Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add SecurityPatch element to NodeOsUpgradeChannel Enum #29468

Merged
merged 1 commit into from
Jun 21, 2024
Merged

Add SecurityPatch element to NodeOsUpgradeChannel Enum #29468

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion ...ce/resource-manager/Microsoft.ContainerService/aks/stable/2024-05-01/managedClusters.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5085,7 +5085,8 @@
"enum": [
"Unmanaged",
"None",
"NodeImage"
"NodeImage",
"SecurityPatch"
],
"x-ms-enum": {
"name": "nodeOSUpgradeChannel",
Expand All @@ -5102,6 +5103,10 @@
{
"value": "NodeImage",
"description": "AKS will update the nodes with a newly patched VHD containing security fixes and bugfixes on a weekly cadence. With the VHD update machines will be rolling reimaged to that VHD following maintenance windows and surge settings. No extra VHD cost is incurred when choosing this option as AKS hosts the images."
},
{
"value": "SecurityPatch",
"description": "AKS downloads and updates the nodes with tested security updates. These updates honor the maintenance window settings and produce a new VHD that is used on new nodes. On some occasions it's not possible to apply the updates in place, in such cases the existing nodes will also be re-imaged to the newly produced VHD in order to apply the changes. This option incurs an extra cost of hosting the new Security Patch VHDs in your resource group for just in time consumption."
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: the description is not the same as what's defined in preview API version

AKS will update the nodes VHD with patches from the image maintainer labelled "security only" on a regular basis. Where possible, patches will also be applied without reimaging to existing nodes. Some patches, such as kernel patches, cannot be applied to existing nodes without disruption. For such patches, the VHD will be updated, and machines will be rolling reimaged to that VHD following maintenance windows and surge settings. This option incurs the extra cost of hosting the VHDs in your node resource group.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this change is per API review: https://dev.azure.com/msazure/CloudNativeCompute/_wiki/wikis/CloudNativeCompute.wiki/670213/Security-Patch-GA

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we correct the preview APIs documentation so that it matches the approved GA docs?

Ideally preview + ga should be in sync in terms of what they are saying.

Thanks @FumingZhang for thinking to check this!

}
]
},
Expand Down