{"id":2586,"date":"2025-07-18T15:21:44","date_gmt":"2025-07-18T12:21:44","guid":{"rendered":"https:\/\/www.jussimetso.com\/?p=2586"},"modified":"2025-07-18T15:23:18","modified_gmt":"2025-07-18T12:23:18","slug":"azure-kubernetes-cluster-update-security","status":"publish","type":"post","link":"https:\/\/www.jussimetso.com\/index.php\/2025\/07\/18\/azure-kubernetes-cluster-update-security\/","title":{"rendered":"Azure Kubernetes Cluster update &amp; security"},"content":{"rendered":"<div id=\"bsf_rt_marker\"><\/div>\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"2586\" class=\"elementor elementor-2586\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-0f00d34 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"0f00d34\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-d55b8f7\" data-id=\"d55b8f7\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-8332083 elementor-widget elementor-widget-text-editor\" data-id=\"8332083\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>I just found out (when I was starting to evaluate new features in Azure Kubernetes Service) that the Kubernetes cluster creation in the Azure portal has changed.<\/p><p>I mean there are new features published in June 2025. 
These are actually quite nice, because most of the time when I have evaluated customers&#8217; Azure security status, AKS has shown a lot of security issues. So let&#8217;s find out.<\/p><p>There are also some Defender for Cloud related options to choose, described later in the post. Those came to AKS during Jan-June 2025.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c396717 elementor-toc--minimized-on-tablet elementor-widget elementor-widget-table-of-contents\" data-id=\"c396717\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;headings_by_tags&quot;:[&quot;h2&quot;,&quot;h3&quot;,&quot;h4&quot;,&quot;h5&quot;],&quot;exclude_headings_by_selector&quot;:[],&quot;no_headings_message&quot;:&quot;No headings were found on this page.&quot;,&quot;marker_view&quot;:&quot;numbers&quot;,&quot;minimize_box&quot;:&quot;yes&quot;,&quot;minimized_on&quot;:&quot;tablet&quot;,&quot;hierarchical_view&quot;:&quot;yes&quot;,&quot;min_height&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]}}\" data-widget_type=\"table-of-contents.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-toc__header\">\n\t\t\t\t\t\t<h4 class=\"elementor-toc__header-title\">\n\t\t\t\tTable of Contents\t\t\t<\/h4>\n\t\t\t\t\t\t\t\t\t\t<div class=\"elementor-toc__toggle-button elementor-toc__toggle-button--expand\" role=\"button\" tabindex=\"0\" aria-controls=\"elementor-toc__c396717\" aria-expanded=\"true\" aria-label=\"Open table of contents\"><i aria-hidden=\"true\" class=\"fas fa-chevron-down\"><\/i><\/div>\n\t\t\t\t<div class=\"elementor-toc__toggle-button elementor-toc__toggle-button--collapse\" 
role=\"button\" tabindex=\"0\" aria-controls=\"elementor-toc__c396717\" aria-expanded=\"true\" aria-label=\"Close table of contents\"><i aria-hidden=\"true\" class=\"fas fa-chevron-up\"><\/i><\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<div id=\"elementor-toc__c396717\" class=\"elementor-toc__body\">\n\t\t\t<div class=\"elementor-toc__spinner-container\">\n\t\t\t\t<i class=\"elementor-toc__spinner eicon-animation-spin eicon-loading\" aria-hidden=\"true\"><\/i>\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ddfe19c elementor-widget elementor-widget-heading\" data-id=\"ddfe19c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Security options in Cluster creation process<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-61721f8 elementor-widget elementor-widget-text-editor\" data-id=\"61721f8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>I found out that there are new options to enable automatic patching of the <span class=\"css-154\">cluster to a newer version of Kubernetes and to schedule it if necessary. 
So if you upgrade your cluster, you can choose whether to upgrade only the control plane or to also upgrade all node pools.<\/span><\/p><p>This helps and reduces manual work, because infrastructure maintenance windows are usually very short and there is a lot to do.<\/p><p>This also eases the customer&#8217;s security pain, because if these upgrades and patches are automated, at least the cluster and node security levels are at the recommended level.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-167353a elementor-widget elementor-widget-image\" data-id=\"167353a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"640\" height=\"470\" src=\"https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/aks_cluster_update_options.png?fit=640%2C470&amp;ssl=1\" class=\"attachment-large size-large wp-image-2587\" alt=\"\" srcset=\"https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/aks_cluster_update_options.png?w=1105&amp;ssl=1 1105w, https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/aks_cluster_update_options.png?resize=300%2C220&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/aks_cluster_update_options.png?resize=1024%2C752&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/aks_cluster_update_options.png?resize=768%2C564&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/aks_cluster_update_options.png?resize=850%2C624&amp;ssl=1 850w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5e1052a elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" 
data-id=\"5e1052a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-8671070 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"8671070\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-c215335\" data-id=\"c215335\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c6f6c4d elementor-widget elementor-widget-heading\" data-id=\"c6f6c4d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Cluster automatic update<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-bf8271b elementor-widget elementor-widget-text-editor\" data-id=\"bf8271b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>If you select to enable automatic cluster upgrade you will need to choose from 4 &#8220;enabled&#8221; options. 
Otherwise you choose &#8220;disable&#8221; and clusters need to be updated manually.<\/p><p>&#8220;Any upgrade operation, whether performed manually or automatically, upgrades the node image version if it&#8217;s not already on the latest version. The latest version is contingent on a full AKS release and can be determined by visiting the <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/aks\/release-tracker\" target=\"_blank\" rel=\"noopener\" data-linktype=\"relative-path\"><span style=\"text-decoration: underline;\">AKS release tracker<\/span><\/a>.<\/p><p>Auto-upgrade first upgrades the control plane, and then upgrades agent pools one by one.&#8221; -MS Learn<\/p><p><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/aks\/auto-upgrade-cluster?tabs=azure-cli#cluster-auto-upgrade-channels\" target=\"_blank\" rel=\"noopener\">Link to <span style=\"text-decoration: underline;\">more information about the choices in MS Learn<\/span> (see the image below).<\/a><\/p><p><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/aks\/planned-maintenance?tabs=azure-cli\" target=\"_blank\" rel=\"noopener\">Link to <span style=\"text-decoration: underline;\">maintenance scheduling<\/span> in MS Learn.<\/a><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-913e8a3 elementor-widget elementor-widget-image\" data-id=\"913e8a3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"640\" height=\"515\" src=\"https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/aks_cluster_update_options1.png?fit=640%2C515&amp;ssl=1\" class=\"attachment-large size-large wp-image-2588\" alt=\"\" srcset=\"https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/aks_cluster_update_options1.png?w=687&amp;ssl=1 
687w, https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/aks_cluster_update_options1.png?resize=300%2C241&amp;ssl=1 300w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">AKS cluster automatic upgrade selection<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-90c7897 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"90c7897\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-b954b48 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"b954b48\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-5421f55\" data-id=\"5421f55\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-8b66af9 elementor-widget elementor-widget-heading\" data-id=\"8b66af9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Node security channel<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div 
class=\"elementor-element elementor-element-121c556 elementor-widget elementor-widget-text-editor\" data-id=\"121c556\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Also it is possible to enable cluster node OS patching with three options.\u00a0<\/p><p>Link to <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/aks\/auto-upgrade-node-os-image?tabs=azure-cli#available-node-os-upgrade-channels\" target=\"_blank\" rel=\"noopener\" data-wplink-edit=\"true\"><span style=\"text-decoration: underline;\">node OS automatic update channels and descriptions in MS learn.<\/span><\/a> Reference to image below.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3fc4f16 elementor-widget elementor-widget-image\" data-id=\"3fc4f16\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"640\" height=\"475\" src=\"https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/aks_cluster_update_options2.png?fit=640%2C475&amp;ssl=1\" class=\"attachment-large size-large wp-image-2589\" alt=\"\" srcset=\"https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/aks_cluster_update_options2.png?w=685&amp;ssl=1 685w, https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/aks_cluster_update_options2.png?resize=300%2C222&amp;ssl=1 300w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">AKS node OS automatic patching<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-538ba1b elementor-widget-divider--view-line 
elementor-widget elementor-widget-divider\" data-id=\"538ba1b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-85b7429 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"85b7429\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7594f71\" data-id=\"7594f71\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-cd2178b elementor-widget elementor-widget-heading\" data-id=\"cd2178b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Defender for Cloud related options<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c8e6a62 elementor-widget elementor-widget-text-editor\" data-id=\"c8e6a62\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>There are four selectable security options in Cluster creation.<\/p><ul><li>OpenID Connect<\/li><li>Workload Identity<\/li><li>Image cleaner<\/li><li>Azure Key Vault\u00a0<\/li><\/ul><p>Link to <a 
href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/aks\/auto-upgrade-node-os-image?tabs=azure-cli#available-node-os-upgrade-channels\" target=\"_blank\" rel=\"noopener\"><span style=\"text-decoration: underline;\">node OS automatic update channels and descriptions in MS Learn.<\/span><\/a> Reference to image below.<\/p><p>There are also container security features, such as alerts, security recommendations and vulnerabilities, available with the Defender for Containers plan. See my <a href=\"https:\/\/www.jussimetso.com\/index.php\/2025\/04\/24\/defender-for-cloud-part-10-cloud-workload-protection-cwp\/\" target=\"_blank\" rel=\"noopener\"><span style=\"text-decoration: underline;\">post<\/span><\/a> about workload protections.\u00a0<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7c5e4d2 elementor-widget elementor-widget-heading\" data-id=\"7c5e4d2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">OpenID Connect<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3d8115f elementor-widget elementor-widget-text-editor\" data-id=\"3d8115f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"text-decoration: underline;\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/fundamentals\/auth-oidc\" target=\"_blank\" rel=\"noopener\" data-linktype=\"absolute-path\">OpenID Connect<\/a><\/span> (OIDC) extends the OAuth 2.0 authorization protocol for use as another authentication protocol issued by Microsoft Entra ID. 
You can use OIDC to enable single sign-on (SSO) between OAuth-enabled applications on your Azure Kubernetes Service (AKS) cluster by using a security token called an ID token. With your AKS cluster, you can enable the OpenID Connect (OIDC) issuer, which allows Microsoft Entra ID, or another cloud provider&#8217;s identity and access management platform, to discover the API server&#8217;s public signing keys.<\/p><p>More info in <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/aks\/use-oidc-issuer\" target=\"_blank\" rel=\"noopener\"><span style=\"text-decoration: underline;\">MS Learn<\/span><\/a>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2b74e42 elementor-widget elementor-widget-heading\" data-id=\"2b74e42\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Entra Workload ID<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-23c8f56 elementor-widget elementor-widget-text-editor\" data-id=\"23c8f56\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Workloads deployed on an Azure Kubernetes Services (AKS) cluster require Microsoft Entra application credentials or managed identities to access Microsoft Entra protected resources, such as Azure Key Vault and Microsoft Graph. 
Microsoft Entra Workload ID integrates with the capabilities native to Kubernetes to federate with external identity providers.<\/p><p>More info in <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/aks\/workload-identity-overview?tabs=dotnet\" target=\"_blank\" rel=\"noopener\"><span style=\"text-decoration: underline;\">MS Learn<\/span><\/a>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-44f2703 elementor-widget elementor-widget-heading\" data-id=\"44f2703\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Image cleaner<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-aac7bb0 elementor-widget elementor-widget-text-editor\" data-id=\"aac7bb0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>When deploying images to Azure Kubernetes Service (AKS), leftover unreferenced images can accumulate, creating security risks due to potential vulnerabilities. Manual cleanup is inefficient. 
Using Image Cleaner automates identification and removal of these stale images, enhancing security and saving time.\u00a0<\/p><p>More info in <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/aks\/image-cleaner\" target=\"_blank\" rel=\"noopener\"><span style=\"text-decoration: underline;\">MS Learn.<\/span><\/a><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5d01421 elementor-widget elementor-widget-heading\" data-id=\"5d01421\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Azure Key Vault for CSI secrets<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-93db8ff elementor-widget elementor-widget-text-editor\" data-id=\"93db8ff\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The Azure Key Vault provider for Secrets Store CSI Driver allows for the integration of an Azure Key Vault as a secret store with an Azure Kubernetes Service (AKS) cluster via a <a href=\"https:\/\/kubernetes-csi.github.io\/docs\/\" target=\"_blank\" rel=\"noopener\" data-linktype=\"external\"><span style=\"text-decoration: underline;\">CSI volume<\/span><\/a>.<\/p><p>More info in <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/aks\/csi-secrets-store-driver\" target=\"_blank\" rel=\"noopener\"><span style=\"text-decoration: underline;\">MS Learn<\/span><\/a>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9f87e79 elementor-widget elementor-widget-image\" data-id=\"9f87e79\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure 
class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"619\" src=\"https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/aks_cluster_update_options_mdc_options.png?fit=640%2C619&amp;ssl=1\" class=\"attachment-large size-large wp-image-2590\" alt=\"\" srcset=\"https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/aks_cluster_update_options_mdc_options.png?w=1105&amp;ssl=1 1105w, https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/aks_cluster_update_options_mdc_options.png?resize=300%2C290&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/aks_cluster_update_options_mdc_options.png?resize=1024%2C991&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/aks_cluster_update_options_mdc_options.png?resize=768%2C743&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/aks_cluster_update_options_mdc_options.png?resize=850%2C822&amp;ssl=1 850w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Defender for Cloud options in AKS creation<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-851951c elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"851951c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-70eb08e6 
elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"70eb08e6\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-4f7f339f\" data-id=\"4f7f339f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-1a82aaa2 elementor-widget elementor-widget-author-box\" data-id=\"1a82aaa2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"author-box.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-author-box\">\n\t\t\t\t\t\t\t<div  class=\"elementor-author-box__avatar\">\n\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2024\/07\/jussi_06_2024.jpg?fit=262%2C300&#038;ssl=1\" alt=\"Picture of Jussi Metso\" loading=\"lazy\">\n\t\t\t\t<\/div>\n\t\t\t\n\t\t\t<div class=\"elementor-author-box__text\">\n\t\t\t\t\t\t\t\t\t<div >\n\t\t\t\t\t\t<h6 class=\"elementor-author-box__name\">\n\t\t\t\t\t\t\tJussi Metso\t\t\t\t\t\t<\/h6>\n\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-author-box__bio\">\n\t\t\t\t\t\t<p>Author is a lifelong IT enthusiast, Microsoft Security MVP and interested in Cloud Security, XDR, SIEM and AI. Motto: Learning is the key for your future. 
<\/p>\n\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Find out these new automatic cluster upgrade &#038; node OS patching options.<\/p>\n","protected":false},"author":1,"featured_media":2597,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[7],"tags":[],"class_list":["post-2586","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.jussimetso.com\/wp-content\/uploads\/2025\/07\/aks_icon_big.png?fit=561%2C478&ssl=1","jetpack_shortlink":"https:\/\/wp.me\/pes24X-FI","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.jussimetso.com\/index.php\/wp-json\/wp\/v2\/posts\/2586","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jussimetso.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jussimetso.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jussimetso.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jussimetso.com\/index.php
\/wp-json\/wp\/v2\/comments?post=2586"}],"version-history":[{"count":12,"href":"https:\/\/www.jussimetso.com\/index.php\/wp-json\/wp\/v2\/posts\/2586\/revisions"}],"predecessor-version":[{"id":2603,"href":"https:\/\/www.jussimetso.com\/index.php\/wp-json\/wp\/v2\/posts\/2586\/revisions\/2603"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.jussimetso.com\/index.php\/wp-json\/wp\/v2\/media\/2597"}],"wp:attachment":[{"href":"https:\/\/www.jussimetso.com\/index.php\/wp-json\/wp\/v2\/media?parent=2586"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jussimetso.com\/index.php\/wp-json\/wp\/v2\/categories?post=2586"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jussimetso.com\/index.php\/wp-json\/wp\/v2\/tags?post=2586"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}