Deploy a fully managed resource group using node resource group lockdown (preview) in Azure Kubernetes Service (AKS)

AKS deploys the infrastructure that runs your workloads (virtual machine scale sets, load balancers, disks, virtual network resources) into a node resource group in your subscription. Changes made directly to resources in that resource group can affect cluster operations or cause problems later. Scaling, storage, and network configuration changes, for example, should be made through the Kubernetes API or AKS, not directly on these resources.

To prevent changes from being made to the node resource group, you can have AKS apply a deny assignment to it, which blocks users from modifying the resources created as part of the AKS cluster. In Azure RBAC a deny assignment takes precedence over role assignments, so the block applies even to principals that hold Owner or Contributor on the subscription; with the ReadOnly level they can still read the resources.

Important

AKS preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available," and they're excluded from the service-level agreements and limited warranty. AKS previews are partially covered by customer support on a best-effort basis. As such, these features aren't meant for production use. For more information, see the following support articles:

Before you begin

Before you begin, you need the following resources installed and configured:

  • The Azure CLI version 2.44.0 or later. Run az --version to find the current version. If you need to install or upgrade, see Install Azure CLI.
  • The aks-preview extension version 0.5.126 or later.
  • The NRGLockdownPreview feature flag registered on your subscription.

Install the aks-preview CLI extension

Install or update the aks-preview extension using the az extension add or the az extension update command.

# Install the aks-preview extension
az extension add --name aks-preview

# Update to the latest version of the aks-preview extension
az extension update --name aks-preview

Register the NRGLockdownPreview feature flag

  1. Register the NRGLockdownPreview feature flag using the az feature register command.

    az feature register --namespace "Microsoft.ContainerService" --name "NRGLockdownPreview"
    

    It takes a few minutes for the status to show Registered.

  2. Verify the registration status using the az feature show command.

    az feature show --namespace "Microsoft.ContainerService" --name "NRGLockdownPreview"
    
  3. When the status reflects Registered, refresh the registration of the Microsoft.ContainerService resource provider using the az provider register command.

    az provider register --namespace Microsoft.ContainerService
    

Create an AKS cluster with node resource group lockdown

Create a cluster with node resource group lockdown using the az aks create command with the --nrg-lockdown-restriction-level flag set to ReadOnly. This configuration allows you to view the resources but not modify them.

az aks create \
    --name $CLUSTER_NAME \
    --resource-group $RESOURCE_GROUP_NAME \
    --nrg-lockdown-restriction-level ReadOnly \
    --generate-ssh-keys

Update an existing cluster with node resource group lockdown

Update an existing cluster with node resource group lockdown using the az aks update command with the --nrg-lockdown-restriction-level flag set to ReadOnly. This configuration allows you to view the resources but not modify them.

az aks update --name $CLUSTER_NAME --resource-group $RESOURCE_GROUP_NAME --nrg-lockdown-restriction-level ReadOnly

Remove node resource group lockdown from a cluster

Remove node resource group lockdown from an existing cluster using the az aks update command with the --nrg-lockdown-restriction-level flag set to Unrestricted (the same flag used to enable it). This configuration allows you to view and modify the resources.

az aks update --name $CLUSTER_NAME --resource-group $RESOURCE_GROUP_NAME --nrg-lockdown-restriction-level Unrestricted
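The whole procedure above, from waiting for the feature flag through applying a restriction level, reading it back, and probing that a write to the node resource group is actually denied, as one script. This is an added example, not code from the AKS documentation. It assumes the Azure CLI with the aks-preview extension is installed and logged in, that CLUSTER_NAME and RESOURCE_GROUP_NAME are exported, and that az aks show exposes the setting at nodeResourceGroupProfile.restrictionLevel (the property path used by the preview API). The NRG_LOCKDOWN_APPLY and LEVEL variables, the probe that tags a scale set in the node resource group, and the JSON helper are all introduced here; nothing touches Azure unless NRG_LOCKDOWN_APPLY=1 is set, so the helpers can be exercised on their own.

```shell
#!/usr/bin/env sh
# Added example: enable and verify AKS node resource group lockdown end to end.
# Assumptions: az CLI + aks-preview extension, logged in; CLUSTER_NAME and
# RESOURCE_GROUP_NAME exported. NRG_LOCKDOWN_APPLY=1 is a guard introduced here
# so that sourcing this file runs nothing against Azure.

# Pull "state" out of `az feature show -o json` output without needing jq.
# Prints Registered / Registering / NotRegistered ..., or Unknown if absent.
feature_state() {
    s=$(printf '%s' "$1" | tr -d '\n' |
        sed -n 's/.*"state"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    if [ -n "$s" ]; then printf '%s' "$s"; else printf 'Unknown'; fi
}

# The flag accepts exactly these two values (the CLI is case-sensitive).
valid_level() {
    case "$1" in
        ReadOnly|Unrestricted) return 0 ;;
        *) return 1 ;;
    esac
}

# Poll the feature flag until it reads Registered; $3 = max attempts, 10 s apart.
wait_for_feature() {
    ns=$1; name=$2; max=${3:-30}; i=0
    while [ "$i" -lt "$max" ]; do
        state=$(feature_state "$(az feature show --namespace "$ns" --name "$name" -o json)")
        echo "$ns/$name: $state"
        [ "$state" = "Registered" ] && return 0
        i=$((i + 1)); sleep 10
    done
    return 1
}

# Set the restriction level, then print what the cluster reports afterwards.
set_lockdown() {
    valid_level "$1" || { echo "invalid level: $1 (ReadOnly|Unrestricted)" >&2; return 2; }
    az aks update -n "$CLUSTER_NAME" -g "$RESOURCE_GROUP_NAME" \
        --nrg-lockdown-restriction-level "$1" -o none
    # Assumed property path for the preview API; adjust if az aks show differs.
    az aks show -n "$CLUSTER_NAME" -g "$RESOURCE_GROUP_NAME" \
        --query nodeResourceGroupProfile.restrictionLevel -o tsv
}

# Probe: try a harmless tag write on the first VMSS in the node resource group.
# Returns 0 when the write is denied (lockdown effective), 1 when it succeeds.
# Under Unrestricted the tag really is written, so remove it afterwards.
probe_node_rg_write() {
    node_rg=$(az aks show -n "$CLUSTER_NAME" -g "$RESOURCE_GROUP_NAME" \
        --query nodeResourceGroup -o tsv)
    vmss=$(az vmss list -g "$node_rg" --query '[0].name' -o tsv)
    if az vmss update -g "$node_rg" -n "$vmss" --set tags.nrgLockdownProbe=1 -o none 2>/dev/null; then
        echo "write to $node_rg/$vmss ALLOWED"; return 1
    fi
    echo "write to $node_rg/$vmss DENIED"; return 0
}

if [ "${NRG_LOCKDOWN_APPLY:-0}" = "1" ]; then
    az feature register --namespace Microsoft.ContainerService --name NRGLockdownPreview -o none
    wait_for_feature Microsoft.ContainerService NRGLockdownPreview || { echo "feature not registered" >&2; exit 1; }
    az provider register --namespace Microsoft.ContainerService
    set_lockdown "${LEVEL:-ReadOnly}"
    probe_node_rg_write
fi
```

Run it with NRG_LOCKDOWN_APPLY=1 LEVEL=ReadOnly after exporting the cluster variables; a DENIED line from the probe is the confirmation that the deny assignment is in place, and running it again with LEVEL=Unrestricted should flip that to ALLOWED (and leave the probe tag on the scale set for you to clean up).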

Next steps

To learn more about the node resource group in AKS, see Node resource group.