Ensure that node OS auto-upgrades are enabled for Azure Kubernetes Service (AKS) clusters to help prevent vulnerabilities from unpatched OS versions, minimizing the risk of security breaches while maintaining operational stability.
Node OS auto-upgrades in Azure Kubernetes Service (AKS) automatically apply operating system security patches and freshly patched node images to the nodes of an AKS cluster. This matters because it gives nodes timely OS-level security fixes without manual intervention. These upgrades are separate from Kubernetes version upgrades and are controlled per cluster by a node OS upgrade channel: None (no automatic OS updates), Unmanaged (the OS applies its own updates, but AKS manages neither the patching nor the reboots it may require), SecurityPatch (AKS applies OS security patches on a regular cadence) or NodeImage (AKS rolls out a fully patched node image). When node OS auto-upgrades are not enabled, security updates are not applied automatically to your AKS cluster nodes, and you are fully responsible for ensuring they receive the necessary updates.
Audit
To determine if node OS auto-upgrades are enabled for your Azure Kubernetes Service (AKS) clusters, perform the following operations:
Remediation / Resolution
To enable and configure node OS auto-upgrades for Azure Kubernetes Service (AKS) clusters, perform the following operations:
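The following script is an added example, not part of the original page, that covers both the Audit and the Remediation procedures above with the Azure CLI commands listed under References. It assumes `az` is installed and logged in with read access to every subscription (for the audit) and contributor rights on the cluster (for the remediation). The compliance verdict per channel (`classify_channel`) is this example's own policy: NodeImage and SecurityPatch pass, None fails, an unset channel is treated like None, and Unmanaged is flagged for review because AKS does not manage those updates or their reboots. The maintenance-window step is optional and uses the `az aks maintenanceconfiguration add` flags from the planned maintenance documentation listed below.

```shell
#!/usr/bin/env bash
# Added example (not the page's own code): audit and remediate the AKS node OS
# upgrade channel with the Azure CLI. Assumes `az` is installed and logged in.
set -eu

# Policy assumed by this example: NodeImage and SecurityPatch are AKS-managed
# channels that apply OS security updates automatically (compliant); None applies
# nothing (non-compliant); an unset value is treated like None; Unmanaged leaves
# patching and reboots to the OS and to you, so it is flagged for review.
classify_channel() {
  case "${1:-}" in
    NodeImage|SecurityPatch) echo "compliant" ;;
    Unmanaged)               echo "review" ;;
    None|"")                 echo "non-compliant" ;;
    *)                       echo "unknown" ;;
  esac
}

# Audit one subscription: one TSV line per cluster with the channel read from
# autoUpgradeProfile.nodeOsUpgradeChannel and the verdict from classify_channel.
audit_subscription() {
  sub="$1"
  az account set --subscription "$sub"
  tab="$(printf '\t')"
  az aks list \
    --query "[].[resourceGroup, name, autoUpgradeProfile.nodeOsUpgradeChannel]" \
    --output tsv |
  while IFS="$tab" read -r rg name channel; do
    printf '%s\t%s\t%s\t%s\t%s\n' \
      "$sub" "$rg" "$name" "${channel:-<unset>}" "$(classify_channel "$channel")"
  done
}

# Audit every subscription the logged-in identity can see.
audit_all() {
  printf 'subscription\tresourceGroup\tcluster\tnodeOsUpgradeChannel\tverdict\n'
  for sub in $(az account list --query "[].id" --output tsv); do
    audit_subscription "$sub"
  done
}

# Remediate one cluster: switch it to an AKS-managed channel (NodeImage unless
# another one is given).
remediate_cluster() {
  rg="$1"; name="$2"; channel="${3:-NodeImage}"
  az aks update --resource-group "$rg" --name "$name" \
    --node-os-upgrade-channel "$channel"
}

# Optional: pin node OS upgrades to a weekly 8-hour window starting Saturday
# 00:00 UTC so that node reboots land when the team expects them. The
# configuration name aksManagedNodeOSUpgradeSchedule is the one AKS reserves
# for the node OS upgrade schedule.
add_weekly_window() {
  rg="$1"; name="$2"
  az aks maintenanceconfiguration add --resource-group "$rg" --cluster-name "$name" \
    --name aksManagedNodeOSUpgradeSchedule --schedule-type Weekly \
    --day-of-week Saturday --interval-weeks 1 --start-time 00:00 \
    --duration 8 --utc-offset +00:00
}

case "${1:-}" in
  audit)     audit_all ;;
  remediate) [ $# -ge 3 ] || { echo "usage: $0 remediate <resource-group> <cluster> [channel] [--window]" >&2; exit 2; }
             remediate_cluster "$2" "$3" "${4:-NodeImage}"
             [ "${5:-}" = "--window" ] && add_weekly_window "$2" "$3" ;;
  "")        ;;   # run without arguments (or sourced): only define the functions
  *)         echo "usage: $0 audit | remediate <resource-group> <cluster> [channel] [--window]" >&2; exit 2 ;;
esac
```

Run `./aks_node_os_upgrade.sh audit` to get a TSV report across all subscriptions; any line whose verdict is `non-compliant` (channel `None` or unset) is a cluster whose nodes receive no automatic OS security updates. Fix it with `./aks_node_os_upgrade.sh remediate <resource-group> <cluster> NodeImage --window`, then re-run the audit and confirm the verdict changed. Switching the channel triggers rolling node image or patch updates, so schedule the first run inside a maintenance window on production clusters.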
References
- Azure Official Documentation
- Upgrade options for Azure Kubernetes Service (AKS) clusters
- Auto-upgrade node OS images
- Use planned maintenance to schedule and control upgrades for your Azure Kubernetes Service cluster
- Azure Command Line Interface (CLI) Documentation
- az account list
- az account set
- az aks list
- az aks show
- az aks