Azure Kubernetes Service OS upgrades and Patching

Satish 6 Reputation points
2020-12-07T14:08:14.8+00:00

Azure Kubernetes cluster -

We would like to understand if the OS upgrades and patching of the Virtual machine scale sets created as part of AKS deployment are performed automatically or should those be manually upgraded. This applies for both Linux/Windows node pools.

As per the Virtual machine scale sets documentation (https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade) only a set of images are supported for OS upgrades with specific publisher name (for instance Microsoft Corporation).

However, the AKS deployed VMSS image publisher is (microsoft-aks) and since its not listed in the supported published images, do we need to manually perform OS upgrades and patching.

We could see the Vmss deployed by AKS cluster shows the this information "Automatic OS upgrades are not available for the image used by this scale set." under Operating system details.

Azure Kubernetes documentation below provides details on how to upgrade node pools and automate.

https://learn.microsoft.com/en-us/azure/aks/node-image-upgrade
https://learn.microsoft.com/en-us/azure/aks/node-upgrade-github-actions

Please let us know if AKS manages OS upgrades and Patching for which images / scenarios and in which cases should the manual node upgrades should be performed.

Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
1,853 questions
{count} vote

2 answers

Sort by: Most helpful
  1. dt1984 1 Reputation point
    2020-12-08T10:09:38.95+00:00

  2. prmanhas-MSFT 17,886 Reputation points Microsoft Employee
    2020-12-30T06:00:52.777+00:00

    @Satish Apologies for delay in response and all the inconvenience caused because of the issue.

    I had discussion with our internal team which took time.

    AKS automatically applies security patches daily. The only action needed from the customer is to reboot nodes when needed (e.g. Kernel patches require a reboot to take effect). The documents you link above about node image upgrade details the process to update the VM image so that you can get updates such as new Python point release, or bugfixes etc, which aren't critical for running containers.

    There's no "VMSS only" experience currently you can enable, there's the AKS solution + OSS.

    Also there is a workitem underway to enhance the documentation based on functionality around VMSS in AKS.

    Hope it helps!!!!

    Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.