Deploy and manage node resource group lockdown in Azure Kubernetes Service (AKS)

Applies to: ✔️ AKS Automatic ✔️ AKS Standard

AKS deploys infrastructure into your subscription for connecting to and running your applications. Changes made directly to resources in the node resource group can affect cluster operations or cause future issues. For example, scaling, storage, or network configurations should be made through the Kubernetes API and not directly on these resources.

To prevent changes from being made to the node resource group, you can apply a deny assignment and block users from modifying resources created as part of the AKS cluster.

AKS Automatic is the recommended production-ready default for most AKS workloads. In AKS Automatic, node resource group lockdown is preconfigured as part of the fully managed node resource group model.

In AKS Standard, node resource group lockdown is optional and you can configure it with restriction levels.

For more information about AKS Automatic, see What is AKS Automatic?

Before you begin

If you're configuring lockdown on AKS Standard using Azure CLI, you need:

  • Azure CLI version 2.44.0 or later. Run az --version to find the current version. If you need to install or upgrade, see Install Azure CLI.

Restriction levels

Restriction level | Behavior
ReadOnly          | You can view node resource group resources, but a deny assignment blocks direct updates.
Unrestricted      | Direct updates to node resource group resources are allowed.

AKS Automatic

Node resource group lockdown is preconfigured on AKS Automatic clusters. You don't need to run a separate enable command.

To create an AKS Automatic cluster, see Create an Azure Kubernetes Service (AKS) Automatic cluster.

AKS Standard: create a cluster with node resource group lockdown

Create an AKS Standard cluster with node resource group lockdown using the az aks create command with the --nrg-lockdown-restriction-level flag set to ReadOnly. This configuration allows you to view the resources but not modify them.

# Set environment variables
export RESOURCE_GROUP_NAME=<your-resource-group-name>
export CLUSTER_NAME=<your-cluster-name>

# Create an AKS Standard cluster with node resource group lockdown
az aks create \
    --name $CLUSTER_NAME \
    --resource-group $RESOURCE_GROUP_NAME \
    --nrg-lockdown-restriction-level ReadOnly \
    --generate-ssh-keys

AKS Standard: update a cluster with node resource group lockdown

Update an existing AKS Standard cluster with node resource group lockdown using the az aks update command with the --nrg-lockdown-restriction-level flag set to ReadOnly. This configuration allows you to view the resources but not modify them.

# Set environment variables
export RESOURCE_GROUP_NAME=<your-resource-group-name>
export CLUSTER_NAME=<your-cluster-name>

# Update an existing AKS Standard cluster with node resource group lockdown
az aks update --name $CLUSTER_NAME --resource-group $RESOURCE_GROUP_NAME --nrg-lockdown-restriction-level ReadOnly

AKS Standard: remove node resource group lockdown

Remove node resource group lockdown from an existing AKS Standard cluster using the az aks update command with the --nrg-lockdown-restriction-level flag set to Unrestricted. This configuration allows you to view and modify the resources.

# Set environment variables
export RESOURCE_GROUP_NAME=<your-resource-group-name>
export CLUSTER_NAME=<your-cluster-name>

# Remove node resource group lockdown from an existing AKS Standard cluster
az aks update --name $CLUSTER_NAME --resource-group $RESOURCE_GROUP_NAME --nrg-lockdown-restriction-level Unrestricted
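After running any of the create or update commands above, confirm the restriction level the cluster actually reports instead of trusting the command's exit status. The following shell script is an added example, not part of the AKS documentation or the Azure CLI. It assumes that az aks show -o json exposes the level under nodeResourceGroupProfile.restrictionLevel (ReadOnly or Unrestricted) and treats a cluster with no such profile as Unrestricted; the check runs against constructed sample JSON so it can be exercised without a subscription, and the check_live_cluster function shows how the same check applies to a real cluster using the RESOURCE_GROUP_NAME and CLUSTER_NAME variables exported above.

```shell
# Added example (not from the AKS documentation): verify the node resource
# group lockdown level a cluster reports, so ReadOnly can be gated in CI
# rather than assumed.
#
# Assumption: `az aks show -o json` returns the level under
# nodeResourceGroupProfile.restrictionLevel; a cluster without that profile
# is treated as Unrestricted.

# Constructed sample outputs standing in for `az aks show -o json`.
SAMPLE_READONLY='{"name":"demo","nodeResourceGroup":"MC_demo-rg_demo_eastus","nodeResourceGroupProfile":{"restrictionLevel":"ReadOnly"}}'
SAMPLE_UNRESTRICTED='{"name":"demo","nodeResourceGroup":"MC_demo-rg_demo_eastus","nodeResourceGroupProfile":{"restrictionLevel":"Unrestricted"}}'
SAMPLE_NO_PROFILE='{"name":"legacy","nodeResourceGroup":"MC_demo-rg_legacy_eastus"}'

# lockdown_level JSON -> prints the restrictionLevel value, or nothing if absent.
# Uses sed only, so it also works on hosts without jq.
lockdown_level() {
  printf '%s\n' "$1" | sed -n 's/.*"restrictionLevel"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# check_lockdown JSON -> prints "locked" (exit 0) when the level is ReadOnly,
# "unlocked" (exit 1) for Unrestricted or a missing profile, and "unknown"
# (exit 2) for any other value, so it can gate a pipeline step.
check_lockdown() {
  level=$(lockdown_level "$1")
  case "$level" in
    ReadOnly)        echo "locked";   return 0 ;;
    Unrestricted|"") echo "unlocked"; return 1 ;;
    *)               echo "unknown";  return 2 ;;
  esac
}

# Live use against a real cluster (not executed here): fetch the cluster
# JSON and pass it to check_lockdown. Requires an authenticated Azure CLI.
check_live_cluster() {
  check_lockdown "$(az aks show --name "$CLUSTER_NAME" --resource-group "$RESOURCE_GROUP_NAME" -o json)"
}

# Demonstration on the constructed samples: locked, unlocked, unlocked
for s in "$SAMPLE_READONLY" "$SAMPLE_UNRESTRICTED" "$SAMPLE_NO_PROFILE"; do
  check_lockdown "$s" || true
done
```

In a pipeline, call check_live_cluster right after az aks update and fail the job on a nonzero exit; a cluster that reports Unrestricted after the update, or one with no profile at all, has not been locked down regardless of what the update command printed.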

Frequently asked questions (FAQs)

Is node resource group lockdown enabled by default on AKS Automatic?

Yes, it's preconfigured on AKS Automatic clusters.

Do I need to run lockdown commands on AKS Automatic?

No, lockdown commands are for AKS Standard configuration.

When should I use ReadOnly on AKS Standard?

Use ReadOnly when you want stronger protection against direct infrastructure edits and prefer cluster changes through AKS and Kubernetes APIs.