From 980425bcb871bd7fc11fb22cb5fb2cbdf54c32bf Mon Sep 17 00:00:00 2001 From: Richard Taylor - Microsoft Date: Mon, 25 Nov 2024 13:20:03 +0000 Subject: [PATCH 01/11] Update secret-store-extension.md --- articles/azure-arc/kubernetes/secret-store-extension.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/articles/azure-arc/kubernetes/secret-store-extension.md b/articles/azure-arc/kubernetes/secret-store-extension.md index 2e10d2107..7e309d506 100644 --- a/articles/azure-arc/kubernetes/secret-store-extension.md +++ b/articles/azure-arc/kubernetes/secret-store-extension.md 
@@ -23,8 +23,8 @@ This article shows you how to install and configure the SSE as an [Azure Arc-ena ## Prerequisites -- A cluster [connected to Azure Arc](quickstart-connect-cluster.md), running Kubernetes version 1.27 or higher, and in one of the supported regions (East US, East US2, West US, West US2, West US3, West Europe, North Europe). The region is defined by the resource group region used for creating the Arc cluster. -- The examples throughout this guide use a [K3s](https://k3s.io/) cluster. +- An Arc-enabled cluster, running Kubernetes version 1.27 or higher, and in one of the supported regions (East US, East US2, West US, West US2, West US3, West Europe, North Europe). The region is defined by the resource group region used for creating the Arc cluster. +- This cluster can be one that you [connected to yourself](quickstart-connect-cluster.md) (the examples throughout this guide use a [K3s](https://k3s.io/) cluster) or a Microsoft-managed [AKS enanabled by Azure Arc](/azure/aks/hybrid/aks-overview) cluster. - Ensure you meet the [general prerequisites for cluster extensions](extensions.md#prerequisites), including the latest version of the `k8s-extension` Azure CLI extension. - cert-manager is required to support TLS for intracluster log communication. The examples later in this guide direct you though installation. For more information about cert-manager, see [cert-manager.io](https://cert-manager.io/) From b837687190dc7d856d5591832037a64fc767a6d5 Mon Sep 17 00:00:00 2001 From: Richard Taylor - Microsoft Date: Mon, 25 Nov 2024 13:35:11 +0000 Subject: [PATCH 02/11] Update secret-store-extension.md --- .../kubernetes/secret-store-extension.md | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/articles/azure-arc/kubernetes/secret-store-extension.md b/articles/azure-arc/kubernetes/secret-store-extension.md index 7e309d506..1e40f6a86 100644 --- a/articles/azure-arc/kubernetes/secret-store-extension.md 
+++ b/articles/azure-arc/kubernetes/secret-store-extension.md @@ -52,11 +52,11 @@ export KUBERNETES_NAMESPACE="my-namespace" export SERVICE_ACCOUNT_NAME="my-service-account" ``` -## Configure an identity to access secrets +## Set up workload identity federation for your cluster -To access and synchronize a given Azure Key Vault secret, the SSE requires access to an Azure managed identity with appropriate Azure permissions to access that secret. The managed identity must be linked to a Kubernetes service account through [workload identity federation](conceptual-workload-identity.md). The Kubernetes service account is what you use in a Kubernetes pod or other workload to access secrets from the Kubernetes secret store. The SSE uses the associated federated Azure managed identity to pull secrets from Azure Key Vault to your Kubernetes secret store. The following sections describe how to set this up. +To access and synchronize a given Azure Key Vault secret, the SSE requires access to an Azure managed identity with appropriate Azure permissions to access that secret. The managed identity must be linked to a Kubernetes service account through [workload identity federation](conceptual-workload-identity.md). The Kubernetes service account is what your workload uses to access secrets from the Kubernetes secret store. The SSE uses the associated federated Azure managed identity to pull secrets from Azure Key Vault to your Kubernetes secret store. The following sections describe how to set this up. -### Enable workload identity on your cluster +### [Arc-enabled Kubernetes](#tab/arc-k8s) If your cluster isn't yet connected to Azure Arc, [follow these steps](quickstart-connect-cluster.md). During these steps, enable workload identity as part of the `connect` command: 
@@ -70,14 +70,10 @@ If your cluster is already connected to Azure Arc, enable workload identity usin az connectedk8s update --name ${CLUSTER_NAME} --resource-group ${RESOURCE_GROUP} --enable-oidc-issuer --enable-workload-identity ``` -### Configure your cluster to enable token validation - -Your cluster must be configured to issue Service Account tokens with a new issuer URL (`service-account-issuer`) that enables Microsoft Entra ID to find the public keys necessary for it to validate these tokens. These public keys are for the cluster's own service account token issuer, and they were obtained and cloud-hosted at this URL as a result of the `--enable-oidc-issuer` option that you set above. +Now configure your to issue Service Account tokens with a new issuer URL (`service-account-issuer`) that enables Microsoft Entra ID to find the public keys necessary for it to validate these tokens. These public keys are for the cluster's own service account token issuer, and they were obtained and cloud-hosted at this URL as a result of the `--enable-oidc-issuer` option that you set above. Optionally, you can also configure limits on the SSE's own permissions as a privileged resource running in the control plane by configuring [`OwnerReferencesPermissionEnforcement`](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement) [admission controller](https://Kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#how-do-i-turn-on-an-admission-controller). This admission controller constrains how much the SSE can change other objects in the cluster. -Your Kubernetes cluster must be running Kubernetes version 1.27 or higher. - 1. Configure your [kube-apiserver](https://Kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) with the issuer URL field and permissions enforcement. The following example is for a k3s cluster. 
Your cluster may have different means for changing API server arguments: `--kube-apiserver-arg="--service-account-issuer=${SERVICE_ACCOUNT_ISSUER}" and --kube-apiserver-arg="--enable-admission-plugins=OwnerReferencesPermissionEnforcement"`. - Get the service account issuer URL. @@ -109,6 +105,12 @@ Your Kubernetes cluster must be running Kubernetes version 1.27 or higher. sudo systemctl restart k3s ``` +### [AKS enabled by Azure Arc](#tab/aks-arc) + +Follow + +## Create a secret and configure an identity to access it + ### Create an Azure Key Vault [Create an Azure Key Vault](/azure/key-vault/secrets/quick-create-cli) and add a secret. If you already have an Azure Key Vault and secret, you can skip this section. @@ -152,7 +154,7 @@ Next, create a user-assigned managed identity and give it permissions to access ### Create a federated identity credential -Create a Kubernetes service account for the workload that needs access to secrets. Then, create a [federated identity credential](https://azure.github.io/azure-workload-identity/docs/topics/federated-identity-credential.html) to link between the managed identity, the OIDC service account issuer, and the Kubernetes Service Account. +Create a Kubernetes service account for the workload that needs access to secrets. Then, create a [federated identity credential](https://azure.github.io/azure-workload-identity/docs/topics/federated-identity-credential.html) to link between the managed identity, the OIDC service account issuer, and the Kubernetes Service Account. This uses the workload identity federation capability that you activated earlier. 1. Create a Kubernetes Service Account that will be federated to the managed identity. Annotate it with details of the associated user-assigned managed identity. From 28254552eaf2edaebf28899b057f3bd4e2a46805 Mon Sep 17 00:00:00 2001 
From: Richard Taylor - Microsoft Date: Mon, 25 Nov 2024 14:43:49 +0000 Subject: [PATCH 03/11] Update secret-store-extension.md --- .../kubernetes/secret-store-extension.md | 49 ++++++++++++++----- 1 file changed, 36 insertions(+), 13 deletions(-) diff --git a/articles/azure-arc/kubernetes/secret-store-extension.md b/articles/azure-arc/kubernetes/secret-store-extension.md index 1e40f6a86..3c5aaa9c9 100644 --- a/articles/azure-arc/kubernetes/secret-store-extension.md +++ b/articles/azure-arc/kubernetes/secret-store-extension.md 
@@ -52,13 +52,16 @@ export KUBERNETES_NAMESPACE="my-namespace" export SERVICE_ACCOUNT_NAME="my-service-account" ``` -## Set up workload identity federation for your cluster +## Activate workload identity federation in your cluster -To access and synchronize a given Azure Key Vault secret, the SSE requires access to an Azure managed identity with appropriate Azure permissions to access that secret. The managed identity must be linked to a Kubernetes service account through [workload identity federation](conceptual-workload-identity.md). The Kubernetes service account is what your workload uses to access secrets from the Kubernetes secret store. The SSE uses the associated federated Azure managed identity to pull secrets from Azure Key Vault to your Kubernetes secret store. The following sections describe how to set this up. +The SSE uses a feature called [workload identity federation](conceptual-workload-identity.md) to access and synchronize Azure Key Vault secrets. This section describes how to set this up. Following sections will explain how it is used in detail. ### [Arc-enabled Kubernetes](#tab/arc-k8s) -If your cluster isn't yet connected to Azure Arc, [follow these steps](quickstart-connect-cluster.md). During these steps, enable workload identity as part of the `connect` command: +> [!TIP] +> The following steps are based on the [How-to guide](/azure/azure-arc/kubernetes/workload-identity) for configuring Arc-enabled Kubernetes with workload identity federation. Refer to that documentation for any additional assistance. + +If your cluster isn't yet connected to Azure Arc, [follow these steps](quickstart-connect-cluster.md). During these steps, enable workload identity federation as part of the `connect` command: ```azurecli az connectedk8s connect --name ${CLUSTER_NAME} --resource-group ${RESOURCE_GROUP} --enable-oidc-issuer --enable-workload-identity 
@@ -70,7 +73,7 @@ If your cluster is already connected to Azure Arc, enable workload identity usin az connectedk8s update --name ${CLUSTER_NAME} --resource-group ${RESOURCE_GROUP} --enable-oidc-issuer --enable-workload-identity ``` -Now configure your to issue Service Account tokens with a new issuer URL (`service-account-issuer`) that enables Microsoft Entra ID to find the public keys necessary for it to validate these tokens. These public keys are for the cluster's own service account token issuer, and they were obtained and cloud-hosted at this URL as a result of the `--enable-oidc-issuer` option that you set above. +Now configure your cluster to issue Service Account tokens with a new issuer URL (`service-account-issuer`) that enables Microsoft Entra ID to find the public keys necessary for it to validate these tokens. These public keys are for the cluster's own service account token issuer, and they were obtained and cloud-hosted at this URL as a result of the `--enable-oidc-issuer` option that you set above. Optionally, you can also configure limits on the SSE's own permissions as a privileged resource running in the control plane by configuring [`OwnerReferencesPermissionEnforcement`](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement) [admission controller](https://Kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#how-do-i-turn-on-an-admission-controller). This admission controller constrains how much the SSE can change other objects in the cluster. 
@@ -105,12 +108,36 @@ Optionally, you can also configure limits on the SSE's own permissions as a priv sudo systemctl restart k3s ``` -### [AKS enabled by Azure Arc](#tab/aks-arc) +### [AKS on Azure Local](#tab/aks-local) + +Refer to the [How-to guide](/azure/aks/hybrid/workload-identity) for configuring AKS on Azure Local with workload identity federation by using the `--enable-oidc-issuer` and `--enable-workload-identity` flags. + +Return to these steps after this initial configuration. There is no need to complete the remainder of that guide. + +Validate the activation of workload identity federation has been succesful by obtaining the cluster's service account issuer URL. You'll use this URL in the following steps: + + ```console + export SERVICE_ACCOUNT_ISSUER="$(az connectedk8s show --name ${CLUSTER_NAME} --resource-group ${RESOURCE_GROUP} --query "oidcIssuerProfile.issuerUrl" --output tsv)" + echo $SERVICE_ACCOUNT_ISSUER + ``` + +### [AKS Edge Essentials](#tab/aks-ee) -Follow +Refer to the [How-to guide](/aks/hybrid/aks-edge-workload-identity) for configuring AKS Edge Essentials with workload identity federation. + +Return to these steps after this initial configuration. There is no need to complete the remainder of that guide. + +Validate the activation of workload identity federation has been succesful by obtaining the cluster's service account issuer URL. You'll use this URL in the following steps: + + ```console + export SERVICE_ACCOUNT_ISSUER="$(az connectedk8s show --name ${CLUSTER_NAME} --resource-group ${RESOURCE_GROUP} --query "oidcIssuerProfile.issuerUrl" --output tsv)" + echo $SERVICE_ACCOUNT_ISSUER + ``` ## Create a secret and configure an identity to access it +To access and synchronize a given Azure Key Vault secret, the SSE requires access to an Azure managed identity with appropriate Azure permissions to access that secret. 
The managed identity must be linked to a Kubernetes service account using the workload identity feature that you activated above. The SSE uses the associated federated Azure managed identity to pull secrets from Azure Key Vault to your Kubernetes secret store. The following sections describe how to set this up. + ### Create an Azure Key Vault [Create an Azure Key Vault](/azure/key-vault/secrets/quick-create-cli) and add a secret. If you already have an Azure Key Vault and secret, you can skip this section. @@ -178,13 +205,11 @@ Create a Kubernetes service account for the workload that needs access to secret az identity federated-credential create --name ${FEDERATED_IDENTITY_CREDENTIAL_NAME} --identity-name ${USER_ASSIGNED_IDENTITY_NAME} --resource-group ${RESOURCE_GROUP} --issuer ${SERVICE_ACCOUNT_ISSUER} --subject system:serviceaccount:${KUBERNETES_NAMESPACE}:${SERVICE_ACCOUNT_NAME} ``` -## Install and use the SSE +## Install the SSE The SSE is available as an Azure Arc extension. An [Azure Arc-enabled Kubernetes cluster](overview.md) can be extended with [Azure Arc-enabled Kubernetes extensions](extensions.md). Extensions enable Azure capabilities on your connected cluster and provide an Azure Resource Manager-driven experience for the extension installation and lifecycle management. -### Install cert-manager and trust-manager - -[cert-manager](https://cert-manager.io/) and [trust-manager](https://cert-manager.io/docs/trust/trust-manager/) are required for secure communication of logs between cluster services and must be installed before the Arc extension. +[cert-manager](https://cert-manager.io/) and [trust-manager](https://cert-manager.io/docs/trust/trust-manager/) are also required for secure communication of logs between cluster services and must be installed before the Arc extension. 1. Install cert-manager. 
@@ -200,9 +225,7 @@ The SSE is available as an Azure Arc extension. An [Azure Arc-enabled Kubernetes helm upgrade trust-manager jetstack/trust-manager --install --namespace cert-manager --wait ``` -### Install the SSE - -- Install the SSE to your Arc-enabled cluster using the following command: +1. Install the SSE to your Arc-enabled cluster using the following command: ``` console az k8s-extension create \ From f4c861daf9b62493013bdfa602063983d2b18914 Mon Sep 17 00:00:00 2001 From: Richard Taylor - Microsoft Date: Mon, 25 Nov 2024 14:52:18 +0000 Subject: [PATCH 04/11] Update secret-store-extension.md --- .../kubernetes/secret-store-extension.md | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/articles/azure-arc/kubernetes/secret-store-extension.md b/articles/azure-arc/kubernetes/secret-store-extension.md index 3c5aaa9c9..14868de0c 100644 --- a/articles/azure-arc/kubernetes/secret-store-extension.md +++ b/articles/azure-arc/kubernetes/secret-store-extension.md 
@@ -23,8 +23,7 @@ This article shows you how to install and configure the SSE as an [Azure Arc-ena ## Prerequisites -- An Arc-enabled cluster, running Kubernetes version 1.27 or higher, and in one of the supported regions (East US, East US2, West US, West US2, West US3, West Europe, North Europe). The region is defined by the resource group region used for creating the Arc cluster. -- This cluster can be one that you [connected to yourself](quickstart-connect-cluster.md) (the examples throughout this guide use a [K3s](https://k3s.io/) cluster) or a Microsoft-managed [AKS enanabled by Azure Arc](/azure/aks/hybrid/aks-overview) cluster. +- An Arc-enabled cluster. This can be one that you [connected to yourself](quickstart-connect-cluster.md) (the examples throughout this guide use a [K3s](https://k3s.io/) cluster) or a Microsoft-managed [AKS enanabled by Azure Arc](/azure/aks/hybrid/aks-overview) cluster. The cluster must be running Kubernetes version 1.27 or higher, and in one of the supported regions (East US, East US2, West US, West US2, West US3, West Europe, North Europe). The region is defined by the resource group region used for creating the Arc cluster. - Ensure you meet the [general prerequisites for cluster extensions](extensions.md#prerequisites), including the latest version of the `k8s-extension` Azure CLI extension. - cert-manager is required to support TLS for intracluster log communication. The examples later in this guide direct you though installation. For more information about cert-manager, see [cert-manager.io](https://cert-manager.io/) 
@@ -110,11 +109,11 @@ Optionally, you can also configure limits on the SSE's own permissions as a priv ### [AKS on Azure Local](#tab/aks-local) -Refer to the [How-to guide](/azure/aks/hybrid/workload-identity) for configuring AKS on Azure Local with workload identity federation by using the `--enable-oidc-issuer` and `--enable-workload-identity` flags. +Use the [How-to guide](/azure/aks/hybrid/workload-identity) to actitvate workload identity federation on AKS on Azure Local by using the `--enable-oidc-issuer` and `--enable-workload-identity` flags. -Return to these steps after this initial configuration. There is no need to complete the remainder of that guide. +Return to these steps after the initial activation. There is no need to complete the remainder of that guide. -Validate the activation of workload identity federation has been succesful by obtaining the cluster's service account issuer URL. You'll use this URL in the following steps: +Validate the activation has been succesful by obtaining the cluster's service account issuer URL. You'll use this URL in the following steps: ```console export SERVICE_ACCOUNT_ISSUER="$(az connectedk8s show --name ${CLUSTER_NAME} --resource-group ${RESOURCE_GROUP} --query "oidcIssuerProfile.issuerUrl" --output tsv)" 
@@ -123,11 +122,11 @@ Validate the activation of workload identity federation has been succesful by ob ### [AKS Edge Essentials](#tab/aks-ee) -Refer to the [How-to guide](/aks/hybrid/aks-edge-workload-identity) for configuring AKS Edge Essentials with workload identity federation. +Use the [How-to guide](/azure/aks/hybrid/aks-edge-workload-identity) to activate workload identity federation on AKS Edge Essentials. -Return to these steps after this initial configuration. There is no need to complete the remainder of that guide. +Return to these steps after the initial activation. There is no need to complete the remainder of that guide. -Validate the activation of workload identity federation has been succesful by obtaining the cluster's service account issuer URL. You'll use this URL in the following steps: +Validate the activation has been succesful by obtaining the cluster's service account issuer URL. You'll use this URL in the following steps: ```console export SERVICE_ACCOUNT_ISSUER="$(az connectedk8s show --name ${CLUSTER_NAME} --resource-group ${RESOURCE_GROUP} --query "oidcIssuerProfile.issuerUrl" --output tsv)" 
@@ -181,7 +180,7 @@ Next, create a user-assigned managed identity and give it permissions to access ### Create a federated identity credential -Create a Kubernetes service account for the workload that needs access to secrets. Then, create a [federated identity credential](https://azure.github.io/azure-workload-identity/docs/topics/federated-identity-credential.html) to link between the managed identity, the OIDC service account issuer, and the Kubernetes Service Account. This uses the workload identity federation capability that you activated earlier. +Create a Kubernetes service account for the workload that needs access to secrets. Then, create a [federated identity credential](https://azure.github.io/azure-workload-identity/docs/topics/federated-identity-credential.html) to link between the managed identity, the OIDC service account issuer, and the Kubernetes Service Account. 1. Create a Kubernetes Service Account that will be federated to the managed identity. Annotate it with details of the associated user-assigned managed identity. From c6f289ed7519860bc676218facc4e7671bf46b56 Mon Sep 17 00:00:00 2001 From: Richard Taylor - Microsoft Date: Mon, 25 Nov 2024 14:57:36 +0000 Subject: [PATCH 05/11] Update secret-store-extension.md --- articles/azure-arc/kubernetes/secret-store-extension.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/articles/azure-arc/kubernetes/secret-store-extension.md b/articles/azure-arc/kubernetes/secret-store-extension.md index 14868de0c..99d2691ea 100644 --- a/articles/azure-arc/kubernetes/secret-store-extension.md +++ b/articles/azure-arc/kubernetes/secret-store-extension.md 
@@ -133,6 +133,8 @@ Validate the activation has been succesful by obtaining the cluster's service ac echo $SERVICE_ACCOUNT_ISSUER ``` +--- + ## Create a secret and configure an identity to access it To access and synchronize a given Azure Key Vault secret, the SSE requires access to an Azure managed identity with appropriate Azure permissions to access that secret. The managed identity must be linked to a Kubernetes service account using the workload identity feature that you activated above. The SSE uses the associated federated Azure managed identity to pull secrets from Azure Key Vault to your Kubernetes secret store. The following sections describe how to set this up. From 4dfc90d8fef5b6f82f291b9e8272ed0df0f68608 Mon Sep 17 00:00:00 2001 From: Richard Taylor - Microsoft Date: Tue, 26 Nov 2024 17:10:23 +0000 Subject: [PATCH 06/11] Update articles/azure-arc/kubernetes/secret-store-extension.md Co-authored-by: Rebecca Holt <64870235+rebeccaleigh@users.noreply.github.com> --- articles/azure-arc/kubernetes/secret-store-extension.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/articles/azure-arc/kubernetes/secret-store-extension.md b/articles/azure-arc/kubernetes/secret-store-extension.md index 99d2691ea..3028d53da 100644 --- a/articles/azure-arc/kubernetes/secret-store-extension.md +++ b/articles/azure-arc/kubernetes/secret-store-extension.md 
@@ -213,6 +213,9 @@ The SSE is available as an Azure Arc extension. An [Azure Arc-enabled Kubernetes [cert-manager](https://cert-manager.io/) and [trust-manager](https://cert-manager.io/docs/trust/trust-manager/) are also required for secure communication of logs between cluster services and must be installed before the Arc extension. 1. Install cert-manager. + ```azurecli + helm repo add jetstack https://charts.jetstack.io/ --force-update + helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.16.2 --set crds.enabled=true ```azurecli kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.3/cert-manager.yaml From 3fc096d92d5b1e2ec6bbb37d4a210233fe8770b2 Mon Sep 17 00:00:00 2001 From: Richard Taylor - Microsoft Date: Tue, 26 Nov 2024 17:17:03 +0000 Subject: [PATCH 07/11] Update secret-store-extension.md --- articles/azure-arc/kubernetes/secret-store-extension.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/articles/azure-arc/kubernetes/secret-store-extension.md b/articles/azure-arc/kubernetes/secret-store-extension.md index 3028d53da..83619e2e2 100644 --- a/articles/azure-arc/kubernetes/secret-store-extension.md +++ b/articles/azure-arc/kubernetes/secret-store-extension.md @@ -216,16 +216,11 @@ The SSE is available as an Azure Arc extension. An [Azure Arc-enabled Kubernetes ```azurecli helm repo add jetstack https://charts.jetstack.io/ --force-update helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.16.2 --set crds.enabled=true - - ```azurecli - kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.3/cert-manager.yaml ``` 1. Install trust-manager. ```azurecli - helm repo add jetstack https://charts.jetstack.io - helm repo update helm upgrade trust-manager jetstack/trust-manager --install --namespace cert-manager --wait ``` 
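Review bot: In PATCH 01, hunk @@ -23, the rewritten prerequisites bullet introduces the typo "AKS enanabled by Azure Arc" (should be "enabled"), and the same typo is carried forward unchanged into the PATCH 04 rewrite of that bullet; fix it in the earlier patch so it never lands. While touching this bullet, the unchanged context line two lines below still reads "direct you though installation" ("through").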
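Review bot: In PATCH 02, hunk @@ -70, the new sentence "Now configure your to issue Service Account tokens with a new issuer URL" drops the word "cluster"; PATCH 03 restores it, so squash that fix into this patch. Removing "Your Kubernetes cluster must be running Kubernetes version 1.27 or higher." here is fine, since the prerequisites bullet already states the version requirement.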
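Review bot: In PATCH 02, hunk @@ -109, the new `### [AKS enabled by Azure Arc](#tab/aks-arc)` tab contains only the placeholder word "Follow", and the tab group is not closed with a `---` line before `## Create a secret and configure an identity to access it`, so that H2 would render inside the tab. Either drop this intermediate state or squash it with PATCH 03 (which fills the tab) and PATCH 05 (which adds the `---` terminator) so no commit in the series ships the broken page.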
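Review bot: In PATCH 03, hunk @@ -105, the "Validate the activation has been succesful" step in both new tabs only does `echo $SERVICE_ACCOUNT_ISSUER`; tell the reader the output must be a non-empty https URL and to stop if it is blank, because the later `az identity federated-credential create ... --issuer ${SERVICE_ACCOUNT_ISSUER}` step depends on that value and an empty issuer means workload identity was not actually activated. Also in this hunk: "succesful" (twice) should be "successful"; the AKS Edge Essentials link `/aks/hybrid/aks-edge-workload-identity` lacks the `/azure` prefix every other link on the page uses (PATCH 04 fixes it, so fold that in here); the tab group still lacks its closing `---` (added in PATCH 05); and the two ```console fences are indented four spaces under plain paragraphs, unlike the unindented fences elsewhere in the article.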
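Review bot: In PATCH 03, hunk @@ -200, the unchanged context line opening the SSE install block is "``` console" with a space after the backticks; some Markdown renderers do not treat that as a language tag, so while renumbering this item to "1." it is worth normalising the fence to ```console as used in the new tabs above.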
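Review bot: In PATCH 04, hunk @@ -110, the rewrite introduces a new typo "actitvate workload identity federation" (PATCH 09 corrects it) and leaves "succesful" in place; the parallel hunk @@ -123 for AKS Edge Essentials has the same "succesful". Fix both spellings in this patch rather than across later ones.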
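Review bot: In PATCH 06, hunk @@ -213, the three added lines open a new ```azurecli fence but never close it before the existing ```azurecli kubectl apply ... block, so the page ends up with two opening fences and one closing fence and the rest of the section renders as code; PATCH 07 removes the old block, so squash the two. Separately, the fence is tagged `azurecli` although the content is helm commands, not Azure CLI; use ```console (or ```bash) as the other shell blocks on the page do.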
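Review bot: In PATCH 07, hunk @@ -216, the cert-manager chart is pinned with `--version v1.16.2` but the remaining trust-manager line `helm upgrade trust-manager jetstack/trust-manager --install --namespace cert-manager --wait` has no `--version`, so the install is not reproducible and will pull whatever chart is latest when the reader runs it; pin it the same way. Also, the cert-manager `helm install` has no `--wait` while the trust-manager one does, and the trust-manager chart defaults to a cert-manager-issued certificate for its webhook, so without `--wait` on the cert-manager step the second install can race the cert-manager webhook coming up; add `--wait` to the cert-manager install as well.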
From 0a3e89ab81a55ceba7fee2532f00409d72e53649 Mon Sep 17 00:00:00 2001 From: Phil Huang Date: Wed, 4 Dec 2024 01:40:05 +0800 Subject: [PATCH 08/11] Updated Azure Portal Framework related Firewall rules Updated Azure Portal Framework related Firewall rules based on https://portal.azure.com/selfhelp and actual testing. --- articles/azure-portal/azure-portal-safelist-urls.md | 1 + 1 file changed, 1 insertion(+) diff --git a/articles/azure-portal/azure-portal-safelist-urls.md b/articles/azure-portal/azure-portal-safelist-urls.md index c37398561..664434692 100644 --- a/articles/azure-portal/azure-portal-safelist-urls.md +++ b/articles/azure-portal/azure-portal-safelist-urls.md @@ -55,6 +55,7 @@ management.azure.com *.ext.azure.com *.graph.windows.net *.graph.microsoft.com +hosting.partners.azure.net ``` #### Account data From 3bc20cc4845ec25d04ec592cf41cfa263f58e3e9 Mon Sep 17 00:00:00 2001 From: Richard Taylor - Microsoft Date: Tue, 10 Dec 2024 18:39:15 +0000 Subject: [PATCH 09/11] Update articles/azure-arc/kubernetes/secret-store-extension.md Co-authored-by: JH <16583997+JnHs@users.noreply.github.com> --- articles/azure-arc/kubernetes/secret-store-extension.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/articles/azure-arc/kubernetes/secret-store-extension.md b/articles/azure-arc/kubernetes/secret-store-extension.md index 83619e2e2..b8f8dcca2 100644 --- a/articles/azure-arc/kubernetes/secret-store-extension.md +++ b/articles/azure-arc/kubernetes/secret-store-extension.md 
@@ -109,7 +109,7 @@ Optionally, you can also configure limits on the SSE's own permissions as a priv ### [AKS on Azure Local](#tab/aks-local) -Use the [How-to guide](/azure/aks/hybrid/workload-identity) to actitvate workload identity federation on AKS on Azure Local by using the `--enable-oidc-issuer` and `--enable-workload-identity` flags. +Use the [How-to guide](/azure/aks/hybrid/workload-identity) to activate workload identity federation on AKS on Azure Local by using the `--enable-oidc-issuer` and `--enable-workload-identity` flags. Return to these steps after the initial activation. There is no need to complete the remainder of that guide. From d2f153633050bf0d4f1909e21991e7209915dea1 Mon Sep 17 00:00:00 2001 From: JH <16583997+JnHs@users.noreply.github.com> Date: Tue, 10 Dec 2024 12:27:23 -0800 Subject: [PATCH 10/11] Learn Editor: Update get-information-resource-graph.md --- articles/copilot/get-information-resource-graph.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/articles/copilot/get-information-resource-graph.md b/articles/copilot/get-information-resource-graph.md index 807860260..da83fc1c0 100644 --- a/articles/copilot/get-information-resource-graph.md +++ b/articles/copilot/get-information-resource-graph.md 
@@ -49,7 +49,7 @@ You can ask Microsoft Copilot in Azure (preview) to write queries with prompts l :::image type="content" source="media/get-information-resource-graph/azure-resource-graph-explorer-list-vms.png" alt-text="Screenshot of Microsoft Copilot in Azure responding to a request to list VMs."::: -If the generated query isn't exactly what you want, you can ask Microsoft Copilot in Azure (preview) to make changes. In this example, the first prompt is "**Write a KQL query to list my VMs by OS.**" After the query is shown, the additional prompt "Sorted alphabetically" results in a revised query that lists the OS alphabetically by name. +If the generated query isn't exactly what you want, you can ask Microsoft Copilot in Azure (preview) to make changes. In this example, the first prompt is "**Write a KQL query to list my VMs by OS.**" After the query is shown, the additional prompt "**Sorted alphabetically**" results in a revised query that lists the OS alphabetically by name. :::image type="content" source="media/get-information-resource-graph/azure-resource-graph-query-refine.png" alt-text="Screenshot of Microsoft Copilot in Azure (preview) generating and then revising a query to list VMs by OS."::: From 640c04c18fe56502e5e771ba28bfa086e1f9661b Mon Sep 17 00:00:00 2001 From: JH <16583997+JnHs@users.noreply.github.com> Date: Tue, 10 Dec 2024 12:27:31 -0800 Subject: [PATCH 11/11] Learn Editor: Update get-information-resource-graph.md
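Review bot: In PATCH 08, hunk @@ -55, `hosting.partners.azure.net` is added to the portal framework safelist with no indication in the article of which portal feature needs it; the commit message cites the selfhelp page and testing, but the reader only sees a bare hostname, so add a short note (or a reference next to the entry) saying what fails without it. Also confirm whether subdomains are contacted, since the neighbouring entries (`*.ext.azure.com`, `*.graph.windows.net`, `*.graph.microsoft.com`) are wildcards and a bare host entry will not cover them.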
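Review bot: In PATCH 09, hunk @@ -109, only "actitvate" is corrected; the same AKS on Azure Local tab, as shown in the PATCH 04 hunk @@ -110, still reads "Validate the activation has been succesful", and the AKS Edge Essentials tab repeats it. Fix "succesful" in the same commit so the typo does not survive the series.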