AKS on Azure Stack HCI and Windows Server - September 2022 update

Hello everyone,

This is an exciting month for us in the AKS hybrid team.  Not only do I get to share the September update of AKS on Azure Stack HCI and Windows Server but Ignite also just began and will include some exciting announcements.

Looking at the September release, this update is absolutely packed with new things from new PowerShell controls for pre-downloading images to Mariner 2.0 support.  Stay tuned for a follow up blog post with all of the Ignite sessions you should follow to follow our other product updates.

As always, you can try AKS on Azure Stack HCI or Windows Server any time using our get-started guide.  If you do not have the hardware handy to evaluate AKS on physical hardware you can use our eval guide to set up AKS on a Windows Server Azure VM.

Here are more details about the changes you'll see in this update:

PowerShell support for pre-downloading install and update content (preview)
We have seen a number of people running AKS on HCI or Windows Server in semi-connected or low-quality networking environments.  We have introduced new PowerShell cmdlets to pre-download AKS hybrid images so that update and install are more reliable in places where large data downloads need to be pre-staged.  Read more.

Software Defined Networking (SDN) support has been promoted to GA
Last month we announced Microsoft SDN integration had been integrated into our GA build as a preview feature.  We have completed validation, added documentation, and are officially moving SDN from preview to GA.

Updated Linux container base image to Mariner 2.0

Mariner 2.0 is just under half the size of Mariner 1.0 but comes with security improvements, faster upgrades, and ~3000 added or updated packages.  We’re excited.

As a reminder, the Mariner image under all of our Linux container workloads provides a Linux kernel for Linux-based Kubernetes clusters.  You can, of course, run any Linux container you'd like on this base image (ubuntu, alpine, redis, busybox, etc).

Support for multiple administrators using system Administrators group
Some of you may have experienced an annoying permission error when someone other than the user who installed AKS hybrid tries to upgrade, make new clusters, or generally interact with the AKS service.

Starting with the September release, AKS on Azure Stack HCI and Windows Server permissions are integrated with the local 'Administrators' user group; now any Administrator on the system to create/delete clusters and manage the AKS service.

Documentation updates

The biggest documentation update is that we have moved our eval guide to documentation so it's easier to try AKS hybrid in a virtual machine before investing in hardware and larger-scale deployment.    Check out our AKS on Azure Stack HCI and Windows Server in Azure Virtual Machine Evaluation Guide.

We have a lot of new content this month to support our new capabilities, including:

• How to pre-download images for install and update
  Plus supporting PowerShell references:
• enable-akshciofflinedownload
• disable-akshciofflinedownload
• set-akshcioffsiteconfig
• set-akshciconfig (not new but updated with new params)
• get-akshcirelease
• Updates to SDN guidance to reflect general availability
• Updated Active Directory single sign on doc based on feedback.

Finally, there are a handful of new troubleshooting guides this month for issues we have seen:

• Error 'Certificate expired - Unable to connect to the server: x509'
• KMS pod fails and the KMS pod logs contain errors
• Error 'System.Collections.Hashtable.generic_non_zero 1 [Error: Certificate has expired: Expired]
• SDN + AKS HCI Known Issue - Update, Invoke, and Repair AKSHCI PowerShell cmdlets sometimes fail because they can't connect through security isolation on an overlay virtual network.  This script is available to download that will connect the HCI host to the virtual network on-demand so that the AKSHCI commands run as expected.

Security updates

Mariner - Release CBL-Mariner 2.0 September 2022 Update 3 · microsoft/CBL-Mariner (github.com)

Bug fixes:

• Introduced auto-renewal for mocctl certificate expiry issue which improves quality past 90 days.
• Added an install precheck for root folders for the CSV (eg: c:\clusterstorage\volume1) as workingDir.
• Improved reliability when starting/stopping cluster VMs.
• Updated the pattern internally for identifying control plane VMs to improve cert repair behavior.  This improves update reliability.

Once you have downloaded and installed the AKS on Azure Stack HCI or Windows Server Update – you can report any issues you encounter and track future feature work on our GitHub Project at  https://github.com/Azure/aks-hci.

We look forward to hearing from you all!

Cheers,

Sarah