
Tutorial: Add an Azure Linux with OS Guard (preview) node pool to an existing Azure Kubernetes Service (AKS) cluster

Note

Azure Linux with OS Guard (preview) is being replaced by Azure Container Linux (ACL).

Azure Container Linux is the long‑term, immutable, container‑optimized Linux operating system (OS) for Azure Kubernetes Service (AKS). It provides a secure, minimal, and operationally consistent host OS designed to run containerized workloads at scale.

For more information, see the Azure Container Linux (ACL) overview.

In AKS, nodes with the same configurations are grouped together into node pools. Each node pool contains the virtual machines (VMs) that run your applications. In the previous tutorial, you created an Azure Linux with OS Guard cluster with a single node pool. To meet the varying compute, storage, or security requirements of your applications, you can add user node pools.

In this tutorial, part two of five, you learn how to:

  • Add an Azure Linux with OS Guard node pool to an existing cluster.
  • Check the status of your node pools.

The commands in this tutorial use the environment variables set in Tutorial 1: Create a cluster with Azure Linux with OS Guard for AKS.

In later tutorials, you learn how to migrate nodes to Azure Linux with OS Guard and enable telemetry to monitor your clusters.

Prerequisites

Azure Linux with OS Guard considerations and limitations

Before you begin, review the following considerations and limitations for Azure Linux with OS Guard (preview):

Add an Azure Linux with OS Guard node pool

Add an Azure Linux with OS Guard node pool to your existing cluster using the az aks nodepool add command with --os-sku AzureLinuxOSGuard. Azure Linux with OS Guard also requires FIPS, Secure Boot, and vTPM to be enabled (the --enable-fips-image, --enable-secure-boot, and --enable-vtpm flags). The following example creates a node pool named osgNodePool that adds three nodes to the cluster:


az aks nodepool add \
    --resource-group $RESOURCE_GROUP \
    --cluster-name $CLUSTER_NAME \
    --name osgNodePool \
    --node-count 3 \
    --os-sku AzureLinuxOSGuard \
    --node-osdisk-type Managed \
    --enable-fips-image \
    --enable-secure-boot \
    --enable-vtpm

Example output:

{
  "agentPoolType": "VirtualMachineScaleSets",
  "count": 3,
  "name": "osgNodePool",
  "osType": "Linux",
  "provisioningState": "Succeeded",
  "resourceGroup": "testAzureLinuxOSGuardResourceGroupxxxxx",
  "type": "Microsoft.ContainerService/managedClusters/agentPools"
}

Note

The name of a node pool must start with a lowercase letter and can only contain alphanumeric characters. For Linux node pools, the length must be between one and 12 characters.

Check the node pool status

Check the status of your node pools using the az aks nodepool list command.

az aks nodepool list --resource-group $RESOURCE_GROUP --cluster-name $CLUSTER_NAME

Example output:

[
  {
    "agentPoolType": "VirtualMachineScaleSets",
    "availabilityZones": null,
    "count": 3,
    "enableAutoScaling": false,
    "enableEncryptionAtHost": false,
    "enableFips": false,
    "enableNodePublicIp": false,
    "id": "/subscriptions/REDACTED/resourcegroups/myAKSResourceGroupxxxxx/providers/Microsoft.ContainerService/managedClusters/myAKSClusterxxxxx/agentPools/npxxxxxx",
    "maxPods": 110,
    "mode": "User",
    "name": "npxxxxxx",
    "nodeImageVersion": "AzureLinuxContainerHost-2025.10.03",
    "orchestratorVersion": "1.32.6",
    "osDiskSizeGb": 128,
    "osDiskType": "Managed",
    "osSku": "AzureLinux",
    "osType": "Linux",
    "powerState": {
      "code": "Running"
    },
    "provisioningState": "Succeeded",
    "resourceGroup": "myAKSResourceGroupxxxxx",
    "type": "Microsoft.ContainerService/managedClusters/agentPools",
    "vmSize": "Standard_DS2_v2"
  },
  {
    "agentPoolType": "VirtualMachineScaleSets",
    "availabilityZones": null,
    "count": 3,
    "enableAutoScaling": false,
    "enableEncryptionAtHost": false,
    "enableFips": false,
    "enableNodePublicIp": false,
    "id": "/subscriptions/REDACTED/resourcegroups/myAKSResourceGroupxxxxx/providers/Microsoft.ContainerService/managedClusters/myAKSClusterxxxxx/agentPools/npxxxxxx",
    "maxPods": 110,
    "mode": "User",
    "name": "npxxxxxx",
    "nodeImageVersion": "AzureLinuxOSGuard-2025.10.03",
    "orchestratorVersion": "1.32.6",
    "osDiskSizeGb": 128,
    "osDiskType": "Managed",
    "osSku": "AzureLinuxOSGuard",
    "osType": "Linux",
    "powerState": {
      "code": "Running"
    },
    "provisioningState": "Succeeded",
    "resourceGroup": "myAKSResourceGroupxxxxx",
    "type": "Microsoft.ContainerService/managedClusters/agentPools",
    "vmSize": "Standard_DS2_v2"
  }
]
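The status check above can be automated. The following is an added example, not part of the original tutorial or Microsoft's tooling: it audits the JSON from az aks nodepool list for pools that are not on the OS Guard SKU, OS Guard pools that do not report FIPS, unhealthy states, and names that break the naming rule in the note above. The function name audit_pools, the file name audit_pools.py, and the sample data are assumptions constructed for illustration; only fields that appear in the example output are read, so Secure Boot and vTPM are not checked.

```python
import json
import re
import sys

# Name rule as stated in the tutorial note: starts with a lowercase letter,
# alphanumeric only, 1 to 12 characters for Linux node pools.
NAME_RULE = re.compile(r"[a-z][A-Za-z0-9]{0,11}")

def audit_pools(pools, required_sku="AzureLinuxOSGuard"):
    """Return {pool_name: [findings]} for every pool that has a finding."""
    report = {}
    for pool in pools:
        name = pool.get("name", "<unnamed>")
        findings = []
        if not NAME_RULE.fullmatch(name):
            findings.append("name violates the node pool naming rule")
        if pool.get("osSku") != required_sku:
            findings.append(f"osSku is {pool.get('osSku')!r}, not {required_sku!r}")
        elif pool.get("enableFips") is not True:
            # The tutorial states FIPS is required for OS Guard pools.
            findings.append("OS Guard pool does not report enableFips=true")
        if pool.get("provisioningState") != "Succeeded":
            findings.append(f"provisioningState is {pool.get('provisioningState')!r}")
        if (pool.get("powerState") or {}).get("code") != "Running":
            findings.append("powerState is not Running")
        if findings:
            report[name] = findings
    return report

# Constructed sample input, trimmed to the fields the audit reads.
SAMPLE = json.loads("""[
 {"name": "nodepool1", "osSku": "AzureLinux", "enableFips": false,
  "provisioningState": "Succeeded", "powerState": {"code": "Running"}},
 {"name": "osgNodePool", "osSku": "AzureLinuxOSGuard", "enableFips": true,
  "provisioningState": "Succeeded", "powerState": {"code": "Running"}},
 {"name": "osgnofips", "osSku": "AzureLinuxOSGuard", "enableFips": false,
  "provisioningState": "Updating", "powerState": {"code": "Running"}}
]""")

if __name__ == "__main__":
    # With "-" as the only argument, read real az output from stdin;
    # otherwise audit the constructed sample.
    pools = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    report = audit_pools(pools)
    for name, findings in report.items():
        for finding in findings:
            print(f"{name}: {finding}")
    sys.exit(1 if report else 0)
```

To audit a live cluster, pipe the output of the az aks nodepool list command shown above into python audit_pools.py - and treat a nonzero exit code as a failed check.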

Next step

In this tutorial, you added an Azure Linux with OS Guard node pool to your existing cluster. In the next tutorial, you learn how to migrate existing nodes to Azure Linux with OS Guard.