Tutorial: Upgrade Azure Linux with OS Guard (preview) nodes

Azure Linux with OS Guard ships updates through updated node images and automatic package updates. As part of the application and cluster lifecycle, we recommend keeping your clusters up to date and secured by enabling upgrades for your cluster. You can enable automatic node image upgrades to ensure your clusters use the latest Azure Linux with OS Guard image when they scale up. You can also manually upgrade the node image on a cluster.

In this tutorial, part five of five, you learn how to:

  • Manually upgrade the node image on a cluster.
  • Automatically upgrade an Azure Linux with OS Guard cluster.
  • Deploy Kured in an Azure Linux with OS Guard cluster.

Note

Any upgrade operation, whether performed manually or automatically, upgrades the node image version if it's not already on the latest version. The latest version is contingent on a full AKS release, and you can determine it by visiting the AKS release tracker.

Prerequisites

Manually upgrade your cluster

Manually upgrade the node image on your cluster using the az aks nodepool upgrade command.

az aks nodepool upgrade --resource-group $RESOURCE_GROUP --cluster-name $CLUSTER_NAME --name $NODEPOOL_NAME

Automatically upgrade your cluster

Auto-upgrade provides a "set once and forget" mechanism that yields time and operational cost benefits, ensuring your clusters stay up to date and don't miss the latest Azure Linux with OS Guard features or patches from AKS and upstream Kubernetes.

Automatic upgrades are functionally the same as manual upgrades. The selected channel determines the timing of upgrades. When making changes to auto-upgrade, allow 24 hours for the changes to take effect.

Set the auto-upgrade channel on an existing cluster using the az aks update command with the --auto-upgrade-channel parameter.

az aks update --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --auto-upgrade-channel stable

Example output:

{
  "id": "/subscriptions/xxxxx/resourceGroups/testAzureLinuxResourceGroup",
  "location": "WestUS2",
  "name": "testAzureLinuxCluster",
  "properties": {
    "autoUpgradeChannel": "stable",
    "provisioningState": "Succeeded"
  }
}

For more information on upgrade channels, see Using cluster auto-upgrade.

Automatically upgrade your node OS image

AKS also provides multiple auto-upgrade channels dedicated to timely node-level OS security updates. These channels are different from cluster-level Kubernetes version upgrades and supersede them.

Please note, NodeImage and None are the only supported OS Upgrade channels for Azure Linux with OS Guard on AKS. Unmanaged and SecurityPatch are incompatible with Azure Linux with OS Guard due to the immutable /usr directory.

Set the node OS upgrade channel on an existing cluster using the az aks update command with the --node-os-upgrade-channel parameter.

az aks update --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --node-os-upgrade-channel NodeImage

Example output:

{
  "id": "/subscriptions/xxxxx/resourceGroups/testAzureLinuxResourceGroup",
  "location": "WestUS2",
  "name": "testAzureLinuxCluster",
  "properties": {
    "nodeOsUpgradeChannel": "NodeImage",
    "provisioningState": "Succeeded"
  }
}

For more information on node upgrade channels, see Using node OS auto-upgrade.
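The channel restriction above can be checked across a fleet before and after changes. The following is an added example, not part of the original tutorial: it audits a tab-separated inventory of cluster names and their nodeOsUpgradeChannel values. The inventory format, the function names, and the sample cluster names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit node OS upgrade
# channels for clusters running Azure Linux with OS Guard.
# Input on stdin: "<cluster-name><TAB><nodeOsUpgradeChannel>" per line
# (assumed inventory format; build it from your own cluster listing).

TAB=$(printf '\t')

# Classify one channel value using the compatibility rule from the tutorial.
classify_channel() {
  case "$1" in
    NodeImage)               echo "ok" ;;            # supported, node images applied automatically
    None)                    echo "manual" ;;        # supported, but no automatic OS updates
    Unmanaged|SecurityPatch) echo "incompatible" ;;  # page: conflicts with the immutable /usr
    *)                       echo "unknown" ;;       # empty or unexpected value
  esac
}

# Print one finding per cluster; return 1 if any cluster is on an
# incompatible or unknown channel, 0 otherwise.
audit_channels() {
  rc=0
  while IFS="$TAB" read -r name channel || [ -n "$name" ]; do
    [ -z "$name" ] && continue            # skip blank lines
    status=$(classify_channel "$channel")
    printf '%s\t%s\t%s\n' "$name" "${channel:-unset}" "$status"
    case "$status" in incompatible|unknown) rc=1 ;; esac
  done
  return "$rc"
}

# Constructed sample inventory (hypothetical cluster names).
sample_inventory() {
  printf 'osguard-prod\tNodeImage\n'
  printf 'osguard-dev\tNone\n'
  printf 'osguard-legacy\tSecurityPatch\n'
}

sample_inventory | audit_channels || echo "non-compliant clusters found" >&2
```

Clusters reported as manual are compliant but receive node image updates only when you run the manual upgrade command, so track them separately.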

Clean up resources

As this tutorial is the last part of the series, you may want to delete your Azure Linux Container Host cluster. The Kubernetes nodes run on Azure virtual machines and continue incurring charges even if you don't use the cluster.

az aks delete --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME

Next steps

In this tutorial, you upgraded your Azure Linux Container Host cluster.

For more information on Azure Linux with OS Guard, see the Azure Linux with OS Guard overview.