AKS on Azure Stack HCI and Windows Server - November 2022 update

Hello everyone,

The last release for 2022 is now available!  This is a combination October/November release with a pile of new previews and tools to try out over the winter holiday season.  This is a great release for us as it allows you to enable the Azure Hybrid Benefits announced at ignite!

Go try out Azure AD role-based access controls (RBAC) preview and apply Azure Hybrid Benefits if you (or your company) have Software Assurance.

Before getting into the update details, we have a few Announcements:

• We will retire AKS-HCI versions, starting with February 2022, March 2022 and May 2022 updates in January 2023. This release also marks the end-of-support for the August 2022 update (AKS-HCI versions 1.0.13.10907). Please update your clusters to remain in support.
• SDN + AKS HCI update Known Issue - there is a bug in the SDN cluster upgrade logic that impacts cluster update.  This bug will be resolved by next AKS update (January) and does not impact new SDN + AKS-HCI cluster is being built, these deployments are not impacted.
• If you plan on shutting down your AKS clusters or skip updating during the holiday season, you will likely have internal certificates or tokens expiring when you restart your environment. You can follow these steps to recover your AKS cluster from expired certs.

Ok!  On to new features and things to check out.

As always, you can try AKS on Azure Stack HCI or Windows Server any time using our get-started guide.  If you do not have the hardware handy to evaluate AKS on physical hardware you can use our eval guide to set up AKS on a Windows Server Azure VM.

Azure Hybrid Benefit for AKS

Azure Hybrid Benefit for Azure Kubernetes Service is now generally available. With Azure Hybrid Benefit, customers can now apply their existing Windows Server Software Assurance and Cloud Solution Provider subscriptions to AKS. For more details on how to activate this benefit, visit AKS hybrid public documentation.

Azure RBAC support in AKS hybrid clusters (preview)

This feature uses Azure pre-built and custom roles to authorize users in lieu of using local cluster permissions, users can access their on-premises cluster either from their network or over the internet.

You can now update internal certificate authorities (preview)

If you're using customer certificate authorities with AKS hybrid today, you know that we're currently asking folks to overload the proxy cert option in PowerShell with a list of certificates.  Starting in this release, you can update the proxy cert list to change the list of custom certificates propagated through each cluster.  While the cert list can be updated at any point, changes won't be applied until the next update.

Kubernetes 1.24 support + breaking change to node pool taint labels

This release includes support for Kubernetes 1.24!

Kubernetes 1.24 has one significant breaking change everyone needs to be aware of - in Kubernetes 1.24, the “master” label/taint in kubeadm control plane nodes has been updates to "control-plane". In your specs, please change the “master” label to “control-plane”.

There are also two security updates which shouldn't impact applications or developer workflows but do improve security.

1. Removal of Dockershim from kubelet - while Kubernetes has been moving from dockershim to containerd for quite a while, dockershim has been completely removed from kubelet in 1.24 for both Windows and Linux clusters. While this shouldn't impact any of your applications (AKS on HCI + WS moved to containerd last month) you can read more about seeing how dockershim removal affects you.
2. Beta APIs off by default - From this release onwards, it will be up to the provider to see which beta features should be enabled. For this release, AKS hybrid has followed the Kubernetes upstream default, but we plan to align with AKS by switching the Beta APIs on in coming releases.

Azure Stack HCI 22H2

Officially announcing 22H2 as a supported host for AKS. Customers running AKS on 21H2 and older versions should update their host OS without any issues.

Documentation updates

We have a ton of new content this month to support all of the new features in this release:

• Apply Azure Hybrid Benefit for Azure Kubernetes Service
• Set up Trust in Azure Kubernetes Service on AKS hybrid - this article has been updated to include how to update certificates
• Set-AksHciConfig for AKS on Azure Stack HCI and Windows Server
• We've added a section in our docs explaining the meaning of our version numbers -  Concepts - Upgrade the AKS host in AKS hybrid using PowerShell

Troubleshooting guide updates

• Cluster controlplane - certificate expired - Unable to connect to the server: x509
• Target cluster pod logs are not accessible - remote error: tls: internal error
• Set-AksHciConfig fails with the error "GetCatalog error returned by API call: … proxyconnect tcp: tls: first record does not look like a TLS Handshake"
• Error: 'Install-Moc failed. Exception [An issue happened while registering the resource name as a computer object with the domain controller and/or the DNS server.]

Bug fixes:

• First set of prechecks added to Set-AksHciConfig to validate the readiness of host, config, failover cluster, Hyper-V
• Precheck cloud service IP against cluster network and gateway IP
• Precheck AD permissions to create child computer objects

Once you have downloaded and installed the AKS on Azure Stack HCI or Windows Server Update – you can report any issues you encounter and track future feature work on our GitHub Project at  https://github.com/Azure/aks-hci.

We look forward to hearing from you all!

Cheers,

Sarah