start using Security Patches for OS upgrade channel to get Node OS Le…

…vel automatically
mspnp · Mar 7, 2024 · 2218f2e · 2218f2e
1 parent 7cd7be0
commit 2218f2e
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/01-prerequisites.md b/01-prerequisites.md
@@ -38,8 +38,15 @@ This is the starting point for the instructions on deploying the [AKS baseline r
    # Keep running until all say "Registered." (This may take up to 20 minutes.)
    az feature list -o table --query "[?name=='Microsoft.ContainerService/EnableImageCleanerPreview'].{Name:name,State:properties.state}"
 
+   # Node OS Level Automatic Security Patches are currently in Preview and requies the following feature
+   az feature register --namespace "Microsoft.ContainerService" -n "NodeOsUpgradeChannelPreview"
+
+   # Keep running until all say "Registered." (It takes a few minutes for the status to be udated)
+   az feature show --namespace "Microsoft.ContainerService" --name "NodeOsUpgradeChannelPreview"
+
    # When all say "Registered" then re-register the AKS resource provider
    az provider register --namespace Microsoft.ContainerService
+
    ```
 
 1. Clone/download this repo locally, or even better fork this repository.

diff --git a/cluster-stamp.bicep b/cluster-stamp.bicep
@@ -1657,7 +1657,7 @@ resource pdzAksIngress 'Microsoft.Network/privateDnsZones@2020-06-01' = {
   }
 }
 
-resource mc 'Microsoft.ContainerService/managedClusters@2023-02-02-preview' = {
+resource mc 'Microsoft.ContainerService/managedClusters@2024-01-01' = {
   name: clusterName
   location: location
   tags: {
@@ -1817,6 +1817,7 @@ resource mc 'Microsoft.ContainerService/managedClusters@2023-02-02-preview' = {
       enabled: false // Using Microsoft Entra Workload IDs for pod identities.
     }
     autoUpgradeProfile: {
+      nodeOSUpgradeChannel: 'SecurityPatch'
       upgradeChannel: 'node-image'
     }
     azureMonitorProfile: {