Deploy a fully managed resource group using node resource group lockdown in Azure Kubernetes Service (AKS)

AKS deploys infrastructure into your subscription for connecting to and running your applications. Changes made directly to resources in the node resource group can affect cluster operations or cause future issues. For example, scaling, storage, or network configurations should be made through the Kubernetes API and not directly on these resources.

To prevent changes from being made to the node resource group, you can apply a deny assignment and block users from modifying resources created as part of the AKS cluster.

Before you begin

Before you begin, you need the following resources installed and configured:

  • The Azure CLI version 2.44.0 or later. Run az --version to find the current version. If you need to install or upgrade, see Install Azure CLI.

Create an AKS cluster with node resource group lockdown

Create a cluster with node resource group lockdown using the az aks create command with the --nrg-lockdown-restriction-level flag set to ReadOnly. This configuration allows you to view the resources but not modify them.

az aks create \
    --name $CLUSTER_NAME \
    --resource-group $RESOURCE_GROUP_NAME \
    --nrg-lockdown-restriction-level ReadOnly \
    --generate-ssh-keys

Update an existing cluster with node resource group lockdown

Update an existing cluster with node resource group lockdown using the az aks update command with the --nrg-lockdown-restriction-level flag set to ReadOnly. This configuration allows you to view the resources but not modify them.

az aks update --name $CLUSTER_NAME --resource-group $RESOURCE_GROUP_NAME --nrg-lockdown-restriction-level ReadOnly

Remove node resource group lockdown from a cluster

Remove node resource group lockdown from an existing cluster using the az aks update command with the --nrg-lockdown-restriction-level flag set to Unrestricted. This configuration allows you to view and modify the resources.

az aks update --name $CLUSTER_NAME --resource-group $RESOURCE_GROUP_NAME --nrg-lockdown-restriction-level Unrestricted
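To confirm which clusters in a subscription actually have the lockdown applied, the following added example (not part of the original page) audits the setting with az aks list. It assumes the level is exposed as nodeResourceGroupProfile.restrictionLevel in the cluster resource; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit node resource group lockdown for every AKS cluster
# in the current subscription.
# Assumption: the cluster resource returned by `az aks list` carries the
# setting as nodeResourceGroupProfile.restrictionLevel.

# Emit one tab-separated row per cluster:
#   name, resource group, node resource group, restriction level
# A multi-select list ([...]) is used so the column order is fixed.
list_nrg_levels() {
    az aks list \
        --query '[].[name, resourceGroup, nodeResourceGroup, nodeResourceGroupProfile.restrictionLevel]' \
        --output tsv
}

# Report each cluster as OK or UNLOCKED.
# Exit status: 0 = every cluster is ReadOnly, 1 = at least one is not,
#              2 = the az query itself failed (never treated as a pass).
audit_nrg_lockdown() {
    rows=$(list_nrg_levels) || {
        echo "az aks list failed; lockdown state unknown" >&2
        return 2
    }
    printf '%s\n' "$rows" | awk -F '\t' '
        $1 == "" { next }                      # skip blank lines
        $4 == "ReadOnly" {
            printf "OK        %s (%s)\n", $1, $3
            next
        }
        {
            # Anything other than ReadOnly (Unrestricted, empty, null)
            # means the node resource group can be modified directly.
            printf "UNLOCKED  %s (%s) level=%s\n", $1, $3, ($4 == "" ? "unset" : $4)
            printf "  fix: az aks update --name %s --resource-group %s --nrg-lockdown-restriction-level ReadOnly\n", $1, $2
            unlocked = 1
        }
        END { exit unlocked + 0 }
    '
}

# Usage, after `az login` and selecting the subscription:
#   audit_nrg_lockdown
```

The non-zero exit status lets the check gate a pipeline or scheduled compliance job.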

Next steps

To learn more about the node resource group in AKS, see Node resource group.