AKS on Azure Stack HCI and Windows Server 2023-05-09 Update

This post has been republished via RSS; it originally appeared at Microsoft Tech Community - Latest Blogs.

Hello everyone, 

 

Before getting into the update details, we have a favor to ask: 

 

Help us support you by adding the new telemetry URL gcs.prod.monitoring.core.windows.net (port 443) to your allowlist.

 

We have updated our telemetry to use a new service, which means we have changed the URL. As a reminder, we only collect diagnostic data to observe and diagnose ongoing issues faster and more efficiently. No private data is sent to Microsoft: the data is not linkable to a user and does not contain customer content. System metadata is defined as data generated while running the service or program that is not linkable to a user or tenant.

Please note that this new URL replaces the now deprecated adhs.events.data.microsoft.com endpoint. For the full list of required URLs, see https://aka.ms/aks-hci-allowlists.

 

We are pleased to announce that we have extended our support for minor Kubernetes versions for a period of up to one year, commencing with v1.23.x. In order to facilitate this, we have added a range of enhancements to our AKS hybrid platform which include: 

  • We have lifted a restriction that prevented users from updating AKS hybrid management clusters when a target (workload) cluster was running a version that is deprecated in the latest release. With the new change, the update proceeds as long as the workload cluster's version is still a supported minor version.
  • Updates continue to be executed in a stepped manner, but this release adds an enhancement that lets you skip intermediate releases where required, which speeds up the process.
  • Read more about these changes in this blog and also review our revised support policy 

On to product improvements since the last release.   

 

Kubernetes 1.25 support  

 

In this release we are bringing in support for Kubernetes 1.25. This version of Kubernetes has 40 enhancements and improves Windows support with the addition of a performance dashboard, unit tests and conformance tests. A new repository has also been created for Windows Operational Readiness.

 

Some notable enhancements and changes: 

  • The container image registry has moved from k8s.gcr.io to registry.k8s.io. If your environment allowlists registries by name, add the new one before upgrading.
  • Kube-proxy images are now based on distroless images. This change reduces image size by almost 50% and trims the installed packages and files to only those strictly required for kube-proxy, which also shrinks the surface a scanner or an attacker can reach inside the container.
  • 1.25 adds the KMS v2alpha1 API, which brings performance, key-rotation and observability improvements to envelope encryption of secrets at rest.
  • endPort in NetworkPolicy has been promoted to GA. Network Policy providers that support the endPort field can use it to apply a policy to a range of ports; previously each rule could target only a single port.
  • The Local Ephemeral Storage Capacity Isolation feature is now GA. It provides capacity isolation of local ephemeral storage between pods, so a pod can be hard-limited in its consumption of the shared resource and is evicted if its local ephemeral storage use exceeds that limit.
  • Core CSI Migration has been promoted to Stable. The CSI migration effort replaces the existing in-tree storage plugins with the corresponding CSI drivers from the storage backend. If CSI Migration is working properly, Kubernetes end users should not notice a difference.
  • The CSI Ephemeral Volume feature is now GA. It allows CSI volumes to be specified directly in the pod specification for ephemeral use cases, so that state such as configuration, secrets, identity or variables can be injected into pods through a mounted volume.
  • PodSecurityPolicy is removed, and Pod Security Admission graduates to stable. Clusters that still rely on PodSecurityPolicy must migrate to Pod Security Admission (or a third-party admission controller) before upgrading to 1.25, or those restrictions will silently stop being enforced.

Deprecations: 

  • PodSecurityPolicy is removed. 
  • The GlusterFS in-tree volume plugin is deprecated.
  • The gcp and azure auth plugins have been removed from client-go and kubectl. Kubeconfigs that still use the azure auth provider need an exec credential plugin such as kubelogin.

 

Restrict SSH Access to VMs under AKS hybrid 

We have added a feature that restricts Secure Shell (SSH) access to the underlying VMs to a set of allowed IP addresses. By default, anyone with administrator access to AKS hybrid can reach the AKS hybrid service VMs over SSH from any machine. Because access is already limited to administrators, restricting it by source IP does not change the security posture (it limits where an administrator can connect from, not who holds the key), but it can make compliance much easier for customers who must meet strict access-control requirements. After enabling it, verify from a machine outside the allowed list that port 22 on the service VMs is refused.

 

Add Pre-Install Validation tests 

This release adds the following validation tests, run during Set-AksHciConfig, to confirm that the configuration needed for a successful Install-AksHci is in place before the actual installation starts.

Test name: AKS hybrid internet connectivity
Description: validates that the virtual machine hosting AKS hybrid has internet connectivity to key Microsoft endpoints.
Troubleshooting:
- Ensure that there is connectivity from the physical hosts to the internet.
- If using a proxy, ensure that the proxy settings passed to Set-AksHciConfig are correct.
- Ensure there is connectivity from any VM in the node pool IP range given by the New-AksHciNetworkSetting parameters "-k8sNodeIpPoolStart" and "-k8sNodeIpPoolEnd".
- See also: Blog post on troubleshooting network issues in Windows Server; Use HUD for troubleshooting network issues in Azure Stack HCI; Firewall requirements for Azure Stack HCI; Troubleshooting Windows Server components.

Test name: DNS availability
Description: validates that the provided DNS servers are available.
Troubleshooting:
- Ensure that the DNS servers provided in the New-AksHciNetworkSetting parameter "-dnsServers" are reachable from VMs in the IP range given by "-k8sNodeIpPoolStart" and "-k8sNodeIpPoolEnd".

Test name: Connectivity between the VM that hosts AKS hybrid (management cluster) and the cloud agent
Description: validates that VMs in the Kubernetes node pool IP range can reach the cloud agent endpoint.
Troubleshooting:
- Ensure that the DNS servers provided in New-AksHciNetworkSetting can resolve the cloud agent FQDN.
- Ensure that the cloud agent endpoint is online.
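The following PowerShell script is an added example written for this post; it is not code from the AKS hybrid release or its documentation. It lets you re-run the three pre-install checks above by hand from the Azure Stack HCI or Windows Server host, covers the new telemetry allowlist entry from the top of the post, and adds a probe for the SSH restriction feature so you can confirm port 22 is refused from a host outside the allowed list. Everything in the assumptions block is a placeholder: the endpoint list holds only the one URL the post names and should be completed from https://aka.ms/aks-hci-allowlists, and the DNS servers, node IPs, cloud agent FQDN and cloud agent port (assumed 55000) must be replaced with your own values.

```powershell
# Added example for this post, not AKS hybrid product code.
# Re-runs the Set-AksHciConfig pre-install checks (endpoint connectivity, DNS
# availability, cloud agent reachability) and probes the SSH restriction.
#
# Assumptions (none of these values come from the post): complete the endpoint
# list from https://aka.ms/aks-hci-allowlists; replace the DNS servers, cloud
# agent FQDN, cloud agent port and node IPs with your own.

$RequiredEndpoints = @(
    @{ Host = 'gcs.prod.monitoring.core.windows.net'; Port = 443 }   # new telemetry endpoint
)
$DnsServers     = @('10.0.0.10', '10.0.0.11')   # what you pass to New-AksHciNetworkSetting -dnsServers
$CloudAgentFqdn = 'ca-mocstack.contoso.local'    # placeholder cloud agent FQDN
$CloudAgentPort = 55000                          # assumed cloud agent port; confirm against the firewall docs
$ProxyHost      = $null                          # e.g. 'proxy.contoso.local' if Set-AksHciConfig uses a proxy
$ProxyPort      = 3128

function Test-TcpEndpoint {
    param([string]$ComputerName, [int]$Port, [string]$Check)
    # TcpTestSucceeded reports only that the TCP handshake completed; it does not prove
    # TLS or HTTP succeeded, but it is enough to catch a firewall or routing block.
    $r = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = $Check; Target = "${ComputerName}:$Port"; Ok = [bool]$r.TcpTestSucceeded; Detail = $null }
}

function Test-InternetConnectivity {
    foreach ($e in $RequiredEndpoints) {
        if ($ProxyHost) {
            # With a proxy the host may have no direct route: the proxy must be reachable, and the
            # proxy must in turn allow the endpoint (check the proxy's own logs for that).
            Test-TcpEndpoint -ComputerName $ProxyHost -Port $ProxyPort -Check "Internet via proxy for $($e.Host)"
        } else {
            Test-TcpEndpoint -ComputerName $e.Host -Port $e.Port -Check 'Internet connectivity'
        }
    }
}

function Test-DnsAvailability {
    foreach ($dns in $DnsServers) {
        # Query each configured server directly for the cloud agent name; a timeout or
        # SERVFAIL becomes a failed row instead of aborting the script.
        try {
            $ans  = Resolve-DnsName -Name $CloudAgentFqdn -Server $dns -DnsOnly -ErrorAction Stop
            $addr = ($ans | Where-Object { $_.Type -in 'A', 'AAAA' } | Select-Object -First 1).IPAddress
            [pscustomobject]@{ Check = 'DNS availability'; Target = $dns; Ok = [bool]$addr; Detail = $addr }
        } catch {
            [pscustomobject]@{ Check = 'DNS availability'; Target = $dns; Ok = $false; Detail = $_.Exception.Message }
        }
    }
}

function Test-CloudAgentReachability {
    Test-TcpEndpoint -ComputerName $CloudAgentFqdn -Port $CloudAgentPort -Check 'Cloud agent endpoint'
}

function Test-SshRestriction {
    param([string[]]$NodeIp)
    # Run this from a machine that is NOT in the allowed IP list: every node should come back
    # Ok = False (port 22 refused). Ok = True here means the restriction is not in effect.
    foreach ($ip in $NodeIp) {
        Test-TcpEndpoint -ComputerName $ip -Port 22 -Check 'SSH exposure (expect Ok=False)'
    }
}

$results = @(Test-InternetConnectivity) + @(Test-DnsAvailability) + @(Test-CloudAgentReachability)
$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more pre-install checks failed; fix them before running Install-AksHci.'
}

# Optional, after enabling the SSH restriction, from a host outside the allowed list:
# Test-SshRestriction -NodeIp '10.0.1.21', '10.0.1.22'   # placeholder node pool addresses
```

Two caveats. The built-in tests check reachability from VMs inside the node pool IP range, while this script runs on the host, so a pass here does not rule out a VLAN or firewall rule that only affects the node pool subnet. And a TCP handshake to the proxy says nothing about whether the proxy permits the destination; if the proxy path is in doubt, confirm the request in the proxy's logs.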

 

 

Version updates and bug fixes 

 

Software updates: 

   We have updated several components and dependencies to the latest versions to fix CVEs:

  • CVE-2023-23931 in cryptography 39.0.0. Severity: Medium 
  • CVE-2021-21272 in deislabs/oras v0.8.1. Severity: Medium  
  • CVE-2023-27561 in opencontainers v0.1.1. Severity: High 
  • CVE-2023-24056 in Alpine:3.17.1:pkgconf 1.9.3-r0. Severity: Medium 
  • CVE-2022-23648 in containerd v1.5.8. Severity: Medium 

Bug Fix:  

  • We fixed a bug in our autoscaler feature. Previously, the skip-nodes-with-local-storage setting in an AKS hybrid node pool autoscaler profile could not be modified: it stayed "true" and would not change to "false". This release fixes that, so you can now use all the capabilities of the autoscaler feature.
  • This release also brings several bug fixes in Windows Admin Center.

Documentation updates 

 

Troubleshooting guide updates: 

As always, you can try AKS on Azure Stack HCI or Windows Server any time even if you do not have the hardware handy using our eval guide to set up AKS on a Windows Server Azure VM. 

 

Once you have downloaded and installed the AKS on Azure Stack HCI or Windows Server Update – you can report any issues you encounter, follow our plans, and check out recently released updates through the AKS hybrid roadmap in GitHub. 

 

We look forward to hearing from you all! 

 

Cheers, 

Shivani
