AKS | Mariner Container Optimized OS on AKS


Mariner is an open-source Linux distribution created by Microsoft and is now available for preview as a container host on Azure Kubernetes Service (AKS). Optimized for AKS, the Mariner container host provides reliability and consistency from cloud to edge across the AKS, AKS-HCI, and Arc products. You can deploy Mariner node pools in a new cluster, add Mariner node pools to your existing Ubuntu clusters, or migrate your Ubuntu nodes to Mariner nodes.

Key Capabilities Of CBL-Mariner:

CBL-Mariner provides many of the traditional benefits of using Linux. In addition to that, CBL-Mariner provides hardened security and efficient lifecycle management.

  • CBL-Mariner core

Minimal core system that supports a variety of profiles (Azure VM or on bare-metal x64 or ARM64) and allows the customer to build on top of it as needed.

Lightweight footprint: 450MB uncompressed.

  • Support & Updates

SLA for vulnerabilities.

Patches automatically available for the customer to update when most convenient for them.

dnf infrastructure used for upgrading packages.

  • Security hardened

The kernel and other aspects of the OS are built with an emphasis on security and follow the secure-by-default principle, compliant with Microsoft security standards and industry certifications.

  • Federated Builds

Enables teams to innovate on top by allowing the generation and maintenance of packages on top of the CBL-Mariner builds.

With over 6000 packages already built, teams can customize their image easily.

  • Robust Testing

Through a robust testing matrix of package, image and kernel tests, we allow for earlier issue detections and mitigations prior to the image being published.

  • Virtualization

CBL-Mariner supports a container host image that includes the Kubernetes infrastructure.

  • Efficient lifecycle management

CBL-Mariner supports both RPM package and image-based update mechanisms for releases – with an “evergreen” release alongside specific security-patched stable snaps. New releases are made available annually and each release is supported for 18 months.

If you want to replace your existing AKS Ubuntu Node Pool by Mariner, please follow this link: https://microsoft.github.io/CBL-Mariner/docs/#using-cbl-mariner-with-aks


Microsoft Ignite 2022, Seattle WA


I had the pleasure to be speaker at Microsoft Ignite 2022 in Seattle, WA! That was my first in-person conference since the Covid-19. This year the experience of Microsoft Ignite was different from what I have already seen during the previous editions. Lot of sessions were available in real-time online and in-person, I think that was a great idea for the people who can’t travel to Seattle.

During these two days of sessions, I had the pleasure to meet a great number of Microsoft MVP, Microsoft employees and attendees.

To give you an idea of the event, please find below a series of photos:


Storage Account | Permitted scope for copy operations


I will show a new storage account feature which can help you to prevent data breach. This feature will help you to restrict the copy operations at the storage account level.

Three options are available:

  • From any storage accounts (default value)
  • From storage accounts in the same Azure AD tenant
  • From storage accounts that have a private endpoint to the same virtual network

I will recommend you to protect all your storage account with a custom Azure Policy which uses the alias parameter: allowedCopyScope