Microsoft.ContainerService managedClusters 2021-03-01

Remarks

For information about available add-ons, see Add-ons, extensions, and other integrations with Azure Kubernetes Service.

Bicep resource definition

The managedClusters resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.ContainerService/managedClusters resource, add the following Bicep to your template.

// Reference skeleton for Microsoft.ContainerService/managedClusters@2021-03-01.
// Every value shown is a type placeholder; '{customized property}' stands for a
// caller-chosen key. The "Property values" tables below define each property.
resource symbolicname 'Microsoft.ContainerService/managedClusters@2021-03-01' = {
  // ExtendedLocation: only type 'EdgeZone' is listed.
  extendedLocation: {
    name: 'string'
    type: 'string'
  }
  // ManagedClusterIdentity: type is 'None', 'SystemAssigned' or 'UserAssigned'.
  // With 'None' no MSI is used and servicePrincipalProfile is used instead;
  // only one user-assigned identity is allowed, keyed by its ARM resource id.
  identity: {
    type: 'string'
    userAssignedIdentities: {
      {customized property}: {}
    }
  }
  location: 'string'
  // Name pattern: ^[a-zA-Z0-9]$|^[a-zA-Z0-9][-_a-zA-Z0-9]{0,61}[a-zA-Z0-9]$ (required).
  name: 'string'
  properties: {
    // ManagedClusterAADProfile: adminGroupObjectIDs get the cluster admin role;
    // enableAzureRBAC turns on Azure RBAC for Kubernetes authorization;
    // serverAppSecret is the server AAD application secret.
    aadProfile: {
      adminGroupObjectIDs: [
        'string'
      ]
      clientAppID: 'string'
      enableAzureRBAC: bool
      managed: bool
      serverAppID: 'string'
      serverAppSecret: 'string'
      tenantID: 'string'
    }
    // ManagedClusterAddonProfile per add-on name; 'enabled' is required.
    addonProfiles: {
      {customized property}: {
        config: {
          {customized property}: 'string'
        }
        enabled: bool
      }
    }
    // ManagedClusterAgentPoolProfile[]: one entry per node pool.
    agentPoolProfiles: [
      {
        availabilityZones: [
          'string'
        ]
        // 0-100 for user pools, 1-100 for system pools; default 1.
        count: int
        enableAutoScaling: bool
        // Encryption at host for the pool's VMs.
        enableEncryptionAtHost: bool
        // Use a FIPS-enabled OS image.
        enableFIPS: bool
        // Assign a public IP to each node.
        enableNodePublicIP: bool
        gpuInstanceProfile: 'string'
        kubeletConfig: {
          // Allowlist of unsafe sysctls, or patterns ending in '*'.
          allowedUnsafeSysctls: [
            'string'
          ]
          // Must be >= 2.
          containerLogMaxFiles: int
          containerLogMaxSizeMB: int
          cpuCfsQuota: bool
          cpuCfsQuotaPeriod: 'string'
          cpuManagerPolicy: 'string'
          // true: Kubelet fails to start if swap is enabled on the node.
          failSwapOn: bool
          imageGcHighThreshold: int
          imageGcLowThreshold: int
          podMaxPids: int
          topologyManagerPolicy: 'string'
        }
        kubeletDiskType: 'string'
        linuxOSConfig: {
          swapFileSizeMB: int
          // SysctlConfig: each field maps to one kernel sysctl (see the table below).
          sysctls: {
            fsAioMaxNr: int
            fsFileMax: int
            fsInotifyMaxUserWatches: int
            fsNrOpen: int
            kernelThreadsMax: int
            netCoreNetdevMaxBacklog: int
            netCoreOptmemMax: int
            netCoreRmemDefault: int
            netCoreRmemMax: int
            netCoreSomaxconn: int
            netCoreWmemDefault: int
            netCoreWmemMax: int
            netIpv4IpLocalPortRange: 'string'
            netIpv4NeighDefaultGcThresh1: int
            netIpv4NeighDefaultGcThresh2: int
            netIpv4NeighDefaultGcThresh3: int
            netIpv4TcpFinTimeout: int
            netIpv4TcpkeepaliveIntvl: int
            netIpv4TcpKeepaliveProbes: int
            netIpv4TcpKeepaliveTime: int
            netIpv4TcpMaxSynBacklog: int
            netIpv4TcpMaxTwBuckets: int
            netIpv4TcpTwReuse: bool
            netNetfilterNfConntrackBuckets: int
            netNetfilterNfConntrackMax: int
            vmMaxMapCount: int
            vmSwappiness: int
            vmVfsCachePressure: int
          }
          transparentHugePageDefrag: 'string'
          transparentHugePageEnabled: 'string'
        }
        maxCount: int
        maxPods: int
        minCount: int
        // 'System' or 'User'.
        mode: 'string'
        // Pattern ^[a-z][a-z0-9]{0,11}$ (required).
        name: 'string'
        nodeLabels: {
          {customized property}: 'string'
        }
        nodePublicIPPrefixID: 'string'
        // e.g. key=value:NoSchedule
        nodeTaints: [
          'string'
        ]
        orchestratorVersion: 'string'
        // 0-2048; 0 applies the default size for the vmSize.
        osDiskSizeGB: int
        // 'Ephemeral' or 'Managed'; cannot be changed after creation.
        osDiskType: 'string'
        osSKU: 'string'
        osType: 'string'
        podSubnetID: 'string'
        proximityPlacementGroupID: 'string'
        scaleSetEvictionPolicy: 'string'
        scaleSetPriority: 'string'
        spotMaxPrice: int
        tags: {
          {customized property}: 'string'
        }
        // 'AvailabilitySet' or 'VirtualMachineScaleSets'.
        type: 'string'
        upgradeSettings: {
          maxSurge: 'string'
        }
        vmSize: 'string'
        vnetSubnetID: 'string'
      }
    ]
    // ManagedClusterAPIServerAccessProfile: authorizedIPRanges limits which
    // ranges may reach the Kubernetes API server; enablePrivateCluster creates
    // a private cluster.
    apiServerAccessProfile: {
      authorizedIPRanges: [
        'string'
      ]
      enablePrivateCluster: bool
      privateDNSZone: 'string'
    }
    // ManagedClusterPropertiesAutoScalerProfile: keys are hyphenated
    // cluster-autoscaler parameters, all string-typed except as listed below.
    autoScalerProfile: {
      balance-similar-node-groups: 'string'
      // 'least-waste', 'most-pods', 'priority' or 'random'.
      expander: 'string'
      max-empty-bulk-delete: 'string'
      max-graceful-termination-sec: 'string'
      max-node-provision-time: 'string'
      max-total-unready-percentage: 'string'
      new-pod-scale-up-delay: 'string'
      ok-total-unready-count: 'string'
      scale-down-delay-after-add: 'string'
      scale-down-delay-after-delete: 'string'
      scale-down-delay-after-failure: 'string'
      scale-down-unneeded-time: 'string'
      scale-down-unready-time: 'string'
      scale-down-utilization-threshold: 'string'
      scan-interval: 'string'
      skip-nodes-with-local-storage: 'string'
      skip-nodes-with-system-pods: 'string'
    }
    autoUpgradeProfile: {
      // 'node-image', 'none', 'patch', 'rapid' or 'stable'.
      upgradeChannel: 'string'
    }
    // true disables retrieval of static credentials; expected only for AAD clusters.
    disableLocalAccounts: bool
    // Disk encryption set used for encryption at rest.
    diskEncryptionSetID: 'string'
    dnsPrefix: 'string'
    // (DEPRECATING) preview pod security policy; set for removal on October 15th, 2020.
    enablePodSecurityPolicy: bool
    // Kubernetes role-based access control.
    enableRBAC: bool
    fqdnSubdomain: 'string'
    // ManagedClusterHttpProxyConfig; trustedCa is an alternative CA cert for the proxies.
    httpProxyConfig: {
      httpProxy: 'string'
      httpsProxy: 'string'
      noProxy: [
        'string'
      ]
      trustedCa: 'string'
    }
    identityProfile: {
      {customized property}: {
        clientId: 'string'
        objectId: 'string'
        resourceId: 'string'
      }
    }
    kubernetesVersion: 'string'
    // ContainerServiceLinuxProfile: adminUsername pattern ^[A-Za-z][-A-Za-z0-9_]*$;
    // keyData is a PEM public key (headers optional); only one key is expected.
    linuxProfile: {
      adminUsername: 'string'
      ssh: {
        publicKeys: [
          {
            keyData: 'string'
          }
        ]
      }
    }
    // ContainerServiceNetworkProfile: dnsServiceIP must fall inside serviceCidr;
    // dockerBridgeCidr and serviceCidr must not overlap subnet ranges.
    networkProfile: {
      dnsServiceIP: 'string'
      dockerBridgeCidr: 'string'
      loadBalancerProfile: {
        // 0-64000 SNAT ports per VM; 0 lets Azure allocate dynamically.
        allocatedOutboundPorts: int
        effectiveOutboundIPs: [
          {
            id: 'string'
          }
        ]
        // 4-120 minutes; default 30.
        idleTimeoutInMinutes: int
        managedOutboundIPs: {
          // 1-100; default 1.
          count: int
        }
        outboundIPPrefixes: {
          publicIPPrefixes: [
            {
              id: 'string'
            }
          ]
        }
        outboundIPs: {
          publicIPs: [
            {
              id: 'string'
            }
          ]
        }
      }
      // 'basic' or 'standard'.
      loadBalancerSku: 'string'
      // 'bridge' or 'transparent'.
      networkMode: 'string'
      // 'azure' or 'kubenet'.
      networkPlugin: 'string'
      // 'azure' or 'calico'.
      networkPolicy: 'string'
      // 'loadBalancer' or 'userDefinedRouting'.
      outboundType: 'string'
      podCidr: 'string'
      serviceCidr: 'string'
    }
    nodeResourceGroup: 'string'
    // ManagedClusterPodIdentityProfile: allowNetworkPluginKubenet records customer
    // consent for using the AAD pod identity add-on with the kubenet plugin.
    podIdentityProfile: {
      allowNetworkPluginKubenet: bool
      enabled: bool
      userAssignedIdentities: [
        {
          bindingSelector: 'string'
          identity: {
            clientId: 'string'
            objectId: 'string'
            resourceId: 'string'
          }
          name: 'string'
          namespace: 'string'
        }
      ]
      userAssignedIdentityExceptions: [
        {
          name: 'string'
          namespace: 'string'
          podLabels: {
            {customized property}: 'string'
          }
        }
      ]
    }
    privateLinkResources: [
      {
        groupId: 'string'
        id: 'string'
        name: 'string'
        requiredMembers: [
          'string'
        ]
        type: 'string'
      }
    ]
    // ManagedClusterServicePrincipalProfile: clientId is required; secret is the
    // service principal password, given in plain text.
    servicePrincipalProfile: {
      clientId: 'string'
      secret: 'string'
    }
    // ManagedClusterWindowsProfile: adminPassword is 8-123 characters meeting 3 of 4
    // complexity conditions; adminUsername is 1-20 characters, cannot end in '.';
    // both have disallowed values listed in the table below.
    windowsProfile: {
      adminPassword: 'string'
      adminUsername: 'string'
      enableCSIProxy: bool
      // 'None' or 'Windows_Server'.
      licenseType: 'string'
    }
  }
  // ManagedClusterSKU: name 'Basic'; tier 'Free' or 'Paid'.
  sku: {
    name: 'string'
    tier: 'string'
  }
  tags: {
    {customized property}: 'string'
  }
}

Property values

AgentPoolUpgradeSettings

Name Description Value
maxSurge Count or percentage of additional nodes to be added during upgrade. If empty uses AKS default string

Components1Umhcm8SchemasManagedclusteridentityPropertiesUserassignedidentitiesAdditionalproperties

Name Description Value

ComponentsQit0EtSchemasManagedclusterpropertiesPropertiesIdentityprofileAdditionalproperties

Name Description Value
clientId The client id of the user assigned identity. string
objectId The object id of the user assigned identity. string
resourceId The resource id of the user assigned identity. string

ContainerServiceLinuxProfile

Name Description Value
adminUsername The administrator username to use for Linux VMs. string

Constraints:
Pattern = ^[A-Za-z][-A-Za-z0-9_]*$ (required)
ssh SSH configuration for Linux-based VMs running on Azure. ContainerServiceSshConfiguration (required)

ContainerServiceNetworkProfile

Name Description Value
dnsServiceIP An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. string

Constraints:
Pattern = ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
dockerBridgeCidr A CIDR notation IP range assigned to the Docker bridge network. It must not overlap with any Subnet IP ranges or the Kubernetes service address range. string

Constraints:
Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$
loadBalancerProfile Profile of the cluster load balancer. ManagedClusterLoadBalancerProfile
loadBalancerSku The load balancer sku for the managed cluster. 'basic'
'standard'
networkMode Network mode used for building Kubernetes network. 'bridge'
'transparent'
networkPlugin Network plugin used for building Kubernetes network. 'azure'
'kubenet'
networkPolicy Network policy used for building Kubernetes network. 'azure'
'calico'
outboundType The outbound (egress) routing method. 'loadBalancer'
'userDefinedRouting'
podCidr A CIDR notation IP range from which to assign pod IPs when kubenet is used. string

Constraints:
Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$
serviceCidr A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. string

Constraints:
Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$

ContainerServiceSshConfiguration

Name Description Value
publicKeys The list of SSH public keys used to authenticate with Linux-based VMs. Only one key is expected. ContainerServiceSshPublicKey[] (required)

ContainerServiceSshPublicKey

Name Description Value
keyData Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers. string (required)

ExtendedLocation

Name Description Value
name The name of the extended location. string
type The type of the extended location. 'EdgeZone'

KubeletConfig

Name Description Value
allowedUnsafeSysctls Allowlist of unsafe sysctls or unsafe sysctl patterns (ending in *). string[]
containerLogMaxFiles The maximum number of container log files that can be present for a container. The number must be ≥ 2. int

Constraints:
Min value = 2
containerLogMaxSizeMB The maximum size (e.g. 10Mi) of container log file before it is rotated. int
cpuCfsQuota Enable CPU CFS quota enforcement for containers that specify CPU limits. bool
cpuCfsQuotaPeriod Sets CPU CFS quota period value. string
cpuManagerPolicy CPU Manager policy to use. string
failSwapOn If set to true, the Kubelet will fail to start if swap is enabled on the node. bool
imageGcHighThreshold The percent of disk usage after which image garbage collection is always run. int
imageGcLowThreshold The percent of disk usage before which image garbage collection is never run. int
podMaxPids The maximum number of processes per pod. int
topologyManagerPolicy Topology Manager policy to use. string

LinuxOSConfig

Name Description Value
swapFileSizeMB SwapFileSizeMB specifies the size in MB of a swap file that will be created on each node. int
sysctls Sysctl settings for Linux agent nodes. SysctlConfig
transparentHugePageDefrag Transparent Huge Page defrag configuration. string
transparentHugePageEnabled Transparent Huge Page enabled configuration. string

ManagedClusterAADProfile

Name Description Value
adminGroupObjectIDs AAD group object IDs that will have admin role of the cluster. string[]
clientAppID The client AAD application ID. string
enableAzureRBAC Whether to enable Azure RBAC for Kubernetes authorization. bool
managed Whether to enable managed AAD. bool
serverAppID The server AAD application ID. string
serverAppSecret The server AAD application secret. string
tenantID The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription. string

ManagedClusterAddonProfile

Name Description Value
config Key-value pairs for configuring an add-on. ManagedClusterAddonProfileConfig
enabled Whether the add-on is enabled or not. bool (required)

ManagedClusterAddonProfileConfig

Name Description Value

ManagedClusterAgentPoolProfile

Name Description Value
availabilityZones Availability zones for nodes. Must use VirtualMachineScaleSets AgentPoolType. string[]
count Number of agents (VMs) to host docker containers. Allowed values must be in the range of 0 to 100 (inclusive) for user pools and in the range of 1 to 100 (inclusive) for system pools. The default value is 1. int
enableAutoScaling Whether to enable auto-scaler bool
enableEncryptionAtHost Whether to enable EncryptionAtHost bool
enableFIPS Whether to use FIPS enabled OS bool
enableNodePublicIP Enable public IP for nodes bool
gpuInstanceProfile GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. Supported values are MIG1g, MIG2g, MIG3g, MIG4g and MIG7g. 'MIG1g'
'MIG2g'
'MIG3g'
'MIG4g'
'MIG7g'
kubeletConfig KubeletConfig specifies the configuration of kubelet on agent nodes. KubeletConfig
kubeletDiskType KubeletDiskType determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. Currently allows one value, OS, resulting in Kubelet using the OS disk for data. 'OS'
'Temporary'
linuxOSConfig LinuxOSConfig specifies the OS configuration of linux agent nodes. LinuxOSConfig
maxCount Maximum number of nodes for auto-scaling int
maxPods Maximum number of pods that can run on a node. int
minCount Minimum number of nodes for auto-scaling int
mode AgentPoolMode represents mode of an agent pool 'System'
'User'
name Unique name of the agent pool profile in the context of the subscription and resource group. string

Constraints:
Pattern = ^[a-z][a-z0-9]{0,11}$ (required)
nodeLabels Agent pool node labels to be persisted across all nodes in agent pool. ManagedClusterAgentPoolProfilePropertiesNodeLabels
nodePublicIPPrefixID Public IP Prefix ID. VM nodes use IPs assigned from this Public IP Prefix. string
nodeTaints Taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. string[]
orchestratorVersion Version of orchestrator specified when creating the managed cluster. string
osDiskSizeGB OS Disk Size in GB to be used to specify the disk size for every machine in this master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. int

Constraints:
Min value = 0
Max value = 2048
osDiskType OS disk type to be used for machines in a given agent pool. Allowed values are 'Ephemeral' and 'Managed'. If unspecified, defaults to 'Ephemeral' when the VM supports ephemeral OS and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. 'Ephemeral'
'Managed'
osSKU OsSKU to be used to specify os sku. Choose from Ubuntu (default) and CBLMariner for Linux OSType. Not applicable to Windows OSType. 'CBLMariner'
'Ubuntu'
osType OsType to be used to specify os type. Choose from Linux and Windows. Default to Linux. 'Linux'
'Windows'
podSubnetID Pod SubnetID specifies the VNet's subnet identifier for pods. string
proximityPlacementGroupID The ID for Proximity Placement Group. string
scaleSetEvictionPolicy ScaleSetEvictionPolicy to be used to specify eviction policy for Spot virtual machine scale set. Default to Delete. 'Deallocate'
'Delete'
scaleSetPriority ScaleSetPriority to be used to specify virtual machine scale set priority. Default to regular. 'Regular'
'Spot'
spotMaxPrice SpotMaxPrice to be used to specify the maximum price you are willing to pay in US Dollars. Possible values are any decimal value greater than zero, or -1, which indicates that the default price is up to the on-demand price. int
tags Agent pool tags to be persisted on the agent pool virtual machine scale set. ManagedClusterAgentPoolProfilePropertiesTags
type AgentPoolType represents types of an agent pool 'AvailabilitySet'
'VirtualMachineScaleSets'
upgradeSettings Settings for upgrading the agentpool AgentPoolUpgradeSettings
vmSize Size of agent VMs. string
vnetSubnetID VNet SubnetID specifies the VNet's subnet identifier for nodes and possibly pods. string

ManagedClusterAgentPoolProfilePropertiesNodeLabels

Name Description Value

ManagedClusterAgentPoolProfilePropertiesTags

Name Description Value

ManagedClusterAPIServerAccessProfile

Name Description Value
authorizedIPRanges Authorized IP Ranges to kubernetes API server. string[]
enablePrivateCluster Whether to create the cluster as a private cluster or not. bool
privateDNSZone Private dns zone mode for private cluster. string

ManagedClusterAutoUpgradeProfile

Name Description Value
upgradeChannel upgrade channel for auto upgrade. 'node-image'
'none'
'patch'
'rapid'
'stable'

ManagedClusterHttpProxyConfig

Name Description Value
httpProxy HTTP proxy server endpoint to use. string
httpsProxy HTTPS proxy server endpoint to use. string
noProxy Endpoints that should not go through proxy. string[]
trustedCa Alternative CA cert to use for connecting to proxy servers. string

ManagedClusterIdentity

Name Description Value
type The type of identity used for the managed cluster. Type 'SystemAssigned' will use an implicitly created identity in master components and an auto-created user assigned identity in the MC_ resource group in agent nodes. Type 'None' will not use MSI for the managed cluster; a service principal will be used instead. 'None'
'SystemAssigned'
'UserAssigned'
userAssignedIdentities The user identity associated with the managed cluster. This identity will be used in control plane and only one user assigned identity is allowed. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. ManagedClusterIdentityUserAssignedIdentities

ManagedClusterIdentityUserAssignedIdentities

Name Description Value

ManagedClusterLoadBalancerProfile

Name Description Value
allocatedOutboundPorts Desired number of allocated SNAT ports per VM. Allowed values must be in the range of 0 to 64000 (inclusive). The default value is 0 which results in Azure dynamically allocating ports. int

Constraints:
Min value = 0
Max value = 64000
effectiveOutboundIPs The effective outbound IP resources of the cluster load balancer. ResourceReference[]
idleTimeoutInMinutes Desired outbound flow idle timeout in minutes. Allowed values must be in the range of 4 to 120 (inclusive). The default value is 30 minutes. int

Constraints:
Min value = 4
Max value = 120
managedOutboundIPs Desired managed outbound IPs for the cluster load balancer. ManagedClusterLoadBalancerProfileManagedOutboundIPs
outboundIPPrefixes Desired outbound IP Prefix resources for the cluster load balancer. ManagedClusterLoadBalancerProfileOutboundIPPrefixes
outboundIPs Desired outbound IP resources for the cluster load balancer. ManagedClusterLoadBalancerProfileOutboundIPs

ManagedClusterLoadBalancerProfileManagedOutboundIPs

Name Description Value
count Desired number of outbound IP created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1. int

Constraints:
Min value = 1
Max value = 100

ManagedClusterLoadBalancerProfileOutboundIPPrefixes

Name Description Value
publicIPPrefixes A list of public IP prefix resources. ResourceReference[]

ManagedClusterLoadBalancerProfileOutboundIPs

Name Description Value
publicIPs A list of public IP resources. ResourceReference[]

ManagedClusterPodIdentity

Name Description Value
bindingSelector Binding selector to use for the AzureIdentityBinding resource. string
identity Information of the user assigned identity. UserAssignedIdentity (required)
name Name of the pod identity. string (required)
namespace Namespace of the pod identity. string (required)

ManagedClusterPodIdentityException

Name Description Value
name Name of the pod identity exception. string (required)
namespace Namespace of the pod identity exception. string (required)
podLabels Pod labels to match. ManagedClusterPodIdentityExceptionPodLabels (required)

ManagedClusterPodIdentityExceptionPodLabels

Name Description Value

ManagedClusterPodIdentityProfile

Name Description Value
allowNetworkPluginKubenet Customer consent for enabling AAD pod identity addon in cluster using Kubenet network plugin. bool
enabled Whether the pod identity addon is enabled. bool
userAssignedIdentities User assigned pod identity settings. ManagedClusterPodIdentity[]
userAssignedIdentityExceptions User assigned pod identity exception settings. ManagedClusterPodIdentityException[]

ManagedClusterProperties

Name Description Value
aadProfile Profile of Azure Active Directory configuration. ManagedClusterAADProfile
addonProfiles Profile of managed cluster add-on. ManagedClusterPropertiesAddonProfiles
agentPoolProfiles Properties of the agent pool. ManagedClusterAgentPoolProfile[]
apiServerAccessProfile Access profile for managed cluster API server. ManagedClusterAPIServerAccessProfile
autoScalerProfile Parameters to be applied to the cluster-autoscaler when enabled ManagedClusterPropertiesAutoScalerProfile
autoUpgradeProfile Profile of auto upgrade configuration. ManagedClusterAutoUpgradeProfile
disableLocalAccounts If set to true, getting static credentials will be disabled for this cluster. Expected to only be used for AAD clusters. bool
diskEncryptionSetID ResourceId of the disk encryption set to use for enabling encryption at rest. string
dnsPrefix DNS prefix specified when creating the managed cluster. string
enablePodSecurityPolicy (DEPRECATING) Whether to enable Kubernetes pod security policy (preview). This feature is set for removal on October 15th, 2020. Learn more at aka.ms/aks/azpodpolicy. bool
enableRBAC Whether to enable Kubernetes Role-Based Access Control. bool
fqdnSubdomain FQDN subdomain specified when creating private cluster with custom private dns zone. string
httpProxyConfig Configurations for provisioning the cluster with HTTP proxy servers. ManagedClusterHttpProxyConfig
identityProfile Identities associated with the cluster. ManagedClusterPropertiesIdentityProfile
kubernetesVersion Version of Kubernetes specified when creating the managed cluster. string
linuxProfile Profile for Linux VMs in the container service cluster. ContainerServiceLinuxProfile
networkProfile Profile of network configuration. ContainerServiceNetworkProfile
nodeResourceGroup Name of the resource group containing agent pool nodes. string
podIdentityProfile Profile of managed cluster pod identity. ManagedClusterPodIdentityProfile
privateLinkResources Private link resources associated with the cluster. PrivateLinkResource[]
servicePrincipalProfile Information about a service principal identity for the cluster to use for manipulating Azure APIs. ManagedClusterServicePrincipalProfile
windowsProfile Profile for Windows VMs in the container service cluster. ManagedClusterWindowsProfile

ManagedClusterPropertiesAddonProfiles

Name Description Value

ManagedClusterPropertiesAutoScalerProfile

Name Description Value
balance-similar-node-groups string
expander 'least-waste'
'most-pods'
'priority'
'random'
max-empty-bulk-delete string
max-graceful-termination-sec string
max-node-provision-time string
max-total-unready-percentage string
new-pod-scale-up-delay string
ok-total-unready-count string
scale-down-delay-after-add string
scale-down-delay-after-delete string
scale-down-delay-after-failure string
scale-down-unneeded-time string
scale-down-unready-time string
scale-down-utilization-threshold string
scan-interval string
skip-nodes-with-local-storage string
skip-nodes-with-system-pods string

ManagedClusterPropertiesIdentityProfile

Name Description Value

ManagedClusterServicePrincipalProfile

Name Description Value
clientId The ID for the service principal. string (required)
secret The secret password associated with the service principal in plain text. string

ManagedClusterSKU

Name Description Value
name Name of a managed cluster SKU. 'Basic'
tier Tier of a managed cluster SKU. 'Free'
'Paid'

ManagedClusterWindowsProfile

Name Description Value
adminPassword Specifies the password of the administrator account.

Minimum-length: 8 characters

Max-length: 123 characters

Complexity requirements: 3 out of 4 conditions below need to be fulfilled
Has lower characters
Has upper characters
Has a digit
Has a special character (Regex match [\W_])

Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!"
string
adminUsername Specifies the name of the administrator account.

restriction: Cannot end in "."

Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5".

Minimum-length: 1 character

Max-length: 20 characters
string (required)
enableCSIProxy Whether to enable CSI proxy. bool
licenseType The licenseType to use for Windows VMs. Windows_Server is used to enable Azure Hybrid User Benefits for Windows VMs. 'None'
'Windows_Server'

Microsoft.ContainerService/managedClusters

Name Description Value
extendedLocation The extended location of the Virtual Machine. ExtendedLocation
identity The identity of the managed cluster, if configured. ManagedClusterIdentity
location Resource location string (required)
name The resource name string

Constraints:
Min length = 1
Max length = 1
Pattern = ^[a-zA-Z0-9]$|^[a-zA-Z0-9][-_a-zA-Z0-9]{0,61}[a-zA-Z0-9]$ (required)
properties Properties of a managed cluster. ManagedClusterProperties
sku The managed cluster SKU. ManagedClusterSKU
tags Resource tags Dictionary of tag names and values. See Tags in templates

PrivateLinkResource

Name Description Value
groupId The group ID of the resource. string
id The ID of the private link resource. string
name The name of the private link resource. string
requiredMembers RequiredMembers of the resource string[]
type The resource type. string

ResourceReference

Name Description Value
id The fully qualified Azure resource id. string

ResourceTags

Name Description Value

SysctlConfig

Name Description Value
fsAioMaxNr Sysctl setting fs.aio-max-nr. int
fsFileMax Sysctl setting fs.file-max. int
fsInotifyMaxUserWatches Sysctl setting fs.inotify.max_user_watches. int
fsNrOpen Sysctl setting fs.nr_open. int
kernelThreadsMax Sysctl setting kernel.threads-max. int
netCoreNetdevMaxBacklog Sysctl setting net.core.netdev_max_backlog. int
netCoreOptmemMax Sysctl setting net.core.optmem_max. int
netCoreRmemDefault Sysctl setting net.core.rmem_default. int
netCoreRmemMax Sysctl setting net.core.rmem_max. int
netCoreSomaxconn Sysctl setting net.core.somaxconn. int
netCoreWmemDefault Sysctl setting net.core.wmem_default. int
netCoreWmemMax Sysctl setting net.core.wmem_max. int
netIpv4IpLocalPortRange Sysctl setting net.ipv4.ip_local_port_range. string
netIpv4NeighDefaultGcThresh1 Sysctl setting net.ipv4.neigh.default.gc_thresh1. int
netIpv4NeighDefaultGcThresh2 Sysctl setting net.ipv4.neigh.default.gc_thresh2. int
netIpv4NeighDefaultGcThresh3 Sysctl setting net.ipv4.neigh.default.gc_thresh3. int
netIpv4TcpFinTimeout Sysctl setting net.ipv4.tcp_fin_timeout. int
netIpv4TcpkeepaliveIntvl Sysctl setting net.ipv4.tcp_keepalive_intvl. int
netIpv4TcpKeepaliveProbes Sysctl setting net.ipv4.tcp_keepalive_probes. int
netIpv4TcpKeepaliveTime Sysctl setting net.ipv4.tcp_keepalive_time. int
netIpv4TcpMaxSynBacklog Sysctl setting net.ipv4.tcp_max_syn_backlog. int
netIpv4TcpMaxTwBuckets Sysctl setting net.ipv4.tcp_max_tw_buckets. int
netIpv4TcpTwReuse Sysctl setting net.ipv4.tcp_tw_reuse. bool
netNetfilterNfConntrackBuckets Sysctl setting net.netfilter.nf_conntrack_buckets. int
netNetfilterNfConntrackMax Sysctl setting net.netfilter.nf_conntrack_max. int
vmMaxMapCount Sysctl setting vm.max_map_count. int
vmSwappiness Sysctl setting vm.swappiness. int
vmVfsCachePressure Sysctl setting vm.vfs_cache_pressure. int

UserAssignedIdentity

Name Description Value
clientId The client id of the user assigned identity. string
objectId The object id of the user assigned identity. string
resourceId The resource id of the user assigned identity. string

Quickstart samples

The following quickstart samples deploy this resource type.

Bicep File Description
AKS Cluster with a NAT Gateway and an Application Gateway This sample shows how to deploy an AKS cluster with a NAT Gateway for outbound connections and an Application Gateway for inbound connections.
AKS cluster with the Application Gateway Ingress Controller This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault.
Azure Container Service (AKS) Deploy a managed cluster with Azure Container Service (AKS) using Azure Linux container hosts
Azure Container Service (AKS) Deploy a managed cluster with Azure Container Service (AKS)
Azure Container Service (AKS) with Helm Deploy a managed cluster with Azure Container Service (AKS) with Helm
Azure Kubernetes Service (AKS) Deploys a managed Kubernetes cluster via Azure Kubernetes Service (AKS)
Azure Machine Learning end-to-end secure setup This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure setup. This reference implementation includes the Workspace, a compute cluster, a compute instance and an attached private AKS cluster.
Azure Machine Learning end-to-end secure setup (legacy) This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure setup. This reference implementation includes the Workspace, a compute cluster, a compute instance and an attached private AKS cluster.
Create a Private AKS Cluster This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine.
Create AKS with Prometheus and Grafana with private link This will create an Azure Managed Grafana instance and an AKS cluster, and install Prometheus, an open-source monitoring and alerting toolkit, on the Azure Kubernetes Service (AKS) cluster. Then you use Azure Managed Grafana's managed private endpoint to connect to this Prometheus server and display the Prometheus data in a Grafana dashboard.

ARM template resource definition

The managedClusters resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.ContainerService/managedClusters resource, add the following JSON to your template.

{
  "type": "Microsoft.ContainerService/managedClusters",
  "apiVersion": "2021-03-01",
  "name": "string",
  "extendedLocation": {
    "name": "string",
    "type": "string"
  },
  "identity": {
    "type": "string",
    "userAssignedIdentities": {
      "{customized property}": {
      }
    }
  },
  "location": "string",
  "properties": {
    "aadProfile": {
      "adminGroupObjectIDs": [ "string" ],
      "clientAppID": "string",
      "enableAzureRBAC": "bool",
      "managed": "bool",
      "serverAppID": "string",
      "serverAppSecret": "string",
      "tenantID": "string"
    },
    "addonProfiles": {
      "{customized property}": {
        "config": {
          "{customized property}": "string"
        },
        "enabled": "bool"
      }
    },
    "agentPoolProfiles": [
      {
        "availabilityZones": [ "string" ],
        "count": "int",
        "enableAutoScaling": "bool",
        "enableEncryptionAtHost": "bool",
        "enableFIPS": "bool",
        "enableNodePublicIP": "bool",
        "gpuInstanceProfile": "string",
        "kubeletConfig": {
          "allowedUnsafeSysctls": [ "string" ],
          "containerLogMaxFiles": "int",
          "containerLogMaxSizeMB": "int",
          "cpuCfsQuota": "bool",
          "cpuCfsQuotaPeriod": "string",
          "cpuManagerPolicy": "string",
          "failSwapOn": "bool",
          "imageGcHighThreshold": "int",
          "imageGcLowThreshold": "int",
          "podMaxPids": "int",
          "topologyManagerPolicy": "string"
        },
        "kubeletDiskType": "string",
        "linuxOSConfig": {
          "swapFileSizeMB": "int",
          "sysctls": {
            "fsAioMaxNr": "int",
            "fsFileMax": "int",
            "fsInotifyMaxUserWatches": "int",
            "fsNrOpen": "int",
            "kernelThreadsMax": "int",
            "netCoreNetdevMaxBacklog": "int",
            "netCoreOptmemMax": "int",
            "netCoreRmemDefault": "int",
            "netCoreRmemMax": "int",
            "netCoreSomaxconn": "int",
            "netCoreWmemDefault": "int",
            "netCoreWmemMax": "int",
            "netIpv4IpLocalPortRange": "string",
            "netIpv4NeighDefaultGcThresh1": "int",
            "netIpv4NeighDefaultGcThresh2": "int",
            "netIpv4NeighDefaultGcThresh3": "int",
            "netIpv4TcpFinTimeout": "int",
            "netIpv4TcpkeepaliveIntvl": "int",
            "netIpv4TcpKeepaliveProbes": "int",
            "netIpv4TcpKeepaliveTime": "int",
            "netIpv4TcpMaxSynBacklog": "int",
            "netIpv4TcpMaxTwBuckets": "int",
            "netIpv4TcpTwReuse": "bool",
            "netNetfilterNfConntrackBuckets": "int",
            "netNetfilterNfConntrackMax": "int",
            "vmMaxMapCount": "int",
            "vmSwappiness": "int",
            "vmVfsCachePressure": "int"
          },
          "transparentHugePageDefrag": "string",
          "transparentHugePageEnabled": "string"
        },
        "maxCount": "int",
        "maxPods": "int",
        "minCount": "int",
        "mode": "string",
        "name": "string",
        "nodeLabels": {
          "{customized property}": "string"
        },
        "nodePublicIPPrefixID": "string",
        "nodeTaints": [ "string" ],
        "orchestratorVersion": "string",
        "osDiskSizeGB": "int",
        "osDiskType": "string",
        "osSKU": "string",
        "osType": "string",
        "podSubnetID": "string",
        "proximityPlacementGroupID": "string",
        "scaleSetEvictionPolicy": "string",
        "scaleSetPriority": "string",
        "spotMaxPrice": "int",
        "tags": {
          "{customized property}": "string"
        },
        "type": "string",
        "upgradeSettings": {
          "maxSurge": "string"
        },
        "vmSize": "string",
        "vnetSubnetID": "string"
      }
    ],
    "apiServerAccessProfile": {
      "authorizedIPRanges": [ "string" ],
      "enablePrivateCluster": "bool",
      "privateDNSZone": "string"
    },
    "autoScalerProfile": {
      "balance-similar-node-groups": "string",
      "expander": "string",
      "max-empty-bulk-delete": "string",
      "max-graceful-termination-sec": "string",
      "max-node-provision-time": "string",
      "max-total-unready-percentage": "string",
      "new-pod-scale-up-delay": "string",
      "ok-total-unready-count": "string",
      "scale-down-delay-after-add": "string",
      "scale-down-delay-after-delete": "string",
      "scale-down-delay-after-failure": "string",
      "scale-down-unneeded-time": "string",
      "scale-down-unready-time": "string",
      "scale-down-utilization-threshold": "string",
      "scan-interval": "string",
      "skip-nodes-with-local-storage": "string",
      "skip-nodes-with-system-pods": "string"
    },
    "autoUpgradeProfile": {
      "upgradeChannel": "string"
    },
    "disableLocalAccounts": "bool",
    "diskEncryptionSetID": "string",
    "dnsPrefix": "string",
    "enablePodSecurityPolicy": "bool",
    "enableRBAC": "bool",
    "fqdnSubdomain": "string",
    "httpProxyConfig": {
      "httpProxy": "string",
      "httpsProxy": "string",
      "noProxy": [ "string" ],
      "trustedCa": "string"
    },
    "identityProfile": {
      "{customized property}": {
        "clientId": "string",
        "objectId": "string",
        "resourceId": "string"
      }
    },
    "kubernetesVersion": "string",
    "linuxProfile": {
      "adminUsername": "string",
      "ssh": {
        "publicKeys": [
          {
            "keyData": "string"
          }
        ]
      }
    },
    "networkProfile": {
      "dnsServiceIP": "string",
      "dockerBridgeCidr": "string",
      "loadBalancerProfile": {
        "allocatedOutboundPorts": "int",
        "effectiveOutboundIPs": [
          {
            "id": "string"
          }
        ],
        "idleTimeoutInMinutes": "int",
        "managedOutboundIPs": {
          "count": "int"
        },
        "outboundIPPrefixes": {
          "publicIPPrefixes": [
            {
              "id": "string"
            }
          ]
        },
        "outboundIPs": {
          "publicIPs": [
            {
              "id": "string"
            }
          ]
        }
      },
      "loadBalancerSku": "string",
      "networkMode": "string",
      "networkPlugin": "string",
      "networkPolicy": "string",
      "outboundType": "string",
      "podCidr": "string",
      "serviceCidr": "string"
    },
    "nodeResourceGroup": "string",
    "podIdentityProfile": {
      "allowNetworkPluginKubenet": "bool",
      "enabled": "bool",
      "userAssignedIdentities": [
        {
          "bindingSelector": "string",
          "identity": {
            "clientId": "string",
            "objectId": "string",
            "resourceId": "string"
          },
          "name": "string",
          "namespace": "string"
        }
      ],
      "userAssignedIdentityExceptions": [
        {
          "name": "string",
          "namespace": "string",
          "podLabels": {
            "{customized property}": "string"
          }
        }
      ]
    },
    "privateLinkResources": [
      {
        "groupId": "string",
        "id": "string",
        "name": "string",
        "requiredMembers": [ "string" ],
        "type": "string"
      }
    ],
    "servicePrincipalProfile": {
      "clientId": "string",
      "secret": "string"
    },
    "windowsProfile": {
      "adminPassword": "string",
      "adminUsername": "string",
      "enableCSIProxy": "bool",
      "licenseType": "string"
    }
  },
  "sku": {
    "name": "string",
    "tier": "string"
  },
  "tags": {
    "{customized property}": "string"
  }
}

Property values

AgentPoolUpgradeSettings

Name Description Value
maxSurge Count or percentage of additional nodes to be added during upgrade. If empty, the AKS default is used. string

Components1Umhcm8SchemasManagedclusteridentityPropertiesUserassignedidentitiesAdditionalproperties

Name Description Value

ComponentsQit0EtSchemasManagedclusterpropertiesPropertiesIdentityprofileAdditionalproperties

Name Description Value
clientId The client id of the user assigned identity. string
objectId The object id of the user assigned identity. string
resourceId The resource id of the user assigned identity. string

ContainerServiceLinuxProfile

Name Description Value
adminUsername The administrator username to use for Linux VMs. string

Constraints:
Pattern = ^[A-Za-z][-A-Za-z0-9_]*$ (required)
ssh SSH configuration for Linux-based VMs running on Azure. ContainerServiceSshConfiguration (required)

ContainerServiceNetworkProfile

Name Description Value
dnsServiceIP An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. string

Constraints:
Pattern = ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
dockerBridgeCidr A CIDR notation IP range assigned to the Docker bridge network. It must not overlap with any Subnet IP ranges or the Kubernetes service address range. string

Constraints:
Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$
loadBalancerProfile Profile of the cluster load balancer. ManagedClusterLoadBalancerProfile
loadBalancerSku The load balancer sku for the managed cluster. 'basic'
'standard'
networkMode Network mode used for building Kubernetes network. 'bridge'
'transparent'
networkPlugin Network plugin used for building Kubernetes network. 'azure'
'kubenet'
networkPolicy Network policy used for building Kubernetes network. 'azure'
'calico'
outboundType The outbound (egress) routing method. 'loadBalancer'
'userDefinedRouting'
podCidr A CIDR notation IP range from which to assign pod IPs when kubenet is used. string

Constraints:
Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$
serviceCidr A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. string

Constraints:
Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$

ContainerServiceSshConfiguration

Name Description Value
publicKeys The list of SSH public keys used to authenticate with Linux-based VMs. Only one key is expected. ContainerServiceSshPublicKey[] (required)

ContainerServiceSshPublicKey

Name Description Value
keyData Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers. string (required)

ExtendedLocation

Name Description Value
name The name of the extended location. string
type The type of the extended location. 'EdgeZone'

KubeletConfig

Name Description Value
allowedUnsafeSysctls Allowlist of unsafe sysctls or unsafe sysctl patterns (ending in *). string[]
containerLogMaxFiles The maximum number of container log files that can be present for a container. The number must be ≥ 2. int

Constraints:
Min value = 2
containerLogMaxSizeMB The maximum size (e.g. 10Mi) of container log file before it is rotated. int
cpuCfsQuota Enable CPU CFS quota enforcement for containers that specify CPU limits. bool
cpuCfsQuotaPeriod Sets CPU CFS quota period value. string
cpuManagerPolicy CPU Manager policy to use. string
failSwapOn If set to true it will make the Kubelet fail to start if swap is enabled on the node. bool
imageGcHighThreshold The percent of disk usage after which image garbage collection is always run. int
imageGcLowThreshold The percent of disk usage before which image garbage collection is never run. int
podMaxPids The maximum number of processes per pod. int
topologyManagerPolicy Topology Manager policy to use. string

LinuxOSConfig

Name Description Value
swapFileSizeMB SwapFileSizeMB specifies the size in MB of a swap file that will be created on each node. int
sysctls Sysctl settings for Linux agent nodes. SysctlConfig
transparentHugePageDefrag Transparent Huge Page defrag configuration. string
transparentHugePageEnabled Transparent Huge Page enabled configuration. string

ManagedClusterAADProfile

Name Description Value
adminGroupObjectIDs AAD group object IDs that will have admin role of the cluster. string[]
clientAppID The client AAD application ID. string
enableAzureRBAC Whether to enable Azure RBAC for Kubernetes authorization. bool
managed Whether to enable managed AAD. bool
serverAppID The server AAD application ID. string
serverAppSecret The server AAD application secret. string
tenantID The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription. string

ManagedClusterAddonProfile

Name Description Value
config Key-value pairs for configuring an add-on. ManagedClusterAddonProfileConfig
enabled Whether the add-on is enabled or not. bool (required)

ManagedClusterAddonProfileConfig

Name Description Value

ManagedClusterAgentPoolProfile

Name Description Value
availabilityZones Availability zones for nodes. Must use VirtualMachineScaleSets AgentPoolType. string[]
count Number of agents (VMs) to host docker containers. Allowed values must be in the range of 0 to 100 (inclusive) for user pools and in the range of 1 to 100 (inclusive) for system pools. The default value is 1. int
enableAutoScaling Whether to enable auto-scaler bool
enableEncryptionAtHost Whether to enable EncryptionAtHost bool
enableFIPS Whether to use FIPS enabled OS bool
enableNodePublicIP Enable public IP for nodes bool
gpuInstanceProfile GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. Supported values are MIG1g, MIG2g, MIG3g, MIG4g and MIG7g. 'MIG1g'
'MIG2g'
'MIG3g'
'MIG4g'
'MIG7g'
kubeletConfig KubeletConfig specifies the configuration of kubelet on agent nodes. KubeletConfig
kubeletDiskType KubeletDiskType determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. Currently allows one value, OS, resulting in Kubelet using the OS disk for data. 'OS'
'Temporary'
linuxOSConfig LinuxOSConfig specifies the OS configuration of linux agent nodes. LinuxOSConfig
maxCount Maximum number of nodes for auto-scaling int
maxPods Maximum number of pods that can run on a node. int
minCount Minimum number of nodes for auto-scaling int
mode AgentPoolMode represents mode of an agent pool 'System'
'User'
name Unique name of the agent pool profile in the context of the subscription and resource group. string

Constraints:
Pattern = ^[a-z][a-z0-9]{0,11}$ (required)
nodeLabels Agent pool node labels to be persisted across all nodes in agent pool. ManagedClusterAgentPoolProfilePropertiesNodeLabels
nodePublicIPPrefixID Public IP Prefix ID. VM nodes use IPs assigned from this Public IP Prefix. string
nodeTaints Taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. string[]
orchestratorVersion Version of orchestrator specified when creating the managed cluster. string
osDiskSizeGB OS Disk Size in GB to be used to specify the disk size for every machine in this master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. int

Constraints:
Min value = 0
Max value = 2048
osDiskType OS disk type to be used for machines in a given agent pool. Allowed values are 'Ephemeral' and 'Managed'. If unspecified, defaults to 'Ephemeral' when the VM supports ephemeral OS and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. 'Ephemeral'
'Managed'
osSKU OsSKU to be used to specify os sku. Choose from Ubuntu(default) and CBLMariner for Linux OSType. Not applicable to Windows OSType. 'CBLMariner'
'Ubuntu'
osType OsType to be used to specify os type. Choose from Linux and Windows. Default to Linux. 'Linux'
'Windows'
podSubnetID Pod SubnetID specifies the VNet's subnet identifier for pods. string
proximityPlacementGroupID The ID for Proximity Placement Group. string
scaleSetEvictionPolicy ScaleSetEvictionPolicy to be used to specify eviction policy for Spot virtual machine scale set. Default to Delete. 'Deallocate'
'Delete'
scaleSetPriority ScaleSetPriority to be used to specify virtual machine scale set priority. Default to regular. 'Regular'
'Spot'
spotMaxPrice SpotMaxPrice to be used to specify the maximum price you are willing to pay in US Dollars. Possible values are any decimal value greater than zero or -1 which indicates default price to be up-to on-demand. int
tags Agent pool tags to be persisted on the agent pool virtual machine scale set. ManagedClusterAgentPoolProfilePropertiesTags
type AgentPoolType represents types of an agent pool 'AvailabilitySet'
'VirtualMachineScaleSets'
upgradeSettings Settings for upgrading the agentpool AgentPoolUpgradeSettings
vmSize Size of agent VMs. string
vnetSubnetID VNet SubnetID specifies the VNet's subnet identifier for nodes and, optionally, pods. string

ManagedClusterAgentPoolProfilePropertiesNodeLabels

Name Description Value

ManagedClusterAgentPoolProfilePropertiesTags

Name Description Value

ManagedClusterAPIServerAccessProfile

Name Description Value
authorizedIPRanges Authorized IP ranges for the Kubernetes API server. string[]
enablePrivateCluster Whether to create the cluster as a private cluster or not. bool
privateDNSZone Private DNS zone mode for a private cluster. string

ManagedClusterAutoUpgradeProfile

Name Description Value
upgradeChannel upgrade channel for auto upgrade. 'node-image'
'none'
'patch'
'rapid'
'stable'

ManagedClusterHttpProxyConfig

Name Description Value
httpProxy HTTP proxy server endpoint to use. string
httpsProxy HTTPS proxy server endpoint to use. string
noProxy Endpoints that should not go through proxy. string[]
trustedCa Alternative CA cert to use for connecting to proxy servers. string

ManagedClusterIdentity

Name Description Value
type The type of identity used for the managed cluster. Type 'SystemAssigned' will use an implicitly created identity in master components and an auto-created user assigned identity in the MC_ resource group in agent nodes. Type 'None' will not use MSI for the managed cluster; a service principal will be used instead. 'None'
'SystemAssigned'
'UserAssigned'
userAssignedIdentities The user identity associated with the managed cluster. This identity will be used in control plane and only one user assigned identity is allowed. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. ManagedClusterIdentityUserAssignedIdentities

ManagedClusterIdentityUserAssignedIdentities

Name Description Value

ManagedClusterLoadBalancerProfile

Name Description Value
allocatedOutboundPorts Desired number of allocated SNAT ports per VM. Allowed values must be in the range of 0 to 64000 (inclusive). The default value is 0 which results in Azure dynamically allocating ports. int

Constraints:
Min value = 0
Max value = 64000
effectiveOutboundIPs The effective outbound IP resources of the cluster load balancer. ResourceReference[]
idleTimeoutInMinutes Desired outbound flow idle timeout in minutes. Allowed values must be in the range of 4 to 120 (inclusive). The default value is 30 minutes. int

Constraints:
Min value = 4
Max value = 120
managedOutboundIPs Desired managed outbound IPs for the cluster load balancer. ManagedClusterLoadBalancerProfileManagedOutboundIPs
outboundIPPrefixes Desired outbound IP Prefix resources for the cluster load balancer. ManagedClusterLoadBalancerProfileOutboundIPPrefixes
outboundIPs Desired outbound IP resources for the cluster load balancer. ManagedClusterLoadBalancerProfileOutboundIPs

ManagedClusterLoadBalancerProfileManagedOutboundIPs

Name Description Value
count Desired number of outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1. int

Constraints:
Min value = 1
Max value = 100

ManagedClusterLoadBalancerProfileOutboundIPPrefixes

Name Description Value
publicIPPrefixes A list of public IP prefix resources. ResourceReference[]

ManagedClusterLoadBalancerProfileOutboundIPs

Name Description Value
publicIPs A list of public IP resources. ResourceReference[]

ManagedClusterPodIdentity

Name Description Value
bindingSelector Binding selector to use for the AzureIdentityBinding resource. string
identity Information of the user assigned identity. UserAssignedIdentity (required)
name Name of the pod identity. string (required)
namespace Namespace of the pod identity. string (required)

ManagedClusterPodIdentityException

Name Description Value
name Name of the pod identity exception. string (required)
namespace Namespace of the pod identity exception. string (required)
podLabels Pod labels to match. ManagedClusterPodIdentityExceptionPodLabels (required)

ManagedClusterPodIdentityExceptionPodLabels

Name Description Value

ManagedClusterPodIdentityProfile

Name Description Value
allowNetworkPluginKubenet Customer consent for enabling AAD pod identity addon in cluster using Kubenet network plugin. bool
enabled Whether the pod identity addon is enabled. bool
userAssignedIdentities User assigned pod identity settings. ManagedClusterPodIdentity[]
userAssignedIdentityExceptions User assigned pod identity exception settings. ManagedClusterPodIdentityException[]

ManagedClusterProperties

Name Description Value
aadProfile Profile of Azure Active Directory configuration. ManagedClusterAADProfile
addonProfiles Profile of managed cluster add-on. ManagedClusterPropertiesAddonProfiles
agentPoolProfiles Properties of the agent pool. ManagedClusterAgentPoolProfile[]
apiServerAccessProfile Access profile for managed cluster API server. ManagedClusterAPIServerAccessProfile
autoScalerProfile Parameters to be applied to the cluster-autoscaler when enabled ManagedClusterPropertiesAutoScalerProfile
autoUpgradeProfile Profile of auto upgrade configuration. ManagedClusterAutoUpgradeProfile
disableLocalAccounts If set to true, getting static credential will be disabled for this cluster. Expected to only be used for AAD clusters. bool
diskEncryptionSetID ResourceId of the disk encryption set to use for enabling encryption at rest. string
dnsPrefix DNS prefix specified when creating the managed cluster. string
enablePodSecurityPolicy (DEPRECATING) Whether to enable Kubernetes pod security policy (preview). This feature is set for removal on October 15th, 2020. Learn more at aka.ms/aks/azpodpolicy. bool
enableRBAC Whether to enable Kubernetes Role-Based Access Control. bool
fqdnSubdomain FQDN subdomain specified when creating a private cluster with a custom private DNS zone. string
httpProxyConfig Configurations for provisioning the cluster with HTTP proxy servers. ManagedClusterHttpProxyConfig
identityProfile Identities associated with the cluster. ManagedClusterPropertiesIdentityProfile
kubernetesVersion Version of Kubernetes specified when creating the managed cluster. string
linuxProfile Profile for Linux VMs in the container service cluster. ContainerServiceLinuxProfile
networkProfile Profile of network configuration. ContainerServiceNetworkProfile
nodeResourceGroup Name of the resource group containing agent pool nodes. string
podIdentityProfile Profile of managed cluster pod identity. ManagedClusterPodIdentityProfile
privateLinkResources Private link resources associated with the cluster. PrivateLinkResource[]
servicePrincipalProfile Information about a service principal identity for the cluster to use for manipulating Azure APIs. ManagedClusterServicePrincipalProfile
windowsProfile Profile for Windows VMs in the container service cluster. ManagedClusterWindowsProfile

ManagedClusterPropertiesAddonProfiles

Name Description Value

ManagedClusterPropertiesAutoScalerProfile

Name Description Value
balance-similar-node-groups string
expander 'least-waste'
'most-pods'
'priority'
'random'
max-empty-bulk-delete string
max-graceful-termination-sec string
max-node-provision-time string
max-total-unready-percentage string
new-pod-scale-up-delay string
ok-total-unready-count string
scale-down-delay-after-add string
scale-down-delay-after-delete string
scale-down-delay-after-failure string
scale-down-unneeded-time string
scale-down-unready-time string
scale-down-utilization-threshold string
scan-interval string
skip-nodes-with-local-storage string
skip-nodes-with-system-pods string

ManagedClusterPropertiesIdentityProfile

Name Description Value

ManagedClusterServicePrincipalProfile

Name Description Value
clientId The ID for the service principal. string (required)
secret The secret password associated with the service principal, in plain text. Because the value is held in plain text, supply it through a secure template parameter rather than as a literal in the template. string

ManagedClusterSKU

Name Description Value
name Name of a managed cluster SKU. 'Basic'
tier Tier of a managed cluster SKU. 'Free'
'Paid'

ManagedClusterWindowsProfile

Name Description Value
adminPassword Specifies the password of the administrator account.

Minimum-length: 8 characters

Max-length: 123 characters

Complexity requirements: 3 out of 4 conditions below need to be fulfilled
Has lower characters
Has upper characters
Has a digit
Has a special character (Regex match [\W_])

Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!"
string
adminUsername Specifies the name of the administrator account.

restriction: Cannot end in "."

Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5".

Minimum-length: 1 character

Max-length: 20 characters
string (required)
enableCSIProxy Whether to enable CSI proxy. bool
licenseType The licenseType to use for Windows VMs. Windows_Server is used to enable Azure Hybrid Use Benefit for Windows VMs. 'None'
'Windows_Server'

Microsoft.ContainerService/managedClusters

Name Description Value
apiVersion The api version '2021-03-01'
extendedLocation The extended location of the Virtual Machine. ExtendedLocation
identity The identity of the managed cluster, if configured. ManagedClusterIdentity
location Resource location string (required)
name The resource name string

Constraints:
Min length = 1
Max length = 1
Pattern = ^[a-zA-Z0-9]$|^[a-zA-Z0-9][-_a-zA-Z0-9]{0,61}[a-zA-Z0-9]$ (required)
properties Properties of a managed cluster. ManagedClusterProperties
sku The managed cluster SKU. ManagedClusterSKU
tags Resource tags Dictionary of tag names and values. See Tags in templates
type The resource type 'Microsoft.ContainerService/managedClusters'

PrivateLinkResource

Name Description Value
groupId The group ID of the resource. string
id The ID of the private link resource. string
name The name of the private link resource. string
requiredMembers RequiredMembers of the resource string[]
type The resource type. string

ResourceReference

Name Description Value
id The fully qualified Azure resource id. string

ResourceTags

Name Description Value

SysctlConfig

Name Description Value
fsAioMaxNr Sysctl setting fs.aio-max-nr. int
fsFileMax Sysctl setting fs.file-max. int
fsInotifyMaxUserWatches Sysctl setting fs.inotify.max_user_watches. int
fsNrOpen Sysctl setting fs.nr_open. int
kernelThreadsMax Sysctl setting kernel.threads-max. int
netCoreNetdevMaxBacklog Sysctl setting net.core.netdev_max_backlog. int
netCoreOptmemMax Sysctl setting net.core.optmem_max. int
netCoreRmemDefault Sysctl setting net.core.rmem_default. int
netCoreRmemMax Sysctl setting net.core.rmem_max. int
netCoreSomaxconn Sysctl setting net.core.somaxconn. int
netCoreWmemDefault Sysctl setting net.core.wmem_default. int
netCoreWmemMax Sysctl setting net.core.wmem_max. int
netIpv4IpLocalPortRange Sysctl setting net.ipv4.ip_local_port_range. string
netIpv4NeighDefaultGcThresh1 Sysctl setting net.ipv4.neigh.default.gc_thresh1. int
netIpv4NeighDefaultGcThresh2 Sysctl setting net.ipv4.neigh.default.gc_thresh2. int
netIpv4NeighDefaultGcThresh3 Sysctl setting net.ipv4.neigh.default.gc_thresh3. int
netIpv4TcpFinTimeout Sysctl setting net.ipv4.tcp_fin_timeout. int
netIpv4TcpkeepaliveIntvl Sysctl setting net.ipv4.tcp_keepalive_intvl. int
netIpv4TcpKeepaliveProbes Sysctl setting net.ipv4.tcp_keepalive_probes. int
netIpv4TcpKeepaliveTime Sysctl setting net.ipv4.tcp_keepalive_time. int
netIpv4TcpMaxSynBacklog Sysctl setting net.ipv4.tcp_max_syn_backlog. int
netIpv4TcpMaxTwBuckets Sysctl setting net.ipv4.tcp_max_tw_buckets. int
netIpv4TcpTwReuse Sysctl setting net.ipv4.tcp_tw_reuse. bool
netNetfilterNfConntrackBuckets Sysctl setting net.netfilter.nf_conntrack_buckets. int
netNetfilterNfConntrackMax Sysctl setting net.netfilter.nf_conntrack_max. int
vmMaxMapCount Sysctl setting vm.max_map_count. int
vmSwappiness Sysctl setting vm.swappiness. int
vmVfsCachePressure Sysctl setting vm.vfs_cache_pressure. int

UserAssignedIdentity

Name Description Value
clientId The client id of the user assigned identity. string
objectId The object id of the user assigned identity. string
resourceId The resource id of the user assigned identity. string

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
AKS Cluster with a NAT Gateway and an Application Gateway

This sample shows how to deploy an AKS cluster with a NAT Gateway for outbound connections and an Application Gateway for inbound connections.
AKS cluster with the Application Gateway Ingress Controller

This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault
Azure Container Service (AKS)

Deploy a managed cluster with Azure Container Service (AKS) using Azure Linux container hosts
Azure Container Service (AKS)

Deploy a managed cluster with Azure Container Service (AKS)
Azure Container Service (AKS) with Helm

Deploy a managed cluster with Azure Container Service (AKS) with Helm
Azure Kubernetes Service (AKS)

Deploys a managed Kubernetes cluster via Azure Kubernetes Service (AKS)
Azure Machine Learning end-to-end secure setup

This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure configuration. This reference implementation includes the Workspace, a compute cluster, a compute instance and an attached private AKS cluster.
Azure Machine Learning end-to-end secure setup (legacy)

This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure configuration. This reference implementation includes the Workspace, a compute cluster, a compute instance and an attached private AKS cluster.
CI/CD using Jenkins on Azure Container Service (AKS)

Containers make it very easy for you to continuously build and deploy your applications. By orchestrating deployment of those containers using Kubernetes in Azure Container Service, you can achieve replicable, manageable clusters of containers. By setting up a continuous build to produce your container images and orchestration, you can increase the speed and reliability of your deployment.
Create a Private AKS Cluster

This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine.
Create a Private AKS Cluster with a Public DNS Zone

This sample shows how to deploy a private AKS cluster with a Public DNS Zone.
Create AKS with Prometheus and Grafana with private link

This will create an Azure Managed Grafana instance and an AKS cluster, and install Prometheus, an open-source monitoring and alerting toolkit, on the Azure Kubernetes Service (AKS) cluster. You then use Azure Managed Grafana's managed private endpoint to connect to this Prometheus server and display the Prometheus data in a Grafana dashboard.
Deploy a managed Kubernetes Cluster (AKS)

This ARM template demonstrates the deployment of an AKS instance with advanced networking features into an existing virtual network. Additionally, the chosen Service Principal is assigned the Network Contributor role against the subnet that contains the AKS cluster.
Deploy a managed Kubernetes Cluster with AAD (AKS)

This ARM template demonstrates the deployment of an AKS instance with advanced networking features into an existing virtual network and Azure AD integration. Additionally, the chosen Service Principal is assigned the Network Contributor role against the subnet that contains the AKS cluster.
Deploy an AKS cluster for Azure ML

This template allows you to deploy an enterprise-compliant AKS cluster which can be attached to Azure ML
min.io Azure Gateway

Fully private min.io Azure Gateway deployment to provide an S3 compliant storage API backed by blob storage

Terraform (AzAPI provider) resource definition

The managedClusters resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.ContainerService/managedClusters resource, add the following Terraform to your template.

# Skeleton of a Microsoft.ContainerService/managedClusters resource (API version
# 2021-03-01) for the Terraform AzAPI provider. The placeholder values ("string",
# int, bool, {customized property}) stand for the type each property accepts; the
# "Property values" tables that follow this listing give the description, allowed
# values and constraints for every property.
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.ContainerService/managedClusters@2021-03-01"
  name = "string"
  identity = {
    # One of 'None', 'SystemAssigned' or 'UserAssigned' (see ManagedClusterIdentity).
    type = "string"
    userAssignedIdentities = {
      {customized property} = {
      }
    }
  }
  location = "string"
  sku = {
    name = "string"
    tier = "string"
  }
  tags = {
    {customized property} = "string"
  }
  body = jsonencode({
    extendedLocation = {
      name = "string"
      type = "string"
    }
    properties = {
      aadProfile = {
        # Object IDs of the AAD groups granted the cluster admin role.
        adminGroupObjectIDs = [
          "string"
        ]
        clientAppID = "string"
        # Whether Azure RBAC is used for Kubernetes authorization.
        enableAzureRBAC = bool
        managed = bool
        serverAppID = "string"
        # Server AAD application secret. A sensitive value; do not place a literal
        # here - supply it from a secret store or a sensitive variable instead.
        serverAppSecret = "string"
        tenantID = "string"
      }
      addonProfiles = {
        {customized property} = {
          config = {
            {customized property} = "string"
          }
          enabled = bool
        }
      }
      agentPoolProfiles = [
        {
          availabilityZones = [
            "string"
          ]
          count = int
          enableAutoScaling = bool
          # Encryption at host for the node VMs.
          enableEncryptionAtHost = bool
          # Use a FIPS-enabled OS on the nodes.
          enableFIPS = bool
          # Assigns a public IP to each node.
          enableNodePublicIP = bool
          gpuInstanceProfile = "string"
          kubeletConfig = {
            # Allowlist of unsafe sysctls or unsafe sysctl patterns (ending in *);
            # keep it as narrow as the workload needs.
            allowedUnsafeSysctls = [
              "string"
            ]
            containerLogMaxFiles = int
            containerLogMaxSizeMB = int
            cpuCfsQuota = bool
            cpuCfsQuotaPeriod = "string"
            cpuManagerPolicy = "string"
            failSwapOn = bool
            imageGcHighThreshold = int
            imageGcLowThreshold = int
            podMaxPids = int
            topologyManagerPolicy = "string"
          }
          kubeletDiskType = "string"
          linuxOSConfig = {
            swapFileSizeMB = int
            # Kernel sysctl values applied to Linux agent nodes (see SysctlConfig).
            sysctls = {
              fsAioMaxNr = int
              fsFileMax = int
              fsInotifyMaxUserWatches = int
              fsNrOpen = int
              kernelThreadsMax = int
              netCoreNetdevMaxBacklog = int
              netCoreOptmemMax = int
              netCoreRmemDefault = int
              netCoreRmemMax = int
              netCoreSomaxconn = int
              netCoreWmemDefault = int
              netCoreWmemMax = int
              netIpv4IpLocalPortRange = "string"
              netIpv4NeighDefaultGcThresh1 = int
              netIpv4NeighDefaultGcThresh2 = int
              netIpv4NeighDefaultGcThresh3 = int
              netIpv4TcpFinTimeout = int
              netIpv4TcpkeepaliveIntvl = int
              netIpv4TcpKeepaliveProbes = int
              netIpv4TcpKeepaliveTime = int
              netIpv4TcpMaxSynBacklog = int
              netIpv4TcpMaxTwBuckets = int
              netIpv4TcpTwReuse = bool
              netNetfilterNfConntrackBuckets = int
              netNetfilterNfConntrackMax = int
              vmMaxMapCount = int
              vmSwappiness = int
              vmVfsCachePressure = int
            }
            transparentHugePageDefrag = "string"
            transparentHugePageEnabled = "string"
          }
          maxCount = int
          maxPods = int
          minCount = int
          # 'System' or 'User'.
          mode = "string"
          # Must match ^[a-z][a-z0-9]{0,11}$ (see ManagedClusterAgentPoolProfile).
          name = "string"
          nodeLabels = {
            {customized property} = "string"
          }
          nodePublicIPPrefixID = "string"
          nodeTaints = [
            "string"
          ]
          orchestratorVersion = "string"
          osDiskSizeGB = int
          osDiskType = "string"
          osSKU = "string"
          osType = "string"
          podSubnetID = "string"
          proximityPlacementGroupID = "string"
          scaleSetEvictionPolicy = "string"
          scaleSetPriority = "string"
          spotMaxPrice = int
          tags = {
            {customized property} = "string"
          }
          type = "string"
          upgradeSettings = {
            maxSurge = "string"
          }
          vmSize = "string"
          vnetSubnetID = "string"
        }
      ]
      apiServerAccessProfile = {
        # Source IP ranges allowed to reach the Kubernetes API server.
        authorizedIPRanges = [
          "string"
        ]
        # Create the cluster as a private cluster.
        enablePrivateCluster = bool
        privateDNSZone = "string"
      }
      autoScalerProfile = {
        balance-similar-node-groups = "string"
        expander = "string"
        max-empty-bulk-delete = "string"
        max-graceful-termination-sec = "string"
        max-node-provision-time = "string"
        max-total-unready-percentage = "string"
        new-pod-scale-up-delay = "string"
        ok-total-unready-count = "string"
        scale-down-delay-after-add = "string"
        scale-down-delay-after-delete = "string"
        scale-down-delay-after-failure = "string"
        scale-down-unneeded-time = "string"
        scale-down-unready-time = "string"
        scale-down-utilization-threshold = "string"
        scan-interval = "string"
        skip-nodes-with-local-storage = "string"
        skip-nodes-with-system-pods = "string"
      }
      autoUpgradeProfile = {
        upgradeChannel = "string"
      }
      # true disables retrieval of static credentials for the cluster; intended
      # for AAD clusters (see ManagedClusterProperties).
      disableLocalAccounts = bool
      # Disk encryption set used for encryption at rest.
      diskEncryptionSetID = "string"
      dnsPrefix = "string"
      # Deprecated preview feature scheduled for removal (see ManagedClusterProperties).
      enablePodSecurityPolicy = bool
      # Kubernetes Role-Based Access Control.
      enableRBAC = bool
      fqdnSubdomain = "string"
      httpProxyConfig = {
        httpProxy = "string"
        httpsProxy = "string"
        noProxy = [
          "string"
        ]
        # Alternative CA certificate used when connecting to the proxy servers.
        trustedCa = "string"
      }
      identityProfile = {
        {customized property} = {
          clientId = "string"
          objectId = "string"
          resourceId = "string"
        }
      }
      kubernetesVersion = "string"
      linuxProfile = {
        # Must match ^[A-Za-z][-A-Za-z0-9_]*$ (see ContainerServiceLinuxProfile).
        adminUsername = "string"
        ssh = {
          # Only one key is expected.
          publicKeys = [
            {
              # PEM-format public key used to authenticate SSH access to the nodes.
              keyData = "string"
            }
          ]
        }
      }
      networkProfile = {
        # Must lie within serviceCidr.
        dnsServiceIP = "string"
        dockerBridgeCidr = "string"
        loadBalancerProfile = {
          allocatedOutboundPorts = int
          effectiveOutboundIPs = [
            {
              id = "string"
            }
          ]
          idleTimeoutInMinutes = int
          managedOutboundIPs = {
            count = int
          }
          outboundIPPrefixes = {
            publicIPPrefixes = [
              {
                id = "string"
              }
            ]
          }
          outboundIPs = {
            publicIPs = [
              {
                id = "string"
              }
            ]
          }
        }
        loadBalancerSku = "string"
        networkMode = "string"
        networkPlugin = "string"
        # 'azure' or 'calico'.
        networkPolicy = "string"
        outboundType = "string"
        podCidr = "string"
        serviceCidr = "string"
      }
      nodeResourceGroup = "string"
      podIdentityProfile = {
        allowNetworkPluginKubenet = bool
        enabled = bool
        userAssignedIdentities = [
          {
            bindingSelector = "string"
            identity = {
              clientId = "string"
              objectId = "string"
              resourceId = "string"
            }
            name = "string"
            namespace = "string"
          }
        ]
        userAssignedIdentityExceptions = [
          {
            name = "string"
            namespace = "string"
            podLabels = {
              {customized property} = "string"
            }
          }
        ]
      }
      privateLinkResources = [
        {
          groupId = "string"
          id = "string"
          name = "string"
          requiredMembers = [
            "string"
          ]
          type = "string"
        }
      ]
      servicePrincipalProfile = {
        clientId = "string"
        # Service principal secret, held in plain text by the API (see
        # ManagedClusterServicePrincipalProfile). Do not hard-code it in the
        # template; inject it from a secret store or a sensitive variable.
        secret = "string"
      }
      windowsProfile = {
        # Administrator password; length, complexity and disallowed values are
        # listed under ManagedClusterWindowsProfile. Treat as a secret.
        adminPassword = "string"
        # Cannot end in "."; disallowed names are listed under ManagedClusterWindowsProfile.
        adminUsername = "string"
        enableCSIProxy = bool
        licenseType = "string"
      }
    }
  })
}

Property values

AgentPoolUpgradeSettings

Name Description Value
maxSurge Count or percentage of additional nodes to be added during upgrade. If empty uses AKS default string

Components1Umhcm8SchemasManagedclusteridentityPropertiesUserassignedidentitiesAdditionalproperties

Name Description Value

ComponentsQit0EtSchemasManagedclusterpropertiesPropertiesIdentityprofileAdditionalproperties

Name Description Value
clientId The client id of the user assigned identity. string
objectId The object id of the user assigned identity. string
resourceId The resource id of the user assigned identity. string

ContainerServiceLinuxProfile

Name Description Value
adminUsername The administrator username to use for Linux VMs. string

Constraints:
Pattern = ^[A-Za-z][-A-Za-z0-9_]*$ (required)
ssh SSH configuration for Linux-based VMs running on Azure. ContainerServiceSshConfiguration (required)

ContainerServiceNetworkProfile

Name Description Value
dnsServiceIP An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. string

Constraints:
Pattern = ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
dockerBridgeCidr A CIDR notation IP range assigned to the Docker bridge network. It must not overlap with any Subnet IP ranges or the Kubernetes service address range. string

Constraints:
Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$
loadBalancerProfile Profile of the cluster load balancer. ManagedClusterLoadBalancerProfile
loadBalancerSku The load balancer sku for the managed cluster. 'basic'
'standard'
networkMode Network mode used for building Kubernetes network. 'bridge'
'transparent'
networkPlugin Network plugin used for building Kubernetes network. 'azure'
'kubenet'
networkPolicy Network policy used for building Kubernetes network. 'azure'
'calico'
outboundType The outbound (egress) routing method. 'loadBalancer'
'userDefinedRouting'
podCidr A CIDR notation IP range from which to assign pod IPs when kubenet is used. string

Constraints:
Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$
serviceCidr A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. string

Constraints:
Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$

ContainerServiceSshConfiguration

Name Description Value
publicKeys The list of SSH public keys used to authenticate with Linux-based VMs. Only one key is expected. ContainerServiceSshPublicKey[] (required)

ContainerServiceSshPublicKey

Name Description Value
keyData Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers. string (required)

ExtendedLocation

Name Description Value
name The name of the extended location. string
type The type of the extended location. 'EdgeZone'

KubeletConfig

Name Description Value
allowedUnsafeSysctls Allowlist of unsafe sysctls or unsafe sysctl patterns (ending in *). string[]
containerLogMaxFiles The maximum number of container log files that can be present for a container. The number must be ≥ 2. int

Constraints:
Min value = 2
containerLogMaxSizeMB The maximum size (e.g. 10Mi) of container log file before it is rotated. int
cpuCfsQuota Enable CPU CFS quota enforcement for containers that specify CPU limits. bool
cpuCfsQuotaPeriod Sets CPU CFS quota period value. string
cpuManagerPolicy CPU Manager policy to use. string
failSwapOn If set to true it will make the Kubelet fail to start if swap is enabled on the node. bool
imageGcHighThreshold The percent of disk usage after which image garbage collection is always run. int
imageGcLowThreshold The percent of disk usage before which image garbage collection is never run. int
podMaxPids The maximum number of processes per pod. int
topologyManagerPolicy Topology Manager policy to use. string

LinuxOSConfig

Name Description Value
swapFileSizeMB Size in MB of the swap file that will be created on each node. int
sysctls Sysctl settings for Linux agent nodes. SysctlConfig
transparentHugePageDefrag Transparent Huge Page defrag configuration. string
transparentHugePageEnabled Transparent Huge Page enabled configuration. string

ManagedClusterAADProfile

Name Description Value
adminGroupObjectIDs AAD group object IDs that will have admin role of the cluster. string[]
clientAppID The client AAD application ID. string
enableAzureRBAC Whether to enable Azure RBAC for Kubernetes authorization. bool
managed Whether to enable managed AAD. bool
serverAppID The server AAD application ID. string
serverAppSecret The server AAD application secret. string
tenantID The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription. string

ManagedClusterAddonProfile

Name Description Value
config Key-value pairs for configuring an add-on. ManagedClusterAddonProfileConfig
enabled Whether the add-on is enabled or not. bool (required)

ManagedClusterAddonProfileConfig

Name Description Value

ManagedClusterAgentPoolProfile

Name Description Value
availabilityZones Availability zones for nodes. Must use VirtualMachineScaleSets AgentPoolType. string[]
count Number of agents (VMs) to host docker containers. Allowed values must be in the range of 0 to 100 (inclusive) for user pools and in the range of 1 to 100 (inclusive) for system pools. The default value is 1. int
enableAutoScaling Whether to enable auto-scaler bool
enableEncryptionAtHost Whether to enable EncryptionAtHost bool
enableFIPS Whether to use FIPS enabled OS bool
enableNodePublicIP Enable public IP for nodes bool
gpuInstanceProfile GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. Supported values are MIG1g, MIG2g, MIG3g, MIG4g and MIG7g. 'MIG1g'
'MIG2g'
'MIG3g'
'MIG4g'
'MIG7g'
kubeletConfig KubeletConfig specifies the configuration of kubelet on agent nodes. KubeletConfig
kubeletDiskType KubeletDiskType determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. Currently allows one value, OS, resulting in Kubelet using the OS disk for data. 'OS'
'Temporary'
linuxOSConfig LinuxOSConfig specifies the OS configuration of linux agent nodes. LinuxOSConfig
maxCount Maximum number of nodes for auto-scaling int
maxPods Maximum number of pods that can run on a node. int
minCount Minimum number of nodes for auto-scaling int
mode AgentPoolMode represents mode of an agent pool 'System'
'User'
name Unique name of the agent pool profile in the context of the subscription and resource group. string

Constraints:
Pattern = ^[a-z][a-z0-9]{0,11}$ (required)
nodeLabels Agent pool node labels to be persisted across all nodes in agent pool. ManagedClusterAgentPoolProfilePropertiesNodeLabels
nodePublicIPPrefixID Public IP Prefix ID. VM nodes use IPs assigned from this Public IP Prefix. string
nodeTaints Taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. string[]
orchestratorVersion Version of orchestrator specified when creating the managed cluster. string
osDiskSizeGB OS Disk Size in GB to be used to specify the disk size for every machine in this master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. int

Constraints:
Min value = 0
Max value = 2048
osDiskType OS disk type to be used for machines in a given agent pool. Allowed values are 'Ephemeral' and 'Managed'. If unspecified, defaults to 'Ephemeral' when the VM supports ephemeral OS and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. 'Ephemeral'
'Managed'
osSKU OsSKU to be used to specify os sku. Choose from Ubuntu(default) and CBLMariner for Linux OSType. Not applicable to Windows OSType. 'CBLMariner'
'Ubuntu'
osType OsType to be used to specify os type. Choose from Linux and Windows. Default to Linux. 'Linux'
'Windows'
podSubnetID Pod SubnetID specifies the VNet's subnet identifier for pods. string
proximityPlacementGroupID The ID for Proximity Placement Group. string
scaleSetEvictionPolicy ScaleSetEvictionPolicy to be used to specify eviction policy for Spot virtual machine scale set. Default to Delete. 'Deallocate'
'Delete'
scaleSetPriority ScaleSetPriority to be used to specify virtual machine scale set priority. Default to regular. 'Regular'
'Spot'
spotMaxPrice SpotMaxPrice to be used to specify the maximum price you are willing to pay in US Dollars. Possible values are any decimal value greater than zero or -1 which indicates default price to be up-to on-demand. int
tags Agent pool tags to be persisted on the agent pool virtual machine scale set. ManagedClusterAgentPoolProfilePropertiesTags
type AgentPoolType represents types of an agent pool 'AvailabilitySet'
'VirtualMachineScaleSets'
upgradeSettings Settings for upgrading the agentpool AgentPoolUpgradeSettings
vmSize Size of agent VMs. string
vnetSubnetID VNet SubnetID specifies the VNet's subnet identifier for nodes and, optionally, pods string

ManagedClusterAgentPoolProfilePropertiesNodeLabels

Name Description Value

ManagedClusterAgentPoolProfilePropertiesTags

Name Description Value

ManagedClusterAPIServerAccessProfile

Name Description Value
authorizedIPRanges Authorized IP Ranges to kubernetes API server. string[]
enablePrivateCluster Whether to create the cluster as a private cluster or not. bool
privateDNSZone Private dns zone mode for private cluster. string

ManagedClusterAutoUpgradeProfile

Name Description Value
upgradeChannel upgrade channel for auto upgrade. 'node-image'
'none'
'patch'
'rapid'
'stable'

ManagedClusterHttpProxyConfig

Name Description Value
httpProxy HTTP proxy server endpoint to use. string
httpsProxy HTTPS proxy server endpoint to use. string
noProxy Endpoints that should not go through proxy. string[]
trustedCa Alternative CA cert to use for connecting to proxy servers. string

ManagedClusterIdentity

Name Description Value
type The type of identity used for the managed cluster. Type 'SystemAssigned' will use an implicitly created identity in master components and an auto-created user assigned identity in the MC_ resource group on agent nodes. Type 'None' will not use MSI for the managed cluster; a service principal will be used instead. 'None'
'SystemAssigned'
'UserAssigned'
userAssignedIdentities The user identity associated with the managed cluster. This identity will be used in control plane and only one user assigned identity is allowed. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. ManagedClusterIdentityUserAssignedIdentities

ManagedClusterIdentityUserAssignedIdentities

Name Description Value

ManagedClusterLoadBalancerProfile

Name Description Value
allocatedOutboundPorts Desired number of allocated SNAT ports per VM. Allowed values must be in the range of 0 to 64000 (inclusive). The default value is 0 which results in Azure dynamically allocating ports. int

Constraints:
Min value = 0
Max value = 64000
effectiveOutboundIPs The effective outbound IP resources of the cluster load balancer. ResourceReference[]
idleTimeoutInMinutes Desired outbound flow idle timeout in minutes. Allowed values must be in the range of 4 to 120 (inclusive). The default value is 30 minutes. int

Constraints:
Min value = 4
Max value = 120
managedOutboundIPs Desired managed outbound IPs for the cluster load balancer. ManagedClusterLoadBalancerProfileManagedOutboundIPs
outboundIPPrefixes Desired outbound IP Prefix resources for the cluster load balancer. ManagedClusterLoadBalancerProfileOutboundIPPrefixes
outboundIPs Desired outbound IP resources for the cluster load balancer. ManagedClusterLoadBalancerProfileOutboundIPs

ManagedClusterLoadBalancerProfileManagedOutboundIPs

Name Description Value
count Desired number of outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1. int

Constraints:
Min value = 1
Max value = 100

ManagedClusterLoadBalancerProfileOutboundIPPrefixes

Name Description Value
publicIPPrefixes A list of public IP prefix resources. ResourceReference[]

ManagedClusterLoadBalancerProfileOutboundIPs

Name Description Value
publicIPs A list of public IP resources. ResourceReference[]

ManagedClusterPodIdentity

Name Description Value
bindingSelector Binding selector to use for the AzureIdentityBinding resource. string
identity Information of the user assigned identity. UserAssignedIdentity (required)
name Name of the pod identity. string (required)
namespace Namespace of the pod identity. string (required)

ManagedClusterPodIdentityException

Name Description Value
name Name of the pod identity exception. string (required)
namespace Namespace of the pod identity exception. string (required)
podLabels Pod labels to match. ManagedClusterPodIdentityExceptionPodLabels (required)

ManagedClusterPodIdentityExceptionPodLabels

Name Description Value

ManagedClusterPodIdentityProfile

Name Description Value
allowNetworkPluginKubenet Customer consent for enabling the AAD pod identity addon in a cluster using the Kubenet network plugin. bool
enabled Whether the pod identity addon is enabled. bool
userAssignedIdentities User assigned pod identity settings. ManagedClusterPodIdentity[]
userAssignedIdentityExceptions User assigned pod identity exception settings. ManagedClusterPodIdentityException[]

ManagedClusterProperties

Name Description Value
aadProfile Profile of Azure Active Directory configuration. ManagedClusterAADProfile
addonProfiles Profile of managed cluster add-on. ManagedClusterPropertiesAddonProfiles
agentPoolProfiles Properties of the agent pool. ManagedClusterAgentPoolProfile[]
apiServerAccessProfile Access profile for managed cluster API server. ManagedClusterAPIServerAccessProfile
autoScalerProfile Parameters to be applied to the cluster-autoscaler when enabled ManagedClusterPropertiesAutoScalerProfile
autoUpgradeProfile Profile of auto upgrade configuration. ManagedClusterAutoUpgradeProfile
disableLocalAccounts If set to true, retrieving static credentials will be disabled for this cluster. Expected to only be used for AAD clusters. bool
diskEncryptionSetID ResourceId of the disk encryption set to use for enabling encryption at rest. string
dnsPrefix DNS prefix specified when creating the managed cluster. string
enablePodSecurityPolicy (DEPRECATING) Whether to enable Kubernetes pod security policy (preview). This feature is set for removal on October 15th, 2020. Learn more at aka.ms/aks/azpodpolicy. bool
enableRBAC Whether to enable Kubernetes Role-Based Access Control. bool
fqdnSubdomain FQDN subdomain specified when creating private cluster with custom private dns zone. string
httpProxyConfig Configurations for provisioning the cluster with HTTP proxy servers. ManagedClusterHttpProxyConfig
identityProfile Identities associated with the cluster. ManagedClusterPropertiesIdentityProfile
kubernetesVersion Version of Kubernetes specified when creating the managed cluster. string
linuxProfile Profile for Linux VMs in the container service cluster. ContainerServiceLinuxProfile
networkProfile Profile of network configuration. ContainerServiceNetworkProfile
nodeResourceGroup Name of the resource group containing agent pool nodes. string
podIdentityProfile Profile of managed cluster pod identity. ManagedClusterPodIdentityProfile
privateLinkResources Private link resources associated with the cluster. PrivateLinkResource[]
servicePrincipalProfile Information about a service principal identity for the cluster to use for manipulating Azure APIs. ManagedClusterServicePrincipalProfile
windowsProfile Profile for Windows VMs in the container service cluster. ManagedClusterWindowsProfile

ManagedClusterPropertiesAddonProfiles

Name Description Value

ManagedClusterPropertiesAutoScalerProfile

Name Description Value
balance-similar-node-groups string
expander 'least-waste'
'most-pods'
'priority'
'random'
max-empty-bulk-delete string
max-graceful-termination-sec string
max-node-provision-time string
max-total-unready-percentage string
new-pod-scale-up-delay string
ok-total-unready-count string
scale-down-delay-after-add string
scale-down-delay-after-delete string
scale-down-delay-after-failure string
scale-down-unneeded-time string
scale-down-unready-time string
scale-down-utilization-threshold string
scan-interval string
skip-nodes-with-local-storage string
skip-nodes-with-system-pods string

ManagedClusterPropertiesIdentityProfile

Name Description Value

ManagedClusterServicePrincipalProfile

Name Description Value
clientId The ID for the service principal. string (required)
secret The secret password associated with the service principal in plain text. string

ManagedClusterSKU

Name Description Value
name Name of a managed cluster SKU. 'Basic'
tier Tier of a managed cluster SKU. 'Free'
'Paid'

ManagedClusterWindowsProfile

Name Description Value
adminPassword Specifies the password of the administrator account.

Minimum-length: 8 characters

Max-length: 123 characters

Complexity requirements: 3 out of 4 conditions below need to be fulfilled
Has lower characters
Has upper characters
Has a digit
Has a special character (Regex match [\W_])

Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!"
string
adminUsername Specifies the name of the administrator account.

restriction: Cannot end in "."

Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5".

Minimum-length: 1 character

Max-length: 20 characters
string (required)
enableCSIProxy Whether to enable CSI proxy. bool
licenseType The licenseType to use for Windows VMs. Windows_Server is used to enable Azure Hybrid User Benefits for Windows VMs. 'None'
'Windows_Server'

Microsoft.ContainerService/managedClusters

Name Description Value
extendedLocation The extended location of the Virtual Machine. ExtendedLocation
identity The identity of the managed cluster, if configured. ManagedClusterIdentity
location Resource location string (required)
name The resource name string

Constraints:
Min length = 1
Max length = 1
Pattern = ^[a-zA-Z0-9]$|^[a-zA-Z0-9][-_a-zA-Z0-9]{0,61}[a-zA-Z0-9]$ (required)
properties Properties of a managed cluster. ManagedClusterProperties
sku The managed cluster SKU. ManagedClusterSKU
tags Resource tags Dictionary of tag names and values.
type The resource type "Microsoft.ContainerService/managedClusters@2021-03-01"

PrivateLinkResource

Name Description Value
groupId The group ID of the resource. string
id The ID of the private link resource. string
name The name of the private link resource. string
requiredMembers The required members of the private link resource. string[]
type The resource type. string

ResourceReference

Name Description Value
id The fully qualified Azure resource id. string

ResourceTags

Name Description Value

SysctlConfig

Name Description Value
fsAioMaxNr Sysctl setting fs.aio-max-nr. int
fsFileMax Sysctl setting fs.file-max. int
fsInotifyMaxUserWatches Sysctl setting fs.inotify.max_user_watches. int
fsNrOpen Sysctl setting fs.nr_open. int
kernelThreadsMax Sysctl setting kernel.threads-max. int
netCoreNetdevMaxBacklog Sysctl setting net.core.netdev_max_backlog. int
netCoreOptmemMax Sysctl setting net.core.optmem_max. int
netCoreRmemDefault Sysctl setting net.core.rmem_default. int
netCoreRmemMax Sysctl setting net.core.rmem_max. int
netCoreSomaxconn Sysctl setting net.core.somaxconn. int
netCoreWmemDefault Sysctl setting net.core.wmem_default. int
netCoreWmemMax Sysctl setting net.core.wmem_max. int
netIpv4IpLocalPortRange Sysctl setting net.ipv4.ip_local_port_range. string
netIpv4NeighDefaultGcThresh1 Sysctl setting net.ipv4.neigh.default.gc_thresh1. int
netIpv4NeighDefaultGcThresh2 Sysctl setting net.ipv4.neigh.default.gc_thresh2. int
netIpv4NeighDefaultGcThresh3 Sysctl setting net.ipv4.neigh.default.gc_thresh3. int
netIpv4TcpFinTimeout Sysctl setting net.ipv4.tcp_fin_timeout. int
netIpv4TcpkeepaliveIntvl Sysctl setting net.ipv4.tcp_keepalive_intvl. int
netIpv4TcpKeepaliveProbes Sysctl setting net.ipv4.tcp_keepalive_probes. int
netIpv4TcpKeepaliveTime Sysctl setting net.ipv4.tcp_keepalive_time. int
netIpv4TcpMaxSynBacklog Sysctl setting net.ipv4.tcp_max_syn_backlog. int
netIpv4TcpMaxTwBuckets Sysctl setting net.ipv4.tcp_max_tw_buckets. int
netIpv4TcpTwReuse Sysctl setting net.ipv4.tcp_tw_reuse. bool
netNetfilterNfConntrackBuckets Sysctl setting net.netfilter.nf_conntrack_buckets. int
netNetfilterNfConntrackMax Sysctl setting net.netfilter.nf_conntrack_max. int
vmMaxMapCount Sysctl setting vm.max_map_count. int
vmSwappiness Sysctl setting vm.swappiness. int
vmVfsCachePressure Sysctl setting vm.vfs_cache_pressure. int

UserAssignedIdentity

Name Description Value
clientId The client id of the user assigned identity. string
objectId The object id of the user assigned identity. string
resourceId The resource id of the user assigned identity. string