Azure AKS: preventing external resource modifications by enforcing resource group lockdown

Azure AKS can now prevent unwanted external resource modifications, for example via the Azure portal, that may cause issues for the cluster later, especially when we need to maintain it.

We can do this by registering the preview feature:

az feature register --namespace "Microsoft.ContainerService" --name "NRGLockdownPreview"

To check if this feature is already enabled, run the following command

az feature show --namespace "Microsoft.ContainerService" --name "NRGLockdownPreview"

Then update the cluster to enable lockdown

az aks update --name $CLUSTER_NAME --resource-group $RESOURCE_GROUP_NAME --nrg-lockdown-restriction-level ReadOnly 
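The three steps above chained into one script, as an added example that is not part of the original post: it waits for the feature to report Registered, applies the lockdown, and reads the setting back. It assumes a logged-in az CLI, that the restriction level is exposed at nodeResourceGroupProfile.restrictionLevel in the az aks show output, and that az provider register is needed to propagate the feature; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes a logged-in az CLI that
# accepts the --nrg-lockdown-restriction-level flag used in the post.
FEATURE_NS="Microsoft.ContainerService"
FEATURE_NAME="NRGLockdownPreview"

# Print the feature's registration state (e.g. Registering, Registered).
feature_state() {
  az feature show --namespace "$FEATURE_NS" --name "$FEATURE_NAME" \
    --query properties.state -o tsv
}

# Poll until the feature is Registered. $1 = max attempts, $2 = delay in seconds.
wait_for_feature() {
  wf_tries="${1:-30}"; wf_delay="${2:-20}"; wf_i=1
  while [ "$wf_i" -le "$wf_tries" ]; do
    wf_state="$(feature_state)" || return 2
    [ "$wf_state" = "Registered" ] && return 0
    echo "feature state: ${wf_state:-unknown} ($wf_i/$wf_tries)" >&2
    sleep "$wf_delay"
    wf_i=$((wf_i + 1))
  done
  return 1
}

# Print the cluster's current restriction level. $1 = cluster, $2 = resource group.
# Assumption: the value is exposed at nodeResourceGroupProfile.restrictionLevel.
restriction_level() {
  az aks show --name "$1" --resource-group "$2" \
    --query nodeResourceGroupProfile.restrictionLevel -o tsv
}

# Enable lockdown, then read the setting back instead of trusting the exit code.
enable_lockdown() {
  wait_for_feature "${3:-30}" "${4:-20}" || { echo "feature not registered" >&2; return 1; }
  # Refresh the resource provider so it picks up the newly registered feature.
  az provider register --namespace "$FEATURE_NS" >/dev/null || return 1
  az aks update --name "$1" --resource-group "$2" \
    --nrg-lockdown-restriction-level ReadOnly >/dev/null || return 1
  [ "$(restriction_level "$1" "$2")" = "ReadOnly" ]
}

# Runs only when both variables from the post's command are set.
if [ -n "${CLUSTER_NAME:-}" ] && [ -n "${RESOURCE_GROUP_NAME:-}" ]; then
  enable_lockdown "$CLUSTER_NAME" "$RESOURCE_GROUP_NAME" && echo "lockdown: ReadOnly"
fi
```
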

You can also remove the lockdown if you want to.

So what type of resources are we talking about here? 

And now, let's try to delete the public IP for my cluster and see what happens. I get the following error:

The access is denied because of the deny assignment with name 'kubernetes.azure.com: node resource group deny assignment created by Azure Kubernetes Services for nrg-lockdown, see: https://aka.ms/aks/nrg_lockdown'

Can I delete the cluster by removing the entire resource group? 

Yes you can do that. 

