Category: Kubernetes (AKS)

AKS | Node image upgrades

[English Below]

Hello,

In this article we will look at how to upgrade the image of your nodes. To do so we will use the AKS node image upgrade feature, which is still in preview at the time of writing.

# Register the preview feature 

az feature register --namespace "Microsoft.ContainerService" --name "NodeImageUpgradePreview"

# Verify the feature is registered

az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/NodeImageUpgradePreview')].{Name:name,State:properties.state}"

# Install the aks-preview extension 

az extension add --name aks-preview

# Update the extension to make sure you have the latest version installed

az extension update --name aks-preview

# Upgrade all nodes in all node pools of your cluster

az aks upgrade \
  --resource-group myResourceGroup \
  --name myAKSCluster \
  --node-image-only

# Check the node image version of each node

kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.labels.kubernetes\.azure\.com\/node-image-version}{"\n"}{end}'

az aks show \
  --resource-group myResourceGroup \
  --name myAKSCluster

-----------------------------------------------------

# Upgrade a specific node pool

az aks nodepool upgrade \
  --resource-group myResourceGroup \
  --cluster-name myAKSCluster \
  --name mynodepool \
  --node-image-only

# Check the node image version of each node

kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.labels.kubernetes\.azure\.com\/node-image-version}{"\n"}{end}'

az aks nodepool show \
  --resource-group myResourceGroup \
  --cluster-name myAKSCluster \
  --name mynodepool

Maxime.

Hi,

In this article, I would like to share with you how you can upgrade the node image of all nodes in all node pools of your AKS cluster, or of a specific node pool only.

# Register the preview feature 

az feature register --namespace "Microsoft.ContainerService" --name "NodeImageUpgradePreview"

# Verify the feature is registered 

az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/NodeImageUpgradePreview')].{Name:name,State:properties.state}"

# Install the aks-preview extension 

az extension add --name aks-preview

# Update the extension to make sure you have the latest version installed

az extension update --name aks-preview

# Upgrade all nodes in all node pools

az aks upgrade --resource-group myResourceGroup --name myAKSCluster --node-image-only

# Check the node image version of each node

kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.labels.kubernetes\.azure\.com\/node-image-version}{"\n"}{end}'

az aks show --resource-group myResourceGroup --name myAKSCluster

----------------------------------------------------------

# Upgrade a specific node pool

az aks nodepool upgrade --resource-group myResourceGroup --cluster-name myAKSCluster --name mynodepool --node-image-only

# Check the node image version of each node

kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.labels.kubernetes\.azure\.com\/node-image-version}{"\n"}{end}'

az aks nodepool show --resource-group myResourceGroup --cluster-name myAKSCluster --name mynodepool
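Before running `az aks nodepool upgrade --node-image-only` it helps to know which nodes actually lag behind the pool's latest image. The script below is an added example, not code from the original post: it compares each node's `kubernetes.azure.com/node-image-version` label with the `latestNodeImageVersion` reported by `az aks nodepool get-upgrades`. It assumes the AKS Linux image naming convention `<OS>-<release>-YYYY.MM.DD` (e.g. `AKSUbuntu-1804-2020.06.10`), the AKS `agentpool` node label, and an `az`/`kubectl` session already logged in to the cluster.

```shell
#!/bin/sh
# Added example (not from the original post): list the nodes of one node pool
# whose image is older than the pool's latest available image.
# Assumes image versions end in "-YYYY.MM.DD", e.g. AKSUbuntu-1804-2020.06.10.

# Print the trailing YYYY.MM.DD of an image version as YYYYMMDD, or nothing if
# the version does not follow that convention (e.g. a Windows image).
image_date() {
  printf '%s\n' "$1" |
    sed -n 's/.*-\([0-9]\{4\}\)\.\([0-9]\{2\}\)\.\([0-9]\{2\}\)$/\1\2\3/p'
}

# Exit 0 when image $1 is strictly older than image $2; 1 otherwise, including
# when either version is unparseable, so nothing is flagged blindly.
image_outdated() {
  have=$(image_date "$1")
  want=$(image_date "$2")
  [ -n "$have" ] && [ -n "$want" ] && [ "$have" -lt "$want" ]
}

# Driver. Usage: check_pool <resource-group> <cluster> <nodepool>
check_pool() {
  rg=$1; cluster=$2; pool=$3
  latest=$(az aks nodepool get-upgrades -g "$rg" --cluster-name "$cluster" \
             --nodepool-name "$pool" --query latestNodeImageVersion -o tsv)
  tab=$(printf '\t')
  kubectl get nodes -l agentpool="$pool" \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.labels.kubernetes\.azure\.com\/node-image-version}{"\n"}{end}' |
  while IFS="$tab" read -r node image; do
    if image_outdated "$image" "$latest"; then
      echo "OUTDATED $node $image (latest: $latest)"
    else
      echo "current  $node $image"
    fi
  done
}

# Run as:  sh check-node-images.sh check myResourceGroup myAKSCluster mynodepool
if [ "${1:-}" = "check" ]; then
  check_pool "$2" "$3" "$4"
fi
```

Nodes reported as OUTDATED are the ones that the `--node-image-only` upgrade of that pool will actually reimage.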

Maxime.

AKS | Supports Gen2 VMs

[English Below]

Hello,

In this article, I will show you how to create an AKS cluster using gen2 virtual machines.

The advantage of using Gen2 machines is being able to benefit from security features such as:

To do this, enter the following commands, for example from Azure Cloud Shell (https://shell.azure.com)

az feature register --name "Gen2VMPreview" --namespace "Microsoft.ContainerService"

# wait for the feature to register
az feature show --name Gen2VMPreview --namespace "Microsoft.ContainerService"

# Re-register the AKS namespace by performing the below
az provider register --namespace 'Microsoft.ContainerService'

# Finally create the cluster
az aks create -n aks -g aks -s Standard_D2s_v3 --aks-custom-headers usegen2vm=true

Maxime.


Hello,

In this article, I would like to share with you how you can create an AKS cluster with gen2 virtual machines.

With Azure Gen2 Virtual Machines, you can use advanced security features such as:

From Azure Cloud Shell (https://shell.azure.com), please use these commands:

az feature register --name "Gen2VMPreview" --namespace "Microsoft.ContainerService"

# wait for the feature to register
az feature show --name Gen2VMPreview --namespace "Microsoft.ContainerService"

# Re-register the AKS namespace by performing the below
az provider register --namespace 'Microsoft.ContainerService'

# Finally create the cluster
az aks create -n aks -g aks -s Standard_D2s_v3 --aks-custom-headers usegen2vm=true

Maxime.

AKS | CNI security vulnerability in older AKS clusters and mitigation steps

Hi,

In this article, I would like to share with you a security notice about a new security vulnerability. This vulnerability has been identified in the container networking implementation (CNI) in CNI plugin versions v0.8.6 and older that may affect older AKS clusters.

Details

An AKS cluster configured to use an affected container networking implementation is susceptible to man-in-the-middle (MitM) attacks. By sending “rogue” router advertisements, a malicious container can reconfigure the host to redirect part or all of the host's IPv6 traffic to the attacker-controlled container. Even if there was no IPv6 traffic before, if DNS returns both A (IPv4) and AAAA (IPv6) records, many HTTP libraries will try to connect via IPv6 first and then fall back to IPv4, giving the attacker an opportunity to respond.

This vulnerability has been given an initial severity of Medium with a score of 6.0.

Vulnerability analysis and verification

All AKS clusters created or upgraded with a Node Image Version later than or equal to “2019.04.24” are not vulnerable, as those images set net.ipv6.conf.all.accept_ra to 0 and enforce TLS with proper certificate validation.

Clusters created or last upgraded before that date are susceptible to this vulnerability.

You can verify whether your current Node Image is vulnerable by running the check script at https://aka.ms/aks/MitM-check-20200601 on a machine that has CLI access to the cluster’s nodes.

Windows nodes are not affected by this vulnerability.

Mitigation

If you identify nodes that are vulnerable, you can mitigate the vulnerability by performing a cluster upgrade using the following command:

$ az aks upgrade -n <cluster name> -g <cluster resource group> -k <newer supported kubernetes version>

In addition, a permanent fix for this CVE is available at https://github.com/containernetworking/plugins/releases/tag/v0.8.6. AKS is rolling out this fix on the most recent VHD version.
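The notice gives two signals a defender can use to triage a fleet: the node image date (images from 2019.04.24 on carry the fix) and, on the node itself, the `net.ipv6.conf.all.accept_ra` sysctl, which fixed images set to 0. The script below is an added example, not the Microsoft check script linked above: it classifies each node from its `kubernetes.azure.com/node-image-version` label and, optionally, from `sysctl` output collected on that node. It assumes Linux image versions end in `-YYYY.MM.DD` and Windows images start with `AKSWindows` (which the notice says are not affected); the sample inputs in the comments are constructed.

```shell
#!/bin/sh
# Added example, not part of the original notice: triage AKS nodes for the
# rogue router advertisement issue. Threshold 2019.04.24 is from the notice.
# Assumes Linux image versions end in "-YYYY.MM.DD" (e.g. AKSUbuntu-1604-2019.03.14,
# a constructed sample) and that Windows images start with "AKSWindows".
FIXED_FROM=20190424

# Trailing YYYY.MM.DD of an image version as YYYYMMDD, or nothing if absent.
image_date() {
  printf '%s\n' "$1" |
    sed -n 's/.*-\([0-9]\{4\}\)\.\([0-9]\{2\}\)\.\([0-9]\{2\}\)$/\1\2\3/p'
}

# Exit 0 when the sysctl output ("key = value" lines, as printed by sysctl on
# the node) shows router advertisements disabled; 1 otherwise.
accept_ra_disabled() {
  printf '%s\n' "$1" | grep -q '^net\.ipv6\.conf\.all\.accept_ra *= *0 *$'
}

# classify_node <node> <image-version> [<sysctl output>]
# Prints one of NOT_AFFECTED, VULNERABLE, CHECK, OK followed by the reason.
classify_node() {
  node=$1; image=$2; sysctl_out=${3:-}
  case "$image" in
    AKSWindows*) echo "NOT_AFFECTED $node: Windows node"; return 0 ;;
  esac
  d=$(image_date "$image")
  if [ -z "$d" ]; then
    echo "CHECK $node: image version '$image' not recognised, verify manually"
  elif [ "$d" -lt "$FIXED_FROM" ]; then
    echo "VULNERABLE $node: image $image predates 2019.04.24, upgrade the cluster"
  elif [ -n "$sysctl_out" ] && ! accept_ra_disabled "$sysctl_out"; then
    echo "CHECK $node: image is fixed but accept_ra is not 0 on the node"
  else
    echo "OK $node: image $image"
  fi
}

# Driver: classify every node from its image label. If you also collect
# `sysctl net.ipv6.conf.all.accept_ra` on a node, pass it as the third argument.
# Run as:  sh cni-ra-triage.sh scan
if [ "${1:-}" = "scan" ]; then
  tab=$(printf '\t')
  kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.labels.kubernetes\.azure\.com\/node-image-version}{"\n"}{end}' |
  while IFS="$tab" read -r node image; do classify_node "$node" "$image"; done
fi
```

A VULNERABLE result maps directly to the `az aks upgrade` mitigation above; a CHECK result means the label alone cannot settle it and the node needs the linked check script or a manual look.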

Source: https://azure.microsoft.com/en-gb/updates/cni-security-vulnerability-in-older-aks-clusters-and-mitigation-steps/

Maxime.