AKS deploys infrastructure into your subscription for connecting to and running your applications. Changes made directly to resources in the node resource group can affect cluster operations or cause future issues. For example, scaling, storage, or network configurations should be made through the Kubernetes API and not directly on these resources.
To prevent changes from being made to the node resource group, you can apply a deny assignment and block users from modifying resources created as part of the AKS cluster.
Important
AKS preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available," and they're excluded from the service-level agreements and limited warranty. AKS previews are partially covered by customer support on a best-effort basis. As such, these features aren't meant for production use. For more information, see the following support articles:
Before you begin
Before you begin, you need the following resources installed and configured:
- The Azure CLI version 2.44.0 or later. Run az --version to find the current version. If you need to install or upgrade, see Install Azure CLI.
- The aks-preview extension version 0.5.126 or later.
- The NRGLockdownPreview feature flag registered on your subscription.
Install the aks-preview CLI extension
Install or update the aks-preview extension using the az extension add or the az extension update command.
# Install the aks-preview extension
az extension add --name aks-preview
# Update to the latest version of the aks-preview extension
az extension update --name aks-preview
Register the NRGLockdownPreview feature flag
Register the NRGLockdownPreview feature flag using the az feature register command.
az feature register --namespace "Microsoft.ContainerService" --name "NRGLockdownPreview"
It takes a few minutes for the status to show Registered.
Verify the registration status using the az feature show command.
az feature show --namespace "Microsoft.ContainerService" --name "NRGLockdownPreview"
When the status reflects Registered, refresh the registration of the Microsoft.ContainerService resource provider using the az provider register command.
az provider register --namespace Microsoft.ContainerService
Create an AKS cluster with node resource group lockdown
Create a cluster with node resource group lockdown using the az aks create command with the --nrg-lockdown-restriction-level flag set to ReadOnly. This configuration allows you to view the resources but not modify them.
az aks create \
--name $CLUSTER_NAME \
--resource-group $RESOURCE_GROUP_NAME \
--nrg-lockdown-restriction-level ReadOnly \
--generate-ssh-keys
Update an existing cluster with node resource group lockdown
Update an existing cluster with node resource group lockdown using the az aks update command with the --nrg-lockdown-restriction-level flag set to ReadOnly. This configuration allows you to view the resources but not modify them.
az aks update --name $CLUSTER_NAME --resource-group $RESOURCE_GROUP_NAME --nrg-lockdown-restriction-level ReadOnly
Remove node resource group lockdown from a cluster
Remove node resource group lockdown from an existing cluster using the az aks update command with the --nrg-lockdown-restriction-level flag set to Unrestricted. This configuration allows you to view and modify the resources.
az aks update --name $CLUSTER_NAME --resource-group $RESOURCE_GROUP_NAME --nrg-lockdown-restriction-level Unrestricted
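The following audit is an added example, not part of the original article: it lists every AKS cluster visible to the signed-in account whose node resource group is not set to ReadOnly, so drift after an update or a removal is easy to spot. It assumes the restriction level appears in az aks list output as nodeResourceGroupProfile.restrictionLevel; the function names nrg_findings and audit_nrg_lockdown are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: audit node resource group lockdown across a subscription.
# Assumption: az exposes the setting as nodeResourceGroupProfile.restrictionLevel;
# confirm the property name against your own `az aks show` output.

# Read "<cluster>\t<resource-group>\t<level>" rows on stdin and print the rows
# that are not ReadOnly. An empty or "None" level (az prints None for null in
# tsv output) is reported as NotSet.
nrg_findings() {
  awk -F '\t' '
    NF >= 2 && $3 != "ReadOnly" {
      level = ($3 == "" || $3 == "None") ? "NotSet" : $3
      printf "%s\t%s\t%s\n", $1, $2, level
    }'
}

# Query every cluster visible to the signed-in account.
# Returns 0 when all are ReadOnly, 1 when findings were printed, 2 if az failed.
audit_nrg_lockdown() {
  rows=$(az aks list \
    --query "[].[name, resourceGroup, nodeResourceGroupProfile.restrictionLevel]" \
    --output tsv) || return 2
  findings=$(printf '%s\n' "$rows" | nrg_findings)
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  return 0
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
  audit_nrg_lockdown
fi
```

Run the script with --run after az login; a non-zero exit status makes it usable as a gate in a scheduled compliance job.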
Next steps
To learn more about the node resource group in AKS, see Node resource group.