Note
Azure Linux with OS Guard (preview) is being replaced by Azure Container Linux (ACL).
Azure Container Linux is the long‑term, immutable, container‑optimized Linux operating system (OS) for Azure Kubernetes Service (AKS). It provides a secure, minimal, and operationally consistent host OS designed to run containerized workloads at scale.
For more information, see the Azure Container Linux (ACL) overview.
In this tutorial, part one of five, you learn how to:
- Install the Kubernetes CLI, kubectl.
- Install the aks-preview Azure CLI extension.
- Register the AzureLinuxOSGuardPreview feature flag.
- Create an Azure resource group.
- Create and deploy an Azure Linux with OS Guard cluster.
- Configure kubectl to connect to your Azure Linux with OS Guard cluster.
In later tutorials, you learn how to add an Azure Linux with OS Guard node pool to an existing cluster and migrate existing nodes to Azure Linux with OS Guard.
Prerequisites
- You need the latest version of Azure CLI. Use the az version command to find the version. To upgrade to the latest version, use the az upgrade command.
- Install the aks-preview Azure CLI extension.
- Register the AzureLinuxOSGuardPreview feature flag.
Azure Linux with OS Guard considerations and limitations
Before you begin, review the following considerations and limitations for Azure Linux with OS Guard (preview):
- Kubernetes version 1.32.0 or higher is required for Azure Linux with OS Guard.
- All Azure Linux with OS Guard images have Federal Information Processing Standard (FIPS) and Trusted Launch enabled.
- Azure CLI and ARM templates are the only supported deployment methods for Azure Linux with OS Guard on AKS in preview. PowerShell and Terraform aren't supported.
- Arm64 images aren't supported with Azure Linux with OS Guard on AKS in preview.
- NodeImage and None are the only supported operating system (OS) upgrade channels for Azure Linux with OS Guard on AKS. Unmanaged and SecurityPatch are incompatible with Azure Linux with OS Guard due to the immutable /usr directory.
- Artifact Streaming isn't supported.
- Pod Sandboxing isn't supported.
- Confidential Virtual Machines (CVMs) aren't supported.
- Gen 1 virtual machines (VMs) aren't supported.
Install the aks-preview Azure CLI extension
Important
AKS preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available," and they're excluded from the service-level agreements and limited warranty. AKS previews are partially covered by customer support on a best-effort basis. As such, these features aren't meant for production use. For more information, see the following support articles:
Install the aks-preview extension using the az extension add command.
az extension add --name aks-preview
Update to the latest version of the extension using the az extension update command.
az extension update --name aks-preview
Register the AzureLinuxOSGuardPreview feature flag
Register the AzureLinuxOSGuardPreview feature flag using the az feature register command.
az feature register --namespace "Microsoft.ContainerService" --name "AzureLinuxOSGuardPreview"
It takes a few minutes for the status to show Registered.
Verify the registration status using the az feature show command.
az feature show --namespace "Microsoft.ContainerService" --name "AzureLinuxOSGuardPreview"
When the status reflects Registered, refresh the registration of the Microsoft.ContainerService resource provider using the az provider register command.
az provider register --namespace "Microsoft.ContainerService"
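The register, verify, and refresh steps above can be scripted so that cluster creation only starts once the flag is actually Registered. This is an added example, not part of the original tutorial; the helper names (get_feature_state, refresh_provider, wait_for_feature) and the default of 30 attempts at 20-second intervals are assumptions.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
FEATURE_NS="Microsoft.ContainerService"
FEATURE_NAME="AzureLinuxOSGuardPreview"

# Print the feature's current registration state, e.g. "Registering" or "Registered".
get_feature_state() {
  az feature show --namespace "$FEATURE_NS" --name "$FEATURE_NAME" \
    --query properties.state --output tsv
}

# Refresh the resource provider so the newly registered feature takes effect.
refresh_provider() {
  az provider register --namespace "$FEATURE_NS"
}

# wait_for_feature [max_attempts] [delay_seconds]   (hypothetical helper)
# Returns 0 once the feature is Registered and the provider is refreshed,
# 1 on timeout, 2 if the state query fails, 3 if the provider refresh fails.
wait_for_feature() {
  wf_max="${1:-30}"
  wf_delay="${2:-20}"
  wf_try=1
  while [ "$wf_try" -le "$wf_max" ]; do
    wf_state="$(get_feature_state)" || return 2
    if [ "$wf_state" = "Registered" ]; then
      refresh_provider || return 3
      return 0
    fi
    echo "attempt $wf_try/$wf_max: state is '${wf_state}', waiting ${wf_delay}s" >&2
    wf_try=$((wf_try + 1))
    sleep "$wf_delay"
  done
  return 1
}

# Usage: gate cluster creation on the result so an unregistered
# subscription fails early instead of inside az aks create:
#   wait_for_feature 30 20 || exit 1
```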
Set environment variables
Set the following environment variables to create unique resource names for each deployment:
export RESOURCE_GROUP="<your-resource-group-name>"
export REGION="<your-region>"
export CLUSTER_NAME="<your-cluster-name>"
Create a resource group
When creating a resource group in Azure, you're required to specify a location. This location is the storage location of your resource group metadata and where your resources run in Azure if you don't specify another region when creating a resource.
Create a resource group using the az group create command.
az group create --name $RESOURCE_GROUP --location $REGION
Example output:
{
  "id": "/subscriptions/xxxxx/resourceGroups/testAzureLinuxOSGuardResourceGroupxxxxx",
  "location": "EastUS2",
  "managedBy": null,
  "name": "testAzureLinuxOSGuardResourceGroupxxxxx",
  "properties": {
    "provisioningState": "Succeeded"
  },
  "tags": null,
  "type": "Microsoft.Resources/resourceGroups"
}
Create an Azure Linux with OS Guard (preview) cluster
Create an AKS cluster using the az aks create command with the --os-sku AzureLinuxOSGuard parameter to provision an Azure Linux with OS Guard cluster. FIPS, Secure Boot, and vTPM must all be enabled to use Azure Linux with OS Guard.
az aks create --name $CLUSTER_NAME --resource-group $RESOURCE_GROUP --os-sku AzureLinuxOSGuard --node-osdisk-type Managed --enable-fips-image --enable-secure-boot --enable-vtpm
Example output:
{
  "id": "/subscriptions/xxxxx/resourceGroups/testAzureLinuxOSGuardResourceGroupxxxxx/providers/Microsoft.ContainerService/managedClusters/testAzureLinuxOSGuardClusterxxxxx",
  "location": "WestUS2",
  "name": "testAzureLinuxOSGuardClusterxxxxx",
  "properties": {
    "provisioningState": "Succeeded"
  },
  "type": "Microsoft.ContainerService/managedClusters"
}
After a few minutes, the command completes and returns JSON-formatted information about the cluster.
Connect to the cluster using kubectl
Configure kubectl to connect to your Kubernetes cluster using the az aks get-credentials command.
az aks get-credentials --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME
Verify the connection to your cluster using the kubectl get nodes command to return a list of the cluster nodes.
kubectl get nodes
Example output:
NAME                       STATUS   ROLES   AGE   VERSION
aks-nodepool1-00000000-0   Ready    agent   10m   v1.20.7
aks-nodepool1-00000000-1   Ready    agent   10m   v1.20.7
Next step
In this tutorial, you created and deployed an Azure Linux with OS Guard cluster. In the next tutorial, you learn how to add an Azure Linux with OS Guard node pool to an existing cluster.