Tutorial: Create a cluster with the Azure Linux with OS Guard (preview) for Azure Kubernetes Service (AKS)

In this tutorial, part one of five, you learn how to:

  • Install the Kubernetes CLI, kubectl.
  • Install the aks-preview Azure CLI extension.
  • Register the AzureLinuxOSGuardPreview feature flag.
  • Create an Azure resource group.
  • Create and deploy an Azure Linux with OS Guard cluster.
  • Configure kubectl to connect to your Azure Linux with OS Guard cluster.

In later tutorials, you learn how to add an Azure Linux with OS Guard node pool to an existing cluster and migrate existing nodes to Azure Linux with OS Guard.

Considerations and limitations

Before you begin, review the following considerations and limitations for Azure Linux with OS Guard (preview):

Prerequisites

Install the aks-preview Azure CLI extension

Important

AKS preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available," and they're excluded from the service-level agreements and limited warranty. AKS previews are partially covered by customer support on a best-effort basis. As such, these features aren't meant for production use. For more information, see the following support articles:

  • Install the aks-preview extension using the az extension add command.

    az extension add --name aks-preview
    
  • Update to the latest version of the extension using the az extension update command.

    az extension update --name aks-preview
    

Register the Azure Linux OS Guard Preview feature flag

  1. Register the AzureLinuxOSGuardPreview feature flag using the az feature register command.

    az feature register --namespace "Microsoft.ContainerService" --name "AzureLinuxOSGuardPreview"
    

    It takes a few minutes for the status to show Registered.

  2. Verify the registration status using the az feature show command.

    az feature show --namespace "Microsoft.ContainerService" --name "AzureLinuxOSGuardPreview"
    
  3. When the status reflects Registered, refresh the registration of the Microsoft.ContainerService resource provider using the az provider register command.

    az provider register --namespace "Microsoft.ContainerService"
    

Create a resource group

An Azure resource group is a logical group in which Azure resources are deployed and managed. When you create a resource group, you must specify a location. This location is:

  • The storage location of your resource group metadata.
  • Where your resources run in Azure if you don't specify another region when creating a resource.

Create a resource group using the az group create command. Before running the command, environment variables are declared to ensure unique resource names for each deployment. The same variables are reused by the cluster commands later in this tutorial.

export RANDOM_ID="$RANDOM"   # short random suffix so names are unique per deployment
export RESOURCE_GROUP_NAME="testAzureLinuxOSGuardResourceGroup$RANDOM_ID"
export CLUSTER_NAME="testAzureLinuxOSGuardCluster$RANDOM_ID"
export REGION="EastUS2"
az group create --name $RESOURCE_GROUP_NAME --location $REGION

Example output:

{
  "id": "/subscriptions/xxxxx/resourceGroups/testAzureLinuxOSGuardResourceGroupxxxxx",
  "location": "EastUS2",
  "managedBy": null,
  "name": "testAzureLinuxOSGuardResourceGroupxxxxx",
  "properties": {
    "provisioningState": "Succeeded"
  },
  "tags": null,
  "type": "Microsoft.Resources/resourceGroups"
}

Create an Azure Linux with OS Guard (preview) cluster

Create an AKS cluster using the az aks create command with the --os-sku AzureLinuxOSGuard parameter to provision an Azure Linux with OS Guard cluster. Enabling FIPS, secure boot, and vTPM is required to use Azure Linux with OS Guard, so the command must include --enable-fips-image, --enable-secure-boot, and --enable-vtpm. The following example creates an Azure Linux with OS Guard cluster using the resource group and variables declared earlier:

az aks create --name $CLUSTER_NAME --resource-group $RESOURCE_GROUP_NAME --os-sku AzureLinuxOSGuard --node-osdisk-type Managed --enable-fips-image --enable-secure-boot --enable-vtpm

Example output:

{
  "id": "/subscriptions/xxxxx/resourceGroups/testAzureLinuxOSGuardResourceGroupxxxxx/providers/Microsoft.ContainerService/managedClusters/testAzureLinuxOSGuardClusterxxxxx",
  "location": "WestUS2",
  "name": "testAzureLinuxOSGuardClusterxxxxx",
  "properties": {
    "provisioningState": "Succeeded"
  },
  "type": "Microsoft.ContainerService/managedClusters"
}

After a few minutes, the command completes and returns JSON-formatted information about the cluster.
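Because OS Guard only gives you its guarantees when all four settings (OS SKU, FIPS image, secure boot, vTPM) are actually on the node pool, it is worth checking the deployed pool rather than trusting the command line that created it. The following script is an added example, not part of this tutorial: it reads the JSON from az aks nodepool list and reports any pool that falls short. The field names it inspects (osSku, enableFips, securityProfile.enableSecureBoot, securityProfile.enableVtpm) are an assumption about the CLI's output shape, and the sample pools are constructed.

```python
"""Verify AKS node pools carry the Azure Linux with OS Guard settings this
tutorial requires: OS SKU AzureLinuxOSGuard, FIPS image, secure boot, vTPM.

Assumed CLI output field names (not from the tutorial): osSku, enableFips,
securityProfile.enableSecureBoot and securityProfile.enableVtpm.
"""
import json
import sys

# What a compliant OS Guard node pool must report.
REQUIRED = {
    "osSku": "AzureLinuxOSGuard",
    "enableFips": True,
    "securityProfile.enableSecureBoot": True,
    "securityProfile.enableVtpm": True,
}


def _lookup(obj, dotted):
    """Walk a dotted path through nested dicts; None if any key is absent."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def check_nodepool(pool):
    """Return a list of findings for one pool; an empty list means compliant."""
    findings = []
    for path, want in REQUIRED.items():
        got = _lookup(pool, path)
        if got != want:
            findings.append(f"{pool.get('name', '?')}: {path} is {got!r}, expected {want!r}")
    return findings


def check_all(pools):
    """Flatten findings across every pool in an `az aks nodepool list` result."""
    return [f for pool in pools for f in check_nodepool(pool)]


# Constructed sample: one pool created with all flags from this tutorial, and
# one created without --enable-vtpm.
SAMPLE_POOLS = [
    {"name": "nodepool1", "osSku": "AzureLinuxOSGuard", "enableFips": True,
     "securityProfile": {"enableSecureBoot": True, "enableVtpm": True}},
    {"name": "nodepool2", "osSku": "AzureLinuxOSGuard", "enableFips": True,
     "securityProfile": {"enableSecureBoot": True, "enableVtpm": False}},
]

if __name__ == "__main__":
    # Pipe `az aks nodepool list -g $RESOURCE_GROUP_NAME --cluster-name $CLUSTER_NAME -o json`
    # into this script; with no piped input the constructed sample is checked.
    pools = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POOLS
    problems = check_all(pools)
    print("\n".join(problems) or "all node pools meet the OS Guard requirements")
    sys.exit(1 if problems else 0)
```

A non-zero exit makes the check usable as a gate in a pipeline that runs after az aks create.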

Connect to the cluster using kubectl

Configure kubectl to connect to your Kubernetes cluster using the az aks get-credentials command. The following example gets credentials for the Azure Linux Container Host cluster using the resource group and cluster name created earlier:

az aks get-credentials --resource-group $RESOURCE_GROUP_NAME --name $CLUSTER_NAME

Verify the connection to your cluster using the kubectl get nodes command to return a list of the cluster nodes.

kubectl get nodes

Example output:

NAME                           STATUS   ROLES   AGE     VERSION
aks-nodepool1-00000000-0       Ready    agent   10m     v1.20.7
aks-nodepool1-00000000-1       Ready    agent   10m     v1.20.7

Next steps

In this tutorial, you created and deployed an Azure Linux with OS Guard cluster. In the next tutorial, you learn how to add an Azure Linux with OS Guard node pool to an existing cluster.