Tutorial: Add an Azure Linux with OS Guard (preview) node pool to an existing Azure Kubernetes Service (AKS) cluster

Deploy and Explore

In Azure Kubernetes Service (AKS), nodes with the same configurations are grouped together into node pools. Each node pool contains the virtual machines (VMs) that run your applications. In the previous tutorial, you created an Azure Linux with OS Guard cluster with a single node pool. To meet the varying compute, storage, or security requirements of your applications, you can add user node pools.

In this tutorial, part two of five, you learn how to:

• Add an Azure Linux with OS Guard node pool to an existing cluster.
• Check the status of your node pools.

In later tutorials, you learn how to migrate nodes to Azure Linux with OS Guard and enable telemetry to monitor your clusters.

Considerations and limitations

Before you begin, review the following considerations and limitations for Azure Linux with OS Guard (preview):

• Kubernetes version 1.32.0 or higher is required for Azure Linux with OS Guard.
• All Azure Linux with OS Guard images have Federal Information Process Standard (FIPS) and Trusted Launch enabled.
• Azure CLI and ARM templates are the only supported deployment methods for Azure Linux with OS Guard on AKS in preview. PowerShell and Terraform aren't supported.
• Arm64 images aren't supported with Azure Linux with OS Guard on AKS in preview.
• NodeImage and None are the only supported OS Upgrade channels for Azure Linux with OS Guard on AKS. Unmanaged and SecurityPatch are incompatible with Azure Linux with OS Guard due to the immutable /usr directory.
• Artifact Streaming isn't supported.
• Pod Sandboxing isn't supported.
• Confidential Virtual Machines (CVMs) aren't supported.
• Gen 1 virtual machines (VMs) aren't supported.

Prerequisites

• In the previous tutorial, you created and deployed an Azure Linux with OS Guard cluster. If you haven't completed these steps and want to follow along, see Tutorial 1: Create a cluster with Azure Linux with OS Guard for AKS.
• You need the latest version of Azure CLI. Use the az version command to find the version. To upgrade to the latest version, use the az upgrade command.

Install the aks-preview Azure CLI extension

Important

AKS preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available," and they're excluded from the service-level agreements and limited warranty. AKS previews are partially covered by customer support on a best-effort basis. As such, these features aren't meant for production use. For more information, see the following support articles:

• AKS support policies
• Azure support FAQ

• Install the aks-preview extension using the az extension add command.

  az extension add --name aks-preview
  

• Update to the latest version of the extension using the az extension update command.

  az extension update --name aks-preview
  

Register the Azure Linux OS Guard Preview feature flag

1. Register the AzureLinuxOSGuardPreview feature flag using the az feature register command.

   az feature register --namespace "Microsoft.ContainerService" --name "AzureLinuxOSGuardPreview"
   

   It takes a few minutes for the status to show Registered.

2. Verify the registration status using the az feature show command.

   az feature show --namespace "Microsoft.ContainerService" --name "AzureLinuxOSGuardPreview"
   

3. When the status reflects Registered, refresh the registration of the Microsoft.ContainerService resource provider using the az provider register command.

   az provider register --namespace "Microsoft.ContainerService"
   

Add an Azure Linux with OS Guard node pool

Add an Azure Linux with OS Guard node pool into your existing cluster using the az aks nodepool add command and specify --os-sku AzureLinuxOSGuard. Enabling FIPS, secure boot, and vtpm are also required to use Azure Linux with OS Guard. The following example creates a node pool named osgNodepool that adds three nodes in the testAzureLinuxOSGuardCluster cluster in the testAzureLinuxOSGuardResourceGroup resource group. Environment variables are declared and a random suffix is appended to the resource group and cluster names to ensure uniqueness.

export RANDOM_SUFFIX=$(openssl rand -hex 3)
export NODEPOOL_NAME="np$RANDOM_SUFFIX"

az aks nodepool add \
    --resource-group $RESOURCE_GROUP \
    --cluster-name $CLUSTER_NAME \
    --name $NODEPOOL_NAME \
    --node-count 3 \
    --os-sku AzureLinuxOSGuard
    --node-osdisk-type Managed 
    --enable-fips-image 
    --enable-secure-boot 
    --enable-vtpm

Example output:

{
  "agentPoolType": "VirtualMachineScaleSets",
  "count": 3,
  "name": "osgNodepool",
  "osType": "Linux",
  "provisioningState": "Succeeded",
  "resourceGroup": "testAzureLinuxOSGuardResourceGroupxxxxx",
  "type": "Microsoft.ContainerService/managedClusters/agentPools"
}

Note

The name of a node pool must start with a lowercase letter and can only contain alphanumeric characters. For Linux node pools, the length must be between one and 12 characters.

Check the node pool status

Check the status of your node pools using the az aks nodepool list command and specify your resource group and cluster name.

az aks nodepool list --resource-group $RESOURCE_GROUP --cluster-name $CLUSTER_NAME

Example output:

[
  {
    "agentPoolType": "VirtualMachineScaleSets",
    "availabilityZones": null,
    "count": 3,
    "enableAutoScaling": false,
    "enableEncryptionAtHost": false,
    "enableFips": false,
    "enableNodePublicIp": false,
    "id": "/subscriptions/REDACTED/resourcegroups/myAKSResourceGroupxxxxx/providers/Microsoft.ContainerService/managedClusters/myAKSClusterxxxxx/agentPools/npxxxxxx",
    "maxPods": 110,
    "mode": "User",
    "name": "npxxxxxx",
    "nodeImageVersion": "AzureLinuxContainerHost-2025.10.03",
    "orchestratorVersion": "1.32.6",
    "osDiskSizeGb": 128,
    "osDiskType": "Managed",
    "osSku": "AzureLinux",
    "osType": "Linux",
    "powerState": {
      "code": "Running"
    },
    "provisioningState": "Succeeded",
    "resourceGroup": "myAKSResourceGroupxxxxx",
    "type": "Microsoft.ContainerService/managedClusters/agentPools",
    "vmSize": "Standard_DS2_v2"
  },
  {
    "agentPoolType": "VirtualMachineScaleSets",
    "availabilityZones": null,
    "count": 3,
    "enableAutoScaling": false,
    "enableEncryptionAtHost": false,
    "enableFips": false,
    "enableNodePublicIp": false,
    "id": "/subscriptions/REDACTED/resourcegroups/myAKSResourceGroupxxxxx/providers/Microsoft.ContainerService/managedClusters/myAKSClusterxxxxx/agentPools/npxxxxxx",
    "maxPods": 110,
    "mode": "User",
    "name": "npxxxxxx",
    "nodeImageVersion": "AzureLinuxOSGuard-2025.10.03",
    "orchestratorVersion": "1.32.6",
    "osDiskSizeGb": 128,
    "osDiskType": "Managed",
    "osSku": "AzureLinuxOSGuard",
    "osType": "Linux",
    "powerState": {
      "code": "Running"
    },
    "provisioningState": "Succeeded",
    "resourceGroup": "myAKSResourceGroupxxxxx",
    "type": "Microsoft.ContainerService/managedClusters/agentPools",
    "vmSize": "Standard_DS2_v2"
  }
]

Next steps

In this tutorial, you added an Azure Linux with OS Guard node pool to your existing cluster. In the next tutorial, you learn how to migrate existing nodes to Azure Linux with OS Guard.

Migrate to Azure Linux with OS Guard