | Yes                                             | Yes                                         |
@@ -90,7 +90,7 @@ This article describes how AKS extends features across multiple platforms and hi
 
 ## Security and authentication options
 
-| Feature                       | Azure Cloud | AKS on Azure Local    | Edge Essentials (Windows IoT /Client/Server) | Windows Server |
+|   Feature       | Azure (Cloud) | Azure Local (Edge/On-premises) | Edge Essentials (Edge/On-premises, Windows IoT client/server) | Windows Server (Edge/On-premises) |
 | --- | --- | --- | --- | --- |
 | Access to Kubernetes cluster             | Kubectl         | Kubectl                   | Kubectl                                         | Kubectl              |
 | Kubernetes cluster authorization (RBAC)  | - Kubernetes RBAC<br>- Azure RBAC | - Kubernetes RBAC<br>- Azure RBAC | Kubernetes RBAC                                 | Kubernetes RBAC      |
@@ -107,15 +107,15 @@ This article describes how AKS extends features across multiple platforms and hi
 
 ## Pricing and SLA details
 
-| Feature                       | Azure Cloud                                                                           | AKS on Azure Local                        | Edge Essentials (Windows IoT client/server) | Windows Server                                               |
+|   Feature       | Azure (Cloud) | Azure Local (Edge/On-premises) | Edge Essentials (Edge/On-premises, Windows IoT client/server) | Windows Server (Edge/On-premises) |
 | --- | --- | --- | --- | --- |
 | Pricing                           | - Unlimited free clusters, pay for on-demand compute of worker node VMs.<br>- Paid tier available with uptime SLA, support for 5k nodes. | Included in Azure Local at no extra cost.  | Cost is per device per month.                        | Pricing is based on the number of workload cluster vCPUs. Control plane nodes and load balancer VMs are free. |
 | Azure Hybrid Benefit support       | Not applicable                                                                            | Not applicable - AKS already included at no extra cost. | No                                              | Yes                                                               |
 | SLA                               | Paid uptime SLA clusters for production with fixed cost on the API + worker node compute, storage and networking costs. | No SLA offered as the Kubernetes cluster is running on premises. | No SLA offered as the Kubernetes cluster is running on premises. | No SLA offered as the Kubernetes cluster is running on premises.           |
 
 ### AI/ML capabilities offered in each platform
 
-| Feature                      | Azure Cloud | AKS on Azure Local    | Edge Essentials (Windows IoT /Client/Server) | Windows Server |
+|   Feature       | Azure (Cloud) | Azure Local (Edge/On-premises) | Edge Essentials (Edge/On-premises, Windows IoT client/server) | Windows Server (Edge/On-premises) |
 | --- | --- | --- | --- | --- |
 | GPU support                       | Yes             | Yes                       | Yes                                             | Yes                  |
 | KAITO (Kubernetes AI toolchain operator) | Yes             | Yes, via Arc extensions   | No                                              | No                   |

AKS-Arc/concepts-storage.md

@@ -3,7 +3,7 @@ title: Concepts - Storage options for applications in AKS enabled by Azure Arc
 description: Storage options for applications in AKS enabled by Azure Arc.
 author: sethmanheim
 ms.topic: conceptual
-ms.date: 06/24/2024
+ms.date: 06/16/2025
 ms.author: sethm 
 ms.lastreviewed: 1/14/2022
 ms.reviewer: abha
@@ -112,6 +112,23 @@ volumeMounts:
           name: k-dir 
 ```
 
+## Secure pod access to mounted volumes
+
+For your applications to run correctly, pods should run as a defined user or group and not as *root*. The `securityContext` for a pod or container lets you define settings such as *fsGroup* to assume the appropriate permissions on the mounted volumes.
+
+**fsGroup** is a field within the `securityContext` of a Kubernetes pod specification. It defines a supplemental group ID that Kubernetes assigns to all processes in the pod, and recursively to the files in mounted volumes. This ensures that the pod has the correct group-level access to shared storage volumes.
+
+When a volume is mounted, Kubernetes changes the ownership of the volume's contents to match the **fsGroup** value. This is particularly useful when containers run as non-root users and need write access to shared volumes.
+
+The following example YAML shows the **fsgroup** value:
+
+```yaml
+securityContext:
+  fsGroup: 2000
+```
+
+In this example, all files in mounted volumes are accessible by GID 2000.
+
 ## Next steps
 
 - [Use the AKS on Azure Local disk Container Storage Interface (CSI) drivers](./container-storage-interface-disks.md).

AKS-Arc/container-storage-interface-files.md

@@ -3,7 +3,7 @@ title: Use Container Storage Interface (CSI) file drivers in AKS enabled by Azur
 description: Learn how to use Container Storage Interface (CSI) drivers to manage files in AKS Arc.
 author: sethmanheim
 ms.topic: how-to
-ms.date: 08/20/2024
+ms.date: 06/16/2025
 ms.author: sethm 
 ms.lastreviewed: 01/14/2022
 ms.reviewer: abha
@@ -31,7 +31,8 @@ If multiple nodes need concurrent access to the same storage volumes in AKS Arc,
 
 ### [AKS on Azure Local](#tab/local)
 
-1. Make sure the SMB driver is deployed. The SMB CSI driver is installed by default when you create a Kubernetes cluster using the Azure portal or the `az aksarc create` command. If you create a Kubernetes cluster by using `--disable-smb-driver`, you must enable the SMB driver on this cluster using the `az aksarc update` command:
+1. Make sure the SMB driver is deployed. The SMB CSI driver is installed by default when you create a Kubernetes cluster using the `az aksarc create` command. If you create the AKS cluster using the Azure portal, an Azure Resource Manager (ARM) template, or Terraform, the SMB CSI driver is not installed by default. You must enable the SMB driver on the AKS cluster.
+The equivalent Azure CLI command to update an existing AKS cluster and enable SMB is:
 
    ```azurecli
    az aksarc update -n $aksclustername -g $resource_group --enable-smb-driver
@@ -78,7 +79,8 @@ If multiple nodes need concurrent access to the same storage volumes in AKS Arc,
 
 ### [AKS on Azure Local](#tab/local)
 
-1. Make sure the NFS driver is deployed. The NFS CSI driver is installed by default when you create a Kubernetes cluster using the Azure portal or the `az aksarc create` command. If you create a Kubernetes cluster by using `--disable-nfs-driver`, you must enable the the NFS driver on this cluster using the `az aksarc update` command:
+1. Make sure the SMB driver is deployed. The SMB CSI driver is installed by default when you create a Kubernetes cluster using the `az aksarc create` command. If you create the AKS cluster using the Azure portal, an Azure Resource Manager (ARM) template, or Terraform, the SMB CSI driver is not installed by default. You must enable the SMB driver on the AKS cluster.
+The equivalent Azure CLI command to update an existing AKS cluster and enable SMB is:
 
    ```azurecli
    az aksarc update -n $aksclustername -g $resource_group --enable-nfs-driver

AKS-Arc/kubernetes-walkthrough-powershell.md

@@ -3,7 +3,7 @@ title: Use PowerShell to set up Kubernetes on Windows Server clusters
 description: Learn how to set up an AKS host and create Kubernetes clusters using Windows PowerShell.
 author: sethmanheim
 ms.topic: quickstart
-ms.date: 03/28/2025
+ms.date: 06/16/2025
 ms.author: sethm 
 ms.lastreviewed: 05/02/2022
 ms.reviewer: abha
@@ -117,7 +117,7 @@ Set-AksHciConfig -imageDir $csvPath\Images -workingDir $csvPath\ImageStore -clou
 ```
 
 > [!NOTE]
-> You must customize the values shown in this example command for your environment.
+> You must customize the values shown in this example command for your environment, but you can't change the VM name on the host or on the Kubernetes cluster.
 
 ## Step 4: sign in to Azure and configure registration settings