K8S upgrade without node reimage

Newbie to this forum. We have been running K8S on VMs (IaaS) on Azure cloud but are thinking of moving to AKS (Azure Kubernetes Service) to leverage autoscaling, security and more seamless version upgrades. But with the current self-managed approach we use Kubespray to upgrade versions, which does not make any changes to the underlying OS configuration, which is a requirement of our Infosec policy.

With managed K8S, AKS and other players remove a worker node and create a new node, which wipes our existing OS config and hardening standards. Looking for advice from community experts. Thanks.

Cluster information:

Kubernetes version: 1.17
Cloud being used: Azure
Installation method: Kubespray
Host OS: Ubuntu 18 LTS
CNI and version: Weave
CRI and version:

Advice: Don’t treat nodes as pets. Find ways to apply the hardening automatically (e.g. a daemonset) so you are not swimming upstream. Managed providers use that “edge” to upgrade the OS and kernel, which matters to you even if you don’t see it as plainly.
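To make the "apply it with a DaemonSet" suggestion concrete, here is an added example (not from the original post or from any AKS/Kubespray project code) of a DaemonSet that re-applies a Linux hardening baseline to every node, including the fresh nodes a managed service creates during an upgrade. The sysctl values, the kubelet config path and the marker file are assumptions standing in for your own Infosec standard; the pattern is the point. Because the init container is privileged and enters the host namespaces via nsenter, it must live in a namespace that Pod Security admission allows to run privileged pods (kube-system is exempt by default), and there is still a short window between a new node joining and the DaemonSet pod landing on it during which the node is not yet hardened.

```yaml
# Added example: DaemonSet that re-applies OS hardening on every node.
# Sysctl keys, paths and image tags below are assumptions for illustration.
apiVersion: v1
kind: ConfigMap
metadata:
  name: node-hardening
  namespace: kube-system
data:
  harden.sh: |
    #!/bin/sh
    # Executed inside the host's mount/net/pid namespaces (see nsenter below),
    # so every path here is a path on the node itself.
    set -eu
    # Persist the baseline so it survives a reboot; the DaemonSet is what
    # brings it back after a node is replaced rather than rebooted.
    printf '%s\n' \
      'kernel.kptr_restrict = 2' \
      'kernel.dmesg_restrict = 1' \
      'fs.protected_hardlinks = 1' \
      'fs.protected_symlinks = 1' \
      'net.ipv4.conf.all.accept_redirects = 0' \
      'net.ipv4.conf.all.send_redirects = 0' \
      'net.ipv4.conf.all.log_martians = 1' \
      > /etc/sysctl.d/99-infosec-hardening.conf
    sysctl --system > /dev/null
    # Example CIS-style file ownership/permission control on the kubelet config
    # (path assumed; adjust to the distribution's layout).
    if [ -f /var/lib/kubelet/config.yaml ]; then
      chown root:root /var/lib/kubelet/config.yaml
      chmod 600 /var/lib/kubelet/config.yaml
    fi
    # Leave a marker with the baseline's checksum so drift can be audited later.
    sha256sum /etc/sysctl.d/99-infosec-hardening.conf > /var/lib/infosec-hardening.applied
    echo "hardening applied on $(hostname)"
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-hardening
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: node-hardening
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: node-hardening
    spec:
      # Schedule on every node regardless of taints (control plane, GPU, etc.).
      tolerations:
        - operator: Exists
      priorityClassName: system-node-critical
      # hostPID is required so nsenter can target the node's PID 1.
      hostPID: true
      initContainers:
        - name: harden
          image: busybox:1.36   # assumption: any image shipping sh and nsenter
          securityContext:
            privileged: true    # needed to enter host namespaces and write sysctls
          # Enter the host's mount, uts, ipc, net and pid namespaces, then feed
          # the script over stdin (the ConfigMap mount is not visible once the
          # mount namespace is switched, stdin still is).
          command: ["sh", "-c"]
          args:
            - nsenter -t 1 -m -u -i -n -p -- sh -s < /scripts/harden.sh
          volumeMounts:
            - name: scripts
              mountPath: /scripts
              readOnly: true
      containers:
        # The init container did the work; this keeps the pod Running so the
        # DaemonSet controller does not restart it in a loop.
        - name: pause
          image: registry.k8s.io/pause:3.9
          resources:
            requests:
              cpu: 5m
              memory: 8Mi
      volumes:
        - name: scripts
          configMap:
            name: node-hardening
            defaultMode: 0755
```

Changing the ConfigMap and rolling the DaemonSet re-applies the new baseline everywhere, which is also how you would push a hardening change today without touching Kubespray. The marker file is what your scanner or compliance job should check for rather than the pod's existence, since a pod that ran but failed mid-script still shows up as Running.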