Microsoft.ContainerService managedClusters 2024-09-02-preview
Remarks
For information about available add-ons, see Add-ons, extensions, and other integrations with Azure Kubernetes Service.
Bicep resource definition
The managedClusters resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.ContainerService/managedClusters resource, add the following Bicep to your template.
// Resource format skeleton for Microsoft.ContainerService/managedClusters (API version 2024-09-02-preview).
// The type placeholders ('string', int, bool) stand for the values you supply, and {customized property}
// stands for a caller-chosen key. Comments below summarise the constraints and defaults given in the
// "Property values" tables on this page; properties whose table is outside this excerpt are marked as such.
resource symbolicname 'Microsoft.ContainerService/managedClusters@2024-09-02-preview' = {
  extendedLocation: {
    name: 'string'
    type: 'string' // only 'EdgeZone' is listed
  }
  identity: {
    // DelegatedResource: all four fields are documented as "internal use only"
    delegatedResources: {
      {customized property}: {
        location: 'string'
        referralResource: 'string'
        resourceId: 'string'
        tenantId: 'string' // 36-character GUID pattern
      }
    }
    type: 'string'
    userAssignedIdentities: {
      {customized property}: {}
    }
  }
  kind: 'string'
  location: 'string'
  name: 'string'
  properties: {
    aadProfile: {
      adminGroupObjectIDs: [ // AAD group object IDs that receive the cluster admin role
        'string'
      ]
      clientAppID: 'string' // DEPRECATED legacy AAD integration (aka.ms/aks/aad-legacy)
      enableAzureRBAC: bool // Azure RBAC for Kubernetes authorization
      managed: bool // managed AAD
      serverAppID: 'string' // DEPRECATED legacy AAD integration
      serverAppSecret: 'string' // DEPRECATED; a credential - supply it as a secure parameter, not a literal
      tenantID: 'string' // defaults to the tenant of the deployment subscription
    }
    addonProfiles: {
      {customized property}: {
        config: {
          {customized property}: 'string' // key-value add-on configuration
        }
        enabled: bool // required
      }
    }
    agentPoolProfiles: [
      {
        artifactStreamingProfile: {
          enabled: bool // default false; images must also enable artifact streaming on ACR
        }
        availabilityZones: [ // only for AgentPoolType 'VirtualMachineScaleSets'
          'string'
        ]
        capacityReservationGroupID: 'string'
        count: int // 0-1000 for user pools, 1-1000 for system pools; default 1
        creationData: {
          sourceResourceId: 'string' // ARM ID of the source snapshot
        }
        enableAutoScaling: bool
        enableCustomCATrust: bool // syncs user-provided base64 CA certificates into node trust stores; default false
        enableEncryptionAtHost: bool // only supported on certain VM sizes and regions
        enableFIPS: bool // FIPS-enabled node pool
        enableNodePublicIP: bool // gives every node its own public IP; default false
        enableUltraSSD: bool
        gatewayProfile: { // only valid when mode is 'Gateway'
          publicIPPrefixSize: int // 28-31; default 31
        }
        gpuInstanceProfile: 'string' // 'MIG1g' 'MIG2g' 'MIG3g' 'MIG4g' 'MIG7g'
        gpuProfile: {
          driverType: 'string' // 'CUDA' or 'GRID'; Windows pools only, immutable after creation
          installGPUDriver: bool // defaults to true when vmSize has a GPU; false disables automatic driver install
        }
        hostGroupID: 'string' // /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/hostGroups/{hostGroupName}
        kubeletConfig: {
          allowedUnsafeSysctls: [ // allow-list of unsafe sysctls or patterns ending in '*'
            'string'
          ]
          containerLogMaxFiles: int // must be >= 2
          containerLogMaxSizeMB: int
          cpuCfsQuota: bool // default true
          cpuCfsQuotaPeriod: 'string' // default '100ms'; decimal number with unit suffix (ns, us, ms, s, m, h)
          cpuManagerPolicy: 'string' // 'none' (default) or 'static'
          failSwapOn: bool // kubelet refuses to start if swap is enabled on the node
          imageGcHighThreshold: int // default 85; 100 disables image garbage collection
          imageGcLowThreshold: int // default 80; must not exceed imageGcHighThreshold
          podMaxPids: int
          seccompDefault: 'string' // 'RuntimeDefault' or 'Unconfined'; 'Unconfined' when not specified
          topologyManagerPolicy: 'string' // 'none' (default), 'best-effort', 'restricted', 'single-numa-node'
        }
        kubeletDiskType: 'string' // 'OS' or 'Temporary'
        linuxOSConfig: {
          swapFileSizeMB: int
          sysctls: { // sysctl settings for Linux agent nodes (SysctlConfig table is outside this excerpt)
            fsAioMaxNr: int
            fsFileMax: int
            fsInotifyMaxUserWatches: int
            fsNrOpen: int
            kernelThreadsMax: int
            netCoreNetdevMaxBacklog: int
            netCoreOptmemMax: int
            netCoreRmemDefault: int
            netCoreRmemMax: int
            netCoreSomaxconn: int
            netCoreWmemDefault: int
            netCoreWmemMax: int
            netIpv4IpLocalPortRange: 'string'
            netIpv4NeighDefaultGcThresh1: int
            netIpv4NeighDefaultGcThresh2: int
            netIpv4NeighDefaultGcThresh3: int
            netIpv4TcpFinTimeout: int
            netIpv4TcpkeepaliveIntvl: int
            netIpv4TcpKeepaliveProbes: int
            netIpv4TcpKeepaliveTime: int
            netIpv4TcpMaxSynBacklog: int
            netIpv4TcpMaxTwBuckets: int
            netIpv4TcpTwReuse: bool
            netNetfilterNfConntrackBuckets: int
            netNetfilterNfConntrackMax: int
            vmMaxMapCount: int
            vmSwappiness: int
            vmVfsCachePressure: int
          }
          transparentHugePageDefrag: 'string' // 'always', 'defer', 'defer+madvise', 'madvise' (default), 'never'
          transparentHugePageEnabled: 'string' // 'always' (default), 'madvise', 'never'
        }
        maxCount: int // auto-scaling upper bound
        maxPods: int
        messageOfTheDay: 'string' // base64; written to /etc/motd verbatim, never executed; Linux nodes only
        minCount: int // auto-scaling lower bound
        mode: 'string' // 'Gateway', 'System' or 'User'; at least one 'System' pool is required
        name: 'string' // required; pattern ^[a-z][a-z0-9]{0,11}$; Windows pool names are 6 characters or less
        networkProfile: {
          allowedHostPorts: [ // PortRange[]; ranges may overlap
            {
              portEnd: int
              portStart: int
              protocol: 'string'
            }
          ]
          applicationSecurityGroups: [ // ASG IDs associated with the pool at creation
            'string'
          ]
          nodePublicIPTags: [ // IPTags for instance-level public IPs
            {
              ipTagType: 'string' // e.g. RoutingPreference
              tag: 'string' // e.g. Internet
            }
          ]
        }
        nodeInitializationTaints: [ // not reconciled by AKS; can be removed with kubectl once setup has run
          'string'
        ]
        nodeLabels: {
          {customized property}: 'string'
        }
        nodePublicIPPrefixID: 'string'
        nodeTaints: [
          'string'
        ]
        orchestratorVersion: 'string'
        osDiskSizeGB: int
        osDiskType: 'string'
        osSKU: 'string'
        osType: 'string'
        podIPAllocationMode: 'string'
        podSubnetID: 'string'
        powerState: {
          code: 'string'
        }
        proximityPlacementGroupID: 'string'
        scaleDownMode: 'string'
        scaleSetEvictionPolicy: 'string'
        scaleSetPriority: 'string'
        securityProfile: { // Trusted Launch settings for the pool
          enableSecureBoot: bool // default false
          enableVTPM: bool // default false
          sshAccess: 'string' // 'Disabled' or 'LocalUser'
        }
        spotMaxPrice: int
        tags: {
          {customized property}: 'string'
        }
        type: 'string'
        upgradeSettings: {
          drainTimeoutInMinutes: int // 1-1440; default 30; upgrade fails when exceeded
          maxSurge: 'string' // integer (e.g. '5') or percentage (e.g. '50%'); default 1
          maxUnavailable: 'string' // integer (e.g. '1') or percentage (e.g. '5%'); default 0
          nodeSoakDurationInMinutes: int // 0-30; default 0
          undrainableNodeBehavior: 'string' // 'Cordon' or 'Schedule'
        }
        virtualMachineNodesStatus: [
          {
            count: int
            size: 'string'
          }
        ]
        virtualMachinesProfile: {
          scale: {
            autoscale: [
              {
                maxCount: int
                minCount: int
                sizes: [ // ordered list of allowed VM sizes; AKS uses the first one available
                  'string'
                ]
              }
            ]
            manual: [
              {
                count: int
                sizes: [
                  'string'
                ]
              }
            ]
          }
        }
        vmSize: 'string'
        vnetSubnetID: 'string'
        windowsProfile: {
          disableOutboundNat: bool // default false; only with NAT Gateway outboundType and no node public IP
        }
        workloadRuntime: 'string'
      }
    ]
    aiToolchainOperatorProfile: {
      enabled: bool
    }
    // NOTE(review): API server reachability controls; the property table for this object is outside this excerpt
    apiServerAccessProfile: {
      authorizedIPRanges: [
        'string'
      ]
      disableRunCommand: bool
      enablePrivateCluster: bool
      enablePrivateClusterPublicFQDN: bool
      enableVnetIntegration: bool
      privateDNSZone: 'string'
      subnetId: 'string'
    }
    autoScalerProfile: {
      balance-similar-node-groups: 'string'
      daemonset-eviction-for-empty-nodes: bool
      daemonset-eviction-for-occupied-nodes: bool
      expander: 'string'
      ignore-daemonsets-utilization: bool
      max-empty-bulk-delete: 'string'
      max-graceful-termination-sec: 'string'
      max-node-provision-time: 'string'
      max-total-unready-percentage: 'string'
      new-pod-scale-up-delay: 'string'
      ok-total-unready-count: 'string'
      scale-down-delay-after-add: 'string'
      scale-down-delay-after-delete: 'string'
      scale-down-delay-after-failure: 'string'
      scale-down-unneeded-time: 'string'
      scale-down-unready-time: 'string'
      scale-down-utilization-threshold: 'string'
      scan-interval: 'string'
      skip-nodes-with-local-storage: 'string'
      skip-nodes-with-system-pods: 'string'
    }
    autoUpgradeProfile: {
      nodeOSUpgradeChannel: 'string'
      upgradeChannel: 'string'
    }
    azureMonitorProfile: {
      appMonitoring: {
        autoInstrumentation: {
          enabled: bool
        }
        openTelemetryLogs: {
          enabled: bool
          port: int
        }
        openTelemetryMetrics: {
          enabled: bool
          port: int
        }
      }
      containerInsights: {
        disableCustomMetrics: bool
        disablePrometheusMetricsScraping: bool
        enabled: bool
        logAnalyticsWorkspaceResourceId: 'string'
        syslogPort: int
      }
      metrics: {
        enabled: bool
        kubeStateMetrics: {
          metricAnnotationsAllowList: 'string'
          metricLabelsAllowlist: 'string'
        }
      }
    }
    bootstrapProfile: {
      artifactSource: 'string'
      containerRegistryId: 'string'
    }
    creationData: {
      sourceResourceId: 'string' // ARM ID of the source object
    }
    // NOTE(review): cluster-level authentication/authorization switches; their property table is outside this excerpt
    disableLocalAccounts: bool
    diskEncryptionSetID: 'string'
    dnsPrefix: 'string'
    enableNamespaceResources: bool
    enablePodSecurityPolicy: bool
    enableRBAC: bool
    fqdnSubdomain: 'string'
    httpProxyConfig: {
      httpProxy: 'string'
      httpsProxy: 'string'
      noProxy: [
        'string'
      ]
      trustedCa: 'string' // NOTE(review): presumably a CA certificate for the proxy - confirm in the HttpProxyConfig table (outside this excerpt)
    }
    identityProfile: {
      {customized property}: {
        clientId: 'string'
        objectId: 'string'
        resourceId: 'string'
      }
    }
    ingressProfile: {
      webAppRouting: {
        dnsZoneResourceIds: [
          'string'
        ]
        enabled: bool
        nginx: {
          defaultIngressControllerType: 'string'
        }
      }
    }
    kubernetesVersion: 'string'
    linuxProfile: {
      adminUsername: 'string' // required; pattern ^[A-Za-z][-A-Za-z0-9_]*$
      ssh: { // required
        publicKeys: [ // required; at most 1 key
          {
            keyData: 'string' // required; PEM public key, with or without headers
          }
        ]
      }
    }
    metricsProfile: {
      costAnalysis: {
        enabled: bool
      }
    }
    networkProfile: {
      advancedNetworking: {
        enabled: bool // default false; true enables observability and security unless explicitly disabled
        observability: {
          enabled: bool
        }
        security: {
          enabled: bool // FQDN-based network policy; cilium-based clusters only; default false
        }
      }
      dnsServiceIP: 'string' // IPv4 address; must lie within serviceCidr
      ipFamilies: [ // 'IPv4' for single-stack; 'IPv4' and 'IPv6' for dual-stack
        'string'
      ]
      kubeProxyConfig: {
        enabled: bool // kube-proxy is enabled by default when no kubeProxyConfig is given
        ipvsConfig: { // only when mode is 'IPVS'
          scheduler: 'string' // 'LeastConnection' or 'RoundRobin'
          tcpFinTimeoutSeconds: int // positive integer
          tcpTimeoutSeconds: int // positive integer
          udpTimeoutSeconds: int // positive integer
        }
        mode: 'string' // 'IPTABLES' or 'IPVS'
      }
      loadBalancerProfile: {
        allocatedOutboundPorts: int
        backendPoolType: 'string'
        clusterServiceLoadBalancerHealthProbeMode: 'string'
        effectiveOutboundIPs: [
          {
            id: 'string'
          }
        ]
        enableMultipleStandardLoadBalancers: bool
        idleTimeoutInMinutes: int
        managedOutboundIPs: {
          count: int
          countIPv6: int
        }
        outboundIPPrefixes: {
          publicIPPrefixes: [
            {
              id: 'string'
            }
          ]
        }
        outboundIPs: {
          publicIPs: [
            {
              id: 'string'
            }
          ]
        }
      }
      loadBalancerSku: 'string' // 'basic' or 'standard'; default 'standard'
      natGatewayProfile: {
        effectiveOutboundIPs: [
          {
            id: 'string'
          }
        ]
        idleTimeoutInMinutes: int
        managedOutboundIPProfile: {
          count: int
        }
      }
      networkDataplane: 'string' // 'azure' or 'cilium'
      networkMode: 'string' // 'bridge' or 'transparent'; only with networkPlugin 'azure'
      networkPlugin: 'string' // 'azure', 'kubenet' or 'none'
      networkPluginMode: 'string' // 'overlay'
      networkPolicy: 'string' // 'azure', 'calico', 'cilium' or 'none'
      outboundType: 'string' // set at creation only; 'loadBalancer', 'managedNATGateway', 'none', 'userAssignedNATGateway', 'userDefinedRouting'
      podCidr: 'string' // kubenet only
      podCidrs: [ // one IPv4 CIDR for single-stack, one per family for dual-stack
        'string'
      ]
      podLinkLocalAccess: 'string' // IMDS access for pods with hostNetwork=false; 'IMDS' (default) or 'None'
      serviceCidr: 'string' // must not overlap any subnet range
      serviceCidrs: [ // must not overlap any subnet range
        'string'
      ]
      staticEgressGatewayProfile: {
        enabled: bool
      }
    }
    nodeProvisioningProfile: {
      mode: 'string'
    }
    nodeResourceGroup: 'string'
    nodeResourceGroupProfile: {
      restrictionLevel: 'string'
    }
    oidcIssuerProfile: {
      enabled: bool
    }
    podIdentityProfile: {
      allowNetworkPluginKubenet: bool
      enabled: bool
      userAssignedIdentities: [
        {
          bindingSelector: 'string'
          identity: {
            clientId: 'string'
            objectId: 'string'
            resourceId: 'string'
          }
          name: 'string'
          namespace: 'string'
        }
      ]
      userAssignedIdentityExceptions: [
        {
          name: 'string'
          namespace: 'string'
          podLabels: {
            {customized property}: 'string'
          }
        }
      ]
    }
    privateLinkResources: [
      {
        groupId: 'string'
        id: 'string'
        name: 'string'
        requiredMembers: [
          'string'
        ]
        type: 'string'
      }
    ]
    publicNetworkAccess: 'string'
    safeguardsProfile: {
      excludedNamespaces: [
        'string'
      ]
      level: 'string'
      version: 'string'
    }
    securityProfile: {
      azureKeyVaultKms: {
        enabled: bool // default false
        keyId: 'string' // required (valid key identifier) when enabled; leave empty when disabled
        keyVaultNetworkAccess: 'string' // 'Public' (default) or 'Private'
        keyVaultResourceId: 'string' // required when keyVaultNetworkAccess is 'Private'; leave empty when 'Public'
      }
      customCATrustCertificates: [ // see also agentPoolProfiles[].enableCustomCATrust
        any(Azure.Bicep.Types.Concrete.AnyType)
      ]
      // NOTE(review): the property tables for defender, imageCleaner, imageIntegrity, nodeRestriction and
      // workloadIdentity are outside this excerpt
      defender: {
        logAnalyticsWorkspaceResourceId: 'string'
        securityMonitoring: {
          enabled: bool
        }
      }
      imageCleaner: {
        enabled: bool
        intervalHours: int
      }
      imageIntegrity: {
        enabled: bool
      }
      nodeRestriction: {
        enabled: bool
      }
      workloadIdentity: {
        enabled: bool
      }
    }
    serviceMeshProfile: {
      istio: {
        certificateAuthority: { // only plugin certificates are supported (aka.ms/asm-plugin-ca)
          plugin: { // object names in the referenced Key Vault
            certChainObjectName: 'string' // certificate chain
            certObjectName: 'string' // intermediate certificate
            keyObjectName: 'string' // intermediate certificate private key
            keyVaultId: 'string' // resource ID of the Key Vault
            rootCertObjectName: 'string' // root certificate
          }
        }
        components: {
          egressGateways: [
            {
              enabled: bool // required
            }
          ]
          ingressGateways: [
            {
              enabled: bool // required
              mode: 'string' // required; 'External' or 'Internal'
            }
          ]
        }
        revisions: [ // one value normally; two consecutive values during a canary upgrade
          'string'
        ]
      }
      mode: 'string'
    }
    servicePrincipalProfile: {
      clientId: 'string'
      secret: 'string' // NOTE(review): a credential - supply it as a secure parameter; property table outside this excerpt
    }
    storageProfile: {
      blobCSIDriver: {
        enabled: bool
      }
      diskCSIDriver: {
        enabled: bool
        version: 'string'
      }
      fileCSIDriver: {
        enabled: bool
      }
      snapshotController: {
        enabled: bool
      }
    }
    supportPlan: 'string'
    upgradeSettings: {
      overrideSettings: { // settings for overrides (UpgradeOverrideSettings)
        forceUpgrade: bool
        until: 'string'
      }
    }
    windowsProfile: {
      adminPassword: 'string' // NOTE(review): a credential - supply it as a secure parameter; property table outside this excerpt
      adminUsername: 'string'
      enableCSIProxy: bool
      gmsaProfile: {
        dnsServer: 'string'
        enabled: bool
        rootDomainName: 'string'
      }
      licenseType: 'string'
    }
    workloadAutoScalerProfile: {
      keda: {
        enabled: bool
      }
      verticalPodAutoscaler: {
        addonAutoscaling: 'string'
        enabled: bool
      }
    }
  }
  sku: {
    name: 'string'
    tier: 'string'
  }
  tags: {
    {customized property}: 'string'
  }
}
Property values
AdvancedNetworking
Name | Description | Value |
---|---|---|
enabled | Indicates the enablement of Advanced Networking functionalities of observability and security on AKS clusters. When this is set to true, all observability and security features will be set to enabled unless explicitly disabled. If not specified, the default is false. | bool |
observability | Observability profile to enable advanced network metrics and flow logs with historical contexts. | AdvancedNetworkingObservability |
security | Security profile to enable security features on cilium based cluster. | AdvancedNetworkingSecurity |
AdvancedNetworkingObservability
Name | Description | Value |
---|---|---|
enabled | Indicates the enablement of Advanced Networking observability functionalities on clusters. | bool |
AdvancedNetworkingSecurity
Name | Description | Value |
---|---|---|
enabled | This feature allows user to configure network policy based on DNS (FQDN) names. It can be enabled only on cilium based clusters. If not specified, the default is false. | bool |
AgentPoolArtifactStreamingProfile
Name | Description | Value |
---|---|---|
enabled | Artifact streaming speeds up the cold-start of containers on a node through on-demand image loading. To use this feature, container images must also enable artifact streaming on ACR. If not specified, the default is false. | bool |
AgentPoolGatewayProfile
Name | Description | Value |
---|---|---|
publicIPPrefixSize | The Gateway agent pool associates one public IPPrefix for each static egress gateway to provide public egress. The size of Public IPPrefix should be selected by the user. Each node in the agent pool is assigned with one IP from the IPPrefix. The IPPrefix size thus serves as a cap on the size of the Gateway agent pool. Due to Azure public IPPrefix size limitation, the valid value range is [28, 31] (/31 = 2 nodes/IPs, /30 = 4 nodes/IPs, /29 = 8 nodes/IPs, /28 = 16 nodes/IPs). The default value is 31. | int Constraints: Min value = 28 Max value = 31 |
AgentPoolGPUProfile
Name | Description | Value |
---|---|---|
driverType | Specify the type of GPU driver to install when creating Windows agent pools. If not provided, AKS selects the driver based on system compatibility. This cannot be changed once the AgentPool has been created. This cannot be set on Linux AgentPools. For Linux AgentPools, the driver is selected based on system compatibility. | 'CUDA' 'GRID' |
installGPUDriver | The default value is true when the vmSize of the agent pool contains a GPU, false otherwise. GPU Driver Installation can only be set true when VM has an associated GPU resource. Setting this field to false prevents automatic GPU driver installation. In that case, in order for the GPU to be usable, the user must perform GPU driver installation themselves. | bool |
AgentPoolNetworkProfile
Name | Description | Value |
---|---|---|
allowedHostPorts | The port ranges that are allowed to access. The specified ranges are allowed to overlap. | PortRange[] |
applicationSecurityGroups | The IDs of the application security groups which agent pool will associate when created. | string[] |
nodePublicIPTags | IPTags of instance-level public IPs. | IPTag[] |
AgentPoolSecurityProfile
Name | Description | Value |
---|---|---|
enableSecureBoot | Secure Boot is a feature of Trusted Launch which ensures that only signed operating systems and drivers can boot. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false. | bool |
enableVTPM | vTPM is a Trusted Launch feature for configuring a dedicated secure vault for keys and measurements held locally on the node. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false. | bool |
sshAccess | SSH access method of an agent pool. | 'Disabled' 'LocalUser' |
AgentPoolUpgradeSettings
Name | Description | Value |
---|---|---|
drainTimeoutInMinutes | The amount of time (in minutes) to wait on eviction of pods and graceful termination per node. This eviction wait time honors waiting on pod disruption budgets. If this time is exceeded, the upgrade fails. If not specified, the default is 30 minutes. | int Constraints: Min value = 1 Max value = 1440 |
maxSurge | This can either be set to an integer (e.g. '5') or a percentage (e.g. '50%'). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 1. For more information, including best practices, see: /azure/aks/upgrade-cluster | string |
maxUnavailable | This can either be set to an integer (e.g. '1') or a percentage (e.g. '5%'). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 0. For more information, including best practices, see: /azure/aks/upgrade-cluster | string |
nodeSoakDurationInMinutes | The amount of time (in minutes) to wait after draining a node and before reimaging it and moving on to next node. If not specified, the default is 0 minutes. | int Constraints: Min value = 0 Max value = 30 |
undrainableNodeBehavior | Defines the behavior for undrainable nodes during upgrade. The most common cause of undrainable nodes is Pod Disruption Budgets (PDBs), but other issues, such as a pod's termination grace period exceeding the remaining per-node drain timeout or a pod still being in a running state, can also cause undrainable nodes. | 'Cordon' 'Schedule' |
AgentPoolWindowsProfile
Name | Description | Value |
---|---|---|
disableOutboundNat | The default value is false. Outbound NAT can only be disabled if the cluster outboundType is NAT Gateway and the Windows agent pool does not have node public IP enabled. | bool |
AutoScaleProfile
Name | Description | Value |
---|---|---|
maxCount | The maximum number of nodes of the specified sizes. | int |
minCount | The minimum number of nodes of the specified sizes. | int |
sizes | The list of allowed vm sizes e.g. ['Standard_E4s_v3', 'Standard_E16s_v3', 'Standard_D16s_v5']. AKS will use the first available one when auto scaling. If a VM size is unavailable (e.g. due to quota or regional capacity reasons), AKS will use the next size. | string[] |
AzureKeyVaultKms
Name | Description | Value |
---|---|---|
enabled | Whether to enable Azure Key Vault key management service. The default is false. | bool |
keyId | Identifier of Azure Key Vault key. See key identifier format for more details. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier. When Azure Key Vault key management service is disabled, leave the field empty. | string |
keyVaultNetworkAccess | Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public. | 'Private' 'Public' |
keyVaultResourceId | Resource ID of key vault. When keyVaultNetworkAccess is Private, this field is required and must be a valid resource ID. When keyVaultNetworkAccess is Public, leave the field empty. | string |
ClusterUpgradeSettings
Name | Description | Value |
---|---|---|
overrideSettings | Settings for overrides. | UpgradeOverrideSettings |
ContainerServiceLinuxProfile
Name | Description | Value |
---|---|---|
adminUsername | The administrator username to use for Linux VMs. | string Constraints: Pattern = ^[A-Za-z][-A-Za-z0-9_]*$ (required) |
ssh | The SSH configuration for Linux-based VMs running on Azure. | ContainerServiceSshConfiguration (required) |
ContainerServiceNetworkProfile
Name | Description | Value |
---|---|---|
advancedNetworking | Advanced Networking profile for enabling observability and security feature suite on a cluster. For more information see aka.ms/aksadvancednetworking. | AdvancedNetworking |
dnsServiceIP | An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. | string Constraints: Pattern = ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ |
ipFamilies | IP families are used to determine single-stack or dual-stack clusters. For single-stack, the expected value is IPv4. For dual-stack, the expected values are IPv4 and IPv6. | String array containing any of: 'IPv4' 'IPv6' |
kubeProxyConfig | Holds configuration customizations for kube-proxy. Any values not defined will use the kube-proxy defaulting behavior. See https://v<version>.docs.kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/ where <version> is represented by a <major version>-<minor version> string. Kubernetes version 1.23 would be '1-23'. | ContainerServiceNetworkProfileKubeProxyConfig |
loadBalancerProfile | Profile of the cluster load balancer. | ManagedClusterLoadBalancerProfile |
loadBalancerSku | The default is 'standard'. See Azure Load Balancer SKUs for more information about the differences between load balancer SKUs. | 'basic' 'standard' |
natGatewayProfile | Profile of the cluster NAT gateway. | ManagedClusterNATGatewayProfile |
networkDataplane | Network dataplane used in the Kubernetes cluster. | 'azure' 'cilium' |
networkMode | This cannot be specified if networkPlugin is anything other than 'azure'. | 'bridge' 'transparent' |
networkPlugin | Network plugin used for building the Kubernetes network. | 'azure' 'kubenet' 'none' |
networkPluginMode | Network plugin mode used for building the Kubernetes network. | 'overlay' |
networkPolicy | Network policy used for building the Kubernetes network. | 'azure' 'calico' 'cilium' 'none' |
outboundType | This can only be set at cluster creation time and cannot be changed later. For more information see egress outbound type. | 'loadBalancer' 'managedNATGateway' 'none' 'userAssignedNATGateway' 'userDefinedRouting' |
podCidr | A CIDR notation IP range from which to assign pod IPs when kubenet is used. | string Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$ |
podCidrs | One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking. | string[] |
podLinkLocalAccess | Defines access to special link local addresses (Azure Instance Metadata Service, aka IMDS) for pods with hostNetwork=false. If not specified, the default is 'IMDS'. | 'IMDS' 'None' |
serviceCidr | A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. | string Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$ |
serviceCidrs | One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking. They must not overlap with any Subnet IP ranges. | string[] |
staticEgressGatewayProfile | The profile for Static Egress Gateway addon. For more details about Static Egress Gateway, see https://aka.ms/aks/static-egress-gateway. | ManagedClusterStaticEgressGatewayProfile |
ContainerServiceNetworkProfileKubeProxyConfig
Name | Description | Value |
---|---|---|
enabled | Whether to enable kube-proxy on the cluster (if no 'kubeProxyConfig' exists, kube-proxy is enabled in AKS by default without these customizations). | bool |
ipvsConfig | Holds configuration customizations for IPVS. May only be specified if 'mode' is set to 'IPVS'. | ContainerServiceNetworkProfileKubeProxyConfigIpvsConfig |
mode | Specify which proxy mode to use ('IPTABLES' or 'IPVS') | 'IPTABLES' 'IPVS' |
ContainerServiceNetworkProfileKubeProxyConfigIpvsConfig
Name | Description | Value |
---|---|---|
scheduler | IPVS scheduler, for more information please see http://www.linuxvirtualserver.org/docs/scheduling.html. | 'LeastConnection' 'RoundRobin' |
tcpFinTimeoutSeconds | The timeout value used for IPVS TCP sessions after receiving a FIN in seconds. Must be a positive integer value. | int |
tcpTimeoutSeconds | The timeout value used for idle IPVS TCP sessions in seconds. Must be a positive integer value. | int |
udpTimeoutSeconds | The timeout value used for IPVS UDP packets in seconds. Must be a positive integer value. | int |
ContainerServiceSshConfiguration
Name | Description | Value |
---|---|---|
publicKeys | The list of SSH public keys used to authenticate with Linux-based VMs. A maximum of 1 key may be specified. | ContainerServiceSshPublicKey[] (required) |
ContainerServiceSshPublicKey
Name | Description | Value |
---|---|---|
keyData | Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers. | string (required) |
CreationData
Name | Description | Value |
---|---|---|
sourceResourceId | This is the ARM ID of the source object to be used to create the target object. | string |
DelegatedResource
Name | Description | Value |
---|---|---|
location | The source resource location - internal use only. | string |
referralResource | The delegation id of the referral delegation (optional) - internal use only. | string |
resourceId | The ARM resource id of the delegated resource - internal use only. | string |
tenantId | The tenant id of the delegated resource - internal use only. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
DelegatedResources
Name | Description | Value |
---|---|---|
ExtendedLocation
Name | Description | Value |
---|---|---|
name | The name of the extended location. | string |
type | The type of the extended location. | 'EdgeZone' |
IPTag
Name | Description | Value |
---|---|---|
ipTagType | The IP tag type. Example: RoutingPreference. | string |
tag | The value of the IP tag associated with the public IP. Example: Internet. | string |
IstioCertificateAuthority
Name | Description | Value |
---|---|---|
plugin | Plugin certificates information for Service Mesh. | IstioPluginCertificateAuthority |
IstioComponents
Name | Description | Value |
---|---|---|
egressGateways | Istio egress gateways. | IstioEgressGateway[] |
ingressGateways | Istio ingress gateways. | IstioIngressGateway[] |
IstioEgressGateway
Name | Description | Value |
---|---|---|
enabled | Whether to enable the egress gateway. | bool (required) |
IstioIngressGateway
Name | Description | Value |
---|---|---|
enabled | Whether to enable the ingress gateway. | bool (required) |
mode | Mode of an ingress gateway. | 'External' 'Internal' (required) |
IstioPluginCertificateAuthority
Name | Description | Value |
---|---|---|
certChainObjectName | Certificate chain object name in Azure Key Vault. | string |
certObjectName | Intermediate certificate object name in Azure Key Vault. | string |
keyObjectName | Intermediate certificate private key object name in Azure Key Vault. | string |
keyVaultId | The resource ID of the Key Vault. | string |
rootCertObjectName | Root certificate object name in Azure Key Vault. | string |
IstioServiceMesh
Name | Description | Value |
---|---|---|
certificateAuthority | Istio Service Mesh Certificate Authority (CA) configuration. For now, we only support plugin certificates as described here: https://aka.ms/asm-plugin-ca. | IstioCertificateAuthority |
components | Istio components configuration. | IstioComponents |
revisions | The list of revisions of the Istio control plane. When an upgrade is not in progress, this holds one value. When canary upgrade is in progress, this can only hold two consecutive values. For more information, see: /azure/aks/istio-upgrade | string[] |
KubeletConfig
Name | Description | Value |
---|---|---|
allowedUnsafeSysctls | Allowed list of unsafe sysctls or unsafe sysctl patterns (ending in *). | string[] |
containerLogMaxFiles | The maximum number of container log files that can be present for a container. The number must be ≥ 2. | int Constraints: Min value = 2 |
containerLogMaxSizeMB | The maximum size (e.g. 10Mi) of container log file before it is rotated. | int |
cpuCfsQuota | The default is true. | bool |
cpuCfsQuotaPeriod | The default is '100ms'. Valid values are a sequence of decimal numbers with an optional fraction and a unit suffix. For example: '300ms', '2h45m'. Supported units are 'ns', 'us', 'ms', 's', 'm', and 'h'. | string |
cpuManagerPolicy | The default is 'none'. See Kubernetes CPU management policies for more information. Allowed values are 'none' and 'static'. | string |
failSwapOn | If set to true it will make the Kubelet fail to start if swap is enabled on the node. | bool |
imageGcHighThreshold | To disable image garbage collection, set to 100. The default is 85%. | int |
imageGcLowThreshold | This cannot be set higher than imageGcHighThreshold. The default is 80%. | int |
podMaxPids | The maximum number of processes per pod. | int |
seccompDefault | Specifies the default seccomp profile applied to all workloads. If not specified, 'Unconfined' will be used by default. | 'RuntimeDefault' 'Unconfined' |
topologyManagerPolicy | For more information see Kubernetes Topology Manager. The default is 'none'. Allowed values are 'none', 'best-effort', 'restricted', and 'single-numa-node'. | string |
LinuxOSConfig
Name | Description | Value |
---|---|---|
swapFileSizeMB | The size in MB of a swap file that will be created on each node. | int |
sysctls | Sysctl settings for Linux agent nodes. | SysctlConfig |
transparentHugePageDefrag | Valid values are 'always', 'defer', 'defer+madvise', 'madvise' and 'never'. The default is 'madvise'. For more information see Transparent Hugepages. | string |
transparentHugePageEnabled | Valid values are 'always', 'madvise', and 'never'. The default is 'always'. For more information see Transparent Hugepages. | string |
ManagedClusterAADProfile
Name | Description | Value |
---|---|---|
adminGroupObjectIDs | The list of AAD group object IDs that will have admin role of the cluster. | string[] |
clientAppID | (DEPRECATED) The client AAD application ID. Learn more at https://aka.ms/aks/aad-legacy. | string |
enableAzureRBAC | Whether to enable Azure RBAC for Kubernetes authorization. | bool |
managed | Whether to enable managed AAD. | bool |
serverAppID | (DEPRECATED) The server AAD application ID. Learn more at https://aka.ms/aks/aad-legacy. | string |
serverAppSecret | (DEPRECATED) The server AAD application secret. Learn more at https://aka.ms/aks/aad-legacy. | string |
tenantID | The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription. | string |
ManagedClusterAddonProfile
Name | Description | Value |
---|---|---|
config | Key-value pairs for configuring an add-on. | ManagedClusterAddonProfileConfig |
enabled | Whether the add-on is enabled or not. | bool (required) |
ManagedClusterAddonProfileConfig
Name | Description | Value |
---|---|---|
ManagedClusterAgentPoolProfile
Name | Description | Value |
---|---|---|
artifactStreamingProfile | Configuration for using artifact streaming on AKS. | AgentPoolArtifactStreamingProfile |
availabilityZones | The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is 'VirtualMachineScaleSets'. | string[] |
capacityReservationGroupID | AKS will associate the specified agent pool with the Capacity Reservation Group. | string |
count | Number of agents (VMs) to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1. | int |
creationData | CreationData to be used to specify the source Snapshot ID if the node pool will be created/upgraded using a snapshot. | CreationData |
enableAutoScaling | Whether to enable auto-scaler | bool |
enableCustomCATrust | When set to true, AKS adds a label to the node indicating that the feature is enabled and deploys a daemonset along with host services to sync custom certificate authorities from a user-provided list of base64-encoded certificates into node trust stores. Defaults to false. | bool |
enableEncryptionAtHost | This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption | bool |
enableFIPS | See Add a FIPS-enabled node pool for more details. | bool |
enableNodePublicIP | Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node. The default is false. | bool |
enableUltraSSD | Whether to enable UltraSSD | bool |
gatewayProfile | Profile specific to a managed agent pool in Gateway mode. This field cannot be set if agent pool mode is not Gateway. | AgentPoolGatewayProfile |
gpuInstanceProfile | GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. | 'MIG1g' 'MIG2g' 'MIG3g' 'MIG4g' 'MIG7g' |
gpuProfile | The GPU settings of an agent pool. | AgentPoolGPUProfile |
hostGroupID | This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/hostGroups/{hostGroupName}. For more information see Azure dedicated hosts. | string |
kubeletConfig | The Kubelet configuration on the agent pool nodes. | KubeletConfig |
kubeletDiskType | Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. | 'OS' 'Temporary' |
linuxOSConfig | The OS configuration of Linux agent nodes. | LinuxOSConfig |
maxCount | The maximum number of nodes for auto-scaling | int |
maxPods | The maximum number of pods that can run on a node. | int |
messageOfTheDay | A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of the message of the day for Linux nodes. It must not be specified for Windows nodes. It must be a static string (i.e., will be printed raw and not be executed as a script). | string |
minCount | The minimum number of nodes for auto-scaling | int |
mode | A cluster must have at least one 'System' Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: /azure/aks/use-system-pools | 'Gateway' 'System' 'User' |
name | Windows agent pool names must be 6 characters or less. | string Constraints: Pattern = ^[a-z][a-z0-9]{0,11}$ (required) |
networkProfile | Network-related settings of an agent pool. | AgentPoolNetworkProfile |
nodeInitializationTaints | These taints will not be reconciled by AKS and can be removed with a kubectl call. This field can be modified after the node pool is created, but nodes will not be recreated with new taints until another operation that requires recreation (e.g. node image upgrade) happens. These taints allow for required configuration to run before the node is ready to accept workloads, for example 'key1=value1:NoSchedule', which can then be removed with kubectl taint nodes node1 key1=value1:NoSchedule- | string[] |
nodeLabels | The node labels to be persisted across all nodes in agent pool. | ManagedClusterAgentPoolProfilePropertiesNodeLabels |
nodePublicIPPrefixID | This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPPrefixes/{publicIPPrefixName} | string |
nodeTaints | The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. | string[] |
orchestratorVersion | Both patch version <major.minor.patch> and <major.minor> are supported. When <major.minor> is specified, the latest supported patch version is chosen automatically. Updating the agent pool with the same <major.minor> once it has been created will not trigger an upgrade, even if a newer patch version is available. As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool. | string |
osDiskSizeGB | OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. | int Constraints: Min value = 0 Max value = 2048 |
osDiskType | The default is 'Ephemeral' if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. For more information see Ephemeral OS. | 'Ephemeral' 'Managed' |
osSKU | Specifies the OS SKU used by the agent pool. If not specified, the default is Ubuntu if OSType=Linux or Windows2019 if OSType=Windows. And the default Windows OSSKU will be changed to Windows2022 after Windows2019 is deprecated. | 'AzureLinux' 'CBLMariner' 'Mariner' 'Ubuntu' 'Windows2019' 'Windows2022' 'WindowsAnnual' |
osType | The operating system type. The default is Linux. | 'Linux' 'Windows' |
podIPAllocationMode | The IP allocation mode for pods in the agent pool. Must be used with podSubnetId. The default is 'DynamicIndividual'. | 'DynamicIndividual' 'StaticBlock' |
podSubnetID | If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} | string |
powerState | When an Agent Pool is first created it is initially Running. The Agent Pool can be stopped by setting this field to Stopped. A stopped Agent Pool stops all of its VMs and does not accrue billing charges. An Agent Pool can only be stopped if it is Running and provisioning state is Succeeded | PowerState |
proximityPlacementGroupID | The ID for Proximity Placement Group. | string |
scaleDownMode | This also affects the cluster autoscaler behavior. If not specified, it defaults to Delete. | 'Deallocate' 'Delete' |
scaleSetEvictionPolicy | This cannot be specified unless the scaleSetPriority is 'Spot'. If not specified, the default is 'Delete'. | 'Deallocate' 'Delete' |
scaleSetPriority | The Virtual Machine Scale Set priority. If not specified, the default is 'Regular'. | 'Regular' 'Spot' |
securityProfile | The security settings of an agent pool. | AgentPoolSecurityProfile |
spotMaxPrice | Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing | int |
tags | The tags to be persisted on the agent pool virtual machine scale set. | ManagedClusterAgentPoolProfilePropertiesTags |
type | The type of Agent Pool. | 'AvailabilitySet' 'VirtualMachines' 'VirtualMachineScaleSets' |
upgradeSettings | Settings for upgrading the agentpool | AgentPoolUpgradeSettings |
virtualMachineNodesStatus | The status of nodes in a VirtualMachines agent pool. | VirtualMachineNodes[] |
virtualMachinesProfile | Specifications on VirtualMachines agent pool. | VirtualMachinesProfile |
vmSize | VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: /azure/aks/quotas-skus-regions | string |
vnetSubnetID | If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} | string |
windowsProfile | The Windows agent pool's specific profile. | AgentPoolWindowsProfile |
workloadRuntime | Determines the type of workload a node can run. | 'KataMshvVmIsolation' 'OCIContainer' 'WasmWasi' |
ManagedClusterAgentPoolProfilePropertiesNodeLabels
Name | Description | Value |
---|---|---|
ManagedClusterAgentPoolProfilePropertiesTags
Name | Description | Value |
---|---|---|
ManagedClusterAIToolchainOperatorProfile
Name | Description | Value |
---|---|---|
enabled | Indicates if AI toolchain operator enabled or not. | bool |
ManagedClusterAPIServerAccessProfile
Name | Description | Value |
---|---|---|
authorizedIPRanges | IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. For more information see API server authorized IP ranges. | string[] |
disableRunCommand | Whether to disable run command for the cluster or not. | bool |
enablePrivateCluster | For more details, see Creating a private AKS cluster. | bool |
enablePrivateClusterPublicFQDN | Whether to create additional public FQDN for private cluster or not. | bool |
enableVnetIntegration | Whether to enable apiserver vnet integration for the cluster or not. | bool |
privateDNSZone | The default is System. For more details see configure private DNS zone. Allowed values are 'system' and 'none'. | string |
subnetId | It is required when: 1. creating a new cluster with BYO Vnet; 2. updating an existing cluster to enable apiserver vnet integration. | string |
ManagedClusterAutoUpgradeProfile
Name | Description | Value |
---|---|---|
nodeOSUpgradeChannel | The default is Unmanaged, but may change to either NodeImage or SecurityPatch at GA. | 'NodeImage' 'None' 'SecurityPatch' 'Unmanaged' |
upgradeChannel | For more information see setting the AKS cluster auto-upgrade channel. | 'node-image' 'none' 'patch' 'rapid' 'stable' |
ManagedClusterAzureMonitorProfile
Name | Description | Value |
---|---|---|
appMonitoring | Application Monitoring Profile for Kubernetes Application Container. Collects application logs, metrics and traces through auto-instrumentation of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview. | ManagedClusterAzureMonitorProfileAppMonitoring |
containerInsights | Azure Monitor Container Insights Profile for Kubernetes Events, Inventory and Container stdout & stderr logs etc. See aka.ms/AzureMonitorContainerInsights for an overview. | ManagedClusterAzureMonitorProfileContainerInsights |
metrics | Metrics profile for the prometheus service addon | ManagedClusterAzureMonitorProfileMetrics |
ManagedClusterAzureMonitorProfileAppMonitoring
Name | Description | Value |
---|---|---|
autoInstrumentation | Application Monitoring Auto Instrumentation for Kubernetes Application Container. Deploys web hook to auto-instrument Azure Monitor OpenTelemetry based SDKs to collect OpenTelemetry metrics, logs and traces of the application. See aka.ms/AzureMonitorApplicationMonitoring for an overview. | ManagedClusterAzureMonitorProfileAppMonitoringAutoInstrumentation |
openTelemetryLogs | Application Monitoring Open Telemetry Metrics Profile for Kubernetes Application Container Logs and Traces. Collects OpenTelemetry logs and traces of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview. | ManagedClusterAzureMonitorProfileAppMonitoringOpenTelemetryLogs |
openTelemetryMetrics | Application Monitoring Open Telemetry Metrics Profile for Kubernetes Application Container Metrics. Collects OpenTelemetry metrics of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview. | ManagedClusterAzureMonitorProfileAppMonitoringOpenTelemetryMetrics |
ManagedClusterAzureMonitorProfileAppMonitoringAutoInstrumentation
Name | Description | Value |
---|---|---|
enabled | Indicates if Application Monitoring Auto Instrumentation is enabled or not. | bool |
ManagedClusterAzureMonitorProfileAppMonitoringOpenTelemetryLogs
Name | Description | Value |
---|---|---|
enabled | Indicates if Application Monitoring Open Telemetry Logs and traces are enabled or not. | bool |
port | The Open Telemetry host port for Open Telemetry logs and traces. If not specified, the default port is 28331. | int |
ManagedClusterAzureMonitorProfileAppMonitoringOpenTelemetryMetrics
Name | Description | Value |
---|---|---|
enabled | Indicates if Application Monitoring Open Telemetry Metrics is enabled or not. | bool |
port | The Open Telemetry host port for Open Telemetry metrics. If not specified, the default port is 28333. | int |
ManagedClusterAzureMonitorProfileContainerInsights
Name | Description | Value |
---|---|---|
disableCustomMetrics | Indicates whether custom metrics collection is disabled or not. If not specified, the default is false. No custom metrics will be emitted if this field is false but the Container Insights enabled field is also false. | bool |
disablePrometheusMetricsScraping | Indicates whether Prometheus metrics scraping is disabled or not. If not specified, the default is false. No Prometheus metrics will be emitted if this field is false but the Container Insights enabled field is also false. | bool |
enabled | Indicates if Azure Monitor Container Insights Logs Addon is enabled or not. | bool |
logAnalyticsWorkspaceResourceId | Fully Qualified ARM Resource Id of Azure Log Analytics Workspace for storing Azure Monitor Container Insights Logs. | string |
syslogPort | The syslog host port. If not specified, the default port is 28330. | int |
ManagedClusterAzureMonitorProfileKubeStateMetrics
Name | Description | Value |
---|---|---|
metricAnnotationsAllowList | Comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric. | string |
metricLabelsAllowlist | Comma-separated list of Kubernetes annotations keys that will be used in the resource's labels metric. | string |
ManagedClusterAzureMonitorProfileMetrics
Name | Description | Value |
---|---|---|
enabled | Whether to enable the Prometheus collector | bool (required) |
kubeStateMetrics | Kube State Metrics for prometheus addon profile for the container service cluster | ManagedClusterAzureMonitorProfileKubeStateMetrics |
ManagedClusterBootstrapProfile
Name | Description | Value |
---|---|---|
artifactSource | The source where the artifacts are downloaded from. | 'Cache' 'Direct' |
containerRegistryId | The resource Id of Azure Container Registry. The registry must have private network access, premium SKU and zone redundancy. | string |
ManagedClusterCostAnalysis
Name | Description | Value |
---|---|---|
enabled | The Managed Cluster sku.tier must be set to 'Standard' or 'Premium' to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. If not specified, the default is false. For more information see aka.ms/aks/docs/cost-analysis. | bool |
ManagedClusterHttpProxyConfig
Name | Description | Value |
---|---|---|
httpProxy | The HTTP proxy server endpoint to use. | string |
httpsProxy | The HTTPS proxy server endpoint to use. | string |
noProxy | The endpoints that should not go through proxy. | string[] |
trustedCa | Alternative CA cert to use for connecting to proxy servers. | string |
ManagedClusterIdentity
Name | Description | Value |
---|---|---|
delegatedResources | The delegated identity resources assigned to this managed cluster. This can only be set by another Azure Resource Provider, and a managed cluster only accepts one delegated identity resource. Internal use only. | DelegatedResources |
type | For more information see use managed identities in AKS. | 'None' 'SystemAssigned' 'UserAssigned' |
userAssignedIdentities | The keys must be ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | ManagedClusterIdentityUserAssignedIdentities |
ManagedClusterIdentityUserAssignedIdentities
Name | Description | Value |
---|---|---|
ManagedClusterIngressProfile
Name | Description | Value |
---|---|---|
webAppRouting | Web App Routing settings for the ingress profile. | ManagedClusterIngressProfileWebAppRouting |
ManagedClusterIngressProfileNginx
Name | Description | Value |
---|---|---|
defaultIngressControllerType | Ingress type for the default NginxIngressController custom resource | 'AnnotationControlled' 'External' 'Internal' 'None' |
ManagedClusterIngressProfileWebAppRouting
Name | Description | Value |
---|---|---|
dnsZoneResourceIds | Resource IDs of the DNS zones to be associated with the Web App Routing add-on. Used only when Web App Routing is enabled. Public and private DNS zones can be in different resource groups, but all public DNS zones must be in the same resource group and all private DNS zones must be in the same resource group. | string[] |
enabled | Whether to enable Web App Routing. | bool |
nginx | Configuration for the default NginxIngressController. See more at /azure/aks/app-routing-nginx-configuration#the-default-nginx-ingress-controller. | ManagedClusterIngressProfileNginx |
ManagedClusterLoadBalancerProfile
Name | Description | Value |
---|---|---|
allocatedOutboundPorts | The desired number of allocated SNAT ports per VM. Allowed values are in the range of 0 to 64000 (inclusive). The default value is 0 which results in Azure dynamically allocating ports. | int Constraints: Min value = 0 Max value = 64000 |
backendPoolType | The type of the managed inbound Load Balancer BackendPool. | 'NodeIP' 'NodeIPConfiguration' |
clusterServiceLoadBalancerHealthProbeMode | The health probing behavior for External Traffic Policy Cluster services. | 'ServiceNodePort' 'Shared' |
effectiveOutboundIPs | The effective outbound IP resources of the cluster load balancer. | ResourceReference[] |
enableMultipleStandardLoadBalancers | Enable multiple standard load balancers per AKS cluster or not. | bool |
idleTimeoutInMinutes | Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 30 minutes. | int Constraints: Min value = 4 Max value = 120 |
managedOutboundIPs | Desired managed outbound IPs for the cluster load balancer. | ManagedClusterLoadBalancerProfileManagedOutboundIPs |
outboundIPPrefixes | Desired outbound IP Prefix resources for the cluster load balancer. | ManagedClusterLoadBalancerProfileOutboundIPPrefixes |
outboundIPs | Desired outbound IP resources for the cluster load balancer. | ManagedClusterLoadBalancerProfileOutboundIPs |
ManagedClusterLoadBalancerProfileManagedOutboundIPs
Name | Description | Value |
---|---|---|
count | The desired number of IPv4 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1. | int Constraints: Min value = 1 Max value = 100 |
countIPv6 | The desired number of IPv6 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack. | int Constraints: Min value = 0 Max value = 100 |
ManagedClusterLoadBalancerProfileOutboundIPPrefixes
Name | Description | Value |
---|---|---|
publicIPPrefixes | A list of public IP prefix resources. | ResourceReference[] |
ManagedClusterLoadBalancerProfileOutboundIPs
Name | Description | Value |
---|---|---|
publicIPs | A list of public IP resources. | ResourceReference[] |
ManagedClusterManagedOutboundIPProfile
Name | Description | Value |
---|---|---|
count | The desired number of outbound IPs created/managed by Azure. Allowed values must be in the range of 1 to 16 (inclusive). The default value is 1. | int Constraints: Min value = 1 Max value = 16 |
ManagedClusterMetricsProfile
Name | Description | Value |
---|---|---|
costAnalysis | The cost analysis configuration for the cluster | ManagedClusterCostAnalysis |
ManagedClusterNATGatewayProfile
Name | Description | Value |
---|---|---|
effectiveOutboundIPs | The effective outbound IP resources of the cluster NAT gateway. | ResourceReference[] |
idleTimeoutInMinutes | Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 4 minutes. | int Constraints: Min value = 4 Max value = 120 |
managedOutboundIPProfile | Profile of the managed outbound IP resources of the cluster NAT gateway. | ManagedClusterManagedOutboundIPProfile |
ManagedClusterNodeProvisioningProfile
Name | Description | Value |
---|---|---|
mode | Once the mode is set to Auto, it cannot be changed back to Manual. | 'Auto' 'Manual' |
ManagedClusterNodeResourceGroupProfile
Name | Description | Value |
---|---|---|
restrictionLevel | The restriction level applied to the cluster's node resource group | 'ReadOnly' 'Unrestricted' |
ManagedClusterOidcIssuerProfile
Name | Description | Value |
---|---|---|
enabled | Whether the OIDC issuer is enabled. | bool |
ManagedClusterPodIdentity
Name | Description | Value |
---|---|---|
bindingSelector | The binding selector to use for the AzureIdentityBinding resource. | string |
identity | The user assigned identity details. | UserAssignedIdentity (required) |
name | The name of the pod identity. | string (required) |
namespace | The namespace of the pod identity. | string (required) |
ManagedClusterPodIdentityException
Name | Description | Value |
---|---|---|
name | The name of the pod identity exception. | string (required) |
namespace | The namespace of the pod identity exception. | string (required) |
podLabels | The pod labels to match. | ManagedClusterPodIdentityExceptionPodLabels (required) |
ManagedClusterPodIdentityExceptionPodLabels
Name | Description | Value |
---|---|---|
ManagedClusterPodIdentityProfile
Name | Description | Value |
---|---|---|
allowNetworkPluginKubenet | Running in kubenet is disabled by default because of the security-sensitive nature of AAD Pod Identity and the risk of IP spoofing; set this to true only if you explicitly accept that risk. See using Kubenet network plugin with AAD Pod Identity for more information. | bool |
enabled | Whether the pod identity addon is enabled. | bool |
userAssignedIdentities | The pod identities to use in the cluster. | ManagedClusterPodIdentity[] |
userAssignedIdentityExceptions | The pod identity exceptions to allow. | ManagedClusterPodIdentityException[] |
ManagedClusterProperties
Name | Description | Value |
---|---|---|
aadProfile | The Azure Active Directory configuration. | ManagedClusterAADProfile |
addonProfiles | The profile of managed cluster add-on. | ManagedClusterPropertiesAddonProfiles |
agentPoolProfiles | The agent pool properties. | ManagedClusterAgentPoolProfile[] |
aiToolchainOperatorProfile | AI toolchain operator settings that apply to the whole cluster. | ManagedClusterAIToolchainOperatorProfile |
apiServerAccessProfile | The access profile for managed cluster API server. | ManagedClusterAPIServerAccessProfile |
autoScalerProfile | Parameters to be applied to the cluster-autoscaler when enabled | ManagedClusterPropertiesAutoScalerProfile |
autoUpgradeProfile | The auto upgrade configuration. | ManagedClusterAutoUpgradeProfile |
azureMonitorProfile | Prometheus addon profile for the container service cluster | ManagedClusterAzureMonitorProfile |
bootstrapProfile | Profile of the cluster bootstrap configuration. | ManagedClusterBootstrapProfile |
creationData | CreationData to be used to specify the source Snapshot ID if the cluster will be created/upgraded using a snapshot. | CreationData |
disableLocalAccounts | If set to true, retrieving static (local, non-AAD) cluster credentials is disabled for this cluster, so access must go through AAD. This must only be used on Managed Clusters that are AAD enabled. For more details see disable local accounts. | bool |
diskEncryptionSetID | This is of the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/diskEncryptionSets/{encryptionSetName}' | string |
dnsPrefix | This cannot be updated once the Managed Cluster has been created. | string |
enableNamespaceResources | The default value is false. It can be enabled/disabled on creation and updating of the managed cluster. See https://aka.ms/NamespaceARMResource for more details on Namespace as a ARM Resource. | bool |
enablePodSecurityPolicy | (DEPRECATED) Whether to enable Kubernetes pod security policy (preview). PodSecurityPolicy was deprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25. Learn more at https://aka.ms/k8s/psp and https://aka.ms/aks/psp. | bool |
enableRBAC | Whether to enable Kubernetes Role-Based Access Control. | bool |
fqdnSubdomain | This cannot be updated once the Managed Cluster has been created. | string |
httpProxyConfig | Configurations for provisioning the cluster with HTTP proxy servers. | ManagedClusterHttpProxyConfig |
identityProfile | The user identity associated with the managed cluster. This identity will be used by the kubelet. Only one user assigned identity is allowed. The only accepted key is "kubeletidentity", with value of "resourceId": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}". | ManagedClusterPropertiesIdentityProfile |
ingressProfile | Ingress profile for the managed cluster. | ManagedClusterIngressProfile |
kubernetesVersion | When you upgrade a supported AKS cluster, Kubernetes minor versions cannot be skipped. All upgrades must be performed sequentially by major version number. For example, upgrades between 1.14.x -> 1.15.x or 1.15.x -> 1.16.x are allowed, however 1.14.x -> 1.16.x is not allowed. See upgrading an AKS cluster for more details. | string |
linuxProfile | The profile for Linux VMs in the Managed Cluster. | ContainerServiceLinuxProfile |
metricsProfile | Optional cluster metrics configuration. | ManagedClusterMetricsProfile |
networkProfile | The network configuration profile. | ContainerServiceNetworkProfile |
nodeProvisioningProfile | Node provisioning settings that apply to the whole cluster. | ManagedClusterNodeProvisioningProfile |
nodeResourceGroup | The name of the resource group containing agent pool nodes. | string |
nodeResourceGroupProfile | The node resource group configuration profile. | ManagedClusterNodeResourceGroupProfile |
oidcIssuerProfile | The OIDC issuer profile of the Managed Cluster. | ManagedClusterOidcIssuerProfile |
podIdentityProfile | See use AAD pod identity for more details on AAD pod identity integration. | ManagedClusterPodIdentityProfile |
privateLinkResources | Private link resources associated with the cluster. | PrivateLinkResource[] |
publicNetworkAccess | Allow or deny public network access for AKS | 'Disabled' 'Enabled' 'SecuredByPerimeter' |
safeguardsProfile | The Safeguards profile holds all the safeguards information for a given cluster | SafeguardsProfile |
securityProfile | Security profile for the managed cluster. | ManagedClusterSecurityProfile |
serviceMeshProfile | Service mesh profile for a managed cluster. | ServiceMeshProfile |
servicePrincipalProfile | Information about a service principal identity for the cluster to use for manipulating Azure APIs. | ManagedClusterServicePrincipalProfile |
storageProfile | Storage profile for the managed cluster. | ManagedClusterStorageProfile |
supportPlan | The support plan for the Managed Cluster. If unspecified, the default is 'KubernetesOfficial'. | 'AKSLongTermSupport' 'KubernetesOfficial' |
upgradeSettings | Settings for upgrading a cluster. | ClusterUpgradeSettings |
windowsProfile | The profile for Windows VMs in the Managed Cluster. | ManagedClusterWindowsProfile |
workloadAutoScalerProfile | Workload Auto-scaler profile for the managed cluster. | ManagedClusterWorkloadAutoScalerProfile |
ManagedClusterPropertiesAddonProfiles
Name | Description | Value |
---|---|---|
ManagedClusterPropertiesAutoScalerProfile
Name | Description | Value |
---|---|---|
balance-similar-node-groups | Valid values are 'true' and 'false' | string |
daemonset-eviction-for-empty-nodes | If set to true, all daemonset pods on empty nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted. | bool |
daemonset-eviction-for-occupied-nodes | If set to true, all daemonset pods on occupied nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted. | bool |
expander | Available values are: 'least-waste', 'most-pods', 'priority', 'random'. | 'least-waste' 'most-pods' 'priority' 'random' |
ignore-daemonsets-utilization | If set to true, the resources used by daemonset pods are ignored (not taken into account) when making scale-down decisions, as the option name indicates. If set to false, daemonset utilization counts toward node utilization. | bool |
max-empty-bulk-delete | The default is 10. | string |
max-graceful-termination-sec | The default is 600. | string |
max-node-provision-time | The default is '15m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string |
max-total-unready-percentage | The default is 45. The maximum is 100 and the minimum is 0. | string |
new-pod-scale-up-delay | For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. The default is '0s'. Values must be an integer followed by a unit ('s' for seconds, 'm' for minutes, 'h' for hours, etc). | string |
ok-total-unready-count | This must be an integer. The default is 3. | string |
scale-down-delay-after-add | The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string |
scale-down-delay-after-delete | The default is the scan-interval. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string |
scale-down-delay-after-failure | The default is '3m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string |
scale-down-unneeded-time | The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string |
scale-down-unready-time | The default is '20m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string |
scale-down-utilization-threshold | The default is '0.5'. | string |
scan-interval | The default is '10'. Values must be an integer number of seconds. | string |
skip-nodes-with-local-storage | The default is true. | string |
skip-nodes-with-system-pods | The default is true. | string |
ManagedClusterPropertiesIdentityProfile
Name | Description | Value |
---|---|---|
ManagedClusterSecurityProfile
Name | Description | Value |
---|---|---|
azureKeyVaultKms | Azure Key Vault key management service settings for the security profile. | AzureKeyVaultKms |
customCATrustCertificates | A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the Custom CA Trust feature enabled. Note that every node with the feature enabled will trust any certificate issued by these CAs, so include only CAs you control. For more information see Custom CA Trust Certificates | any[] |
defender | Microsoft Defender settings for the security profile. | ManagedClusterSecurityProfileDefender |
imageCleaner | Image Cleaner settings for the security profile. | ManagedClusterSecurityProfileImageCleaner |
imageIntegrity | Image integrity is a feature that works with Azure Policy to verify image integrity by signature. This will not have any effect unless Azure Policy is applied to enforce image signatures. See https://aka.ms/aks/image-integrity for how to use this feature via policy. | ManagedClusterSecurityProfileImageIntegrity |
nodeRestriction | Node Restriction settings for the security profile. | ManagedClusterSecurityProfileNodeRestriction |
workloadIdentity | Workload identity settings for the security profile. Workload identity enables Kubernetes applications to access Azure cloud resources securely with Azure AD. See https://aka.ms/aks/wi for more details. | ManagedClusterSecurityProfileWorkloadIdentity |
ManagedClusterSecurityProfileDefender
Name | Description | Value |
---|---|---|
logAnalyticsWorkspaceResourceId | Resource ID of the Log Analytics workspace to be associated with Microsoft Defender. When Microsoft Defender is enabled, this field is required and must be a valid workspace resource ID. When Microsoft Defender is disabled, leave the field empty. | string |
securityMonitoring | Microsoft Defender threat detection for Cloud settings for the security profile. | ManagedClusterSecurityProfileDefenderSecurityMonitoring |
ManagedClusterSecurityProfileDefenderSecurityMonitoring
Name | Description | Value |
---|---|---|
enabled | Whether to enable Defender threat detection | bool |
ManagedClusterSecurityProfileImageCleaner
Name | Description | Value |
---|---|---|
enabled | Whether to enable Image Cleaner on AKS cluster. | bool |
intervalHours | Image Cleaner scanning interval in hours. | int |
ManagedClusterSecurityProfileImageIntegrity
Name | Description | Value |
---|---|---|
enabled | Whether to enable image integrity. The default value is false. | bool |
ManagedClusterSecurityProfileNodeRestriction
Name | Description | Value |
---|---|---|
enabled | Whether to enable Node Restriction | bool |
ManagedClusterSecurityProfileWorkloadIdentity
Name | Description | Value |
---|---|---|
enabled | Whether to enable workload identity. | bool |
ManagedClusterServicePrincipalProfile
Name | Description | Value |
---|---|---|
clientId | The ID for the service principal. | string (required) |
secret | The secret password associated with the service principal, in plain text. Because this value is passed as a plain string, supply it through a secure parameter (for example a Bicep `@secure()` parameter or a Key Vault reference) rather than as a literal in the template. | string |
ManagedClusterSKU
Name | Description | Value |
---|---|---|
name | The name of a managed cluster SKU. | 'Automatic' 'Base' |
tier | If not specified, the default is 'Free'. See AKS Pricing Tier for more details. | 'Free' 'Premium' 'Standard' |
ManagedClusterStaticEgressGatewayProfile
Name | Description | Value |
---|---|---|
enabled | Indicates if Static Egress Gateway addon is enabled or not. | bool |
ManagedClusterStorageProfile
Name | Description | Value |
---|---|---|
blobCSIDriver | AzureBlob CSI Driver settings for the storage profile. | ManagedClusterStorageProfileBlobCSIDriver |
diskCSIDriver | AzureDisk CSI Driver settings for the storage profile. | ManagedClusterStorageProfileDiskCSIDriver |
fileCSIDriver | AzureFile CSI Driver settings for the storage profile. | ManagedClusterStorageProfileFileCSIDriver |
snapshotController | Snapshot Controller settings for the storage profile. | ManagedClusterStorageProfileSnapshotController |
ManagedClusterStorageProfileBlobCSIDriver
Name | Description | Value |
---|---|---|
enabled | Whether to enable AzureBlob CSI Driver. The default value is false. | bool |
ManagedClusterStorageProfileDiskCSIDriver
Name | Description | Value |
---|---|---|
enabled | Whether to enable AzureDisk CSI Driver. The default value is true. | bool |
version | The version of AzureDisk CSI Driver. The default value is v1. | string |
ManagedClusterStorageProfileFileCSIDriver
Name | Description | Value |
---|---|---|
enabled | Whether to enable AzureFile CSI Driver. The default value is true. | bool |
ManagedClusterStorageProfileSnapshotController
Name | Description | Value |
---|---|---|
enabled | Whether to enable Snapshot Controller. The default value is true. | bool |
ManagedClusterWindowsProfile
Name | Description | Value |
---|---|---|
adminPassword | Specifies the password of the administrator account. Supply it through a secure parameter (for example a Bicep `@secure()` parameter or a Key Vault reference) rather than as a literal in the template. Minimum-length: 8 characters. Max-length: 123 characters. Complexity requirements: 3 out of the 4 conditions below need to be fulfilled: has lower-case characters; has upper-case characters; has a digit; has a special character (regex match [\W_]). Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!" | string |
adminUsername | Specifies the name of the administrator account. Restriction: cannot end in ".". Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5". Minimum-length: 1 character. Max-length: 20 characters. | string (required) |
enableCSIProxy | For more details on CSI proxy, see the CSI proxy GitHub repo. | bool |
gmsaProfile | The Windows gMSA Profile in the Managed Cluster. | WindowsGmsaProfile |
licenseType | The license type to use for Windows VMs. See Azure Hybrid User Benefits for more details. | 'None' 'Windows_Server' |
ManagedClusterWorkloadAutoScalerProfile
Name | Description | Value |
---|---|---|
keda | KEDA (Kubernetes Event-driven Autoscaling) settings for the workload auto-scaler profile. | ManagedClusterWorkloadAutoScalerProfileKeda |
verticalPodAutoscaler | VPA (Vertical Pod Autoscaler) settings for the workload auto-scaler profile. | ManagedClusterWorkloadAutoScalerProfileVerticalPodAutoscaler |
ManagedClusterWorkloadAutoScalerProfileKeda
Name | Description | Value |
---|---|---|
enabled | Whether to enable KEDA. | bool (required) |
ManagedClusterWorkloadAutoScalerProfileVerticalPodAutoscaler
Name | Description | Value |
---|---|---|
addonAutoscaling | Whether VPA add-on is enabled and configured to scale AKS-managed add-ons. | 'Disabled' 'Enabled' |
enabled | Whether to enable VPA add-on in cluster. Default value is false. | bool (required) |
ManagedServiceIdentityUserAssignedIdentitiesValue
Name | Description | Value |
---|---|---|
ManualScaleProfile
Name | Description | Value |
---|---|---|
count | Number of nodes. | int |
sizes | The list of allowed vm sizes e.g. ['Standard_E4s_v3', 'Standard_E16s_v3', 'Standard_D16s_v5']. AKS will use the first available one when scaling. If a VM size is unavailable (e.g. due to quota or regional capacity reasons), AKS will use the next size. | string[] |
Microsoft.ContainerService/managedClusters
Name | Description | Value |
---|---|---|
extendedLocation | The extended location of the Virtual Machine. | ExtendedLocation |
identity | The identity of the managed cluster, if configured. | ManagedClusterIdentity |
kind | This is primarily used to expose different UI experiences in the portal for different kinds | string |
location | The geo-location where the resource lives | string (required) |
name | The resource name | string Constraints: Min length = 1 Max length = 63 (the pattern allows 1 to 63 characters) Pattern = ^[a-zA-Z0-9]$|^[a-zA-Z0-9][-_a-zA-Z0-9]{0,61}[a-zA-Z0-9]$ (required) |
properties | Properties of a managed cluster. | ManagedClusterProperties |
sku | The managed cluster SKU. | ManagedClusterSKU |
tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
PortRange
Name | Description | Value |
---|---|---|
portEnd | The maximum port that is included in the range. It should be ranged from 1 to 65535, and be greater than or equal to portStart. | int Constraints: Min value = 1 Max value = 65535 |
portStart | The minimum port that is included in the range. It should be ranged from 1 to 65535, and be less than or equal to portEnd. | int Constraints: Min value = 1 Max value = 65535 |
protocol | The network protocol of the port. | 'TCP' 'UDP' |
PowerState
Name | Description | Value |
---|---|---|
code | Tells whether the cluster is Running or Stopped | 'Running' 'Stopped' |
PrivateLinkResource
Name | Description | Value |
---|---|---|
groupId | The group ID of the resource. | string |
id | The ID of the private link resource. | string |
name | The name of the private link resource. | string |
requiredMembers | The RequiredMembers of the resource | string[] |
type | The resource type. | string |
ResourceReference
Name | Description | Value |
---|---|---|
id | The fully qualified Azure resource id. | string |
SafeguardsProfile
Name | Description | Value |
---|---|---|
excludedNamespaces | List of namespaces excluded from Safeguards checks | string[] |
level | The Safeguards level to be used. By default, Safeguards is enabled for all namespaces except those that AKS excludes via systemExcludedNamespaces | 'Enforcement' 'Off' 'Warning' (required) |
version | The version of constraints to use | string |
ScaleProfile
Name | Description | Value |
---|---|---|
autoscale | Specifications on how to auto-scale the VirtualMachines agent pool within a predefined size range. Currently, at most one AutoScaleProfile is allowed. | AutoScaleProfile[] |
manual | Specifications on how to scale the VirtualMachines agent pool to a fixed size. | ManualScaleProfile[] |
ServiceMeshProfile
Name | Description | Value |
---|---|---|
istio | Istio service mesh configuration. | IstioServiceMesh |
mode | Mode of the service mesh. | 'Disabled' 'Istio' (required) |
SysctlConfig
Name | Description | Value |
---|---|---|
fsAioMaxNr | Sysctl setting fs.aio-max-nr. | int |
fsFileMax | Sysctl setting fs.file-max. | int |
fsInotifyMaxUserWatches | Sysctl setting fs.inotify.max_user_watches. | int |
fsNrOpen | Sysctl setting fs.nr_open. | int |
kernelThreadsMax | Sysctl setting kernel.threads-max. | int |
netCoreNetdevMaxBacklog | Sysctl setting net.core.netdev_max_backlog. | int |
netCoreOptmemMax | Sysctl setting net.core.optmem_max. | int |
netCoreRmemDefault | Sysctl setting net.core.rmem_default. | int |
netCoreRmemMax | Sysctl setting net.core.rmem_max. | int |
netCoreSomaxconn | Sysctl setting net.core.somaxconn. | int |
netCoreWmemDefault | Sysctl setting net.core.wmem_default. | int |
netCoreWmemMax | Sysctl setting net.core.wmem_max. | int |
netIpv4IpLocalPortRange | Sysctl setting net.ipv4.ip_local_port_range. | string |
netIpv4NeighDefaultGcThresh1 | Sysctl setting net.ipv4.neigh.default.gc_thresh1. | int |
netIpv4NeighDefaultGcThresh2 | Sysctl setting net.ipv4.neigh.default.gc_thresh2. | int |
netIpv4NeighDefaultGcThresh3 | Sysctl setting net.ipv4.neigh.default.gc_thresh3. | int |
netIpv4TcpFinTimeout | Sysctl setting net.ipv4.tcp_fin_timeout. | int |
netIpv4TcpkeepaliveIntvl | Sysctl setting net.ipv4.tcp_keepalive_intvl. | int Constraints: Min value = 10 Max value = 90 |
netIpv4TcpKeepaliveProbes | Sysctl setting net.ipv4.tcp_keepalive_probes. | int |
netIpv4TcpKeepaliveTime | Sysctl setting net.ipv4.tcp_keepalive_time. | int |
netIpv4TcpMaxSynBacklog | Sysctl setting net.ipv4.tcp_max_syn_backlog. | int |
netIpv4TcpMaxTwBuckets | Sysctl setting net.ipv4.tcp_max_tw_buckets. | int |
netIpv4TcpTwReuse | Sysctl setting net.ipv4.tcp_tw_reuse. | bool |
netNetfilterNfConntrackBuckets | Sysctl setting net.netfilter.nf_conntrack_buckets. | int Constraints: Min value = 65536 Max value = 524288 |
netNetfilterNfConntrackMax | Sysctl setting net.netfilter.nf_conntrack_max. | int Constraints: Min value = 131072 Max value = 2097152 |
vmMaxMapCount | Sysctl setting vm.max_map_count. | int |
vmSwappiness | Sysctl setting vm.swappiness. | int |
vmVfsCachePressure | Sysctl setting vm.vfs_cache_pressure. | int |
TrackedResourceTags
Name | Description | Value |
---|---|---|
UpgradeOverrideSettings
Name | Description | Value |
---|---|---|
forceUpgrade | Whether to force upgrade the cluster. Note that this option instructs the upgrade operation to bypass upgrade protections such as checking for deprecated API usage, so workloads relying on removed APIs can break after the upgrade. Enable this option only with caution, and only together with an `until` value so the override expires. | bool |
until | Until when the overrides are effective. Note that this only matches the start time of an upgrade; the effectiveness won't change once an upgrade starts, even if `until` expires as the upgrade proceeds. This field is not set by default. It must be set for the overrides to take effect. | string |
UserAssignedIdentity
Name | Description | Value |
---|---|---|
clientId | The client ID of the user assigned identity. | string |
objectId | The object ID of the user assigned identity. | string |
resourceId | The resource ID of the user assigned identity. | string |
VirtualMachineNodes
Name | Description | Value |
---|---|---|
count | Number of nodes. | int |
size | The VM size of the agents used to host this group of nodes. | string |
VirtualMachinesProfile
Name | Description | Value |
---|---|---|
scale | Specifications on how to scale a VirtualMachines agent pool. | ScaleProfile |
WindowsGmsaProfile
Name | Description | Value |
---|---|---|
dnsServer | Specifies the DNS server for Windows gMSA. Set it to empty if you have configured the DNS server in the vnet that is used to create the managed cluster. | string |
enabled | Specifies whether to enable Windows gMSA in the managed cluster. | bool |
rootDomainName | Specifies the root domain name for Windows gMSA. Set it to empty if you have configured the DNS server in the vnet that is used to create the managed cluster. | string |
Quickstart samples
The following quickstart samples deploy this resource type.
Bicep File | Description |
---|---|
AKS Cluster with a NAT Gateway and an Application Gateway | This sample shows how to deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections. |
AKS cluster with the Application Gateway Ingress Controller | This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault |
Azure Container Service (AKS) | Deploy a managed cluster with Azure Container Service (AKS) using Azure Linux container hosts |
Azure Container Service (AKS) | Deploy a managed cluster with Azure Container Service (AKS) |
Azure Container Service (AKS) with Helm | Deploy a managed cluster with Azure Container Service (AKS) with Helm |
Azure Kubernetes Service (AKS) | Deploys a managed Kubernetes cluster via Azure Kubernetes Service (AKS) |
Azure Machine Learning end-to-end secure setup | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
Azure Machine Learning end-to-end secure setup (legacy) | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
Create a Private AKS Cluster | This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine. |
Create AKS with Prometheus and Grafana with private link | This will create an Azure Managed Grafana instance and an AKS cluster, and install Prometheus, an open-source monitoring and alerting toolkit, on the Azure Kubernetes Service (AKS) cluster. Then you use Azure Managed Grafana's managed private endpoint to connect to this Prometheus server and display the Prometheus data in a Grafana dashboard. |
ARM template resource definition
The managedClusters resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.ContainerService/managedClusters resource, add the following JSON to your template.
{
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2024-09-02-preview",
"name": "string",
"extendedLocation": {
"name": "string",
"type": "string"
},
"identity": {
"delegatedResources": {
"{customized property}": {
"location": "string",
"referralResource": "string",
"resourceId": "string",
"tenantId": "string"
}
},
"type": "string",
"userAssignedIdentities": {
"{customized property}": {
}
}
},
"kind": "string",
"location": "string",
"properties": {
"aadProfile": {
"adminGroupObjectIDs": [ "string" ],
"clientAppID": "string",
"enableAzureRBAC": "bool",
"managed": "bool",
"serverAppID": "string",
"serverAppSecret": "string",
"tenantID": "string"
},
"addonProfiles": {
"{customized property}": {
"config": {
"{customized property}": "string"
},
"enabled": "bool"
}
},
"agentPoolProfiles": [
{
"artifactStreamingProfile": {
"enabled": "bool"
},
"availabilityZones": [ "string" ],
"capacityReservationGroupID": "string",
"count": "int",
"creationData": {
"sourceResourceId": "string"
},
"enableAutoScaling": "bool",
"enableCustomCATrust": "bool",
"enableEncryptionAtHost": "bool",
"enableFIPS": "bool",
"enableNodePublicIP": "bool",
"enableUltraSSD": "bool",
"gatewayProfile": {
"publicIPPrefixSize": "int"
},
"gpuInstanceProfile": "string",
"gpuProfile": {
"driverType": "string",
"installGPUDriver": "bool"
},
"hostGroupID": "string",
"kubeletConfig": {
"allowedUnsafeSysctls": [ "string" ],
"containerLogMaxFiles": "int",
"containerLogMaxSizeMB": "int",
"cpuCfsQuota": "bool",
"cpuCfsQuotaPeriod": "string",
"cpuManagerPolicy": "string",
"failSwapOn": "bool",
"imageGcHighThreshold": "int",
"imageGcLowThreshold": "int",
"podMaxPids": "int",
"seccompDefault": "string",
"topologyManagerPolicy": "string"
},
"kubeletDiskType": "string",
"linuxOSConfig": {
"swapFileSizeMB": "int",
"sysctls": {
"fsAioMaxNr": "int",
"fsFileMax": "int",
"fsInotifyMaxUserWatches": "int",
"fsNrOpen": "int",
"kernelThreadsMax": "int",
"netCoreNetdevMaxBacklog": "int",
"netCoreOptmemMax": "int",
"netCoreRmemDefault": "int",
"netCoreRmemMax": "int",
"netCoreSomaxconn": "int",
"netCoreWmemDefault": "int",
"netCoreWmemMax": "int",
"netIpv4IpLocalPortRange": "string",
"netIpv4NeighDefaultGcThresh1": "int",
"netIpv4NeighDefaultGcThresh2": "int",
"netIpv4NeighDefaultGcThresh3": "int",
"netIpv4TcpFinTimeout": "int",
"netIpv4TcpkeepaliveIntvl": "int",
"netIpv4TcpKeepaliveProbes": "int",
"netIpv4TcpKeepaliveTime": "int",
"netIpv4TcpMaxSynBacklog": "int",
"netIpv4TcpMaxTwBuckets": "int",
"netIpv4TcpTwReuse": "bool",
"netNetfilterNfConntrackBuckets": "int",
"netNetfilterNfConntrackMax": "int",
"vmMaxMapCount": "int",
"vmSwappiness": "int",
"vmVfsCachePressure": "int"
},
"transparentHugePageDefrag": "string",
"transparentHugePageEnabled": "string"
},
"maxCount": "int",
"maxPods": "int",
"messageOfTheDay": "string",
"minCount": "int",
"mode": "string",
"name": "string",
"networkProfile": {
"allowedHostPorts": [
{
"portEnd": "int",
"portStart": "int",
"protocol": "string"
}
],
"applicationSecurityGroups": [ "string" ],
"nodePublicIPTags": [
{
"ipTagType": "string",
"tag": "string"
}
]
},
"nodeInitializationTaints": [ "string" ],
"nodeLabels": {
"{customized property}": "string"
},
"nodePublicIPPrefixID": "string",
"nodeTaints": [ "string" ],
"orchestratorVersion": "string",
"osDiskSizeGB": "int",
"osDiskType": "string",
"osSKU": "string",
"osType": "string",
"podIPAllocationMode": "string",
"podSubnetID": "string",
"powerState": {
"code": "string"
},
"proximityPlacementGroupID": "string",
"scaleDownMode": "string",
"scaleSetEvictionPolicy": "string",
"scaleSetPriority": "string",
"securityProfile": {
"enableSecureBoot": "bool",
"enableVTPM": "bool",
"sshAccess": "string"
},
"spotMaxPrice": "int",
"tags": {
"{customized property}": "string"
},
"type": "string",
"upgradeSettings": {
"drainTimeoutInMinutes": "int",
"maxSurge": "string",
"maxUnavailable": "string",
"nodeSoakDurationInMinutes": "int",
"undrainableNodeBehavior": "string"
},
"virtualMachineNodesStatus": [
{
"count": "int",
"size": "string"
}
],
"virtualMachinesProfile": {
"scale": {
"autoscale": [
{
"maxCount": "int",
"minCount": "int",
"sizes": [ "string" ]
}
],
"manual": [
{
"count": "int",
"sizes": [ "string" ]
}
]
}
},
"vmSize": "string",
"vnetSubnetID": "string",
"windowsProfile": {
"disableOutboundNat": "bool"
},
"workloadRuntime": "string"
}
],
"aiToolchainOperatorProfile": {
"enabled": "bool"
},
"apiServerAccessProfile": {
"authorizedIPRanges": [ "string" ],
"disableRunCommand": "bool",
"enablePrivateCluster": "bool",
"enablePrivateClusterPublicFQDN": "bool",
"enableVnetIntegration": "bool",
"privateDNSZone": "string",
"subnetId": "string"
},
"autoScalerProfile": {
"balance-similar-node-groups": "string",
"daemonset-eviction-for-empty-nodes": "bool",
"daemonset-eviction-for-occupied-nodes": "bool",
"expander": "string",
"ignore-daemonsets-utilization": "bool",
"max-empty-bulk-delete": "string",
"max-graceful-termination-sec": "string",
"max-node-provision-time": "string",
"max-total-unready-percentage": "string",
"new-pod-scale-up-delay": "string",
"ok-total-unready-count": "string",
"scale-down-delay-after-add": "string",
"scale-down-delay-after-delete": "string",
"scale-down-delay-after-failure": "string",
"scale-down-unneeded-time": "string",
"scale-down-unready-time": "string",
"scale-down-utilization-threshold": "string",
"scan-interval": "string",
"skip-nodes-with-local-storage": "string",
"skip-nodes-with-system-pods": "string"
},
"autoUpgradeProfile": {
"nodeOSUpgradeChannel": "string",
"upgradeChannel": "string"
},
"azureMonitorProfile": {
"appMonitoring": {
"autoInstrumentation": {
"enabled": "bool"
},
"openTelemetryLogs": {
"enabled": "bool",
"port": "int"
},
"openTelemetryMetrics": {
"enabled": "bool",
"port": "int"
}
},
"containerInsights": {
"disableCustomMetrics": "bool",
"disablePrometheusMetricsScraping": "bool",
"enabled": "bool",
"logAnalyticsWorkspaceResourceId": "string",
"syslogPort": "int"
},
"metrics": {
"enabled": "bool",
"kubeStateMetrics": {
"metricAnnotationsAllowList": "string",
"metricLabelsAllowlist": "string"
}
}
},
"bootstrapProfile": {
"artifactSource": "string",
"containerRegistryId": "string"
},
"creationData": {
"sourceResourceId": "string"
},
"disableLocalAccounts": "bool",
"diskEncryptionSetID": "string",
"dnsPrefix": "string",
"enableNamespaceResources": "bool",
"enablePodSecurityPolicy": "bool",
"enableRBAC": "bool",
"fqdnSubdomain": "string",
"httpProxyConfig": {
"httpProxy": "string",
"httpsProxy": "string",
"noProxy": [ "string" ],
"trustedCa": "string"
},
"identityProfile": {
"{customized property}": {
"clientId": "string",
"objectId": "string",
"resourceId": "string"
}
},
"ingressProfile": {
"webAppRouting": {
"dnsZoneResourceIds": [ "string" ],
"enabled": "bool",
"nginx": {
"defaultIngressControllerType": "string"
}
}
},
"kubernetesVersion": "string",
"linuxProfile": {
"adminUsername": "string",
"ssh": {
"publicKeys": [
{
"keyData": "string"
}
]
}
},
"metricsProfile": {
"costAnalysis": {
"enabled": "bool"
}
},
"networkProfile": {
"advancedNetworking": {
"enabled": "bool",
"observability": {
"enabled": "bool"
},
"security": {
"enabled": "bool"
}
},
"dnsServiceIP": "string",
"ipFamilies": [ "string" ],
"kubeProxyConfig": {
"enabled": "bool",
"ipvsConfig": {
"scheduler": "string",
"tcpFinTimeoutSeconds": "int",
"tcpTimeoutSeconds": "int",
"udpTimeoutSeconds": "int"
},
"mode": "string"
},
"loadBalancerProfile": {
"allocatedOutboundPorts": "int",
"backendPoolType": "string",
"clusterServiceLoadBalancerHealthProbeMode": "string",
"effectiveOutboundIPs": [
{
"id": "string"
}
],
"enableMultipleStandardLoadBalancers": "bool",
"idleTimeoutInMinutes": "int",
"managedOutboundIPs": {
"count": "int",
"countIPv6": "int"
},
"outboundIPPrefixes": {
"publicIPPrefixes": [
{
"id": "string"
}
]
},
"outboundIPs": {
"publicIPs": [
{
"id": "string"
}
]
}
},
"loadBalancerSku": "string",
"natGatewayProfile": {
"effectiveOutboundIPs": [
{
"id": "string"
}
],
"idleTimeoutInMinutes": "int",
"managedOutboundIPProfile": {
"count": "int"
}
},
"networkDataplane": "string",
"networkMode": "string",
"networkPlugin": "string",
"networkPluginMode": "string",
"networkPolicy": "string",
"outboundType": "string",
"podCidr": "string",
"podCidrs": [ "string" ],
"podLinkLocalAccess": "string",
"serviceCidr": "string",
"serviceCidrs": [ "string" ],
"staticEgressGatewayProfile": {
"enabled": "bool"
}
},
"nodeProvisioningProfile": {
"mode": "string"
},
"nodeResourceGroup": "string",
"nodeResourceGroupProfile": {
"restrictionLevel": "string"
},
"oidcIssuerProfile": {
"enabled": "bool"
},
"podIdentityProfile": {
"allowNetworkPluginKubenet": "bool",
"enabled": "bool",
"userAssignedIdentities": [
{
"bindingSelector": "string",
"identity": {
"clientId": "string",
"objectId": "string",
"resourceId": "string"
},
"name": "string",
"namespace": "string"
}
],
"userAssignedIdentityExceptions": [
{
"name": "string",
"namespace": "string",
"podLabels": {
"{customized property}": "string"
}
}
]
},
"privateLinkResources": [
{
"groupId": "string",
"id": "string",
"name": "string",
"requiredMembers": [ "string" ],
"type": "string"
}
],
"publicNetworkAccess": "string",
"safeguardsProfile": {
"excludedNamespaces": [ "string" ],
"level": "string",
"version": "string"
},
"securityProfile": {
"azureKeyVaultKms": {
"enabled": "bool",
"keyId": "string",
"keyVaultNetworkAccess": "string",
"keyVaultResourceId": "string"
},
"customCATrustCertificates": [ {} ],
"defender": {
"logAnalyticsWorkspaceResourceId": "string",
"securityMonitoring": {
"enabled": "bool"
}
},
"imageCleaner": {
"enabled": "bool",
"intervalHours": "int"
},
"imageIntegrity": {
"enabled": "bool"
},
"nodeRestriction": {
"enabled": "bool"
},
"workloadIdentity": {
"enabled": "bool"
}
},
"serviceMeshProfile": {
"istio": {
"certificateAuthority": {
"plugin": {
"certChainObjectName": "string",
"certObjectName": "string",
"keyObjectName": "string",
"keyVaultId": "string",
"rootCertObjectName": "string"
}
},
"components": {
"egressGateways": [
{
"enabled": "bool"
}
],
"ingressGateways": [
{
"enabled": "bool",
"mode": "string"
}
]
},
"revisions": [ "string" ]
},
"mode": "string"
},
"servicePrincipalProfile": {
"clientId": "string",
"secret": "string"
},
"storageProfile": {
"blobCSIDriver": {
"enabled": "bool"
},
"diskCSIDriver": {
"enabled": "bool",
"version": "string"
},
"fileCSIDriver": {
"enabled": "bool"
},
"snapshotController": {
"enabled": "bool"
}
},
"supportPlan": "string",
"upgradeSettings": {
"overrideSettings": {
"forceUpgrade": "bool",
"until": "string"
}
},
"windowsProfile": {
"adminPassword": "string",
"adminUsername": "string",
"enableCSIProxy": "bool",
"gmsaProfile": {
"dnsServer": "string",
"enabled": "bool",
"rootDomainName": "string"
},
"licenseType": "string"
},
"workloadAutoScalerProfile": {
"keda": {
"enabled": "bool"
},
"verticalPodAutoscaler": {
"addonAutoscaling": "string",
"enabled": "bool"
}
}
},
"sku": {
"name": "string",
"tier": "string"
},
"tags": {
"{customized property}": "string"
}
}
Property values
AdvancedNetworking
Name | Description | Value |
---|---|---|
enabled | Enables the Advanced Networking observability and security features on AKS clusters. When set to true, all observability and security features are enabled unless explicitly disabled. If not specified, the default is false. | bool |
observability | Observability profile to enable advanced network metrics and flow logs with historical contexts. | AdvancedNetworkingObservability |
security | Security profile to enable security features on cilium based cluster. | AdvancedNetworkingSecurity |
AdvancedNetworkingObservability
Name | Description | Value |
---|---|---|
enabled | Indicates whether the Advanced Networking observability features are enabled on the cluster. | bool |
AdvancedNetworkingSecurity
Name | Description | Value |
---|---|---|
enabled | This feature allows users to configure network policies based on DNS (FQDN) names. It can be enabled only on Cilium-based clusters. If not specified, the default is false. | bool |
AgentPoolArtifactStreamingProfile
Name | Description | Value |
---|---|---|
enabled | Artifact streaming speeds up the cold-start of containers on a node through on-demand image loading. To use this feature, container images must also enable artifact streaming on ACR. If not specified, the default is false. | bool |
AgentPoolGatewayProfile
Name | Description | Value |
---|---|---|
publicIPPrefixSize | The Gateway agent pool associates one public IPPrefix for each static egress gateway to provide public egress. The size of Public IPPrefix should be selected by the user. Each node in the agent pool is assigned with one IP from the IPPrefix. The IPPrefix size thus serves as a cap on the size of the Gateway agent pool. Due to Azure public IPPrefix size limitation, the valid value range is [28, 31] (/31 = 2 nodes/IPs, /30 = 4 nodes/IPs, /29 = 8 nodes/IPs, /28 = 16 nodes/IPs). The default value is 31. | int Constraints: Min value = 28 Max value = 31 |
AgentPoolGPUProfile
Name | Description | Value |
---|---|---|
driverType | Specify the type of GPU driver to install when creating Windows agent pools. If not provided, AKS selects the driver based on system compatibility. This cannot be changed once the AgentPool has been created. This cannot be set on Linux AgentPools. For Linux AgentPools, the driver is selected based on system compatibility. | 'CUDA' 'GRID' |
installGPUDriver | The default value is true when the vmSize of the agent pool contains a GPU, false otherwise. GPU Driver Installation can only be set true when VM has an associated GPU resource. Setting this field to false prevents automatic GPU driver installation. In that case, in order for the GPU to be usable, the user must perform GPU driver installation themselves. | bool |
AgentPoolNetworkProfile
Name | Description | Value |
---|---|---|
allowedHostPorts | The port ranges that are allowed to be accessed. The specified ranges are allowed to overlap. | PortRange[] |
applicationSecurityGroups | The IDs of the application security groups which agent pool will associate when created. | string[] |
nodePublicIPTags | IPTags of instance-level public IPs. | IPTag[] |
AgentPoolSecurityProfile
Name | Description | Value |
---|---|---|
enableSecureBoot | Secure Boot is a feature of Trusted Launch which ensures that only signed operating systems and drivers can boot. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false. | bool |
enableVTPM | vTPM is a Trusted Launch feature for configuring a dedicated secure vault for keys and measurements held locally on the node. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false. | bool |
sshAccess | SSH access method of an agent pool. | 'Disabled' 'LocalUser' |
AgentPoolUpgradeSettings
Name | Description | Value |
---|---|---|
drainTimeoutInMinutes | The amount of time (in minutes) to wait on eviction of pods and graceful termination per node. This eviction wait time honors waiting on pod disruption budgets. If this time is exceeded, the upgrade fails. If not specified, the default is 30 minutes. | int Constraints: Min value = 1 Max value = 1440 |
maxSurge | This can either be set to an integer (e.g. '5') or a percentage (e.g. '50%'). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 1. For more information, including best practices, see: /azure/aks/upgrade-cluster | string |
maxUnavailable | This can either be set to an integer (e.g. '1') or a percentage (e.g. '5%'). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 0. For more information, including best practices, see: /azure/aks/upgrade-cluster | string |
nodeSoakDurationInMinutes | The amount of time (in minutes) to wait after draining a node and before reimaging it and moving on to next node. If not specified, the default is 0 minutes. | int Constraints: Min value = 0 Max value = 30 |
undrainableNodeBehavior | Defines the behavior for undrainable nodes during upgrade. The most common cause of undrainable nodes is Pod Disruption Budgets (PDBs), but other issues, such as a pod termination grace period that exceeds the remaining per-node drain timeout, or a pod that is still in a running state, can also cause undrainable nodes. | 'Cordon' 'Schedule' |
AgentPoolWindowsProfile
Name | Description | Value |
---|---|---|
disableOutboundNat | The default value is false. Outbound NAT can only be disabled if the cluster outboundType is NAT Gateway and the Windows agent pool does not have node public IP enabled. | bool |
AutoScaleProfile
Name | Description | Value |
---|---|---|
maxCount | The maximum number of nodes of the specified sizes. | int |
minCount | The minimum number of nodes of the specified sizes. | int |
sizes | The list of allowed vm sizes e.g. ['Standard_E4s_v3', 'Standard_E16s_v3', 'Standard_D16s_v5']. AKS will use the first available one when auto scaling. If a VM size is unavailable (e.g. due to quota or regional capacity reasons), AKS will use the next size. | string[] |
AzureKeyVaultKms
Name | Description | Value |
---|---|---|
enabled | Whether to enable Azure Key Vault key management service. The default is false. | bool |
keyId | Identifier of Azure Key Vault key. See key identifier format for more details. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier. When Azure Key Vault key management service is disabled, leave the field empty. | string |
keyVaultNetworkAccess | Network access of the key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public. | 'Private' 'Public' |
keyVaultResourceId | Resource ID of the key vault. When keyVaultNetworkAccess is Private, this field is required and must be a valid resource ID. When keyVaultNetworkAccess is Public, leave the field empty. | string |
ClusterUpgradeSettings
Name | Description | Value |
---|---|---|
overrideSettings | Settings for overrides. | UpgradeOverrideSettings |
ContainerServiceLinuxProfile
Name | Description | Value |
---|---|---|
adminUsername | The administrator username to use for Linux VMs. | string Constraints: Pattern = ^[A-Za-z][-A-Za-z0-9_]*$ (required) |
ssh | The SSH configuration for Linux-based VMs running on Azure. | ContainerServiceSshConfiguration (required) |
ContainerServiceNetworkProfile
Name | Description | Value |
---|---|---|
advancedNetworking | Advanced Networking profile for enabling observability and security feature suite on a cluster. For more information see aka.ms/aksadvancednetworking. | AdvancedNetworking |
dnsServiceIP | An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. | string Constraints: Pattern = ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ |
ipFamilies | IP families are used to determine single-stack or dual-stack clusters. For single-stack, the expected value is IPv4. For dual-stack, the expected values are IPv4 and IPv6. | String array containing any of: 'IPv4' 'IPv6' |
kubeProxyConfig | Holds configuration customizations for kube-proxy. Any values not defined will use the kube-proxy defaulting behavior. See https://v<version>.docs.kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/ where <version> is represented by a <major version>-<minor version> string. Kubernetes version 1.23 would be '1-23'. | ContainerServiceNetworkProfileKubeProxyConfig |
loadBalancerProfile | Profile of the cluster load balancer. | ManagedClusterLoadBalancerProfile |
loadBalancerSku | The default is 'standard'. See Azure Load Balancer SKUs for more information about the differences between load balancer SKUs. | 'basic' 'standard' |
natGatewayProfile | Profile of the cluster NAT gateway. | ManagedClusterNATGatewayProfile |
networkDataplane | Network dataplane used in the Kubernetes cluster. | 'azure' 'cilium' |
networkMode | This cannot be specified if networkPlugin is anything other than 'azure'. | 'bridge' 'transparent' |
networkPlugin | Network plugin used for building the Kubernetes network. | 'azure' 'kubenet' 'none' |
networkPluginMode | Network plugin mode used for building the Kubernetes network. | 'overlay' |
networkPolicy | Network policy used for building the Kubernetes network. | 'azure' 'calico' 'cilium' 'none' |
outboundType | This can only be set at cluster creation time and cannot be changed later. For more information see egress outbound type. | 'loadBalancer' 'managedNATGateway' 'none' 'userAssignedNATGateway' 'userDefinedRouting' |
podCidr | A CIDR notation IP range from which to assign pod IPs when kubenet is used. | string Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$ |
podCidrs | One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), are expected for dual-stack networking. | string[] |
podLinkLocalAccess | Defines access to special link-local addresses (Azure Instance Metadata Service, aka IMDS) for pods with hostNetwork=false. If not specified, the default is 'IMDS'. | 'IMDS' 'None' |
serviceCidr | A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. | string Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$ |
serviceCidrs | One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), are expected for dual-stack networking. They must not overlap with any Subnet IP ranges. | string[] |
staticEgressGatewayProfile | The profile for Static Egress Gateway addon. For more details about Static Egress Gateway, see https://aka.ms/aks/static-egress-gateway. | ManagedClusterStaticEgressGatewayProfile |
ContainerServiceNetworkProfileKubeProxyConfig
Name | Description | Value |
---|---|---|
enabled | Whether to enable kube-proxy on the cluster (if no 'kubeProxyConfig' exists, kube-proxy is enabled in AKS by default without these customizations). | bool |
ipvsConfig | Holds configuration customizations for IPVS. May only be specified if 'mode' is set to 'IPVS'. | ContainerServiceNetworkProfileKubeProxyConfigIpvsConfig |
mode | Specify which proxy mode to use ('IPTABLES' or 'IPVS') | 'IPTABLES' 'IPVS' |
ContainerServiceNetworkProfileKubeProxyConfigIpvsConfig
Name | Description | Value |
---|---|---|
scheduler | IPVS scheduler, for more information please see http://www.linuxvirtualserver.org/docs/scheduling.html. | 'LeastConnection' 'RoundRobin' |
tcpFinTimeoutSeconds | The timeout value used for IPVS TCP sessions after receiving a FIN in seconds. Must be a positive integer value. | int |
tcpTimeoutSeconds | The timeout value used for idle IPVS TCP sessions in seconds. Must be a positive integer value. | int |
udpTimeoutSeconds | The timeout value used for IPVS UDP packets in seconds. Must be a positive integer value. | int |
ContainerServiceSshConfiguration
Name | Description | Value |
---|---|---|
publicKeys | The list of SSH public keys used to authenticate with Linux-based VMs. A maximum of 1 key may be specified. | ContainerServiceSshPublicKey[] (required) |
ContainerServiceSshPublicKey
Name | Description | Value |
---|---|---|
keyData | Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers. | string (required) |
CreationData
Name | Description | Value |
---|---|---|
sourceResourceId | This is the ARM ID of the source object to be used to create the target object. | string |
DelegatedResource
Name | Description | Value |
---|---|---|
location | The source resource location - internal use only. | string |
referralResource | The delegation id of the referral delegation (optional) - internal use only. | string |
resourceId | The ARM resource id of the delegated resource - internal use only. | string |
tenantId | The tenant id of the delegated resource - internal use only. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
DelegatedResources
Name | Description | Value |
---|
ExtendedLocation
Name | Description | Value |
---|---|---|
name | The name of the extended location. | string |
type | The type of the extended location. | 'EdgeZone' |
IPTag
Name | Description | Value |
---|---|---|
ipTagType | The IP tag type. Example: RoutingPreference. | string |
tag | The value of the IP tag associated with the public IP. Example: Internet. | string |
IstioCertificateAuthority
Name | Description | Value |
---|---|---|
plugin | Plugin certificates information for Service Mesh. | IstioPluginCertificateAuthority |
IstioComponents
Name | Description | Value |
---|---|---|
egressGateways | Istio egress gateways. | IstioEgressGateway[] |
ingressGateways | Istio ingress gateways. | IstioIngressGateway[] |
IstioEgressGateway
Name | Description | Value |
---|---|---|
enabled | Whether to enable the egress gateway. | bool (required) |
IstioIngressGateway
Name | Description | Value |
---|---|---|
enabled | Whether to enable the ingress gateway. | bool (required) |
mode | Mode of an ingress gateway. | 'External' 'Internal' (required) |
IstioPluginCertificateAuthority
Name | Description | Value |
---|---|---|
certChainObjectName | Certificate chain object name in Azure Key Vault. | string |
certObjectName | Intermediate certificate object name in Azure Key Vault. | string |
keyObjectName | Intermediate certificate private key object name in Azure Key Vault. | string |
keyVaultId | The resource ID of the Key Vault. | string |
rootCertObjectName | Root certificate object name in Azure Key Vault. | string |
IstioServiceMesh
Name | Description | Value |
---|---|---|
certificateAuthority | Istio Service Mesh Certificate Authority (CA) configuration. For now, we only support plugin certificates as described here https://aka.ms/asm-plugin-ca | IstioCertificateAuthority |
components | Istio components configuration. | IstioComponents |
revisions | The list of revisions of the Istio control plane. When an upgrade is not in progress, this holds one value. When canary upgrade is in progress, this can only hold two consecutive values. For more information, see: /azure/aks/istio-upgrade | string[] |
KubeletConfig
Name | Description | Value |
---|---|---|
allowedUnsafeSysctls | Allowed list of unsafe sysctls or unsafe sysctl patterns (ending in *). | string[] |
containerLogMaxFiles | The maximum number of container log files that can be present for a container. The number must be ≥ 2. | int Constraints: Min value = 2 |
containerLogMaxSizeMB | The maximum size (e.g. 10Mi) of container log file before it is rotated. | int |
cpuCfsQuota | The default is true. | bool |
cpuCfsQuotaPeriod | The default is '100ms'. Valid values are a sequence of decimal numbers with an optional fraction and a unit suffix. For example: '300ms', '2h45m'. Supported units are 'ns', 'us', 'ms', 's', 'm', and 'h'. | string |
cpuManagerPolicy | The default is 'none'. See Kubernetes CPU management policies for more information. Allowed values are 'none' and 'static'. | string |
failSwapOn | If set to true, the Kubelet fails to start if swap is enabled on the node. | bool |
imageGcHighThreshold | To disable image garbage collection, set to 100. The default is 85%. | int |
imageGcLowThreshold | This cannot be set higher than imageGcHighThreshold. The default is 80%. | int |
podMaxPids | The maximum number of processes per pod. | int |
seccompDefault | Specifies the default seccomp profile applied to all workloads. If not specified, 'Unconfined' will be used by default. | 'RuntimeDefault' 'Unconfined' |
topologyManagerPolicy | For more information see Kubernetes Topology Manager. The default is 'none'. Allowed values are 'none', 'best-effort', 'restricted', and 'single-numa-node'. | string |
LinuxOSConfig
Name | Description | Value |
---|---|---|
swapFileSizeMB | The size in MB of a swap file that will be created on each node. | int |
sysctls | Sysctl settings for Linux agent nodes. | SysctlConfig |
transparentHugePageDefrag | Valid values are 'always', 'defer', 'defer+madvise', 'madvise' and 'never'. The default is 'madvise'. For more information see Transparent Hugepages. | string |
transparentHugePageEnabled | Valid values are 'always', 'madvise', and 'never'. The default is 'always'. For more information see Transparent Hugepages. | string |
ManagedClusterAADProfile
Name | Description | Value |
---|---|---|
adminGroupObjectIDs | The list of AAD group object IDs that will have admin role of the cluster. | string[] |
clientAppID | (DEPRECATED) The client AAD application ID. Learn more at https://aka.ms/aks/aad-legacy. | string |
enableAzureRBAC | Whether to enable Azure RBAC for Kubernetes authorization. | bool |
managed | Whether to enable managed AAD. | bool |
serverAppID | (DEPRECATED) The server AAD application ID. Learn more at https://aka.ms/aks/aad-legacy. | string |
serverAppSecret | (DEPRECATED) The server AAD application secret. Learn more at https://aka.ms/aks/aad-legacy. | string |
tenantID | The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription. | string |
ManagedClusterAddonProfile
Name | Description | Value |
---|---|---|
config | Key-value pairs for configuring an add-on. | ManagedClusterAddonProfileConfig |
enabled | Whether the add-on is enabled or not. | bool (required) |
ManagedClusterAddonProfileConfig
Name | Description | Value |
---|
ManagedClusterAgentPoolProfile
Name | Description | Value |
---|---|---|
artifactStreamingProfile | Configuration for using artifact streaming on AKS. | AgentPoolArtifactStreamingProfile |
availabilityZones | The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is 'VirtualMachineScaleSets'. | string[] |
capacityReservationGroupID | AKS will associate the specified agent pool with the Capacity Reservation Group. | string |
count | Number of agents (VMs) to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1. | int |
creationData | CreationData to be used to specify the source Snapshot ID if the node pool will be created/upgraded using a snapshot. | CreationData |
enableAutoScaling | Whether to enable auto-scaler | bool |
enableCustomCATrust | When set to true, AKS adds a label to the node indicating that the feature is enabled and deploys a daemonset along with host services to sync custom certificate authorities from a user-provided list of base64-encoded certificates into node trust stores. Defaults to false. | bool |
enableEncryptionAtHost | This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption | bool |
enableFIPS | See Add a FIPS-enabled node pool for more details. | bool |
enableNodePublicIP | Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node. The default is false. | bool |
enableUltraSSD | Whether to enable UltraSSD | bool |
gatewayProfile | Profile specific to a managed agent pool in Gateway mode. This field cannot be set if agent pool mode is not Gateway. | AgentPoolGatewayProfile |
gpuInstanceProfile | GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. | 'MIG1g' 'MIG2g' 'MIG3g' 'MIG4g' 'MIG7g' |
gpuProfile | The GPU settings of an agent pool. | AgentPoolGPUProfile |
hostGroupID | This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/hostGroups/{hostGroupName}. For more information see Azure dedicated hosts. | string |
kubeletConfig | The Kubelet configuration on the agent pool nodes. | KubeletConfig |
kubeletDiskType | Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. | 'OS' 'Temporary' |
linuxOSConfig | The OS configuration of Linux agent nodes. | LinuxOSConfig |
maxCount | The maximum number of nodes for auto-scaling | int |
maxPods | The maximum number of pods that can run on a node. | int |
messageOfTheDay | A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of the message of the day for Linux nodes. It must not be specified for Windows nodes. It must be a static string (i.e., will be printed raw and not be executed as a script). | string |
minCount | The minimum number of nodes for auto-scaling | int |
mode | A cluster must have at least one 'System' Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: /azure/aks/use-system-pools | 'Gateway' 'System' 'User' |
name | Windows agent pool names must be 6 characters or less. | string Constraints: Pattern = ^[a-z][a-z0-9]{0,11}$ (required) |
networkProfile | Network-related settings of an agent pool. | AgentPoolNetworkProfile |
nodeInitializationTaints | These taints will not be reconciled by AKS and can be removed with a kubectl call. This field can be modified after the node pool is created, but nodes will not be recreated with new taints until another operation that requires recreation (e.g. node image upgrade) happens. These taints allow required configuration to run before the node is ready to accept workloads, for example 'key1=value1:NoSchedule', which can then be removed with kubectl taint nodes node1 key1=value1:NoSchedule- | string[] |
nodeLabels | The node labels to be persisted across all nodes in agent pool. | ManagedClusterAgentPoolProfilePropertiesNodeLabels |
nodePublicIPPrefixID | This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPPrefixes/{publicIPPrefixName} | string |
nodeTaints | The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. | string[] |
orchestratorVersion | Both patch version <major.minor.patch> and <major.minor> are supported. When <major.minor> is specified, the latest supported patch version is chosen automatically. Updating the agent pool with the same <major.minor> once it has been created will not trigger an upgrade, even if a newer patch version is available. As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool. | string |
osDiskSizeGB | OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. | int Constraints: Min value = 0 Max value = 2048 |
osDiskType | The default is 'Ephemeral' if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. For more information see Ephemeral OS. | 'Ephemeral' 'Managed' |
osSKU | Specifies the OS SKU used by the agent pool. If not specified, the default is Ubuntu if OSType=Linux or Windows2019 if OSType=Windows. The default Windows OSSKU will change to Windows2022 after Windows2019 is deprecated. | 'AzureLinux' 'CBLMariner' 'Mariner' 'Ubuntu' 'Windows2019' 'Windows2022' 'WindowsAnnual' |
osType | The operating system type. The default is Linux. | 'Linux' 'Windows' |
podIPAllocationMode | The IP allocation mode for pods in the agent pool. Must be used with podSubnetId. The default is 'DynamicIndividual'. | 'DynamicIndividual' 'StaticBlock' |
podSubnetID | If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} | string |
powerState | When an Agent Pool is first created it is initially Running. The Agent Pool can be stopped by setting this field to Stopped. A stopped Agent Pool stops all of its VMs and does not accrue billing charges. An Agent Pool can only be stopped if it is Running and its provisioning state is Succeeded. | PowerState |
proximityPlacementGroupID | The ID for Proximity Placement Group. | string |
scaleDownMode | This also affects the cluster autoscaler behavior. If not specified, it defaults to Delete. | 'Deallocate' 'Delete' |
scaleSetEvictionPolicy | This cannot be specified unless the scaleSetPriority is 'Spot'. If not specified, the default is 'Delete'. | 'Deallocate' 'Delete' |
scaleSetPriority | The Virtual Machine Scale Set priority. If not specified, the default is 'Regular'. | 'Regular' 'Spot' |
securityProfile | The security settings of an agent pool. | AgentPoolSecurityProfile |
spotMaxPrice | Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing | int |
tags | The tags to be persisted on the agent pool virtual machine scale set. | ManagedClusterAgentPoolProfilePropertiesTags |
type | The type of Agent Pool. | 'AvailabilitySet' 'VirtualMachines' 'VirtualMachineScaleSets' |
upgradeSettings | Settings for upgrading the agentpool | AgentPoolUpgradeSettings |
virtualMachineNodesStatus | The status of nodes in a VirtualMachines agent pool. | VirtualMachineNodes[] |
virtualMachinesProfile | Specifications on VirtualMachines agent pool. | VirtualMachinesProfile |
vmSize | VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: /azure/aks/quotas-skus-regions | string |
vnetSubnetID | If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} | string |
windowsProfile | The Windows agent pool's specific profile. | AgentPoolWindowsProfile |
workloadRuntime | Determines the type of workload a node can run. | 'KataMshvVmIsolation' 'OCIContainer' 'WasmWasi' |
ManagedClusterAgentPoolProfilePropertiesNodeLabels
Name | Description | Value |
---|
ManagedClusterAgentPoolProfilePropertiesTags
Name | Description | Value |
---|
ManagedClusterAIToolchainOperatorProfile
Name | Description | Value |
---|---|---|
enabled | Indicates if AI toolchain operator enabled or not. | bool |
ManagedClusterAPIServerAccessProfile
Name | Description | Value |
---|---|---|
authorizedIPRanges | IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. If omitted, the API server endpoint accepts connections from any source address; the list restricts network reachability only and is not a substitute for authentication and RBAC. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. For more information see API server authorized IP ranges. | string[] |
disableRunCommand | Whether to disable the run command feature for the cluster. Run command lets Azure-authorized callers execute commands against the cluster through the Azure control plane; set this to true if that access path is not needed (for example on private clusters where all access should go through the private endpoint). | bool |
enablePrivateCluster | For more details, see Creating a private AKS cluster. | bool |
enablePrivateClusterPublicFQDN | Whether to create additional public FQDN for private cluster or not. | bool |
enableVnetIntegration | Whether to enable apiserver vnet integration for the cluster or not. | bool |
privateDNSZone | The default is System. For more details see configure private DNS zone. Allowed values are 'system' and 'none'. | string |
subnetId | It is required when: 1. creating a new cluster with BYO Vnet; 2. updating an existing cluster to enable apiserver vnet integration. | string |
ManagedClusterAutoUpgradeProfile
Name | Description | Value |
---|---|---|
nodeOSUpgradeChannel | The default is Unmanaged, but may change to either NodeImage or SecurityPatch at GA. | 'NodeImage' 'None' 'SecurityPatch' 'Unmanaged' |
upgradeChannel | For more information see setting the AKS cluster auto-upgrade channel. | 'node-image' 'none' 'patch' 'rapid' 'stable' |
ManagedClusterAzureMonitorProfile
Name | Description | Value |
---|---|---|
appMonitoring | Application Monitoring Profile for Kubernetes Application Container. Collects application logs, metrics and traces through auto-instrumentation of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview. | ManagedClusterAzureMonitorProfileAppMonitoring |
containerInsights | Azure Monitor Container Insights Profile for Kubernetes Events, Inventory and Container stdout & stderr logs etc. See aka.ms/AzureMonitorContainerInsights for an overview. | ManagedClusterAzureMonitorProfileContainerInsights |
metrics | Metrics profile for the prometheus service addon | ManagedClusterAzureMonitorProfileMetrics |
ManagedClusterAzureMonitorProfileAppMonitoring
Name | Description | Value |
---|---|---|
autoInstrumentation | Application Monitoring Auto Instrumentation for Kubernetes Application Container. Deploys web hook to auto-instrument Azure Monitor OpenTelemetry based SDKs to collect OpenTelemetry metrics, logs and traces of the application. See aka.ms/AzureMonitorApplicationMonitoring for an overview. | ManagedClusterAzureMonitorProfileAppMonitoringAutoInstrumentation |
openTelemetryLogs | Application Monitoring Open Telemetry Metrics Profile for Kubernetes Application Container Logs and Traces. Collects OpenTelemetry logs and traces of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview. | ManagedClusterAzureMonitorProfileAppMonitoringOpenTelemetryLogs |
openTelemetryMetrics | Application Monitoring Open Telemetry Metrics Profile for Kubernetes Application Container Metrics. Collects OpenTelemetry metrics of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview. | ManagedClusterAzureMonitorProfileAppMonitoringOpenTelemetryMetrics |
ManagedClusterAzureMonitorProfileAppMonitoringAutoInstrumentation
Name | Description | Value |
---|---|---|
enabled | Indicates if Application Monitoring Auto Instrumentation is enabled or not. | bool |
ManagedClusterAzureMonitorProfileAppMonitoringOpenTelemetryLogs
Name | Description | Value |
---|---|---|
enabled | Indicates if Application Monitoring Open Telemetry Logs and traces is enabled or not. | bool |
port | The Open Telemetry host port for Open Telemetry logs and traces. If not specified, the default port is 28331. | int |
ManagedClusterAzureMonitorProfileAppMonitoringOpenTelemetryMetrics
Name | Description | Value |
---|---|---|
enabled | Indicates if Application Monitoring Open Telemetry Metrics is enabled or not. | bool |
port | The Open Telemetry host port for Open Telemetry metrics. If not specified, the default port is 28333. | int |
ManagedClusterAzureMonitorProfileContainerInsights
Name | Description | Value |
---|---|---|
disableCustomMetrics | Indicates whether custom metrics collection is disabled. If not specified the default is false. Note that even when this field is false, no custom metrics are emitted unless the Container Insights enabled field is true. | bool |
disablePrometheusMetricsScraping | Indicates whether Prometheus metrics scraping is disabled. If not specified the default is false. Note that even when this field is false, no Prometheus metrics are emitted unless the Container Insights enabled field is true. | bool |
enabled | Indicates if Azure Monitor Container Insights Logs Addon is enabled or not. | bool |
logAnalyticsWorkspaceResourceId | Fully Qualified ARM Resource Id of Azure Log Analytics Workspace for storing Azure Monitor Container Insights Logs. | string |
syslogPort | The syslog host port. If not specified, the default port is 28330. | int |
ManagedClusterAzureMonitorProfileKubeStateMetrics
Name | Description | Value |
---|---|---|
metricAnnotationsAllowList | Comma-separated list of additional Kubernetes annotation keys that will be used in the resource's annotations metric. | string |
metricLabelsAllowlist | Comma-separated list of Kubernetes label keys that will be used in the resource's labels metric. | string |
ManagedClusterAzureMonitorProfileMetrics
Name | Description | Value |
---|---|---|
enabled | Whether to enable the Prometheus collector | bool (required) |
kubeStateMetrics | Kube State Metrics for prometheus addon profile for the container service cluster | ManagedClusterAzureMonitorProfileKubeStateMetrics |
ManagedClusterBootstrapProfile
Name | Description | Value |
---|---|---|
artifactSource | The source where the artifacts are downloaded from. | 'Cache' 'Direct' |
containerRegistryId | The resource Id of Azure Container Registry. The registry must have private network access, premium SKU and zone redundancy. | string |
ManagedClusterCostAnalysis
Name | Description | Value |
---|---|---|
enabled | The Managed Cluster sku.tier must be set to 'Standard' or 'Premium' to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. If not specified, the default is false. For more information see aka.ms/aks/docs/cost-analysis. | bool |
ManagedClusterHttpProxyConfig
Name | Description | Value |
---|---|---|
httpProxy | The HTTP proxy server endpoint to use. | string |
httpsProxy | The HTTPS proxy server endpoint to use. | string |
noProxy | The endpoints that should not go through proxy. | string[] |
trustedCa | Alternative CA cert to use for connecting to proxy servers. | string |
ManagedClusterIdentity
Name | Description | Value |
---|---|---|
delegatedResources | The delegated identity resources assigned to this managed cluster. This can only be set by another Azure Resource Provider, and managed cluster only accept one delegated identity resource. Internal use only. | DelegatedResources |
type | For more information see use managed identities in AKS. | 'None' 'SystemAssigned' 'UserAssigned' |
userAssignedIdentities | The keys must be ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | ManagedClusterIdentityUserAssignedIdentities |
ManagedClusterIdentityUserAssignedIdentities
Name | Description | Value |
---|
ManagedClusterIngressProfile
Name | Description | Value |
---|---|---|
webAppRouting | Web App Routing settings for the ingress profile. | ManagedClusterIngressProfileWebAppRouting |
ManagedClusterIngressProfileNginx
Name | Description | Value |
---|---|---|
defaultIngressControllerType | Ingress type for the default NginxIngressController custom resource | 'AnnotationControlled' 'External' 'Internal' 'None' |
ManagedClusterIngressProfileWebAppRouting
Name | Description | Value |
---|---|---|
dnsZoneResourceIds | Resource IDs of the DNS zones to be associated with the Web App Routing add-on. Used only when Web App Routing is enabled. Public and private DNS zones can be in different resource groups, but all public DNS zones must be in the same resource group and all private DNS zones must be in the same resource group. | string[] |
enabled | Whether to enable Web App Routing. | bool |
nginx | Configuration for the default NginxIngressController. See more at /azure/aks/app-routing-nginx-configuration#the-default-nginx-ingress-controller. | ManagedClusterIngressProfileNginx |
ManagedClusterLoadBalancerProfile
Name | Description | Value |
---|---|---|
allocatedOutboundPorts | The desired number of allocated SNAT ports per VM. Allowed values are in the range of 0 to 64000 (inclusive). The default value is 0 which results in Azure dynamically allocating ports. | int Constraints: Min value = 0 Max value = 64000 |
backendPoolType | The type of the managed inbound Load Balancer BackendPool. | 'NodeIP' 'NodeIPConfiguration' |
clusterServiceLoadBalancerHealthProbeMode | The health probing behavior for External Traffic Policy Cluster services. | 'ServiceNodePort' 'Shared' |
effectiveOutboundIPs | The effective outbound IP resources of the cluster load balancer. | ResourceReference[] |
enableMultipleStandardLoadBalancers | Enable multiple standard load balancers per AKS cluster or not. | bool |
idleTimeoutInMinutes | Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 30 minutes. | int Constraints: Min value = 4 Max value = 120 |
managedOutboundIPs | Desired managed outbound IPs for the cluster load balancer. | ManagedClusterLoadBalancerProfileManagedOutboundIPs |
outboundIPPrefixes | Desired outbound IP Prefix resources for the cluster load balancer. | ManagedClusterLoadBalancerProfileOutboundIPPrefixes |
outboundIPs | Desired outbound IP resources for the cluster load balancer. | ManagedClusterLoadBalancerProfileOutboundIPs |
ManagedClusterLoadBalancerProfileManagedOutboundIPs
Name | Description | Value |
---|---|---|
count | The desired number of IPv4 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1. | int Constraints: Min value = 1 Max value = 100 |
countIPv6 | The desired number of IPv6 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 0 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack. | int Constraints: Min value = 0 Max value = 100 |
ManagedClusterLoadBalancerProfileOutboundIPPrefixes
Name | Description | Value |
---|---|---|
publicIPPrefixes | A list of public IP prefix resources. | ResourceReference[] |
ManagedClusterLoadBalancerProfileOutboundIPs
Name | Description | Value |
---|---|---|
publicIPs | A list of public IP resources. | ResourceReference[] |
ManagedClusterManagedOutboundIPProfile
Name | Description | Value |
---|---|---|
count | The desired number of outbound IPs created/managed by Azure. Allowed values must be in the range of 1 to 16 (inclusive). The default value is 1. | int Constraints: Min value = 1 Max value = 16 |
ManagedClusterMetricsProfile
Name | Description | Value |
---|---|---|
costAnalysis | The cost analysis configuration for the cluster | ManagedClusterCostAnalysis |
ManagedClusterNATGatewayProfile
Name | Description | Value |
---|---|---|
effectiveOutboundIPs | The effective outbound IP resources of the cluster NAT gateway. | ResourceReference[] |
idleTimeoutInMinutes | Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 4 minutes. | int Constraints: Min value = 4 Max value = 120 |
managedOutboundIPProfile | Profile of the managed outbound IP resources of the cluster NAT gateway. | ManagedClusterManagedOutboundIPProfile |
ManagedClusterNodeProvisioningProfile
Name | Description | Value |
---|---|---|
mode | Once the mode is set to Auto, it cannot be changed back to Manual. | 'Auto' 'Manual' |
ManagedClusterNodeResourceGroupProfile
Name | Description | Value |
---|---|---|
restrictionLevel | The restriction level applied to the cluster's node resource group | 'ReadOnly' 'Unrestricted' |
ManagedClusterOidcIssuerProfile
Name | Description | Value |
---|---|---|
enabled | Whether the OIDC issuer is enabled. | bool |
ManagedClusterPodIdentity
Name | Description | Value |
---|---|---|
bindingSelector | The binding selector to use for the AzureIdentityBinding resource. | string |
identity | The user assigned identity details. | UserAssignedIdentity (required) |
name | The name of the pod identity. | string (required) |
namespace | The namespace of the pod identity. | string (required) |
ManagedClusterPodIdentityException
Name | Description | Value |
---|---|---|
name | The name of the pod identity exception. | string (required) |
namespace | The namespace of the pod identity exception. | string (required) |
podLabels | The pod labels to match. | ManagedClusterPodIdentityExceptionPodLabels (required) |
ManagedClusterPodIdentityExceptionPodLabels
Name | Description | Value |
---|
ManagedClusterPodIdentityProfile
Name | Description | Value |
---|---|---|
allowNetworkPluginKubenet | Running on kubenet is disabled by default because of the security-sensitive nature of AAD Pod Identity and the risk of IP spoofing on that network plugin. Only set this to true after reviewing that risk. See using Kubenet network plugin with AAD Pod Identity for more information. | bool |
enabled | Whether the pod identity addon is enabled. | bool |
userAssignedIdentities | The pod identities to use in the cluster. | ManagedClusterPodIdentity[] |
userAssignedIdentityExceptions | The pod identity exceptions to allow. | ManagedClusterPodIdentityException[] |
ManagedClusterProperties
Name | Description | Value |
---|---|---|
aadProfile | The Azure Active Directory configuration. | ManagedClusterAADProfile |
addonProfiles | The profile of managed cluster add-on. | ManagedClusterPropertiesAddonProfiles |
agentPoolProfiles | The agent pool properties. | ManagedClusterAgentPoolProfile[] |
aiToolchainOperatorProfile | AI toolchain operator settings that apply to the whole cluster. | ManagedClusterAIToolchainOperatorProfile |
apiServerAccessProfile | The access profile for managed cluster API server. | ManagedClusterAPIServerAccessProfile |
autoScalerProfile | Parameters to be applied to the cluster-autoscaler when enabled | ManagedClusterPropertiesAutoScalerProfile |
autoUpgradeProfile | The auto upgrade configuration. | ManagedClusterAutoUpgradeProfile |
azureMonitorProfile | Prometheus addon profile for the container service cluster | ManagedClusterAzureMonitorProfile |
bootstrapProfile | Profile of the cluster bootstrap configuration. | ManagedClusterBootstrapProfile |
creationData | CreationData to be used to specify the source Snapshot ID if the cluster will be created/upgraded using a snapshot. | CreationData |
disableLocalAccounts | If set to true, retrieval of static local credentials for this cluster is disabled, so cluster access must go through AAD. This must only be used on Managed Clusters that are AAD enabled. For more details see disable local accounts. | bool |
diskEncryptionSetID | This is of the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/diskEncryptionSets/{encryptionSetName}' | string |
dnsPrefix | This cannot be updated once the Managed Cluster has been created. | string |
enableNamespaceResources | The default value is false. It can be enabled/disabled on creation and updating of the managed cluster. See https://aka.ms/NamespaceARMResource for more details on Namespace as an ARM Resource. | bool |
enablePodSecurityPolicy | (DEPRECATED) Whether to enable Kubernetes pod security policy (preview). PodSecurityPolicy was deprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25. Learn more at https://aka.ms/k8s/psp and https://aka.ms/aks/psp. | bool |
enableRBAC | Whether to enable Kubernetes Role-Based Access Control. | bool |
fqdnSubdomain | This cannot be updated once the Managed Cluster has been created. | string |
httpProxyConfig | Configurations for provisioning the cluster with HTTP proxy servers. | ManagedClusterHttpProxyConfig |
identityProfile | The user identity associated with the managed cluster. This identity will be used by the kubelet. Only one user assigned identity is allowed. The only accepted key is "kubeletidentity", with value of "resourceId": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}". | ManagedClusterPropertiesIdentityProfile |
ingressProfile | Ingress profile for the managed cluster. | ManagedClusterIngressProfile |
kubernetesVersion | When you upgrade a supported AKS cluster, Kubernetes minor versions cannot be skipped. All upgrades must be performed sequentially by minor version number. For example, upgrades between 1.14.x -> 1.15.x or 1.15.x -> 1.16.x are allowed, however 1.14.x -> 1.16.x is not allowed. See upgrading an AKS cluster for more details. | string |
linuxProfile | The profile for Linux VMs in the Managed Cluster. | ContainerServiceLinuxProfile |
metricsProfile | Optional cluster metrics configuration. | ManagedClusterMetricsProfile |
networkProfile | The network configuration profile. | ContainerServiceNetworkProfile |
nodeProvisioningProfile | Node provisioning settings that apply to the whole cluster. | ManagedClusterNodeProvisioningProfile |
nodeResourceGroup | The name of the resource group containing agent pool nodes. | string |
nodeResourceGroupProfile | The node resource group configuration profile. | ManagedClusterNodeResourceGroupProfile |
oidcIssuerProfile | The OIDC issuer profile of the Managed Cluster. | ManagedClusterOidcIssuerProfile |
podIdentityProfile | See use AAD pod identity for more details on AAD pod identity integration. | ManagedClusterPodIdentityProfile |
privateLinkResources | Private link resources associated with the cluster. | PrivateLinkResource[] |
publicNetworkAccess | Allow or deny public network access for AKS | 'Disabled' 'Enabled' 'SecuredByPerimeter' |
safeguardsProfile | The Safeguards profile holds all the safeguards information for a given cluster | SafeguardsProfile |
securityProfile | Security profile for the managed cluster. | ManagedClusterSecurityProfile |
serviceMeshProfile | Service mesh profile for a managed cluster. | ServiceMeshProfile |
servicePrincipalProfile | Information about a service principal identity for the cluster to use for manipulating Azure APIs. | ManagedClusterServicePrincipalProfile |
storageProfile | Storage profile for the managed cluster. | ManagedClusterStorageProfile |
supportPlan | The support plan for the Managed Cluster. If unspecified, the default is 'KubernetesOfficial'. | 'AKSLongTermSupport' 'KubernetesOfficial' |
upgradeSettings | Settings for upgrading a cluster. | ClusterUpgradeSettings |
windowsProfile | The profile for Windows VMs in the Managed Cluster. | ManagedClusterWindowsProfile |
workloadAutoScalerProfile | Workload Auto-scaler profile for the managed cluster. | ManagedClusterWorkloadAutoScalerProfile |
ManagedClusterPropertiesAddonProfiles
Name | Description | Value |
---|
ManagedClusterPropertiesAutoScalerProfile
Name | Description | Value |
---|---|---|
balance-similar-node-groups | Valid values are 'true' and 'false' | string |
daemonset-eviction-for-empty-nodes | If set to true, all daemonset pods on empty nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted. | bool |
daemonset-eviction-for-occupied-nodes | If set to true, all daemonset pods on occupied nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted. | bool |
expander | Available values are: 'least-waste', 'most-pods', 'priority', 'random'. | 'least-waste' 'most-pods' 'priority' 'random' |
ignore-daemonsets-utilization | If set to true, the resources used by DaemonSet pods are ignored (not taken into account) when calculating node utilization for scale-down decisions. | bool |
max-empty-bulk-delete | The default is 10. | string |
max-graceful-termination-sec | The default is 600. | string |
max-node-provision-time | The default is '15m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string |
max-total-unready-percentage | The default is 45. The maximum is 100 and the minimum is 0. | string |
new-pod-scale-up-delay | For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. The default is '0s'. Values must be an integer followed by a unit ('s' for seconds, 'm' for minutes, 'h' for hours, etc). | string |
ok-total-unready-count | This must be an integer. The default is 3. | string |
scale-down-delay-after-add | The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string |
scale-down-delay-after-delete | The default is the scan-interval. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string |
scale-down-delay-after-failure | The default is '3m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string |
scale-down-unneeded-time | The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string |
scale-down-unready-time | The default is '20m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string |
scale-down-utilization-threshold | The default is '0.5'. | string |
scan-interval | The default is '10'. Values must be an integer number of seconds. | string |
skip-nodes-with-local-storage | The default is true. | string |
skip-nodes-with-system-pods | The default is true. | string |
ManagedClusterPropertiesIdentityProfile
Name | Description | Value |
---|
ManagedClusterSecurityProfile
Name | Description | Value |
---|---|---|
azureKeyVaultKms | Azure Key Vault key management service settings for the security profile. | AzureKeyVaultKms |
customCATrustCertificates | A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the Custom CA Trust feature enabled. Each entry becomes a trust anchor on the node, so any certificate chaining to one of these CAs will be trusted by node components; only add CAs you control. For more information see Custom CA Trust Certificates | any[] |
defender | Microsoft Defender settings for the security profile. | ManagedClusterSecurityProfileDefender |
imageCleaner | Image Cleaner settings for the security profile. | ManagedClusterSecurityProfileImageCleaner |
imageIntegrity | Image integrity is a feature that works with Azure Policy to verify image integrity by signature. This will not have any effect unless Azure Policy is applied to enforce image signatures. See https://aka.ms/aks/image-integrity for how to use this feature via policy. | ManagedClusterSecurityProfileImageIntegrity |
nodeRestriction | Node Restriction settings for the security profile. | ManagedClusterSecurityProfileNodeRestriction |
workloadIdentity | Workload identity settings for the security profile. Workload identity enables Kubernetes applications to access Azure cloud resources securely with Azure AD. See https://aka.ms/aks/wi for more details. | ManagedClusterSecurityProfileWorkloadIdentity |
ManagedClusterSecurityProfileDefender
Name | Description | Value |
---|---|---|
logAnalyticsWorkspaceResourceId | Resource ID of the Log Analytics workspace to be associated with Microsoft Defender. When Microsoft Defender is enabled, this field is required and must be a valid workspace resource ID. When Microsoft Defender is disabled, leave the field empty. | string |
securityMonitoring | Microsoft Defender threat detection for Cloud settings for the security profile. | ManagedClusterSecurityProfileDefenderSecurityMonitoring |
ManagedClusterSecurityProfileDefenderSecurityMonitoring
Name | Description | Value |
---|---|---|
enabled | Whether to enable Defender threat detection | bool |
ManagedClusterSecurityProfileImageCleaner
Name | Description | Value |
---|---|---|
enabled | Whether to enable Image Cleaner on AKS cluster. | bool |
intervalHours | Image Cleaner scanning interval in hours. | int |
ManagedClusterSecurityProfileImageIntegrity
Name | Description | Value |
---|---|---|
enabled | Whether to enable image integrity. The default value is false. | bool |
ManagedClusterSecurityProfileNodeRestriction
Name | Description | Value |
---|---|---|
enabled | Whether to enable Node Restriction | bool |
ManagedClusterSecurityProfileWorkloadIdentity
Name | Description | Value |
---|---|---|
enabled | Whether to enable workload identity. | bool |
ManagedClusterServicePrincipalProfile
Name | Description | Value |
---|---|---|
clientId | The ID for the service principal. | string (required) |
secret | The secret password associated with the service principal in plain text. Because this value is sensitive, supply it through a secure template parameter rather than embedding it in the template or committing it to source control. | string |
ManagedClusterSKU
Name | Description | Value |
---|---|---|
name | The name of a managed cluster SKU. | 'Automatic' 'Base' |
tier | If not specified, the default is 'Free'. See AKS Pricing Tier for more details. | 'Free' 'Premium' 'Standard' |
ManagedClusterStaticEgressGatewayProfile
Name | Description | Value |
---|---|---|
enabled | Indicates if Static Egress Gateway addon is enabled or not. | bool |
ManagedClusterStorageProfile
Name | Description | Value |
---|---|---|
blobCSIDriver | AzureBlob CSI Driver settings for the storage profile. | ManagedClusterStorageProfileBlobCSIDriver |
diskCSIDriver | AzureDisk CSI Driver settings for the storage profile. | ManagedClusterStorageProfileDiskCSIDriver |
fileCSIDriver | AzureFile CSI Driver settings for the storage profile. | ManagedClusterStorageProfileFileCSIDriver |
snapshotController | Snapshot Controller settings for the storage profile. | ManagedClusterStorageProfileSnapshotController |
ManagedClusterStorageProfileBlobCSIDriver
Name | Description | Value |
---|---|---|
enabled | Whether to enable AzureBlob CSI Driver. The default value is false. | bool |
ManagedClusterStorageProfileDiskCSIDriver
Name | Description | Value |
---|---|---|
enabled | Whether to enable AzureDisk CSI Driver. The default value is true. | bool |
version | The version of AzureDisk CSI Driver. The default value is v1. | string |
ManagedClusterStorageProfileFileCSIDriver
Name | Description | Value |
---|---|---|
enabled | Whether to enable AzureFile CSI Driver. The default value is true. | bool |
ManagedClusterStorageProfileSnapshotController
Name | Description | Value |
---|---|---|
enabled | Whether to enable Snapshot Controller. The default value is true. | bool |
ManagedClusterWindowsProfile
Name | Description | Value |
---|---|---|
adminPassword | Specifies the password of the administrator account. Supply it through a secure template parameter rather than hardcoding it. Minimum-length: 8 characters Max-length: 123 characters Complexity requirements: 3 out of 4 conditions below need to be fulfilled Has lower characters Has upper characters Has a digit Has a special character (Regex match [\W_]) Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!" | string |
adminUsername | Specifies the name of the administrator account. Restriction: Cannot end in "." Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5". Minimum-length: 1 character Max-length: 20 characters | string (required) |
enableCSIProxy | For more details on CSI proxy, see the CSI proxy GitHub repo. | bool |
gmsaProfile | The Windows gMSA Profile in the Managed Cluster. | WindowsGmsaProfile |
licenseType | The license type to use for Windows VMs. See Azure Hybrid User Benefits for more details. | 'None' 'Windows_Server' |
ManagedClusterWorkloadAutoScalerProfile
Name | Description | Value |
---|---|---|
keda | KEDA (Kubernetes Event-driven Autoscaling) settings for the workload auto-scaler profile. | ManagedClusterWorkloadAutoScalerProfileKeda |
verticalPodAutoscaler | VPA (Vertical Pod Autoscaler) settings for the workload auto-scaler profile. | ManagedClusterWorkloadAutoScalerProfileVerticalPodAutoscaler |
ManagedClusterWorkloadAutoScalerProfileKeda
Name | Description | Value |
---|---|---|
enabled | Whether to enable KEDA. | bool (required) |
ManagedClusterWorkloadAutoScalerProfileVerticalPodAutoscaler
Name | Description | Value |
---|---|---|
addonAutoscaling | Whether VPA add-on is enabled and configured to scale AKS-managed add-ons. | 'Disabled' 'Enabled' |
enabled | Whether to enable VPA add-on in cluster. Default value is false. | bool (required) |
ManagedServiceIdentityUserAssignedIdentitiesValue
Name | Description | Value |
---|
ManualScaleProfile
Name | Description | Value |
---|---|---|
count | Number of nodes. | int |
sizes | The list of allowed vm sizes e.g. ['Standard_E4s_v3', 'Standard_E16s_v3', 'Standard_D16s_v5']. AKS will use the first available one when scaling. If a VM size is unavailable (e.g. due to quota or regional capacity reasons), AKS will use the next size. | string[] |
Microsoft.ContainerService/managedClusters
Name | Description | Value |
---|---|---|
apiVersion | The api version | '2024-09-02-preview' |
extendedLocation | The extended location of the Virtual Machine. | ExtendedLocation |
identity | The identity of the managed cluster, if configured. | ManagedClusterIdentity |
kind | This is primarily used to expose different UI experiences in the portal for different kinds | string |
location | The geo-location where the resource lives | string (required) |
name | The resource name | string Constraints: Min length = 1 Max length = 63 Pattern = ^[a-zA-Z0-9]$|^[a-zA-Z0-9][-_a-zA-Z0-9]{0,61}[a-zA-Z0-9]$ (required) |
properties | Properties of a managed cluster. | ManagedClusterProperties |
sku | The managed cluster SKU. | ManagedClusterSKU |
tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
type | The resource type | 'Microsoft.ContainerService/managedClusters' |
PortRange
Name | Description | Value |
---|---|---|
portEnd | The maximum port that is included in the range. It should be ranged from 1 to 65535, and be greater than or equal to portStart. | int Constraints: Min value = 1 Max value = 65535 |
portStart | The minimum port that is included in the range. It should be ranged from 1 to 65535, and be less than or equal to portEnd. | int Constraints: Min value = 1 Max value = 65535 |
protocol | The network protocol of the port. | 'TCP' 'UDP' |
PowerState
Name | Description | Value |
---|---|---|
code | Tells whether the cluster is Running or Stopped | 'Running' 'Stopped' |
PrivateLinkResource
Name | Description | Value |
---|---|---|
groupId | The group ID of the resource. | string |
id | The ID of the private link resource. | string |
name | The name of the private link resource. | string |
requiredMembers | The RequiredMembers of the resource | string[] |
type | The resource type. | string |
ResourceReference
Name | Description | Value |
---|---|---|
id | The fully qualified Azure resource id. | string |
SafeguardsProfile
Name | Description | Value |
---|---|---|
excludedNamespaces | List of namespaces excluded from Safeguards checks | string[] |
level | The Safeguards level to be used. By default, Safeguards is enabled for all namespaces except those that AKS excludes via systemExcludedNamespaces | 'Enforcement' 'Off' 'Warning' (required) |
version | The version of constraints to use | string |
ScaleProfile
Name | Description | Value |
---|---|---|
autoscale | Specifications on how to auto-scale the VirtualMachines agent pool within a predefined size range. Currently, at most one AutoScaleProfile is allowed. | AutoScaleProfile[] |
manual | Specifications on how to scale the VirtualMachines agent pool to a fixed size. | ManualScaleProfile[] |
ServiceMeshProfile
Name | Description | Value |
---|---|---|
istio | Istio service mesh configuration. | IstioServiceMesh |
mode | Mode of the service mesh. | 'Disabled' 'Istio' (required) |
SysctlConfig
Name | Description | Value |
---|---|---|
fsAioMaxNr | Sysctl setting fs.aio-max-nr. | int |
fsFileMax | Sysctl setting fs.file-max. | int |
fsInotifyMaxUserWatches | Sysctl setting fs.inotify.max_user_watches. | int |
fsNrOpen | Sysctl setting fs.nr_open. | int |
kernelThreadsMax | Sysctl setting kernel.threads-max. | int |
netCoreNetdevMaxBacklog | Sysctl setting net.core.netdev_max_backlog. | int |
netCoreOptmemMax | Sysctl setting net.core.optmem_max. | int |
netCoreRmemDefault | Sysctl setting net.core.rmem_default. | int |
netCoreRmemMax | Sysctl setting net.core.rmem_max. | int |
netCoreSomaxconn | Sysctl setting net.core.somaxconn. | int |
netCoreWmemDefault | Sysctl setting net.core.wmem_default. | int |
netCoreWmemMax | Sysctl setting net.core.wmem_max. | int |
netIpv4IpLocalPortRange | Sysctl setting net.ipv4.ip_local_port_range. | string |
netIpv4NeighDefaultGcThresh1 | Sysctl setting net.ipv4.neigh.default.gc_thresh1. | int |
netIpv4NeighDefaultGcThresh2 | Sysctl setting net.ipv4.neigh.default.gc_thresh2. | int |
netIpv4NeighDefaultGcThresh3 | Sysctl setting net.ipv4.neigh.default.gc_thresh3. | int |
netIpv4TcpFinTimeout | Sysctl setting net.ipv4.tcp_fin_timeout. | int |
netIpv4TcpkeepaliveIntvl | Sysctl setting net.ipv4.tcp_keepalive_intvl. | int Constraints: Min value = 10 Max value = 90 |
netIpv4TcpKeepaliveProbes | Sysctl setting net.ipv4.tcp_keepalive_probes. | int |
netIpv4TcpKeepaliveTime | Sysctl setting net.ipv4.tcp_keepalive_time. | int |
netIpv4TcpMaxSynBacklog | Sysctl setting net.ipv4.tcp_max_syn_backlog. | int |
netIpv4TcpMaxTwBuckets | Sysctl setting net.ipv4.tcp_max_tw_buckets. | int |
netIpv4TcpTwReuse | Sysctl setting net.ipv4.tcp_tw_reuse. | bool |
netNetfilterNfConntrackBuckets | Sysctl setting net.netfilter.nf_conntrack_buckets. | int Constraints: Min value = 65536 Max value = 524288 |
netNetfilterNfConntrackMax | Sysctl setting net.netfilter.nf_conntrack_max. | int Constraints: Min value = 131072 Max value = 2097152 |
vmMaxMapCount | Sysctl setting vm.max_map_count. | int |
vmSwappiness | Sysctl setting vm.swappiness. | int |
vmVfsCachePressure | Sysctl setting vm.vfs_cache_pressure. | int |
TrackedResourceTags
Name | Description | Value |
---|---|---|
UpgradeOverrideSettings
Name | Description | Value |
---|---|---|
forceUpgrade | Whether to force upgrade the cluster. Note that this option instructs upgrade operation to bypass upgrade protections such as checking for deprecated API usage. Enable this option only with caution. | bool |
until | Until when the overrides are effective. Note that this only matches the start time of an upgrade; once an upgrade has started, the overrides remain in effect even if `until` expires while the upgrade proceeds. This field is not set by default. It must be set for the overrides to take effect. | string |
UserAssignedIdentity
Name | Description | Value |
---|---|---|
clientId | The client ID of the user assigned identity. | string |
objectId | The object ID of the user assigned identity. | string |
resourceId | The resource ID of the user assigned identity. | string |
VirtualMachineNodes
Name | Description | Value |
---|---|---|
count | Number of nodes. | int |
size | The VM size of the agents used to host this group of nodes. | string |
VirtualMachinesProfile
Name | Description | Value |
---|---|---|
scale | Specifications on how to scale a VirtualMachines agent pool. | ScaleProfile |
WindowsGmsaProfile
Name | Description | Value |
---|---|---|
dnsServer | Specifies the DNS server for Windows gMSA. Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster. | string |
enabled | Specifies whether to enable Windows gMSA in the managed cluster. | bool |
rootDomainName | Specifies the root domain name for Windows gMSA. Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster. | string |
Quickstart templates
The following quickstart templates deploy this resource type.
Template | Description |
---|---|
AKS Cluster with a NAT Gateway and an Application Gateway |
This sample shows how to deploy an AKS cluster with a NAT Gateway for outbound connections and an Application Gateway for inbound connections. |
AKS cluster with the Application Gateway Ingress Controller |
This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault |
Azure Container Service (AKS) |
Deploy a managed cluster with Azure Container Service (AKS) using Azure Linux container hosts |
Azure Container Service (AKS) |
Deploy a managed cluster with Azure Container Service (AKS) |
Azure Container Service (AKS) with Helm |
Deploy a managed cluster with Azure Container Service (AKS) with Helm |
Azure Kubernetes Service (AKS) |
Deploys a managed Kubernetes cluster via Azure Kubernetes Service (AKS) |
Azure Machine Learning end-to-end secure setup |
This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure setup. This reference implementation includes the Workspace, a compute cluster, a compute instance and an attached private AKS cluster. |
Azure Machine Learning end-to-end secure setup (legacy) |
This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure setup. This reference implementation includes the Workspace, a compute cluster, a compute instance and an attached private AKS cluster. |
CI/CD using Jenkins on Azure Container Service (AKS) |
Containers make it very easy for you to continuously build and deploy your applications. By orchestrating deployment of those containers using Kubernetes in Azure Container Service, you can achieve replicable, manageable clusters of containers. By setting up a continuous build to produce your container images and orchestration, you can increase the speed and reliability of your deployment. |
Create a Private AKS Cluster |
This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine. |
Create a Private AKS Cluster with a Public DNS Zone |
This sample shows how to deploy a private AKS cluster with a Public DNS Zone. |
Create AKS with Prometheus and Grafana with private link |
This will create an Azure Grafana instance and an AKS cluster, and install Prometheus, an open-source monitoring and alerting toolkit, on the Azure Kubernetes Service (AKS) cluster. Then you use Azure Managed Grafana's managed private endpoint to connect to this Prometheus server and display the Prometheus data in a Grafana dashboard. |
Deploy a managed Kubernetes Cluster (AKS) |
This ARM template demonstrates the deployment of an AKS instance with advanced networking features into an existing virtual network. Additionally, the chosen Service Principal is assigned the Network Contributor role against the subnet that contains the AKS cluster. |
Deploy a managed Kubernetes Cluster with AAD (AKS) |
This ARM template demonstrates the deployment of an AKS instance with advanced networking features into an existing virtual network and Azure AD integration. Additionally, the chosen Service Principal is assigned the Network Contributor role against the subnet that contains the AKS cluster. |
Deploy an AKS cluster for Azure ML |
This template allows you to deploy an enterprise-compliant AKS cluster that can be attached to Azure ML |
min.io Azure Gateway |
Fully private min.io Azure Gateway deployment to provide an S3 compliant storage API backed by blob storage |
Terraform (AzAPI provider) resource definition
The managedClusters resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.ContainerService/managedClusters resource, add the following Terraform to your template.
# Resource-format skeleton for Microsoft.ContainerService/managedClusters via the
# AzAPI provider. "string", bool, int, {customized property} and ? are the page's
# type placeholders, not literal HCL: replace them with real values and drop the
# properties you do not set before applying. The "Property values" tables that
# follow the listing document each property's meaning, allowed values and limits.
resource "azapi_resource" "symbolicname" {
# Pins the resource type and API version this listing documents.
type = "Microsoft.ContainerService/managedClusters@2024-09-02-preview"
# Resource name; see the 'name' constraints in the
# Microsoft.ContainerService/managedClusters table below.
name = "string"
identity = {
delegatedResources = {
# DelegatedResource fields are documented as "internal use only" (DelegatedResource table).
{customized property} = {
location = "string"
referralResource = "string"
resourceId = "string"
tenantId = "string"
}
}
type = "string"
userAssignedIdentities = {
{customized property} = {
}
}
}
kind = "string"
location = "string"
sku = {
name = "string"
tier = "string"
}
tags = {
{customized property} = "string"
}
# Everything under properties is sent as the JSON request body.
body = jsonencode({
extendedLocation = {
name = "string"
# ExtendedLocation table: the only documented type is 'EdgeZone'.
type = "string"
}
properties = {
aadProfile = {
adminGroupObjectIDs = [
"string"
]
clientAppID = "string"
enableAzureRBAC = bool
managed = bool
serverAppID = "string"
# Credential-bearing field (by name). Feed it from a sensitive variable or a
# secret store rather than committing a literal value with the template.
serverAppSecret = "string"
tenantID = "string"
}
addonProfiles = {
{customized property} = {
config = {
{customized property} = "string"
}
enabled = bool
}
}
agentPoolProfiles = [
{
# AgentPoolArtifactStreamingProfile: default false; images must also enable streaming on ACR.
artifactStreamingProfile = {
enabled = bool
}
availabilityZones = [
"string"
]
capacityReservationGroupID = "string"
count = int
creationData = {
sourceResourceId = "string"
}
enableAutoScaling = bool
enableCustomCATrust = bool
enableEncryptionAtHost = bool
enableFIPS = bool
enableNodePublicIP = bool
enableUltraSSD = bool
# AgentPoolGatewayProfile: prefix size caps the pool size; valid range [28, 31], default 31.
gatewayProfile = {
publicIPPrefixSize = int
}
gpuInstanceProfile = "string"
# AgentPoolGPUProfile: driverType ('CUDA'/'GRID') is Windows-only and immutable after creation.
gpuProfile = {
driverType = "string"
installGPUDriver = bool
}
hostGroupID = "string"
# NOTE(review): the KubeletConfig property table is outside this excerpt;
# confirm each field's allowed values and defaults there.
kubeletConfig = {
allowedUnsafeSysctls = [
"string"
]
containerLogMaxFiles = int
containerLogMaxSizeMB = int
cpuCfsQuota = bool
cpuCfsQuotaPeriod = "string"
cpuManagerPolicy = "string"
failSwapOn = bool
imageGcHighThreshold = int
imageGcLowThreshold = int
podMaxPids = int
seccompDefault = "string"
topologyManagerPolicy = "string"
}
kubeletDiskType = "string"
linuxOSConfig = {
swapFileSizeMB = int
# SysctlConfig table: each key maps to the Linux sysctl of the same name; the
# three constrained ones are called out inline.
sysctls = {
fsAioMaxNr = int
fsFileMax = int
fsInotifyMaxUserWatches = int
fsNrOpen = int
kernelThreadsMax = int
netCoreNetdevMaxBacklog = int
netCoreOptmemMax = int
netCoreRmemDefault = int
netCoreRmemMax = int
netCoreSomaxconn = int
netCoreWmemDefault = int
netCoreWmemMax = int
netIpv4IpLocalPortRange = "string"
netIpv4NeighDefaultGcThresh1 = int
netIpv4NeighDefaultGcThresh2 = int
netIpv4NeighDefaultGcThresh3 = int
netIpv4TcpFinTimeout = int
# net.ipv4.tcp_keepalive_intvl: min 10, max 90.
netIpv4TcpkeepaliveIntvl = int
netIpv4TcpKeepaliveProbes = int
netIpv4TcpKeepaliveTime = int
netIpv4TcpMaxSynBacklog = int
netIpv4TcpMaxTwBuckets = int
netIpv4TcpTwReuse = bool
# net.netfilter.nf_conntrack_buckets: min 65536, max 524288.
netNetfilterNfConntrackBuckets = int
# net.netfilter.nf_conntrack_max: min 131072, max 2097152.
netNetfilterNfConntrackMax = int
vmMaxMapCount = int
vmSwappiness = int
vmVfsCachePressure = int
}
transparentHugePageDefrag = "string"
transparentHugePageEnabled = "string"
}
maxCount = int
maxPods = int
messageOfTheDay = "string"
minCount = int
mode = "string"
name = "string"
# AgentPoolNetworkProfile: see the AgentPoolNetworkProfile, PortRange and IPTag tables.
networkProfile = {
# PortRange: portStart <= portEnd, both within 1..65535; ranges may overlap.
allowedHostPorts = [
{
portEnd = int
portStart = int
# 'TCP' or 'UDP'.
protocol = "string"
}
]
applicationSecurityGroups = [
"string"
]
nodePublicIPTags = [
{
ipTagType = "string"
tag = "string"
}
]
}
nodeInitializationTaints = [
"string"
]
nodeLabels = {
{customized property} = "string"
}
nodePublicIPPrefixID = "string"
nodeTaints = [
"string"
]
orchestratorVersion = "string"
osDiskSizeGB = int
osDiskType = "string"
osSKU = "string"
osType = "string"
podIPAllocationMode = "string"
podSubnetID = "string"
# PowerState: 'Running' or 'Stopped'.
powerState = {
code = "string"
}
proximityPlacementGroupID = "string"
scaleDownMode = "string"
scaleSetEvictionPolicy = "string"
scaleSetPriority = "string"
# AgentPoolSecurityProfile: Secure Boot and vTPM are Trusted Launch features,
# both default false; sshAccess is 'Disabled' or 'LocalUser'.
securityProfile = {
enableSecureBoot = bool
enableVTPM = bool
sshAccess = "string"
}
spotMaxPrice = int
tags = {
{customized property} = "string"
}
type = "string"
# AgentPoolUpgradeSettings: drainTimeoutInMinutes 1..1440 (default 30), maxSurge
# default 1, maxUnavailable default 0, nodeSoakDurationInMinutes 0..30 (default 0),
# undrainableNodeBehavior 'Cordon' or 'Schedule'.
upgradeSettings = {
drainTimeoutInMinutes = int
maxSurge = "string"
maxUnavailable = "string"
nodeSoakDurationInMinutes = int
undrainableNodeBehavior = "string"
}
virtualMachineNodesStatus = [
{
count = int
size = "string"
}
]
virtualMachinesProfile = {
# ScaleProfile: at most one AutoScaleProfile is currently allowed in 'autoscale'.
scale = {
autoscale = [
{
maxCount = int
minCount = int
sizes = [
"string"
]
}
]
manual = [
{
count = int
sizes = [
"string"
]
}
]
}
}
vmSize = "string"
vnetSubnetID = "string"
# AgentPoolWindowsProfile: default false; only allowed with a NAT Gateway
# outboundType and without node public IP.
windowsProfile = {
disableOutboundNat = bool
}
workloadRuntime = "string"
}
]
aiToolchainOperatorProfile = {
enabled = bool
}
# NOTE(review): the API server access profile table is outside this excerpt;
# confirm the semantics of authorizedIPRanges and the private-cluster flags there.
apiServerAccessProfile = {
authorizedIPRanges = [
"string"
]
disableRunCommand = bool
enablePrivateCluster = bool
enablePrivateClusterPublicFQDN = bool
enableVnetIntegration = bool
privateDNSZone = "string"
subnetId = "string"
}
autoScalerProfile = {
balance-similar-node-groups = "string"
daemonset-eviction-for-empty-nodes = bool
daemonset-eviction-for-occupied-nodes = bool
expander = "string"
ignore-daemonsets-utilization = bool
max-empty-bulk-delete = "string"
max-graceful-termination-sec = "string"
max-node-provision-time = "string"
max-total-unready-percentage = "string"
new-pod-scale-up-delay = "string"
ok-total-unready-count = "string"
scale-down-delay-after-add = "string"
scale-down-delay-after-delete = "string"
scale-down-delay-after-failure = "string"
scale-down-unneeded-time = "string"
scale-down-unready-time = "string"
scale-down-utilization-threshold = "string"
scan-interval = "string"
skip-nodes-with-local-storage = "string"
skip-nodes-with-system-pods = "string"
}
autoUpgradeProfile = {
nodeOSUpgradeChannel = "string"
upgradeChannel = "string"
}
azureMonitorProfile = {
appMonitoring = {
autoInstrumentation = {
enabled = bool
}
openTelemetryLogs = {
enabled = bool
port = int
}
openTelemetryMetrics = {
enabled = bool
port = int
}
}
containerInsights = {
disableCustomMetrics = bool
disablePrometheusMetricsScraping = bool
enabled = bool
logAnalyticsWorkspaceResourceId = "string"
syslogPort = int
}
metrics = {
enabled = bool
kubeStateMetrics = {
metricAnnotationsAllowList = "string"
metricLabelsAllowlist = "string"
}
}
}
bootstrapProfile = {
artifactSource = "string"
containerRegistryId = "string"
}
creationData = {
sourceResourceId = "string"
}
# NOTE(review): the ManagedClusterProperties table is outside this excerpt;
# confirm the defaults of disableLocalAccounts, enablePodSecurityPolicy and
# enableRBAC there.
disableLocalAccounts = bool
diskEncryptionSetID = "string"
dnsPrefix = "string"
enableNamespaceResources = bool
enablePodSecurityPolicy = bool
enableRBAC = bool
fqdnSubdomain = "string"
httpProxyConfig = {
httpProxy = "string"
httpsProxy = "string"
noProxy = [
"string"
]
trustedCa = "string"
}
# UserAssignedIdentity per entry (clientId, objectId, resourceId).
identityProfile = {
{customized property} = {
clientId = "string"
objectId = "string"
resourceId = "string"
}
}
ingressProfile = {
webAppRouting = {
dnsZoneResourceIds = [
"string"
]
enabled = bool
nginx = {
defaultIngressControllerType = "string"
}
}
}
kubernetesVersion = "string"
# ContainerServiceLinuxProfile: adminUsername (required) must match
# ^[A-Za-z][-A-Za-z0-9_]*$; ssh is required.
linuxProfile = {
adminUsername = "string"
# ContainerServiceSshConfiguration: at most 1 key; keyData is a PEM public key.
ssh = {
publicKeys = [
{
keyData = "string"
}
]
}
}
metricsProfile = {
costAnalysis = {
enabled = bool
}
}
# ContainerServiceNetworkProfile: see that table for allowed values and patterns.
networkProfile = {
# AdvancedNetworking: enabled=true turns on observability and security unless
# explicitly disabled; default false. security applies to cilium-based clusters only.
advancedNetworking = {
enabled = bool
observability = {
enabled = bool
}
security = {
enabled = bool
}
}
# Must lie within the service range given by serviceCidr.
dnsServiceIP = "string"
# 'IPv4' for single-stack; 'IPv4' and 'IPv6' for dual-stack.
ipFamilies = [
"string"
]
# ContainerServiceNetworkProfileKubeProxyConfig: mode is 'IPTABLES' or 'IPVS';
# ipvsConfig may only be set when mode is 'IPVS'; timeouts are positive integers.
kubeProxyConfig = {
enabled = bool
ipvsConfig = {
scheduler = "string"
tcpFinTimeoutSeconds = int
tcpTimeoutSeconds = int
udpTimeoutSeconds = int
}
mode = "string"
}
loadBalancerProfile = {
allocatedOutboundPorts = int
backendPoolType = "string"
clusterServiceLoadBalancerHealthProbeMode = "string"
effectiveOutboundIPs = [
{
id = "string"
}
]
enableMultipleStandardLoadBalancers = bool
idleTimeoutInMinutes = int
managedOutboundIPs = {
count = int
countIPv6 = int
}
outboundIPPrefixes = {
publicIPPrefixes = [
{
id = "string"
}
]
}
outboundIPs = {
publicIPs = [
{
id = "string"
}
]
}
}
# 'basic' or 'standard'; default 'standard'.
loadBalancerSku = "string"
natGatewayProfile = {
effectiveOutboundIPs = [
{
id = "string"
}
]
idleTimeoutInMinutes = int
managedOutboundIPProfile = {
count = int
}
}
# 'azure' or 'cilium'.
networkDataplane = "string"
# 'bridge' or 'transparent'; only with networkPlugin 'azure'.
networkMode = "string"
# 'azure', 'kubenet' or 'none'.
networkPlugin = "string"
# 'overlay'.
networkPluginMode = "string"
# 'azure', 'calico', 'cilium' or 'none'.
networkPolicy = "string"
# Set at creation time only; cannot be changed later.
outboundType = "string"
podCidr = "string"
podCidrs = [
"string"
]
# Pod access to link-local addresses (IMDS): 'IMDS' (default) or 'None'.
podLinkLocalAccess = "string"
# Must not overlap any subnet IP range.
serviceCidr = "string"
serviceCidrs = [
"string"
]
staticEgressGatewayProfile = {
enabled = bool
}
}
nodeProvisioningProfile = {
mode = "string"
}
nodeResourceGroup = "string"
nodeResourceGroupProfile = {
restrictionLevel = "string"
}
oidcIssuerProfile = {
enabled = bool
}
podIdentityProfile = {
allowNetworkPluginKubenet = bool
enabled = bool
userAssignedIdentities = [
{
bindingSelector = "string"
identity = {
clientId = "string"
objectId = "string"
resourceId = "string"
}
name = "string"
namespace = "string"
}
]
userAssignedIdentityExceptions = [
{
name = "string"
namespace = "string"
podLabels = {
{customized property} = "string"
}
}
]
}
# PrivateLinkResource entries.
privateLinkResources = [
{
groupId = "string"
id = "string"
name = "string"
requiredMembers = [
"string"
]
type = "string"
}
]
publicNetworkAccess = "string"
# SafeguardsProfile: level ('Enforcement', 'Off', 'Warning') is required.
safeguardsProfile = {
excludedNamespaces = [
"string"
]
level = "string"
version = "string"
}
securityProfile = {
# AzureKeyVaultKms: default disabled; keyId is required when enabled;
# keyVaultNetworkAccess is 'Public' (default) or 'Private', and
# keyVaultResourceId is required when it is 'Private'.
azureKeyVaultKms = {
enabled = bool
keyId = "string"
keyVaultNetworkAccess = "string"
keyVaultResourceId = "string"
}
# Element type is rendered as '?' on this page; not documented in this excerpt.
customCATrustCertificates = [
?
]
defender = {
logAnalyticsWorkspaceResourceId = "string"
securityMonitoring = {
enabled = bool
}
}
imageCleaner = {
enabled = bool
intervalHours = int
}
imageIntegrity = {
enabled = bool
}
nodeRestriction = {
enabled = bool
}
workloadIdentity = {
enabled = bool
}
}
# ServiceMeshProfile: mode ('Disabled' or 'Istio') is required.
serviceMeshProfile = {
istio = {
# IstioCertificateAuthority: only plugin certificates are supported; the
# object names refer to items in the Key Vault given by keyVaultId.
certificateAuthority = {
plugin = {
certChainObjectName = "string"
certObjectName = "string"
keyObjectName = "string"
keyVaultId = "string"
rootCertObjectName = "string"
}
}
components = {
egressGateways = [
{
enabled = bool
}
]
ingressGateways = [
{
enabled = bool
# 'External' or 'Internal' (required).
mode = "string"
}
]
}
# One value normally; two consecutive values during a canary upgrade.
revisions = [
"string"
]
}
mode = "string"
}
servicePrincipalProfile = {
clientId = "string"
# Credential-bearing field (by name); source it from a sensitive variable or a
# secret store rather than a literal in the template.
secret = "string"
}
storageProfile = {
blobCSIDriver = {
enabled = bool
}
diskCSIDriver = {
enabled = bool
version = "string"
}
fileCSIDriver = {
enabled = bool
}
snapshotController = {
enabled = bool
}
}
supportPlan = "string"
# UpgradeOverrideSettings: forceUpgrade bypasses upgrade protections such as the
# deprecated-API check; until must be set for the overrides to take effect.
upgradeSettings = {
overrideSettings = {
forceUpgrade = bool
until = "string"
}
}
windowsProfile = {
# Credential-bearing field (by name); source it from a sensitive variable or a
# secret store rather than a literal in the template.
adminPassword = "string"
adminUsername = "string"
enableCSIProxy = bool
# WindowsGmsaProfile: leave dnsServer/rootDomainName empty when the DNS server
# is configured in the cluster vnet.
gmsaProfile = {
dnsServer = "string"
enabled = bool
rootDomainName = "string"
}
licenseType = "string"
}
# ManagedClusterWorkloadAutoScalerProfile: keda.enabled is required; VPA
# addonAutoscaling is 'Disabled' or 'Enabled', enabled is required (default false).
workloadAutoScalerProfile = {
keda = {
enabled = bool
}
verticalPodAutoscaler = {
addonAutoscaling = "string"
enabled = bool
}
}
}
})
}
Property values
AdvancedNetworking
Name | Description | Value |
---|---|---|
enabled | Indicates the enablement of Advanced Networking functionalities of observability and security on AKS clusters. When this is set to true, all observability and security features will be set to enabled unless explicitly disabled. If not specified, the default is false. | bool |
observability | Observability profile to enable advanced network metrics and flow logs with historical contexts. | AdvancedNetworkingObservability |
security | Security profile to enable security features on cilium based cluster. | AdvancedNetworkingSecurity |
AdvancedNetworkingObservability
Name | Description | Value |
---|---|---|
enabled | Indicates the enablement of Advanced Networking observability functionalities on clusters. | bool |
AdvancedNetworkingSecurity
Name | Description | Value |
---|---|---|
enabled | This feature allows users to configure network policy based on DNS (FQDN) names. It can be enabled only on cilium-based clusters. If not specified, the default is false. | bool |
AgentPoolArtifactStreamingProfile
Name | Description | Value |
---|---|---|
enabled | Artifact streaming speeds up the cold-start of containers on a node through on-demand image loading. To use this feature, container images must also enable artifact streaming on ACR. If not specified, the default is false. | bool |
AgentPoolGatewayProfile
Name | Description | Value |
---|---|---|
publicIPPrefixSize | The Gateway agent pool associates one public IPPrefix for each static egress gateway to provide public egress. The size of Public IPPrefix should be selected by the user. Each node in the agent pool is assigned with one IP from the IPPrefix. The IPPrefix size thus serves as a cap on the size of the Gateway agent pool. Due to Azure public IPPrefix size limitation, the valid value range is [28, 31] (/31 = 2 nodes/IPs, /30 = 4 nodes/IPs, /29 = 8 nodes/IPs, /28 = 16 nodes/IPs). The default value is 31. | int Constraints: Min value = 28 Max value = 31 |
AgentPoolGPUProfile
Name | Description | Value |
---|---|---|
driverType | Specify the type of GPU driver to install when creating Windows agent pools. If not provided, AKS selects the driver based on system compatibility. This cannot be changed once the AgentPool has been created. This cannot be set on Linux AgentPools. For Linux AgentPools, the driver is selected based on system compatibility. | 'CUDA' 'GRID' |
installGPUDriver | The default value is true when the vmSize of the agent pool contains a GPU, false otherwise. GPU Driver Installation can only be set true when VM has an associated GPU resource. Setting this field to false prevents automatic GPU driver installation. In that case, in order for the GPU to be usable, the user must perform GPU driver installation themselves. | bool |
AgentPoolNetworkProfile
Name | Description | Value |
---|---|---|
allowedHostPorts | The port ranges that are allowed to access. The specified ranges are allowed to overlap. | PortRange[] |
applicationSecurityGroups | The IDs of the application security groups which agent pool will associate when created. | string[] |
nodePublicIPTags | IPTags of instance-level public IPs. | IPTag[] |
AgentPoolSecurityProfile
Name | Description | Value |
---|---|---|
enableSecureBoot | Secure Boot is a feature of Trusted Launch which ensures that only signed operating systems and drivers can boot. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false. | bool |
enableVTPM | vTPM is a Trusted Launch feature for configuring a dedicated secure vault for keys and measurements held locally on the node. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false. | bool |
sshAccess | SSH access method of an agent pool. | 'Disabled' 'LocalUser' |
AgentPoolUpgradeSettings
Name | Description | Value |
---|---|---|
drainTimeoutInMinutes | The amount of time (in minutes) to wait on eviction of pods and graceful termination per node. This eviction wait time honors waiting on pod disruption budgets. If this time is exceeded, the upgrade fails. If not specified, the default is 30 minutes. | int Constraints: Min value = 1 Max value = 1440 |
maxSurge | This can either be set to an integer (e.g. '5') or a percentage (e.g. '50%'). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 1. For more information, including best practices, see: /azure/aks/upgrade-cluster | string |
maxUnavailable | This can either be set to an integer (e.g. '1') or a percentage (e.g. '5%'). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 0. For more information, including best practices, see: /azure/aks/upgrade-cluster | string |
nodeSoakDurationInMinutes | The amount of time (in minutes) to wait after draining a node and before reimaging it and moving on to next node. If not specified, the default is 0 minutes. | int Constraints: Min value = 0 Max value = 30 |
undrainableNodeBehavior | Defines the behavior for undrainable nodes during upgrade. The most common cause of undrainable nodes is Pod Disruption Budgets (PDBs), but other issues, such as a pod's termination grace period exceeding the remaining per-node drain timeout or a pod still being in a running state, can also cause undrainable nodes. | 'Cordon' 'Schedule' |
AgentPoolWindowsProfile
Name | Description | Value |
---|---|---|
disableOutboundNat | The default value is false. Outbound NAT can only be disabled if the cluster outboundType is NAT Gateway and the Windows agent pool does not have node public IP enabled. | bool |
AutoScaleProfile
Name | Description | Value |
---|---|---|
maxCount | The maximum number of nodes of the specified sizes. | int |
minCount | The minimum number of nodes of the specified sizes. | int |
sizes | The list of allowed vm sizes e.g. ['Standard_E4s_v3', 'Standard_E16s_v3', 'Standard_D16s_v5']. AKS will use the first available one when auto scaling. If a VM size is unavailable (e.g. due to quota or regional capacity reasons), AKS will use the next size. | string[] |
AzureKeyVaultKms
Name | Description | Value |
---|---|---|
enabled | Whether to enable Azure Key Vault key management service. The default is false. | bool |
keyId | Identifier of Azure Key Vault key. See key identifier format for more details. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier. When Azure Key Vault key management service is disabled, leave the field empty. | string |
keyVaultNetworkAccess | Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public. | 'Private' 'Public' |
keyVaultResourceId | Resource ID of key vault. When keyVaultNetworkAccess is Private, this field is required and must be a valid resource ID. When keyVaultNetworkAccess is Public, leave the field empty. | string |
ClusterUpgradeSettings
Name | Description | Value |
---|---|---|
overrideSettings | Settings for overrides. | UpgradeOverrideSettings |
ContainerServiceLinuxProfile
Name | Description | Value |
---|---|---|
adminUsername | The administrator username to use for Linux VMs. | string Constraints: Pattern = ^[A-Za-z][-A-Za-z0-9_]*$ (required) |
ssh | The SSH configuration for Linux-based VMs running on Azure. | ContainerServiceSshConfiguration (required) |
ContainerServiceNetworkProfile
Name | Description | Value |
---|---|---|
advancedNetworking | Advanced Networking profile for enabling observability and security feature suite on a cluster. For more information see aka.ms/aksadvancednetworking. | AdvancedNetworking |
dnsServiceIP | An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. | string Constraints: Pattern = ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ |
ipFamilies | IP families are used to determine single-stack or dual-stack clusters. For single-stack, the expected value is IPv4. For dual-stack, the expected values are IPv4 and IPv6. | String array containing any of: 'IPv4' 'IPv6' |
kubeProxyConfig | Holds configuration customizations for kube-proxy. Any values not defined will use the kube-proxy defaulting behavior. See https://v<version>.docs.kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/ where <version> is represented by a <major version>-<minor version> string. Kubernetes version 1.23 would be '1-23'. | ContainerServiceNetworkProfileKubeProxyConfig |
loadBalancerProfile | Profile of the cluster load balancer. | ManagedClusterLoadBalancerProfile |
loadBalancerSku | The default is 'standard'. See Azure Load Balancer SKUs for more information about the differences between load balancer SKUs. | 'basic' 'standard' |
natGatewayProfile | Profile of the cluster NAT gateway. | ManagedClusterNATGatewayProfile |
networkDataplane | Network dataplane used in the Kubernetes cluster. | 'azure' 'cilium' |
networkMode | This cannot be specified if networkPlugin is anything other than 'azure'. | 'bridge' 'transparent' |
networkPlugin | Network plugin used for building the Kubernetes network. | 'azure' 'kubenet' 'none' |
networkPluginMode | Network plugin mode used for building the Kubernetes network. | 'overlay' |
networkPolicy | Network policy used for building the Kubernetes network. | 'azure' 'calico' 'cilium' 'none' |
outboundType | This can only be set at cluster creation time and cannot be changed later. For more information see egress outbound type. | 'loadBalancer' 'managedNATGateway' 'none' 'userAssignedNATGateway' 'userDefinedRouting' |
podCidr | A CIDR notation IP range from which to assign pod IPs when kubenet is used. | string Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$ |
podCidrs | One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking. | string[] |
podLinkLocalAccess | Defines access to special link local addresses (Azure Instance Metadata Service, aka IMDS) for pods with hostNetwork=false. if not specified, the default is 'IMDS'. | 'IMDS' 'None' |
serviceCidr | A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. | string Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$ |
serviceCidrs | One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking. They must not overlap with any Subnet IP ranges. | string[] |
staticEgressGatewayProfile | The profile for Static Egress Gateway addon. For more details about Static Egress Gateway, see https://aka.ms/aks/static-egress-gateway. | ManagedClusterStaticEgressGatewayProfile |
ContainerServiceNetworkProfileKubeProxyConfig
Name | Description | Value |
---|---|---|
enabled | Whether to enable kube-proxy on the cluster (if no 'kubeProxyConfig' exists, kube-proxy is enabled in AKS by default without these customizations). | bool |
ipvsConfig | Holds configuration customizations for IPVS. May only be specified if 'mode' is set to 'IPVS'. | ContainerServiceNetworkProfileKubeProxyConfigIpvsConfig |
mode | Specify which proxy mode to use ('IPTABLES' or 'IPVS') | 'IPTABLES' 'IPVS' |
ContainerServiceNetworkProfileKubeProxyConfigIpvsConfig
Name | Description | Value |
---|---|---|
scheduler | IPVS scheduler, for more information please see http://www.linuxvirtualserver.org/docs/scheduling.html. | 'LeastConnection' 'RoundRobin' |
tcpFinTimeoutSeconds | The timeout value used for IPVS TCP sessions after receiving a FIN in seconds. Must be a positive integer value. | int |
tcpTimeoutSeconds | The timeout value used for idle IPVS TCP sessions in seconds. Must be a positive integer value. | int |
udpTimeoutSeconds | The timeout value used for IPVS UDP packets in seconds. Must be a positive integer value. | int |
ContainerServiceSshConfiguration
Name | Description | Value |
---|---|---|
publicKeys | The list of SSH public keys used to authenticate with Linux-based VMs. A maximum of 1 key may be specified. | ContainerServiceSshPublicKey[] (required) |
ContainerServiceSshPublicKey
Name | Description | Value |
---|---|---|
keyData | Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers. | string (required) |
CreationData
Name | Description | Value |
---|---|---|
sourceResourceId | This is the ARM ID of the source object to be used to create the target object. | string |
DelegatedResource
Name | Description | Value |
---|---|---|
location | The source resource location - internal use only. | string |
referralResource | The delegation id of the referral delegation (optional) - internal use only. | string |
resourceId | The ARM resource id of the delegated resource - internal use only. | string |
tenantId | The tenant id of the delegated resource - internal use only. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
DelegatedResources
Name | Description | Value |
---|---|---|
ExtendedLocation
Name | Description | Value |
---|---|---|
name | The name of the extended location. | string |
type | The type of the extended location. | 'EdgeZone' |
IPTag
Name | Description | Value |
---|---|---|
ipTagType | The IP tag type. Example: RoutingPreference. | string |
tag | The value of the IP tag associated with the public IP. Example: Internet. | string |
IstioCertificateAuthority
Name | Description | Value |
---|---|---|
plugin | Plugin certificates information for Service Mesh. | IstioPluginCertificateAuthority |
IstioComponents
Name | Description | Value |
---|---|---|
egressGateways | Istio egress gateways. | IstioEgressGateway[] |
ingressGateways | Istio ingress gateways. | IstioIngressGateway[] |
IstioEgressGateway
Name | Description | Value |
---|---|---|
enabled | Whether to enable the egress gateway. | bool (required) |
IstioIngressGateway
Name | Description | Value |
---|---|---|
enabled | Whether to enable the ingress gateway. | bool (required) |
mode | Mode of an ingress gateway. | 'External' 'Internal' (required) |
IstioPluginCertificateAuthority
Name | Description | Value |
---|---|---|
certChainObjectName | Certificate chain object name in Azure Key Vault. | string |
certObjectName | Intermediate certificate object name in Azure Key Vault. | string |
keyObjectName | Intermediate certificate private key object name in Azure Key Vault. | string |
keyVaultId | The resource ID of the Key Vault. | string |
rootCertObjectName | Root certificate object name in Azure Key Vault. | string |
IstioServiceMesh
Name | Description | Value |
---|---|---|
certificateAuthority | Istio Service Mesh Certificate Authority (CA) configuration. For now, we only support plugin certificates as described here https://aka.ms/asm-plugin-ca | IstioCertificateAuthority |
components | Istio components configuration. | IstioComponents |
revisions | The list of revisions of the Istio control plane. When an upgrade is not in progress, this holds one value. When canary upgrade is in progress, this can only hold two consecutive values. For more information, see: /azure/aks/istio-upgrade | string[] |
KubeletConfig
Name | Description | Value |
---|---|---|
allowedUnsafeSysctls | Allowed list of unsafe sysctls or unsafe sysctl patterns (ending in * ). | string[] |
containerLogMaxFiles | The maximum number of container log files that can be present for a container. The number must be ≥ 2. | int Constraints: Min value = 2 |
containerLogMaxSizeMB | The maximum size (e.g. 10Mi) of container log file before it is rotated. | int |
cpuCfsQuota | The default is true. | bool |
cpuCfsQuotaPeriod | The default is '100ms.' Valid values are a sequence of decimal numbers with an optional fraction and a unit suffix. For example: '300ms', '2h45m'. Supported units are 'ns', 'us', 'ms', 's', 'm', and 'h'. | string |
cpuManagerPolicy | The default is 'none'. See Kubernetes CPU management policies for more information. Allowed values are 'none' and 'static'. | string |
failSwapOn | If set to true, the Kubelet will fail to start when swap is enabled on the node. | bool |
imageGcHighThreshold | To disable image garbage collection, set to 100. The default is 85%. | int |
imageGcLowThreshold | This cannot be set higher than imageGcHighThreshold. The default is 80%. | int |
podMaxPids | The maximum number of processes per pod. | int |
seccompDefault | Specifies the default seccomp profile applied to all workloads. If not specified, 'Unconfined' (no seccomp filtering applied) is used by default. | 'RuntimeDefault' 'Unconfined' |
topologyManagerPolicy | For more information see Kubernetes Topology Manager. The default is 'none'. Allowed values are 'none', 'best-effort', 'restricted', and 'single-numa-node'. | string |
LinuxOSConfig
Name | Description | Value |
---|---|---|
swapFileSizeMB | The size in MB of a swap file that will be created on each node. | int |
sysctls | Sysctl settings for Linux agent nodes. | SysctlConfig |
transparentHugePageDefrag | Valid values are 'always', 'defer', 'defer+madvise', 'madvise' and 'never'. The default is 'madvise'. For more information see Transparent Hugepages. | string |
transparentHugePageEnabled | Valid values are 'always', 'madvise', and 'never'. The default is 'always'. For more information see Transparent Hugepages. | string |
ManagedClusterAADProfile
Name | Description | Value |
---|---|---|
adminGroupObjectIDs | The list of AAD group object IDs that will have admin role of the cluster. | string[] |
clientAppID | (DEPRECATED) The client AAD application ID. Learn more at https://aka.ms/aks/aad-legacy. | string |
enableAzureRBAC | Whether to enable Azure RBAC for Kubernetes authorization. | bool |
managed | Whether to enable managed AAD. | bool |
serverAppID | (DEPRECATED) The server AAD application ID. Learn more at https://aka.ms/aks/aad-legacy. | string |
serverAppSecret | (DEPRECATED) The server AAD application secret. Learn more at https://aka.ms/aks/aad-legacy. | string |
tenantID | The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription. | string |
ManagedClusterAddonProfile
Name | Description | Value |
---|---|---|
config | Key-value pairs for configuring an add-on. | ManagedClusterAddonProfileConfig |
enabled | Whether the add-on is enabled or not. | bool (required) |
ManagedClusterAddonProfileConfig
Name | Description | Value |
---|---|---|
ManagedClusterAgentPoolProfile
Name | Description | Value |
---|---|---|
artifactStreamingProfile | Configuration for using artifact streaming on AKS. | AgentPoolArtifactStreamingProfile |
availabilityZones | The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is 'VirtualMachineScaleSets'. | string[] |
capacityReservationGroupID | AKS will associate the specified agent pool with the Capacity Reservation Group. | string |
count | Number of agents (VMs) to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1. | int |
creationData | CreationData to be used to specify the source Snapshot ID if the node pool will be created/upgraded using a snapshot. | CreationData |
enableAutoScaling | Whether to enable auto-scaler | bool |
enableCustomCATrust | When set to true, AKS adds a label to the node indicating that the feature is enabled and deploys a daemonset along with host services to sync custom certificate authorities from a user-provided list of base64-encoded certificates into node trust stores. Defaults to false. | bool |
enableEncryptionAtHost | This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption | bool |
enableFIPS | See Add a FIPS-enabled node pool for more details. | bool |
enableNodePublicIP | Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node. The default is false. | bool |
enableUltraSSD | Whether to enable UltraSSD | bool |
gatewayProfile | Profile specific to a managed agent pool in Gateway mode. This field cannot be set if agent pool mode is not Gateway. | AgentPoolGatewayProfile |
gpuInstanceProfile | GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. | 'MIG1g' 'MIG2g' 'MIG3g' 'MIG4g' 'MIG7g' |
gpuProfile | The GPU settings of an agent pool. | AgentPoolGPUProfile |
hostGroupID | This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/hostGroups/{hostGroupName}. For more information see Azure dedicated hosts. | string |
kubeletConfig | The Kubelet configuration on the agent pool nodes. | KubeletConfig |
kubeletDiskType | Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. | 'OS' 'Temporary' |
linuxOSConfig | The OS configuration of Linux agent nodes. | LinuxOSConfig |
maxCount | The maximum number of nodes for auto-scaling | int |
maxPods | The maximum number of pods that can run on a node. | int |
messageOfTheDay | A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of the message of the day for Linux nodes. It must not be specified for Windows nodes. It must be a static string (i.e., will be printed raw and not be executed as a script). | string |
minCount | The minimum number of nodes for auto-scaling | int |
mode | A cluster must have at least one 'System' Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: /azure/aks/use-system-pools | 'Gateway' 'System' 'User' |
name | Windows agent pool names must be 6 characters or less. | string Constraints: Pattern = ^[a-z][a-z0-9]{0,11}$ (required) |
networkProfile | Network-related settings of an agent pool. | AgentPoolNetworkProfile |
nodeInitializationTaints | These taints will not be reconciled by AKS and can be removed with a kubectl call. This field can be modified after the node pool is created, but nodes will not be recreated with new taints until another operation that requires recreation (e.g. node image upgrade) happens. These taints allow required configuration to run before the node is ready to accept workloads; for example, 'key1=value1:NoSchedule' can later be removed with kubectl taint nodes node1 key1=value1:NoSchedule- | string[] |
nodeLabels | The node labels to be persisted across all nodes in agent pool. | ManagedClusterAgentPoolProfilePropertiesNodeLabels |
nodePublicIPPrefixID | This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPPrefixes/{publicIPPrefixName} | string |
nodeTaints | The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. | string[] |
orchestratorVersion | Both patch version <major.minor.patch> and <major.minor> are supported. When <major.minor> is specified, the latest supported patch version is chosen automatically. Updating the agent pool with the same <major.minor> once it has been created will not trigger an upgrade, even if a newer patch version is available. As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool. | string |
osDiskSizeGB | OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. | int Constraints: Min value = 0 Max value = 2048 |
osDiskType | The default is 'Ephemeral' if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. For more information see Ephemeral OS. | 'Ephemeral' 'Managed' |
osSKU | Specifies the OS SKU used by the agent pool. If not specified, the default is Ubuntu if OSType=Linux or Windows2019 if OSType=Windows. The default Windows OSSKU will change to Windows2022 once Windows2019 is deprecated. | 'AzureLinux' 'CBLMariner' 'Mariner' 'Ubuntu' 'Windows2019' 'Windows2022' 'WindowsAnnual' |
osType | The operating system type. The default is Linux. | 'Linux' 'Windows' |
podIPAllocationMode | The IP allocation mode for pods in the agent pool. Must be used with podSubnetId. The default is 'DynamicIndividual'. | 'DynamicIndividual' 'StaticBlock' |
podSubnetID | If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} | string |
powerState | When an Agent Pool is first created it is initially Running. The Agent Pool can be stopped by setting this field to Stopped. A stopped Agent Pool stops all of its VMs and does not accrue billing charges. An Agent Pool can only be stopped if it is Running and provisioning state is Succeeded | PowerState |
proximityPlacementGroupID | The ID for Proximity Placement Group. | string |
scaleDownMode | This also affects the cluster autoscaler behavior. If not specified, it defaults to Delete. | 'Deallocate' 'Delete' |
scaleSetEvictionPolicy | This cannot be specified unless the scaleSetPriority is 'Spot'. If not specified, the default is 'Delete'. | 'Deallocate' 'Delete' |
scaleSetPriority | The Virtual Machine Scale Set priority. If not specified, the default is 'Regular'. | 'Regular' 'Spot' |
securityProfile | The security settings of an agent pool. | AgentPoolSecurityProfile |
spotMaxPrice | Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing | int |
tags | The tags to be persisted on the agent pool virtual machine scale set. | ManagedClusterAgentPoolProfilePropertiesTags |
type | The type of Agent Pool. | 'AvailabilitySet' 'VirtualMachines' 'VirtualMachineScaleSets' |
upgradeSettings | Settings for upgrading the agentpool | AgentPoolUpgradeSettings |
virtualMachineNodesStatus | The status of nodes in a VirtualMachines agent pool. | VirtualMachineNodes[] |
virtualMachinesProfile | Specifications on VirtualMachines agent pool. | VirtualMachinesProfile |
vmSize | VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: /azure/aks/quotas-skus-regions | string |
vnetSubnetID | If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} | string |
windowsProfile | The Windows agent pool's specific profile. | AgentPoolWindowsProfile |
workloadRuntime | Determines the type of workload a node can run. | 'KataMshvVmIsolation' 'OCIContainer' 'WasmWasi' |
ManagedClusterAgentPoolProfilePropertiesNodeLabels
Name | Description | Value |
---|---|---|
ManagedClusterAgentPoolProfilePropertiesTags
Name | Description | Value |
---|---|---|
ManagedClusterAIToolchainOperatorProfile
Name | Description | Value |
---|---|---|
enabled | Indicates if AI toolchain operator enabled or not. | bool |
ManagedClusterAPIServerAccessProfile
Name | Description | Value |
---|---|---|
authorizedIPRanges | IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. For more information see API server authorized IP ranges. | string[] |
disableRunCommand | Whether to disable run command for the cluster or not. | bool |
enablePrivateCluster | For more details, see Creating a private AKS cluster. | bool |
enablePrivateClusterPublicFQDN | Whether to create additional public FQDN for private cluster or not. | bool |
enableVnetIntegration | Whether to enable apiserver vnet integration for the cluster or not. | bool |
privateDNSZone | The default is System. For more details see configure private DNS zone. Allowed values are 'system' and 'none'. | string |
subnetId | It is required when: 1. creating a new cluster with BYO Vnet; 2. updating an existing cluster to enable apiserver vnet integration. | string |
ManagedClusterAutoUpgradeProfile
Name | Description | Value |
---|---|---|
nodeOSUpgradeChannel | The default is Unmanaged, but may change to either NodeImage or SecurityPatch at GA. | 'NodeImage' 'None' 'SecurityPatch' 'Unmanaged' |
upgradeChannel | For more information see setting the AKS cluster auto-upgrade channel. | 'node-image' 'none' 'patch' 'rapid' 'stable' |
ManagedClusterAzureMonitorProfile
Name | Description | Value |
---|---|---|
appMonitoring | Application Monitoring Profile for Kubernetes Application Container. Collects application logs, metrics and traces through auto-instrumentation of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview. | ManagedClusterAzureMonitorProfileAppMonitoring |
containerInsights | Azure Monitor Container Insights Profile for Kubernetes Events, Inventory and Container stdout & stderr logs etc. See aka.ms/AzureMonitorContainerInsights for an overview. | ManagedClusterAzureMonitorProfileContainerInsights |
metrics | Metrics profile for the prometheus service addon | ManagedClusterAzureMonitorProfileMetrics |
ManagedClusterAzureMonitorProfileAppMonitoring
Name | Description | Value |
---|---|---|
autoInstrumentation | Application Monitoring Auto Instrumentation for Kubernetes Application Container. Deploys web hook to auto-instrument Azure Monitor OpenTelemetry based SDKs to collect OpenTelemetry metrics, logs and traces of the application. See aka.ms/AzureMonitorApplicationMonitoring for an overview. | ManagedClusterAzureMonitorProfileAppMonitoringAutoInstrumentation |
openTelemetryLogs | Application Monitoring Open Telemetry Metrics Profile for Kubernetes Application Container Logs and Traces. Collects OpenTelemetry logs and traces of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview. | ManagedClusterAzureMonitorProfileAppMonitoringOpenTelemetryLogs |
openTelemetryMetrics | Application Monitoring Open Telemetry Metrics Profile for Kubernetes Application Container Metrics. Collects OpenTelemetry metrics of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview. | ManagedClusterAzureMonitorProfileAppMonitoringOpenTelemetryMetrics |
ManagedClusterAzureMonitorProfileAppMonitoringAutoInstrumentation
Name | Description | Value |
---|---|---|
enabled | Indicates if Application Monitoring Auto Instrumentation is enabled or not. | bool |
ManagedClusterAzureMonitorProfileAppMonitoringOpenTelemetryLogs
Name | Description | Value |
---|---|---|
enabled | Indicates if Application Monitoring Open Telemetry Logs and traces is enabled or not. | bool |
port | The Open Telemetry host port for Open Telemetry logs and traces. If not specified, the default port is 28331. | int |
ManagedClusterAzureMonitorProfileAppMonitoringOpenTelemetryMetrics
Name | Description | Value |
---|---|---|
enabled | Indicates if Application Monitoring Open Telemetry Metrics is enabled or not. | bool |
port | The Open Telemetry host port for Open Telemetry metrics. If not specified, the default port is 28333. | int |
ManagedClusterAzureMonitorProfileContainerInsights
Name | Description | Value |
---|---|---|
disableCustomMetrics | Indicates whether custom metrics collection has to be disabled or not. If not specified, the default is false. Even when this field is false, no custom metrics will be emitted if the container insights 'enabled' field is false. | bool |
disablePrometheusMetricsScraping | Indicates whether prometheus metrics scraping is disabled or not. If not specified, the default is false. Even when this field is false, no prometheus metrics will be emitted if the container insights 'enabled' field is false. | bool |
enabled | Indicates if Azure Monitor Container Insights Logs Addon is enabled or not. | bool |
logAnalyticsWorkspaceResourceId | Fully Qualified ARM Resource Id of Azure Log Analytics Workspace for storing Azure Monitor Container Insights Logs. | string |
syslogPort | The syslog host port. If not specified, the default port is 28330. | int |
ManagedClusterAzureMonitorProfileKubeStateMetrics
Name | Description | Value |
---|---|---|
metricAnnotationsAllowList | Comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric. | string |
metricLabelsAllowlist | Comma-separated list of Kubernetes annotation keys that will be used in the resource's labels metric. | string |
ManagedClusterAzureMonitorProfileMetrics
Name | Description | Value |
---|---|---|
enabled | Whether to enable the Prometheus collector | bool (required) |
kubeStateMetrics | Kube State Metrics for prometheus addon profile for the container service cluster | ManagedClusterAzureMonitorProfileKubeStateMetrics |
ManagedClusterBootstrapProfile
Name | Description | Value |
---|---|---|
artifactSource | The source where the artifacts are downloaded from. | 'Cache' 'Direct' |
containerRegistryId | The resource Id of Azure Container Registry. The registry must have private network access, premium SKU and zone redundancy. | string |
ManagedClusterCostAnalysis
Name | Description | Value |
---|---|---|
enabled | The Managed Cluster sku.tier must be set to 'Standard' or 'Premium' to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. If not specified, the default is false. For more information see aka.ms/aks/docs/cost-analysis. | bool |
ManagedClusterHttpProxyConfig
Name | Description | Value |
---|---|---|
httpProxy | The HTTP proxy server endpoint to use. | string |
httpsProxy | The HTTPS proxy server endpoint to use. | string |
noProxy | The endpoints that should not go through proxy. | string[] |
trustedCa | Alternative CA cert to use for connecting to proxy servers. | string |
ManagedClusterIdentity
Name | Description | Value |
---|---|---|
delegatedResources | The delegated identity resources assigned to this managed cluster. This can only be set by another Azure Resource Provider, and a managed cluster only accepts one delegated identity resource. Internal use only. | DelegatedResources |
type | For more information see use managed identities in AKS. | 'None' 'SystemAssigned' 'UserAssigned' |
userAssignedIdentities | The keys must be ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | ManagedClusterIdentityUserAssignedIdentities |
ManagedClusterIdentityUserAssignedIdentities
Name | Description | Value |
---|---|---|
ManagedClusterIngressProfile
Name | Description | Value |
---|---|---|
webAppRouting | Web App Routing settings for the ingress profile. | ManagedClusterIngressProfileWebAppRouting |
ManagedClusterIngressProfileNginx
Name | Description | Value |
---|---|---|
defaultIngressControllerType | Ingress type for the default NginxIngressController custom resource | 'AnnotationControlled' 'External' 'Internal' 'None' |
ManagedClusterIngressProfileWebAppRouting
Name | Description | Value |
---|---|---|
dnsZoneResourceIds | Resource IDs of the DNS zones to be associated with the Web App Routing add-on. Used only when Web App Routing is enabled. Public and private DNS zones can be in different resource groups, but all public DNS zones must be in the same resource group and all private DNS zones must be in the same resource group. | string[] |
enabled | Whether to enable Web App Routing. | bool |
nginx | Configuration for the default NginxIngressController. See more at /azure/aks/app-routing-nginx-configuration#the-default-nginx-ingress-controller. | ManagedClusterIngressProfileNginx |
ManagedClusterLoadBalancerProfile
Name | Description | Value |
---|---|---|
allocatedOutboundPorts | The desired number of allocated SNAT ports per VM. Allowed values are in the range of 0 to 64000 (inclusive). The default value is 0 which results in Azure dynamically allocating ports. | int Constraints: Min value = 0 Max value = 64000 |
backendPoolType | The type of the managed inbound Load Balancer BackendPool. | 'NodeIP' 'NodeIPConfiguration' |
clusterServiceLoadBalancerHealthProbeMode | The health probing behavior for External Traffic Policy Cluster services. | 'ServiceNodePort' 'Shared' |
effectiveOutboundIPs | The effective outbound IP resources of the cluster load balancer. | ResourceReference[] |
enableMultipleStandardLoadBalancers | Enable multiple standard load balancers per AKS cluster or not. | bool |
idleTimeoutInMinutes | Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 30 minutes. | int Constraints: Min value = 4 Max value = 120 |
managedOutboundIPs | Desired managed outbound IPs for the cluster load balancer. | ManagedClusterLoadBalancerProfileManagedOutboundIPs |
outboundIPPrefixes | Desired outbound IP Prefix resources for the cluster load balancer. | ManagedClusterLoadBalancerProfileOutboundIPPrefixes |
outboundIPs | Desired outbound IP resources for the cluster load balancer. | ManagedClusterLoadBalancerProfileOutboundIPs |
ManagedClusterLoadBalancerProfileManagedOutboundIPs
Name | Description | Value |
---|---|---|
count | The desired number of IPv4 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1. | int Constraints: Min value = 1 Max value = 100 |
countIPv6 | The desired number of IPv6 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack. | int Constraints: Min value = 0 Max value = 100 |
ManagedClusterLoadBalancerProfileOutboundIPPrefixes
Name | Description | Value |
---|---|---|
publicIPPrefixes | A list of public IP prefix resources. | ResourceReference[] |
ManagedClusterLoadBalancerProfileOutboundIPs
Name | Description | Value |
---|---|---|
publicIPs | A list of public IP resources. | ResourceReference[] |
ManagedClusterManagedOutboundIPProfile
Name | Description | Value |
---|---|---|
count | The desired number of outbound IPs created/managed by Azure. Allowed values must be in the range of 1 to 16 (inclusive). The default value is 1. | int Constraints: Min value = 1 Max value = 16 |
ManagedClusterMetricsProfile
Name | Description | Value |
---|---|---|
costAnalysis | The cost analysis configuration for the cluster | ManagedClusterCostAnalysis |
ManagedClusterNATGatewayProfile
Name | Description | Value |
---|---|---|
effectiveOutboundIPs | The effective outbound IP resources of the cluster NAT gateway. | ResourceReference[] |
idleTimeoutInMinutes | Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 4 minutes. | int Constraints: Min value = 4 Max value = 120 |
managedOutboundIPProfile | Profile of the managed outbound IP resources of the cluster NAT gateway. | ManagedClusterManagedOutboundIPProfile |
ManagedClusterNodeProvisioningProfile
Name | Description | Value |
---|---|---|
mode | Once the mode is set to Auto, it cannot be changed back to Manual. | 'Auto' 'Manual' |
ManagedClusterNodeResourceGroupProfile
Name | Description | Value |
---|---|---|
restrictionLevel | The restriction level applied to the cluster's node resource group | 'ReadOnly' 'Unrestricted' |
ManagedClusterOidcIssuerProfile
Name | Description | Value |
---|---|---|
enabled | Whether the OIDC issuer is enabled. | bool |
ManagedClusterPodIdentity
Name | Description | Value |
---|---|---|
bindingSelector | The binding selector to use for the AzureIdentityBinding resource. | string |
identity | The user assigned identity details. | UserAssignedIdentity (required) |
name | The name of the pod identity. | string (required) |
namespace | The namespace of the pod identity. | string (required) |
ManagedClusterPodIdentityException
Name | Description | Value |
---|---|---|
name | The name of the pod identity exception. | string (required) |
namespace | The namespace of the pod identity exception. | string (required) |
podLabels | The pod labels to match. | ManagedClusterPodIdentityExceptionPodLabels (required) |
ManagedClusterPodIdentityExceptionPodLabels
Name | Description | Value |
---|---|---|
ManagedClusterPodIdentityProfile
Name | Description | Value |
---|---|---|
allowNetworkPluginKubenet | Running in Kubenet is disabled by default due to the security-related nature of AAD Pod Identity and the risk of IP spoofing. See using Kubenet network plugin with AAD Pod Identity for more information. | bool |
enabled | Whether the pod identity addon is enabled. | bool |
userAssignedIdentities | The pod identities to use in the cluster. | ManagedClusterPodIdentity[] |
userAssignedIdentityExceptions | The pod identity exceptions to allow. | ManagedClusterPodIdentityException[] |
ManagedClusterProperties
Name | Description | Value |
---|---|---|
aadProfile | The Azure Active Directory configuration. | ManagedClusterAADProfile |
addonProfiles | The profile of managed cluster add-on. | ManagedClusterPropertiesAddonProfiles |
agentPoolProfiles | The agent pool properties. | ManagedClusterAgentPoolProfile[] |
aiToolchainOperatorProfile | AI toolchain operator settings that apply to the whole cluster. | ManagedClusterAIToolchainOperatorProfile |
apiServerAccessProfile | The access profile for managed cluster API server. | ManagedClusterAPIServerAccessProfile |
autoScalerProfile | Parameters to be applied to the cluster-autoscaler when enabled | ManagedClusterPropertiesAutoScalerProfile |
autoUpgradeProfile | The auto upgrade configuration. | ManagedClusterAutoUpgradeProfile |
azureMonitorProfile | Prometheus addon profile for the container service cluster | ManagedClusterAzureMonitorProfile |
bootstrapProfile | Profile of the cluster bootstrap configuration. | ManagedClusterBootstrapProfile |
creationData | CreationData to be used to specify the source Snapshot ID if the cluster will be created/upgraded using a snapshot. | CreationData |
disableLocalAccounts | If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. For more details see disable local accounts. | bool |
diskEncryptionSetID | This is of the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/diskEncryptionSets/{encryptionSetName}' | string |
dnsPrefix | This cannot be updated once the Managed Cluster has been created. | string |
enableNamespaceResources | The default value is false. It can be enabled/disabled on creation and updating of the managed cluster. See https://aka.ms/NamespaceARMResource for more details on Namespace as an ARM Resource. | bool |
enablePodSecurityPolicy | (DEPRECATED) Whether to enable Kubernetes pod security policy (preview). PodSecurityPolicy was deprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25. Learn more at https://aka.ms/k8s/psp and https://aka.ms/aks/psp. | bool |
enableRBAC | Whether to enable Kubernetes Role-Based Access Control. | bool |
fqdnSubdomain | This cannot be updated once the Managed Cluster has been created. | string |
httpProxyConfig | Configurations for provisioning the cluster with HTTP proxy servers. | ManagedClusterHttpProxyConfig |
identityProfile | The user identity associated with the managed cluster. This identity will be used by the kubelet. Only one user assigned identity is allowed. The only accepted key is "kubeletidentity", with value of "resourceId": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}". | ManagedClusterPropertiesIdentityProfile |
ingressProfile | Ingress profile for the managed cluster. | ManagedClusterIngressProfile |
kubernetesVersion | When you upgrade a supported AKS cluster, Kubernetes minor versions cannot be skipped. All upgrades must be performed sequentially, one minor version at a time. For example, upgrades between 1.14.x -> 1.15.x or 1.15.x -> 1.16.x are allowed, however 1.14.x -> 1.16.x is not allowed. See upgrading an AKS cluster for more details. | string |
linuxProfile | The profile for Linux VMs in the Managed Cluster. | ContainerServiceLinuxProfile |
metricsProfile | Optional cluster metrics configuration. | ManagedClusterMetricsProfile |
networkProfile | The network configuration profile. | ContainerServiceNetworkProfile |
nodeProvisioningProfile | Node provisioning settings that apply to the whole cluster. | ManagedClusterNodeProvisioningProfile |
nodeResourceGroup | The name of the resource group containing agent pool nodes. | string |
nodeResourceGroupProfile | The node resource group configuration profile. | ManagedClusterNodeResourceGroupProfile |
oidcIssuerProfile | The OIDC issuer profile of the Managed Cluster. | ManagedClusterOidcIssuerProfile |
podIdentityProfile | See use AAD pod identity for more details on AAD pod identity integration. | ManagedClusterPodIdentityProfile |
privateLinkResources | Private link resources associated with the cluster. | PrivateLinkResource[] |
publicNetworkAccess | Allow or deny public network access for AKS | 'Disabled' 'Enabled' 'SecuredByPerimeter' |
safeguardsProfile | The Safeguards profile holds all the safeguards information for a given cluster | SafeguardsProfile |
securityProfile | Security profile for the managed cluster. | ManagedClusterSecurityProfile |
serviceMeshProfile | Service mesh profile for a managed cluster. | ServiceMeshProfile |
servicePrincipalProfile | Information about a service principal identity for the cluster to use for manipulating Azure APIs. | ManagedClusterServicePrincipalProfile |
storageProfile | Storage profile for the managed cluster. | ManagedClusterStorageProfile |
supportPlan | The support plan for the Managed Cluster. If unspecified, the default is 'KubernetesOfficial'. | 'AKSLongTermSupport' 'KubernetesOfficial' |
upgradeSettings | Settings for upgrading a cluster. | ClusterUpgradeSettings |
windowsProfile | The profile for Windows VMs in the Managed Cluster. | ManagedClusterWindowsProfile |
workloadAutoScalerProfile | Workload Auto-scaler profile for the managed cluster. | ManagedClusterWorkloadAutoScalerProfile |
ManagedClusterPropertiesAddonProfiles
Name | Description | Value |
---|---|---|
ManagedClusterPropertiesAutoScalerProfile
Name | Description | Value |
---|---|---|
balance-similar-node-groups | Valid values are 'true' and 'false' | string |
daemonset-eviction-for-empty-nodes | If set to true, all daemonset pods on empty nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted. | bool |
daemonset-eviction-for-occupied-nodes | If set to true, all daemonset pods on occupied nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted. | bool |
expander | Available values are: 'least-waste', 'most-pods', 'priority', 'random'. | 'least-waste' 'most-pods' 'priority' 'random' |
ignore-daemonsets-utilization | If set to true, the resources used by daemonset will be taken into account when making scaling down decisions. | bool |
max-empty-bulk-delete | The default is 10. | string |
max-graceful-termination-sec | The default is 600. | string |
max-node-provision-time | The default is '15m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string |
max-total-unready-percentage | The default is 45. The maximum is 100 and the minimum is 0. | string |
new-pod-scale-up-delay | For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. The default is '0s'. Values must be an integer followed by a unit ('s' for seconds, 'm' for minutes, 'h' for hours, etc). | string |
ok-total-unready-count | This must be an integer. The default is 3. | string |
scale-down-delay-after-add | The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string |
scale-down-delay-after-delete | The default is the scan-interval. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string |
scale-down-delay-after-failure | The default is '3m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string |
scale-down-unneeded-time | The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string |
scale-down-unready-time | The default is '20m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string |
scale-down-utilization-threshold | The default is '0.5'. | string |
scan-interval | The default is '10'. Values must be an integer number of seconds. | string |
skip-nodes-with-local-storage | The default is true. | string |
skip-nodes-with-system-pods | The default is true. | string |
ManagedClusterPropertiesIdentityProfile
Name | Description | Value |
---|---|---|
ManagedClusterSecurityProfile
Name | Description | Value |
---|---|---|
azureKeyVaultKms | Azure Key Vault key management service settings for the security profile. | AzureKeyVaultKms |
customCATrustCertificates | A list of up to 10 base64-encoded CAs that will be added to the trust store on nodes with the Custom CA Trust feature enabled. For more information, see Custom CA Trust Certificates. | any[] |
defender | Microsoft Defender settings for the security profile. | ManagedClusterSecurityProfileDefender |
imageCleaner | Image Cleaner settings for the security profile. | ManagedClusterSecurityProfileImageCleaner |
imageIntegrity | Image integrity is a feature that works with Azure Policy to verify image integrity by signature. This will not have any effect unless Azure Policy is applied to enforce image signatures. See https://aka.ms/aks/image-integrity for how to use this feature via policy. | ManagedClusterSecurityProfileImageIntegrity |
nodeRestriction | Node Restriction settings for the security profile. | ManagedClusterSecurityProfileNodeRestriction |
workloadIdentity | Workload identity settings for the security profile. Workload identity enables Kubernetes applications to access Azure cloud resources securely with Azure AD. See https://aka.ms/aks/wi for more details. | ManagedClusterSecurityProfileWorkloadIdentity |
ManagedClusterSecurityProfileDefender
Name | Description | Value |
---|---|---|
logAnalyticsWorkspaceResourceId | Resource ID of the Log Analytics workspace to be associated with Microsoft Defender. When Microsoft Defender is enabled, this field is required and must be a valid workspace resource ID. When Microsoft Defender is disabled, leave the field empty. | string |
securityMonitoring | Microsoft Defender for Cloud threat detection settings for the security profile. | ManagedClusterSecurityProfileDefenderSecurityMonitoring |
ManagedClusterSecurityProfileDefenderSecurityMonitoring
Name | Description | Value |
---|---|---|
enabled | Whether to enable Defender threat detection | bool |
ManagedClusterSecurityProfileImageCleaner
Name | Description | Value |
---|---|---|
enabled | Whether to enable Image Cleaner on AKS cluster. | bool |
intervalHours | Image Cleaner scanning interval in hours. | int |
ManagedClusterSecurityProfileImageIntegrity
Name | Description | Value |
---|---|---|
enabled | Whether to enable image integrity. The default value is false. | bool |
ManagedClusterSecurityProfileNodeRestriction
Name | Description | Value |
---|---|---|
enabled | Whether to enable Node Restriction | bool |
ManagedClusterSecurityProfileWorkloadIdentity
Name | Description | Value |
---|---|---|
enabled | Whether to enable workload identity. | bool |
ManagedClusterServicePrincipalProfile
Name | Description | Value |
---|---|---|
clientId | The ID for the service principal. | string (required) |
secret | The secret password associated with the service principal, in plain text. Treat it as a secret: supply it through a secure parameter rather than embedding a literal in the template. | string |
ManagedClusterSKU
Name | Description | Value |
---|---|---|
name | The name of a managed cluster SKU. | 'Automatic' 'Base' |
tier | If not specified, the default is 'Free'. See AKS Pricing Tier for more details. | 'Free' 'Premium' 'Standard' |
ManagedClusterStaticEgressGatewayProfile
Name | Description | Value |
---|---|---|
enabled | Indicates whether the Static Egress Gateway addon is enabled. | bool |
ManagedClusterStorageProfile
Name | Description | Value |
---|---|---|
blobCSIDriver | AzureBlob CSI Driver settings for the storage profile. | ManagedClusterStorageProfileBlobCSIDriver |
diskCSIDriver | AzureDisk CSI Driver settings for the storage profile. | ManagedClusterStorageProfileDiskCSIDriver |
fileCSIDriver | AzureFile CSI Driver settings for the storage profile. | ManagedClusterStorageProfileFileCSIDriver |
snapshotController | Snapshot Controller settings for the storage profile. | ManagedClusterStorageProfileSnapshotController |
ManagedClusterStorageProfileBlobCSIDriver
Name | Description | Value |
---|---|---|
enabled | Whether to enable AzureBlob CSI Driver. The default value is false. | bool |
ManagedClusterStorageProfileDiskCSIDriver
Name | Description | Value |
---|---|---|
enabled | Whether to enable AzureDisk CSI Driver. The default value is true. | bool |
version | The version of AzureDisk CSI Driver. The default value is v1. | string |
ManagedClusterStorageProfileFileCSIDriver
Name | Description | Value |
---|---|---|
enabled | Whether to enable AzureFile CSI Driver. The default value is true. | bool |
ManagedClusterStorageProfileSnapshotController
Name | Description | Value |
---|---|---|
enabled | Whether to enable Snapshot Controller. The default value is true. | bool |
ManagedClusterWindowsProfile
Name | Description | Value |
---|---|---|
adminPassword | Specifies the password of the administrator account. Minimum length: 8 characters. Maximum length: 123 characters. Complexity requirements: 3 of the following 4 conditions must be met: has lowercase characters; has uppercase characters; has a digit; has a special character (regex match [\W_]). Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!" | string |
adminUsername | Specifies the name of the administrator account. Restriction: cannot end in ".". Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5". Minimum length: 1 character. Maximum length: 20 characters. | string (required) |
enableCSIProxy | For more details on CSI proxy, see the CSI proxy GitHub repo. | bool |
gmsaProfile | The Windows gMSA Profile in the Managed Cluster. | WindowsGmsaProfile |
licenseType | The license type to use for Windows VMs. See Azure Hybrid User Benefits for more details. | 'None' 'Windows_Server' |
ManagedClusterWorkloadAutoScalerProfile
Name | Description | Value |
---|---|---|
keda | KEDA (Kubernetes Event-driven Autoscaling) settings for the workload auto-scaler profile. | ManagedClusterWorkloadAutoScalerProfileKeda |
verticalPodAutoscaler | VPA (Vertical Pod Autoscaler) settings for the workload auto-scaler profile. | ManagedClusterWorkloadAutoScalerProfileVerticalPodAutoscaler |
ManagedClusterWorkloadAutoScalerProfileKeda
Name | Description | Value |
---|---|---|
enabled | Whether to enable KEDA. | bool (required) |
ManagedClusterWorkloadAutoScalerProfileVerticalPodAutoscaler
Name | Description | Value |
---|---|---|
addonAutoscaling | Whether VPA add-on is enabled and configured to scale AKS-managed add-ons. | 'Disabled' 'Enabled' |
enabled | Whether to enable VPA add-on in cluster. Default value is false. | bool (required) |
ManagedServiceIdentityUserAssignedIdentitiesValue
Name | Description | Value |
---|---|---|
ManualScaleProfile
Name | Description | Value |
---|---|---|
count | Number of nodes. | int |
sizes | The list of allowed VM sizes, e.g. ['Standard_E4s_v3', 'Standard_E16s_v3', 'Standard_D16s_v5']. AKS will use the first available one when scaling. If a VM size is unavailable (e.g. due to quota or regional capacity reasons), AKS will use the next size. | string[] |
Microsoft.ContainerService/managedClusters
Name | Description | Value |
---|---|---|
extendedLocation | The extended location of the Virtual Machine. | ExtendedLocation |
identity | The identity of the managed cluster, if configured. | ManagedClusterIdentity |
kind | This is primarily used to expose different UI experiences in the portal for different kinds. | string |
location | The geo-location where the resource lives | string (required) |
name | The resource name | string Constraints: Min length = 1 Max length = 1 Pattern = ^[a-zA-Z0-9]$|^[a-zA-Z0-9][-_a-zA-Z0-9]{0,61}[a-zA-Z0-9]$ (required) |
properties | Properties of a managed cluster. | ManagedClusterProperties |
sku | The managed cluster SKU. | ManagedClusterSKU |
tags | Resource tags | Dictionary of tag names and values. |
type | The resource type | "Microsoft.ContainerService/managedClusters@2024-09-02-preview" |
PortRange
Name | Description | Value |
---|---|---|
portEnd | The maximum port included in the range. It must be in the range 1 to 65535 and greater than or equal to portStart. | int Constraints: Min value = 1 Max value = 65535 |
portStart | The minimum port included in the range. It must be in the range 1 to 65535 and less than or equal to portEnd. | int Constraints: Min value = 1 Max value = 65535 |
protocol | The network protocol of the port. | 'TCP' 'UDP' |
PowerState
Name | Description | Value |
---|---|---|
code | Tells whether the cluster is Running or Stopped | 'Running' 'Stopped' |
PrivateLinkResource
Name | Description | Value |
---|---|---|
groupId | The group ID of the resource. | string |
id | The ID of the private link resource. | string |
name | The name of the private link resource. | string |
requiredMembers | The RequiredMembers of the resource | string[] |
type | The resource type. | string |
ResourceReference
Name | Description | Value |
---|---|---|
id | The fully qualified Azure resource id. | string |
SafeguardsProfile
Name | Description | Value |
---|---|---|
excludedNamespaces | List of namespaces excluded from Safeguards checks | string[] |
level | The Safeguards level to be used. By default, Safeguards is enabled for all namespaces except those that AKS excludes via systemExcludedNamespaces | 'Enforcement' 'Off' 'Warning' (required) |
version | The version of constraints to use | string |
ScaleProfile
Name | Description | Value |
---|---|---|
autoscale | Specifications on how to auto-scale the VirtualMachines agent pool within a predefined size range. Currently, at most one AutoScaleProfile is allowed. | AutoScaleProfile[] |
manual | Specifications on how to scale the VirtualMachines agent pool to a fixed size. | ManualScaleProfile[] |
ServiceMeshProfile
Name | Description | Value |
---|---|---|
istio | Istio service mesh configuration. | IstioServiceMesh |
mode | Mode of the service mesh. | 'Disabled' 'Istio' (required) |
SysctlConfig
Name | Description | Value |
---|---|---|
fsAioMaxNr | Sysctl setting fs.aio-max-nr. | int |
fsFileMax | Sysctl setting fs.file-max. | int |
fsInotifyMaxUserWatches | Sysctl setting fs.inotify.max_user_watches. | int |
fsNrOpen | Sysctl setting fs.nr_open. | int |
kernelThreadsMax | Sysctl setting kernel.threads-max. | int |
netCoreNetdevMaxBacklog | Sysctl setting net.core.netdev_max_backlog. | int |
netCoreOptmemMax | Sysctl setting net.core.optmem_max. | int |
netCoreRmemDefault | Sysctl setting net.core.rmem_default. | int |
netCoreRmemMax | Sysctl setting net.core.rmem_max. | int |
netCoreSomaxconn | Sysctl setting net.core.somaxconn. | int |
netCoreWmemDefault | Sysctl setting net.core.wmem_default. | int |
netCoreWmemMax | Sysctl setting net.core.wmem_max. | int |
netIpv4IpLocalPortRange | Sysctl setting net.ipv4.ip_local_port_range. | string |
netIpv4NeighDefaultGcThresh1 | Sysctl setting net.ipv4.neigh.default.gc_thresh1. | int |
netIpv4NeighDefaultGcThresh2 | Sysctl setting net.ipv4.neigh.default.gc_thresh2. | int |
netIpv4NeighDefaultGcThresh3 | Sysctl setting net.ipv4.neigh.default.gc_thresh3. | int |
netIpv4TcpFinTimeout | Sysctl setting net.ipv4.tcp_fin_timeout. | int |
netIpv4TcpkeepaliveIntvl | Sysctl setting net.ipv4.tcp_keepalive_intvl. | int Constraints: Min value = 10 Max value = 90 |
netIpv4TcpKeepaliveProbes | Sysctl setting net.ipv4.tcp_keepalive_probes. | int |
netIpv4TcpKeepaliveTime | Sysctl setting net.ipv4.tcp_keepalive_time. | int |
netIpv4TcpMaxSynBacklog | Sysctl setting net.ipv4.tcp_max_syn_backlog. | int |
netIpv4TcpMaxTwBuckets | Sysctl setting net.ipv4.tcp_max_tw_buckets. | int |
netIpv4TcpTwReuse | Sysctl setting net.ipv4.tcp_tw_reuse. | bool |
netNetfilterNfConntrackBuckets | Sysctl setting net.netfilter.nf_conntrack_buckets. | int Constraints: Min value = 65536 Max value = 524288 |
netNetfilterNfConntrackMax | Sysctl setting net.netfilter.nf_conntrack_max. | int Constraints: Min value = 131072 Max value = 2097152 |
vmMaxMapCount | Sysctl setting vm.max_map_count. | int |
vmSwappiness | Sysctl setting vm.swappiness. | int |
vmVfsCachePressure | Sysctl setting vm.vfs_cache_pressure. | int |
TrackedResourceTags
Name | Description | Value |
---|---|---|
UpgradeOverrideSettings
Name | Description | Value |
---|---|---|
forceUpgrade | Whether to force upgrade the cluster. Note that this option instructs upgrade operation to bypass upgrade protections such as checking for deprecated API usage. Enable this option only with caution. | bool |
until | Until when the overrides are effective. Note that this only matches the start time of an upgrade; the effectiveness will not change once an upgrade starts, even if the until time expires while the upgrade proceeds. This field is not set by default. It must be set for the overrides to take effect. | string |
UserAssignedIdentity
Name | Description | Value |
---|---|---|
clientId | The client ID of the user assigned identity. | string |
objectId | The object ID of the user assigned identity. | string |
resourceId | The resource ID of the user assigned identity. | string |
VirtualMachineNodes
Name | Description | Value |
---|---|---|
count | Number of nodes. | int |
size | The VM size of the agents used to host this group of nodes. | string |
VirtualMachinesProfile
Name | Description | Value |
---|---|---|
scale | Specifications on how to scale a VirtualMachines agent pool. | ScaleProfile |
WindowsGmsaProfile
Name | Description | Value |
---|---|---|
dnsServer | Specifies the DNS server for Windows gMSA. Set it to empty if you have configured the DNS server in the vnet that is used to create the managed cluster. | string |
enabled | Specifies whether to enable Windows gMSA in the managed cluster. | bool |
rootDomainName | Specifies the root domain name for Windows gMSA. Set it to empty if you have configured the DNS server in the vnet that is used to create the managed cluster. | string |