Use the Mariner container host on Azure Kubernetes Service (AKS)

Mariner is an open-source Linux distribution created by Microsoft, and it’s now available for preview as a container host on Azure Kubernetes Service (AKS). The Mariner container host provides reliability and consistency from cloud to edge across the AKS, AKS-HCI, and Arc products. You can deploy Mariner node pools in a new cluster, add Mariner node pools to your existing Ubuntu clusters, or migrate your Ubuntu nodes to Mariner nodes. To learn more about Mariner, see the Mariner documentation.

Why use Mariner

The Mariner container host on AKS uses a native AKS image that provides one place to do all Linux development. Every package is built from source and validated, ensuring your services run on proven components. Mariner is lightweight, only including the necessary set of packages needed to run container workloads. It provides a reduced attack surface and eliminates patching and maintenance of unnecessary packages. At Mariner's base layer, it has a Microsoft hardened kernel tuned for Azure. Learn more about the key capabilities of Mariner.

How to use Mariner on AKS

To get started using Mariner on AKS, see:

• Creating a cluster with Mariner
• Add a Mariner node pool to your existing cluster
• Ubuntu to Mariner migration

How to upgrade Mariner nodes

We recommend keeping your clusters up to date and secured by enabling automatic upgrades for your cluster. To enable automatic upgrades, see:

• Automatically upgrade an Azure Kubernetes Service (AKS) cluster
• Deploy kured in an AKS cluster

To manually upgrade the node-image on a cluster, you can run az aks nodepool upgrade:

az aks nodepool upgrade \
    --resource-group myResourceGroup \
    --cluster-name myAKSCluster \
    --name myNodePool \
    --node-image-only

Regional availability

Mariner is available for use in the same regions as AKS.

Limitations

Mariner currently has the following limitations:

• Image SKUs for SGX and FIPS are not available.
• It doesn't meet the Federal Information Processing Standard (FIPS) 140 compliance requirements and Center for Internet Security (CIS) certification.
• Mariner can't yet be deployed through the Azure portal.
• Qualys, Trivy, and Microsoft Defender for Containers are the only vulnerability scanning tools that support Mariner today.
• Mariner doesn't support AppArmor. Support for SELinux can be manually configured.
• Some addons, extensions, and open-source integrations may not be supported yet on Mariner. Azure Monitor, Grafana, Helm, Key Vault, and Container Insights are supported.