Deploy a fully managed resource group using node resource group lockdown (preview) in Azure Kubernetes Service (AKS)
AKS deploys infrastructure into your subscription for connecting to and running your applications. Changes made directly to resources in the node resource group can affect cluster operations or cause future issues. For example, scaling, storage, or network configurations should be made through the Kubernetes API and not directly on these resources.
To prevent changes from being made to the node resource group, you can apply a deny assignment and block users from modifying resources created as part of the AKS cluster.
Important
AKS preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available," and they're excluded from the service-level agreements and limited warranty. AKS previews are partially covered by customer support on a best-effort basis. As such, these features aren't meant for production use. For more information, see the following support articles:
Before you begin
Before you begin, you need the following resources installed and configured:
- The Azure CLI version 2.44.0 or later. Run az --version to find the current version. If you need to install or upgrade, see Install Azure CLI.
- The aks-preview extension version 0.5.126 or later.
- The NRGLockdownPreview feature flag registered on your subscription.
Install the aks-preview CLI extension
Install or update the aks-preview extension using the az extension add or the az extension update command.
# Install the aks-preview extension
az extension add --name aks-preview
# Update to the latest version of the aks-preview extension
az extension update --name aks-preview
Register the NRGLockdownPreview feature flag
Register the NRGLockdownPreview feature flag using the az feature register command.
az feature register --namespace "Microsoft.ContainerService" --name "NRGLockdownPreview"
It takes a few minutes for the status to show Registered.
Verify the registration status using the az feature show command.
az feature show --namespace "Microsoft.ContainerService" --name "NRGLockdownPreview"
When the status reflects Registered, refresh the registration of the Microsoft.ContainerService resource provider using the az provider register command.
az provider register --namespace Microsoft.ContainerService
Create an AKS cluster with node resource group lockdown
Create a cluster with node resource group lockdown using the az aks create command with the --nrg-lockdown-restriction-level flag set to ReadOnly. This configuration allows you to view the resources but not modify them.
az aks create \
--name $CLUSTER_NAME \
--resource-group $RESOURCE_GROUP_NAME \
--nrg-lockdown-restriction-level ReadOnly \
--generate-ssh-keys
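The registration wait and the create step above, automated as an added example that is not part of the Microsoft article: it polls the NRGLockdownPreview flag until it reports Registered and then confirms that the ReadOnly lockdown placed a deny assignment on the cluster's node resource group. The CLUSTER_NAME and RESOURCE_GROUP_NAME variables, the sample JSON, and the denyAssignments api-version are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the Microsoft article: wait for the NRGLockdownPreview
# flag to reach Registered, then confirm that the ReadOnly lockdown actually
# placed a deny assignment on the cluster's node resource group.
set -eu

# Extract the "state" value from `az feature show` JSON output. Written with
# sed rather than jq so it can be checked offline against the samples below.
feature_state() {
  printf '%s\n' "$1" | sed -n 's/.*"state"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Poll `az feature show` every 20 seconds until the flag reports Registered.
# Registration can take several minutes; $1 is the maximum number of polls.
wait_for_feature() {
  tries=${1:-30}
  while [ "$tries" -gt 0 ]; do
    out=$(az feature show --namespace Microsoft.ContainerService --name NRGLockdownPreview -o json)
    [ "$(feature_state "$out")" = Registered ] && return 0
    tries=$((tries - 1))
    sleep 20
  done
  echo "NRGLockdownPreview is still not Registered" >&2
  return 1
}

# After `az aks create ... --nrg-lockdown-restriction-level ReadOnly`, count the
# deny assignments on the node resource group. Azure CLI has no dedicated
# deny-assignment command, so this calls the ARM REST API through `az rest`
# (the api-version is an assumption; adjust it if the API rejects it).
# Expects CLUSTER_NAME and RESOURCE_GROUP_NAME in the environment.
deny_assignment_count() {
  sub=$(az account show --query id -o tsv)
  nrg=$(az aks show --name "$CLUSTER_NAME" --resource-group "$RESOURCE_GROUP_NAME" \
        --query nodeResourceGroup -o tsv)
  az rest --method get \
    --url "https://management.azure.com/subscriptions/$sub/resourceGroups/$nrg/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01" \
    --query 'length(value)' -o tsv
}

# Constructed samples of `az feature show` output, before and after registration.
SAMPLE_REGISTERING='{"name":"Microsoft.ContainerService/NRGLockdownPreview","properties":{"state":"Registering"},"type":"Microsoft.Features/providers/features"}'
SAMPLE_REGISTERED='{"name":"Microsoft.ContainerService/NRGLockdownPreview","properties":{"state":"Registered"},"type":"Microsoft.Features/providers/features"}'

# Usage once the cluster exists (commented out so the script runs offline):
#   wait_for_feature 30 && az provider register --namespace Microsoft.ContainerService
#   [ "$(deny_assignment_count)" -ge 1 ] && echo "node resource group is locked down"
```

A count of zero after the cluster reports ReadOnly means the lockdown has not taken effect yet and the node resource group is still writable by anyone with Contributor rights on it.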
Update an existing cluster with node resource group lockdown
Update an existing cluster with node resource group lockdown using the az aks update command with the --nrg-lockdown-restriction-level flag set to ReadOnly. This configuration allows you to view the resources but not modify them.
az aks update --name $CLUSTER_NAME --resource-group $RESOURCE_GROUP_NAME --nrg-lockdown-restriction-level ReadOnly
Remove node resource group lockdown from a cluster
Remove node resource group lockdown from an existing cluster using the az aks update command with the --nrg-lockdown-restriction-level flag set to Unrestricted. This configuration allows you to view and modify the resources.
az aks update --name $CLUSTER_NAME --resource-group $RESOURCE_GROUP_NAME --nrg-lockdown-restriction-level Unrestricted
Next steps
To learn more about the node resource group in AKS, see Node resource group.