
Bicep resource definition

The managedClusters resource type can be deployed with operations that target:

  • Resource groups - See resource group deployment commands

For a list of changed properties in each API version, see change log.

    Remarks

    For information about available add-ons, see Add-ons, extensions, and other integrations with Azure Kubernetes Service.

    Resource format

    To create a Microsoft.ContainerService/managedClusters resource, add the following Bicep to your template.

    resource symbolicname 'Microsoft.ContainerService/managedClusters@2024-06-02-preview' = {
      name: 'string'
      location: 'string'
      tags: {
        tagName1: 'tagValue1'
        tagName2: 'tagValue2'
      }
      sku: {
        name: 'string'
        tier: 'string'
      }
      kind: 'string'
      extendedLocation: {
        name: 'string'
        type: 'EdgeZone'
      }
      identity: {
        delegatedResources: {
          {customized property}: {
            location: 'string'
            referralResource: 'string'
            resourceId: 'string'
            tenantId: 'string'
          }
        }
        type: 'string'
        userAssignedIdentities: {
          {customized property}: {}
        }
      }
      properties: {
        aadProfile: {
          adminGroupObjectIDs: [
            'string'
          ]
          clientAppID: 'string'
          enableAzureRBAC: bool
          managed: bool
          serverAppID: 'string'
          serverAppSecret: 'string'
          tenantID: 'string'
        }
        addonProfiles: {
          {customized property}: {
            config: {
              {customized property}: 'string'
            }
            enabled: bool
          }
        }
        agentPoolProfiles: [
          {
            artifactStreamingProfile: {
              enabled: bool
            }
            availabilityZones: [
              'string'
            ]
            capacityReservationGroupID: 'string'
            count: int
            creationData: {
              sourceResourceId: 'string'
            }
            enableAutoScaling: bool
            enableCustomCATrust: bool
            enableEncryptionAtHost: bool
            enableFIPS: bool
            enableNodePublicIP: bool
            enableUltraSSD: bool
            gatewayProfile: {
              publicIPPrefixSize: int
            }
            gpuInstanceProfile: 'string'
            gpuProfile: {
              installGPUDriver: bool
            }
            hostGroupID: 'string'
            kubeletConfig: {
              allowedUnsafeSysctls: [
                'string'
              ]
              containerLogMaxFiles: int
              containerLogMaxSizeMB: int
              cpuCfsQuota: bool
              cpuCfsQuotaPeriod: 'string'
              cpuManagerPolicy: 'string'
              failSwapOn: bool
              imageGcHighThreshold: int
              imageGcLowThreshold: int
              podMaxPids: int
              topologyManagerPolicy: 'string'
            }
            kubeletDiskType: 'string'
            linuxOSConfig: {
              swapFileSizeMB: int
              sysctls: {
                fsAioMaxNr: int
                fsFileMax: int
                fsInotifyMaxUserWatches: int
                fsNrOpen: int
                kernelThreadsMax: int
                netCoreNetdevMaxBacklog: int
                netCoreOptmemMax: int
                netCoreRmemDefault: int
                netCoreRmemMax: int
                netCoreSomaxconn: int
                netCoreWmemDefault: int
                netCoreWmemMax: int
                netIpv4IpLocalPortRange: 'string'
                netIpv4NeighDefaultGcThresh1: int
                netIpv4NeighDefaultGcThresh2: int
                netIpv4NeighDefaultGcThresh3: int
                netIpv4TcpFinTimeout: int
                netIpv4TcpkeepaliveIntvl: int
                netIpv4TcpKeepaliveProbes: int
                netIpv4TcpKeepaliveTime: int
                netIpv4TcpMaxSynBacklog: int
                netIpv4TcpMaxTwBuckets: int
                netIpv4TcpTwReuse: bool
                netNetfilterNfConntrackBuckets: int
                netNetfilterNfConntrackMax: int
                vmMaxMapCount: int
                vmSwappiness: int
                vmVfsCachePressure: int
              }
              transparentHugePageDefrag: 'string'
              transparentHugePageEnabled: 'string'
            }
            maxCount: int
            maxPods: int
            messageOfTheDay: 'string'
            minCount: int
            mode: 'string'
            name: 'string'
            networkProfile: {
              allowedHostPorts: [
                {
                  portEnd: int
                  portStart: int
                  protocol: 'string'
                }
              ]
              applicationSecurityGroups: [
                'string'
              ]
              nodePublicIPTags: [
                {
                  ipTagType: 'string'
                  tag: 'string'
                }
              ]
            }
            nodeInitializationTaints: [
              'string'
            ]
            nodeLabels: {
              {customized property}: 'string'
            }
            nodePublicIPPrefixID: 'string'
            nodeTaints: [
              'string'
            ]
            orchestratorVersion: 'string'
            osDiskSizeGB: int
            osDiskType: 'string'
            osSKU: 'string'
            osType: 'string'
            podIPAllocationMode: 'string'
            podSubnetID: 'string'
            powerState: {
              code: 'string'
            }
            proximityPlacementGroupID: 'string'
            scaleDownMode: 'string'
            scaleSetEvictionPolicy: 'string'
            scaleSetPriority: 'string'
            securityProfile: {
              enableSecureBoot: bool
              enableVTPM: bool
              sshAccess: 'string'
            }
            spotMaxPrice: json('decimal-as-string')
            tags: {}
            type: 'string'
            upgradeSettings: {
              drainTimeoutInMinutes: int
              maxSurge: 'string'
              nodeSoakDurationInMinutes: int
              undrainableNodeBehavior: 'string'
            }
            virtualMachineNodesStatus: [
              {
                count: int
                size: 'string'
              }
            ]
            virtualMachinesProfile: {
              scale: {
                autoscale: [
                  {
                    maxCount: int
                    minCount: int
                    sizes: [
                      'string'
                    ]
                  }
                ]
                manual: [
                  {
                    count: int
                    sizes: [
                      'string'
                    ]
                  }
                ]
              }
            }
            vmSize: 'string'
            vnetSubnetID: 'string'
            windowsProfile: {
              disableOutboundNat: bool
            }
            workloadRuntime: 'string'
          }
        ]
        aiToolchainOperatorProfile: {
          enabled: bool
        }
        apiServerAccessProfile: {
          authorizedIPRanges: [
            'string'
          ]
          disableRunCommand: bool
          enablePrivateCluster: bool
          enablePrivateClusterPublicFQDN: bool
          enableVnetIntegration: bool
          privateDNSZone: 'string'
          subnetId: 'string'
        }
        autoScalerProfile: {
          'balance-similar-node-groups': 'string'
          'daemonset-eviction-for-empty-nodes': bool
          'daemonset-eviction-for-occupied-nodes': bool
          expander: 'string'
          'ignore-daemonsets-utilization': bool
          'max-empty-bulk-delete': 'string'
          'max-graceful-termination-sec': 'string'
          'max-node-provision-time': 'string'
          'max-total-unready-percentage': 'string'
          'new-pod-scale-up-delay': 'string'
          'ok-total-unready-count': 'string'
          'scale-down-delay-after-add': 'string'
          'scale-down-delay-after-delete': 'string'
          'scale-down-delay-after-failure': 'string'
          'scale-down-unneeded-time': 'string'
          'scale-down-unready-time': 'string'
          'scale-down-utilization-threshold': 'string'
          'scan-interval': 'string'
          'skip-nodes-with-local-storage': 'string'
          'skip-nodes-with-system-pods': 'string'
        }
        autoUpgradeProfile: {
          nodeOSUpgradeChannel: 'string'
          upgradeChannel: 'string'
        }
        azureMonitorProfile: {
          appMonitoring: {
            autoInstrumentation: {
              enabled: bool
            }
            openTelemetryLogs: {
              enabled: bool
              port: int
            }
            openTelemetryMetrics: {
              enabled: bool
              port: int
            }
          }
          containerInsights: {
            disableCustomMetrics: bool
            disablePrometheusMetricsScraping: bool
            enabled: bool
            logAnalyticsWorkspaceResourceId: 'string'
            syslogPort: int
          }
          metrics: {
            enabled: bool
            kubeStateMetrics: {
              metricAnnotationsAllowList: 'string'
              metricLabelsAllowlist: 'string'
            }
          }
        }
        bootstrapProfile: {
          artifactSource: 'string'
          containerRegistryId: 'string'
        }
        creationData: {
          sourceResourceId: 'string'
        }
        disableLocalAccounts: bool
        diskEncryptionSetID: 'string'
        dnsPrefix: 'string'
        enableNamespaceResources: bool
        enablePodSecurityPolicy: bool
        enableRBAC: bool
        fqdnSubdomain: 'string'
        httpProxyConfig: {
          httpProxy: 'string'
          httpsProxy: 'string'
          noProxy: [
            'string'
          ]
          trustedCa: 'string'
        }
        identityProfile: {
          {customized property}: {
            clientId: 'string'
            objectId: 'string'
            resourceId: 'string'
          }
        }
        ingressProfile: {
          webAppRouting: {
            dnsZoneResourceIds: [
              'string'
            ]
            enabled: bool
            nginx: {
              defaultIngressControllerType: 'string'
            }
          }
        }
        kubernetesVersion: 'string'
        linuxProfile: {
          adminUsername: 'string'
          ssh: {
            publicKeys: [
              {
                keyData: 'string'
              }
            ]
          }
        }
        metricsProfile: {
          costAnalysis: {
            enabled: bool
          }
        }
        networkProfile: {
          advancedNetworking: {
            observability: {
              enabled: bool
              tlsManagement: 'string'
            }
            security: {
              fqdnPolicy: {
                enabled: bool
              }
            }
          }
          dnsServiceIP: 'string'
          ipFamilies: [
            'string'
          ]
          kubeProxyConfig: {
            enabled: bool
            ipvsConfig: {
              scheduler: 'string'
              tcpFinTimeoutSeconds: int
              tcpTimeoutSeconds: int
              udpTimeoutSeconds: int
            }
            mode: 'string'
          }
          loadBalancerProfile: {
            allocatedOutboundPorts: int
            backendPoolType: 'string'
            clusterServiceLoadBalancerHealthProbeMode: 'string'
            effectiveOutboundIPs: [
              {
                id: 'string'
              }
            ]
            enableMultipleStandardLoadBalancers: bool
            idleTimeoutInMinutes: int
            managedOutboundIPs: {
              count: int
              countIPv6: int
            }
            outboundIPPrefixes: {
              publicIPPrefixes: [
                {
                  id: 'string'
                }
              ]
            }
            outboundIPs: {
              publicIPs: [
                {
                  id: 'string'
                }
              ]
            }
          }
          loadBalancerSku: 'string'
          natGatewayProfile: {
            effectiveOutboundIPs: [
              {
                id: 'string'
              }
            ]
            idleTimeoutInMinutes: int
            managedOutboundIPProfile: {
              count: int
            }
          }
          networkDataplane: 'string'
          networkMode: 'string'
          networkPlugin: 'string'
          networkPluginMode: 'overlay'
          networkPolicy: 'string'
          outboundType: 'string'
          podCidr: 'string'
          podCidrs: [
            'string'
          ]
          podLinkLocalAccess: 'string'
          serviceCidr: 'string'
          serviceCidrs: [
            'string'
          ]
          staticEgressGatewayProfile: {
            enabled: bool
          }
        }
        nodeProvisioningProfile: {
          mode: 'string'
        }
        nodeResourceGroup: 'string'
        nodeResourceGroupProfile: {
          restrictionLevel: 'string'
        }
        oidcIssuerProfile: {
          enabled: bool
        }
        podIdentityProfile: {
          allowNetworkPluginKubenet: bool
          enabled: bool
          userAssignedIdentities: [
            {
              bindingSelector: 'string'
              identity: {
                clientId: 'string'
                objectId: 'string'
                resourceId: 'string'
              }
              name: 'string'
              namespace: 'string'
            }
          ]
          userAssignedIdentityExceptions: [
            {
              name: 'string'
              namespace: 'string'
              podLabels: {
                {customized property}: 'string'
              }
            }
          ]
        }
        privateLinkResources: [
          {
            groupId: 'string'
            id: 'string'
            name: 'string'
            requiredMembers: [
              'string'
            ]
            type: 'string'
          }
        ]
        publicNetworkAccess: 'string'
        safeguardsProfile: {
          excludedNamespaces: [
            'string'
          ]
          level: 'string'
          version: 'string'
        }
        securityProfile: {
          azureKeyVaultKms: {
            enabled: bool
            keyId: 'string'
            keyVaultNetworkAccess: 'string'
            keyVaultResourceId: 'string'
          }
          customCATrustCertificates: [
          ]
          defender: {
            logAnalyticsWorkspaceResourceId: 'string'
            securityMonitoring: {
              enabled: bool
            }
          }
          imageCleaner: {
            enabled: bool
            intervalHours: int
          }
          imageIntegrity: {
            enabled: bool
          }
          nodeRestriction: {
            enabled: bool
          }
          workloadIdentity: {
            enabled: bool
          }
        }
        serviceMeshProfile: {
          istio: {
            certificateAuthority: {
              plugin: {
                certChainObjectName: 'string'
                certObjectName: 'string'
                keyObjectName: 'string'
                keyVaultId: 'string'
                rootCertObjectName: 'string'
              }
            }
            components: {
              egressGateways: [
                {
                  enabled: bool
                }
              ]
              ingressGateways: [
                {
                  enabled: bool
                  mode: 'string'
                }
              ]
            }
            revisions: [
              'string'
            ]
          }
          mode: 'string'
        }
        servicePrincipalProfile: {
          clientId: 'string'
          secret: 'string'
        }
        storageProfile: {
          blobCSIDriver: {
            enabled: bool
          }
          diskCSIDriver: {
            enabled: bool
            version: 'string'
          }
          fileCSIDriver: {
            enabled: bool
          }
          snapshotController: {
            enabled: bool
          }
        }
        supportPlan: 'string'
        upgradeSettings: {
          overrideSettings: {
            forceUpgrade: bool
            until: 'string'
          }
        }
        windowsProfile: {
          adminPassword: 'string'
          adminUsername: 'string'
          enableCSIProxy: bool
          gmsaProfile: {
            dnsServer: 'string'
            enabled: bool
            rootDomainName: 'string'
          }
          licenseType: 'string'
        }
        workloadAutoScalerProfile: {
          keda: {
            enabled: bool
          }
          verticalPodAutoscaler: {
            addonAutoscaling: 'string'
            enabled: bool
          }
        }
      }
    }
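The schema above lists every property, but not which of them carry the security posture of the cluster. The following is an added example, not code from the Microsoft Learn page or from the AKS team: a managedClusters resource that enables the identity, API-server, node and data-protection controls that the 2024-06-02-preview schema exposes. The parameter names, the pool name and the VM size are assumptions; the resource IDs come from your own subscription.

```bicep
// Added example (not from the page): a hardened AKS cluster built only from
// properties in the managedClusters@2024-06-02-preview schema. Parameter names,
// the pool name and the VM size are assumptions.
param location string = resourceGroup().location
param clusterName string = 'aks-hardened'
param controlPlaneIdentityId string   // user-assigned identity resource ID; needs key permissions on kmsKeyId
param adminGroupObjectId string       // Entra ID group that is granted cluster admin
param nodeSubnetId string             // subnet resource ID for the nodes
param logAnalyticsWorkspaceId string  // workspace that receives Defender and Container Insights data
param kmsKeyId string                 // Key Vault key identifier used to encrypt etcd secrets

resource aks 'Microsoft.ContainerService/managedClusters@2024-06-02-preview' = {
  name: clusterName
  location: location
  // A user-assigned identity replaces servicePrincipalProfile, so no client
  // secret sits in the template or in the deployment history.
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${controlPlaneIdentityId}': {}
    }
  }
  properties: {
    dnsPrefix: clusterName
    enableRBAC: true
    // Entra ID with Azure RBAC for Kubernetes authorization; with local
    // accounts disabled there is no static admin kubeconfig to obtain or leak.
    aadProfile: {
      managed: true
      enableAzureRBAC: true
      adminGroupObjectIDs: [
        adminGroupObjectId
      ]
    }
    disableLocalAccounts: true
    // Private API server, no public FQDN, and run-command switched off.
    apiServerAccessProfile: {
      enablePrivateCluster: true
      enablePrivateClusterPublicFQDN: false
      privateDNSZone: 'system'
      disableRunCommand: true
    }
    oidcIssuerProfile: {
      enabled: true   // required for workload identity federation
    }
    securityProfile: {
      workloadIdentity: {
        enabled: true
      }
      azureKeyVaultKms: {
        enabled: true
        keyId: kmsKeyId
        keyVaultNetworkAccess: 'Public'
      }
      defender: {
        logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceId
        securityMonitoring: {
          enabled: true
        }
      }
    }
    networkProfile: {
      networkPlugin: 'azure'
      networkPluginMode: 'overlay'
      networkPolicy: 'azure'   // NetworkPolicy objects are enforced rather than ignored
      loadBalancerSku: 'standard'
      outboundType: 'loadBalancer'
    }
    autoUpgradeProfile: {
      upgradeChannel: 'patch'
      nodeOSUpgradeChannel: 'NodeImage'
    }
    azureMonitorProfile: {
      containerInsights: {
        enabled: true
        logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceId
      }
    }
    agentPoolProfiles: [
      {
        name: 'system'
        mode: 'System'
        type: 'VirtualMachineScaleSets'
        count: 3
        vmSize: 'Standard_D4s_v5'
        osType: 'Linux'
        osSKU: 'AzureLinux'
        vnetSubnetID: nodeSubnetId
        enableNodePublicIP: false
        enableEncryptionAtHost: true   // requires the Microsoft.Compute/EncryptionAtHost feature in the subscription
        securityProfile: {
          enableSecureBoot: true
          enableVTPM: true
          sshAccess: 'Disabled'        // preview field; nodes expose no SSH listener
        }
        nodeTaints: [ 'CriticalAddonsOnly=true:NoSchedule' ]
      }
    ]
  }
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file hardened-aks.bicep` and the parameters above. The fields under agent pool `securityProfile` and `nodeRestriction`-style controls are preview in this API version, so a subscription may need the matching feature registration before the deployment succeeds; `disableLocalAccounts` is only valid together with a managed `aadProfile`, which is why both are set here.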

    Property values

    managedClusters

    Name | Description | Value
    ---- | ----------- | -----
    name | The resource name | string (required). Character limit: 1-63. Valid characters: alphanumerics, underscores, and hyphens. Start and end with alphanumeric.
    location | The geo-location where the resource lives | string (required)
    tags | Resource tags. | Dictionary of tag names and values. See Tags in templates
    sku | The managed cluster SKU. | ManagedClusterSKU
    kind | This is primarily used to expose different UI experiences in the portal for different kinds | string
    extendedLocation | The extended location of the Virtual Machine. | ExtendedLocation
    identity | The identity of the managed cluster, if configured. | ManagedClusterIdentity
    properties | Properties of a managed cluster. | ManagedClusterProperties

    ManagedClusterIdentity

    Name | Description | Value
    ---- | ----------- | -----
    delegatedResources | The delegated identity resources assigned to this managed cluster. This can only be set by another Azure Resource Provider, and managed cluster only accept one delegated identity resource. Internal use only. | DelegatedResources
    type | For more information see use managed identities in AKS. | 'None', 'SystemAssigned', 'UserAssigned'
    userAssignedIdentities | The keys must be ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | ManagedClusterIdentityUserAssignedIdentities

    DelegatedResources

    Name | Description | Value
    ---- | ----------- | -----
    referralResource | The delegation id of the referral delegation (optional) - internal use only. | string
    resourceId | The ARM resource id of the delegated resource - internal use only. | string
    tenantId | The tenant id of the delegated resource - internal use only. | string. Constraints: Min length = 36, Max length = 36, Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$

    ManagedClusterIdentityUserAssignedIdentities

    Name | Description | Value
    ---- | ----------- | -----
    {customized property} | | ManagedServiceIdentityUserAssignedIdentitiesValue

    ManagedServiceIdentityUserAssignedIdentitiesValue

    This object doesn't contain any properties to set during deployment. All properties are ReadOnly.

    ManagedClusterProperties

    Name | Description | Value
    ---- | ----------- | -----
    aiToolchainOperatorProfile | AI toolchain operator settings that apply to the whole cluster. | ManagedClusterAIToolchainOperatorProfile
    apiServerAccessProfile | The access profile for managed cluster API server. | ManagedClusterAPIServerAccessProfile
    autoScalerProfile | Parameters to be applied to the cluster-autoscaler when enabled | ManagedClusterPropertiesAutoScalerProfile
    autoUpgradeProfile | The auto upgrade configuration. | ManagedClusterAutoUpgradeProfile
    azureMonitorProfile | Prometheus addon profile for the container service cluster | ManagedClusterAzureMonitorProfile
    bootstrapProfile | Profile of the cluster bootstrap configuration. | ManagedClusterBootstrapProfile
    creationData | CreationData to be used to specify the source Snapshot ID if the cluster will be created/upgraded using a snapshot. | CreationData
    disableLocalAccounts | If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. For more details see disable local accounts. | bool
    diskEncryptionSetID | This is of the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/diskEncryptionSets/{encryptionSetName}' | string
    dnsPrefix | This cannot be updated once the Managed Cluster has been created. | string
    enableNamespaceResources | The default value is false. It can be enabled/disabled on creation and updating of the managed cluster. See https://aka.ms/NamespaceARMResource for more details on Namespace as an ARM Resource. | bool
    enablePodSecurityPolicy | (DEPRECATED) Whether to enable Kubernetes pod security policy (preview). PodSecurityPolicy was deprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25. Learn more at https://aka.ms/k8s/psp and https://aka.ms/aks/psp. | bool
    enableRBAC | Whether to enable Kubernetes Role-Based Access Control. | bool
    fqdnSubdomain | This cannot be updated once the Managed Cluster has been created. | string
    httpProxyConfig | Configurations for provisioning the cluster with HTTP proxy servers. | ManagedClusterHttpProxyConfig
    identityProfile | Identities associated with the cluster. | ManagedClusterPropertiesIdentityProfile
    ingressProfile | Ingress profile for the managed cluster. | ManagedClusterIngressProfile
    kubernetesVersion | When you upgrade a supported AKS cluster, Kubernetes minor versions cannot be skipped. All upgrades must be performed sequentially by major version number. For example, upgrades between 1.14.x -> 1.15.x or 1.15.x -> 1.16.x are allowed, however 1.14.x -> 1.16.x is not allowed. See upgrading an AKS cluster for more details. | string
    linuxProfile | The profile for Linux VMs in the Managed Cluster. | ContainerServiceLinuxProfile
    metricsProfile | Optional cluster metrics configuration. | ManagedClusterMetricsProfile
    networkProfile | The network configuration profile. | ContainerServiceNetworkProfile
    nodeProvisioningProfile | Node provisioning settings that apply to the whole cluster. | ManagedClusterNodeProvisioningProfile
    nodeResourceGroup | The name of the resource group containing agent pool nodes. | string
    nodeResourceGroupProfile | The node resource group configuration profile. | ManagedClusterNodeResourceGroupProfile
    oidcIssuerProfile | The OIDC issuer profile of the Managed Cluster. | ManagedClusterOidcIssuerProfile
    podIdentityProfile | See use AAD pod identity for more details on AAD pod identity integration. | ManagedClusterPodIdentityProfile
    privateLinkResources | Private link resources associated with the cluster. | PrivateLinkResource[]
    publicNetworkAccess | Allow or deny public network access for AKS | 'Disabled', 'Enabled', 'SecuredByPerimeter'
    safeguardsProfile | The Safeguards profile holds all the safeguards information for a given cluster | SafeguardsProfile
    securityProfile | Security profile for the managed cluster. | ManagedClusterSecurityProfile
    serviceMeshProfile | Service mesh profile for a managed cluster. | ServiceMeshProfile
    servicePrincipalProfile | Information about a service principal identity for the cluster to use for manipulating Azure APIs. | ManagedClusterServicePrincipalProfile
    storageProfile | Storage profile for the managed cluster. | ManagedClusterStorageProfile
    supportPlan | The support plan for the Managed Cluster. If unspecified, the default is 'KubernetesOfficial'. | 'AKSLongTermSupport', 'KubernetesOfficial'
    upgradeSettings | Settings for upgrading a cluster. | ClusterUpgradeSettings
    windowsProfile | The profile for Windows VMs in the Managed Cluster. | ManagedClusterWindowsProfile
    workloadAutoScalerProfile | Workload Auto-scaler profile for the managed cluster. | ManagedClusterWorkloadAutoScalerProfile

    ManagedClusterAADProfile

    Name | Description | Value
    ---- | ----------- | -----
    adminGroupObjectIDs | The list of AAD group object IDs that will have admin role of the cluster. | string[]
    clientAppID | (DEPRECATED) The client AAD application ID. Learn more at https://aka.ms/aks/aad-legacy. | string
    enableAzureRBAC | Whether to enable Azure RBAC for Kubernetes authorization. | bool
    managed | Whether to enable managed AAD. | bool
    serverAppID | (DEPRECATED) The server AAD application ID. Learn more at https://aka.ms/aks/aad-legacy. | string
    serverAppSecret | (DEPRECATED) The server AAD application secret. Learn more at https://aka.ms/aks/aad-legacy. | string
    tenantID | The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription. | string

    ManagedClusterAgentPoolProfile

    Name | Description | Value
    ---- | ----------- | -----
    artifactStreamingProfile | Configuration for using artifact streaming on AKS. | AgentPoolArtifactStreamingProfile
    availabilityZones | The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is 'VirtualMachineScaleSets'. | string[]
    capacityReservationGroupID | AKS will associate the specified agent pool with the Capacity Reservation Group. | string
    count | Number of agents (VMs) to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1. | int
    creationData | CreationData to be used to specify the source Snapshot ID if the node pool will be created/upgraded using a snapshot. | CreationData
    enableAutoScaling | Whether to enable auto-scaler | bool
    enableCustomCATrust | When set to true, AKS adds a label to the node indicating that the feature is enabled and deploys a daemonset along with host services to sync custom certificate authorities from user-provided list of base64 encoded certificates into node trust stores. Defaults to false. | bool
    enableEncryptionAtHost | This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption | bool
    enableFIPS | See Add a FIPS-enabled node pool for more details. | bool
    enableNodePublicIP | Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node. The default is false. | bool
    enableUltraSSD | Whether to enable UltraSSD | bool
    gatewayProfile | Profile specific to a managed agent pool in Gateway mode. This field cannot be set if agent pool mode is not Gateway. | AgentPoolGatewayProfile
    gpuInstanceProfile | GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. | 'MIG1g', 'MIG2g', 'MIG3g', 'MIG4g', 'MIG7g'
    gpuProfile | The GPU settings of an agent pool. | AgentPoolGPUProfile
    hostGroupID | This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/hostGroups/{hostGroupName}. For more information see Azure dedicated hosts. | string
    kubeletConfig | The Kubelet configuration on the agent pool nodes. | KubeletConfig
    kubeletDiskType | Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. | 'OS', 'Temporary'
    linuxOSConfig | The OS configuration of Linux agent nodes. | LinuxOSConfig
    maxCount | The maximum number of nodes for auto-scaling | int
    maxPods | The maximum number of pods that can run on a node. | int
    messageOfTheDay | A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of the message of the day for Linux nodes. It must not be specified for Windows nodes. It must be a static string (i.e., will be printed raw and not be executed as a script). | string
    minCount | The minimum number of nodes for auto-scaling | int
    mode | A cluster must have at least one 'System' Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: /azure/aks/use-system-pools | 'Gateway', 'System', 'User'
    name | Windows agent pool names must be 6 characters or less. | string (required). Constraints: Pattern = ^[a-z][a-z0-9]{0,11}$
    networkProfile | Network-related settings of an agent pool. | AgentPoolNetworkProfile
    nodeInitializationTaints | These taints will not be reconciled by AKS and can be removed with a kubectl call. This field can be modified after node pool is created, but nodes will not be recreated with new taints until another operation that requires recreation (e.g. node image upgrade) happens. These taints allow for required configuration to run before the node is ready to accept workloads, for example 'key1=value1:NoSchedule' that then can be removed with kubectl taint nodes node1 key1=value1:NoSchedule- | string[]
    nodeLabels | The node labels to be persisted across all nodes in agent pool. | ManagedClusterAgentPoolProfilePropertiesNodeLabels
    nodePublicIPPrefixID | This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPPrefixes/{publicIPPrefixName} | string
    nodeTaints | The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. | string[]
    orchestratorVersion | Both patch version {major.minor.patch} and {major.minor} are supported. When {major.minor} is specified, the latest supported patch version is chosen automatically. Updating the agent pool with the same {major.minor} once it has been created will not trigger an upgrade, even if a newer patch version is available. As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool. | string
    osDiskSizeGB | OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. | int. Constraints: Min value = 0, Max value = 2048
    osDiskType | The default is 'Ephemeral' if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. For more information see Ephemeral OS. | 'Ephemeral', 'Managed'
    osSKU | Specifies the OS SKU used by the agent pool. If not specified, the default is Ubuntu if OSType=Linux or Windows2019 if OSType=Windows. And the default Windows OSSKU will be changed to Windows2022 after Windows2019 is deprecated. | 'AzureLinux', 'CBLMariner', 'Mariner', 'Ubuntu', 'Windows2019', 'Windows2022', 'WindowsAnnual'
    osType | The operating system type. The default is Linux. | 'Linux', 'Windows'
    podIPAllocationMode | The IP allocation mode for pods in the agent pool. Must be used with podSubnetId. The default is 'DynamicIndividual'. | 'DynamicIndividual', 'StaticBlock'
    podSubnetID | If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} | string
    powerState | When an Agent Pool is first created it is initially Running. The Agent Pool can be stopped by setting this field to Stopped. A stopped Agent Pool stops all of its VMs and does not accrue billing charges. An Agent Pool can only be stopped if it is Running and provisioning state is Succeeded | PowerState
    proximityPlacementGroupID | The ID for Proximity Placement Group. | string
    scaleDownMode | This also affects the cluster autoscaler behavior. If not specified, it defaults to Delete. | 'Deallocate', 'Delete'
    scaleSetEvictionPolicy | This cannot be specified unless the scaleSetPriority is 'Spot'. If not specified, the default is 'Delete'. | 'Deallocate', 'Delete'
    scaleSetPriority | The Virtual Machine Scale Set priority. If not specified, the default is 'Regular'. | 'Regular', 'Spot'
    securityProfile | The security settings of an agent pool. | AgentPoolSecurityProfile
    spotMaxPrice | Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing. To specify a decimal value, use the json() function. | int or json decimal
    tags | The tags to be persisted on the agent pool virtual machine scale set. | object
    type | The type of Agent Pool. | 'AvailabilitySet', 'VirtualMachineScaleSets', 'VirtualMachines'
    upgradeSettings | Settings for upgrading the agentpool | AgentPoolUpgradeSettings
    virtualMachineNodesStatus | The status of nodes in a VirtualMachines agent pool. | VirtualMachineNodes[]
    virtualMachinesProfile | Specifications on VirtualMachines agent pool. | VirtualMachinesProfile
    vmSize | VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: /azure/aks/quotas-skus-regions | string
    vnetSubnetID | If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} | string
    windowsProfile | The Windows agent pool's specific profile. | AgentPoolWindowsProfile
    workloadRuntime | Determines the type of workload a node can run. | 'KataMshvVmIsolation', 'OCIContainer', 'WasmWasi'

    AgentPoolArtifactStreamingProfile

    Name | Description | Value
    ---- | ----------- | -----
    enabled | Artifact streaming speeds up the cold-start of containers on a node through on-demand image loading. To use this feature, container images must also enable artifact streaming on ACR. If not specified, the default is false. | bool

    CreationData

    Name | Description | Value
    ---- | ----------- | -----
    sourceResourceId | This is the ARM ID of the source object to be used to create the target object. | string

    AgentPoolGatewayProfile

    publicIPPrefixSize (int): The Gateway agent pool associates one public IPPrefix for each static egress gateway to provide public egress. The size of the public IPPrefix should be selected by the user. Each node in the agent pool is assigned one IP from the IPPrefix. The IPPrefix size thus serves as a cap on the size of the Gateway agent pool. Due to the Azure public IPPrefix size limitation, the valid value range is [28, 31] (/31 = 2 nodes/IPs, /30 = 4 nodes/IPs, /29 = 8 nodes/IPs, /28 = 16 nodes/IPs). The default value is 31. Constraints: Min value = 28, Max value = 31

    AgentPoolGPUProfile

    installGPUDriver (bool): The default value is true when the vmSize of the agent pool contains a GPU, false otherwise. GPU driver installation can only be set to true when the VM has an associated GPU resource. Setting this field to false prevents automatic GPU driver installation. In that case, in order for the GPU to be usable, the user must perform the GPU driver installation themselves.

    KubeletConfig

    allowedUnsafeSysctls (string[]): Allowed list of unsafe sysctls or unsafe sysctl patterns (ending in *).
    containerLogMaxFiles (int): The maximum number of container log files that can be present for a container. The number must be ≥ 2. Constraints: Min value = 2
    containerLogMaxSizeMB (int): The maximum size (e.g. 10Mi) of a container log file before it is rotated.
    cpuCfsQuota (bool): The default is true.
    cpuCfsQuotaPeriod (string): The default is '100ms'. Valid values are a sequence of decimal numbers with an optional fraction and a unit suffix. For example: '300ms', '2h45m'. Supported units are 'ns', 'us', 'ms', 's', 'm', and 'h'.
    cpuManagerPolicy (string): The default is 'none'. See Kubernetes CPU management policies for more information. Allowed values are 'none' and 'static'.
    failSwapOn (bool): If set to true, it will make the kubelet fail to start if swap is enabled on the node.
    imageGcHighThreshold (int): To disable image garbage collection, set to 100. The default is 85%.
    imageGcLowThreshold (int): This cannot be set higher than imageGcHighThreshold. The default is 80%.
    podMaxPids (int): The maximum number of processes per pod.
    topologyManagerPolicy (string): For more information see Kubernetes Topology Manager. The default is 'none'. Allowed values are 'none', 'best-effort', 'restricted', and 'single-numa-node'.

    LinuxOSConfig

    transparentHugePageDefrag (string): Valid values are 'always', 'defer', 'defer+madvise', 'madvise' and 'never'. The default is 'madvise'. For more information see Transparent Hugepages.
    transparentHugePageEnabled (string): Valid values are 'always', 'madvise', and 'never'. The default is 'always'. For more information see Transparent Hugepages.

    SysctlConfig

    netIpv4TcpkeepaliveIntvl (int): Sysctl setting net.ipv4.tcp_keepalive_intvl. Constraints: Min value = 10, Max value = 90
    netIpv4TcpKeepaliveProbes (int): Sysctl setting net.ipv4.tcp_keepalive_probes.
    netIpv4TcpKeepaliveTime (int): Sysctl setting net.ipv4.tcp_keepalive_time.
    netIpv4TcpMaxSynBacklog (int): Sysctl setting net.ipv4.tcp_max_syn_backlog.
    netIpv4TcpMaxTwBuckets (int): Sysctl setting net.ipv4.tcp_max_tw_buckets.
    netIpv4TcpTwReuse (bool): Sysctl setting net.ipv4.tcp_tw_reuse.
    netNetfilterNfConntrackBuckets (int): Sysctl setting net.netfilter.nf_conntrack_buckets. Constraints: Min value = 65536, Max value = 524288
    netNetfilterNfConntrackMax (int): Sysctl setting net.netfilter.nf_conntrack_max. Constraints: Min value = 131072, Max value = 2097152
    vmMaxMapCount (int): Sysctl setting vm.max_map_count.
    vmSwappiness (int): Sysctl setting vm.swappiness.
    vmVfsCachePressure (int): Sysctl setting vm.vfs_cache_pressure.

    AgentPoolNetworkProfile

    allowedHostPorts (PortRange[]): The port ranges that are allowed to be accessed. The specified ranges are allowed to overlap.
    applicationSecurityGroups (string[]): The IDs of the application security groups which the agent pool will associate with when created.
    nodePublicIPTags (IPTag[]): IPTags of instance-level public IPs.

    PortRange

    portEnd (int): The maximum port that is included in the range. It should range from 1 to 65535 and be greater than or equal to portStart. Constraints: Min value = 1, Max value = 65535
    portStart (int): The minimum port that is included in the range. It should range from 1 to 65535 and be less than or equal to portEnd. Constraints: Min value = 1, Max value = 65535
    protocol ('TCP' | 'UDP'): The network protocol of the port.

    AgentPoolSecurityProfile

    enableSecureBoot (bool): Secure Boot is a feature of Trusted Launch which ensures that only signed operating systems and drivers can boot. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false.
    enableVTPM (bool): vTPM is a Trusted Launch feature for configuring a dedicated secure vault for keys and measurements held locally on the node. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false.
    sshAccess ('Disabled' | 'LocalUser'): SSH access method of an agent pool.

    AgentPoolUpgradeSettings

    drainTimeoutInMinutes (int): The amount of time (in minutes) to wait on eviction of pods and graceful termination per node. This eviction wait time honors waiting on pod disruption budgets. If this time is exceeded, the upgrade fails. If not specified, the default is 30 minutes. Constraints: Min value = 1, Max value = 1440
    maxSurge (string): This can either be set to an integer (e.g. '5') or a percentage (e.g. '50%'). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 1. For more information, including best practices, see: /azure/aks/upgrade-cluster#customize-node-surge-upgrade
    nodeSoakDurationInMinutes (int): The amount of time (in minutes) to wait after draining a node and before reimaging it and moving on to the next node. If not specified, the default is 0 minutes. Constraints: Min value = 0, Max value = 30
    undrainableNodeBehavior ('Cordon' | 'Schedule'): Defines the behavior for undrainable nodes during upgrade. The most common cause of undrainable nodes is Pod Disruption Budgets (PDBs), but other issues, such as a pod termination grace period exceeding the remaining per-node drain timeout or a pod still being in a running state, can also cause undrainable nodes.

    ScaleProfile

    autoscale (AutoScaleProfile[]): Specifications on how to auto-scale the VirtualMachines agent pool within a predefined size range. Currently, at most one AutoScaleProfile is allowed.
    manual (ManualScaleProfile[]): Specifications on how to scale the VirtualMachines agent pool to a fixed size. Currently, at most one ManualScaleProfile is allowed.

    AutoScaleProfile

    sizes (string[]): The list of allowed VM sizes, e.g. ['Standard_E4s_v3', 'Standard_E16s_v3', 'Standard_D16s_v5']. AKS will use the first available one when auto scaling. If a VM size is unavailable (e.g. due to quota or regional capacity reasons), AKS will use the next size.

    ManualScaleProfile

    sizes (string[]): The list of allowed VM sizes, e.g. ['Standard_E4s_v3', 'Standard_E16s_v3', 'Standard_D16s_v5']. AKS will use the first available one when scaling. If a VM size is unavailable (e.g. due to quota or regional capacity reasons), AKS will use the next size.

    AgentPoolWindowsProfile

    disableOutboundNat (bool): The default value is false. Outbound NAT can only be disabled if the cluster outboundType is NAT Gateway and the Windows agent pool does not have node public IP enabled.

    ManagedClusterAPIServerAccessProfile

    authorizedIPRanges (string[]): IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. For more information see API server authorized IP ranges.
    disableRunCommand (bool): Whether to disable run command for the cluster or not.
    enablePrivateCluster (bool): For more details, see Creating a private AKS cluster.
    enablePrivateClusterPublicFQDN (bool): Whether to create an additional public FQDN for a private cluster or not.
    enableVnetIntegration (bool): Whether to enable apiserver vnet integration for the cluster or not.
    privateDNSZone (string): The default is System. For more details see configure private DNS zone. Allowed values are 'system' and 'none'.
    subnetId (string): It is required when: 1. creating a new cluster with BYO Vnet; 2. updating an existing cluster to enable apiserver vnet integration.

    ManagedClusterPropertiesAutoScalerProfile

    daemonset-eviction-for-empty-nodes (bool): If set to true, all daemonset pods on empty nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted, another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted.
    daemonset-eviction-for-occupied-nodes (bool): If set to true, all daemonset pods on occupied nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted, another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted.
    expander ('least-waste' | 'most-pods' | 'priority' | 'random'): Available values are: 'least-waste', 'most-pods', 'priority', 'random'.
    ignore-daemonsets-utilization (bool): If set to true, the resources used by daemonsets will be taken into account when making scale-down decisions.
    max-empty-bulk-delete (string): The default is 10.
    max-graceful-termination-sec (string): The default is 600.
    max-node-provision-time (string): The default is '15m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.
    max-total-unready-percentage (string): The default is 45. The maximum is 100 and the minimum is 0.
    new-pod-scale-up-delay (string): For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. The default is '0s'. Values must be an integer followed by a unit ('s' for seconds, 'm' for minutes, 'h' for hours, etc).
    ok-total-unready-count (string): This must be an integer. The default is 3.
    scale-down-delay-after-add (string): The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.
    scale-down-delay-after-delete (string): The default is the scan-interval. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.
    scale-down-delay-after-failure (string): The default is '3m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.
    scale-down-unneeded-time (string): The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.
    scale-down-unready-time (string): The default is '20m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.
    scale-down-utilization-threshold (string): The default is '0.5'.
    scan-interval (string): The default is '10'. Values must be an integer number of seconds.
    skip-nodes-with-local-storage (string): The default is true.
    skip-nodes-with-system-pods (string): The default is true.

    ManagedClusterAutoUpgradeProfile

    nodeOSUpgradeChannel ('NodeImage' | 'None' | 'SecurityPatch' | 'Unmanaged'): The default is Unmanaged, but may change to either NodeImage or SecurityPatch at GA.
    upgradeChannel ('node-image' | 'none' | 'patch' | 'rapid' | 'stable'): For more information see setting the AKS cluster auto-upgrade channel.

    ManagedClusterAzureMonitorProfile

    appMonitoring (ManagedClusterAzureMonitorProfileAppMonitoring): Application Monitoring Profile for Kubernetes Application Container. Collects application logs, metrics and traces through auto-instrumentation of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview.
    containerInsights (ManagedClusterAzureMonitorProfileContainerInsights): Azure Monitor Container Insights Profile for Kubernetes Events, Inventory and Container stdout & stderr logs etc. See aka.ms/AzureMonitorContainerInsights for an overview.
    metrics (ManagedClusterAzureMonitorProfileMetrics): Metrics profile for the prometheus service addon.

    ManagedClusterAzureMonitorProfileAppMonitoring

    autoInstrumentation (ManagedClusterAzureMonitorProfileAppMonitoringAutoIn...): Application Monitoring Auto Instrumentation for Kubernetes Application Container. Deploys a web hook to auto-instrument Azure Monitor OpenTelemetry based SDKs to collect OpenTelemetry metrics, logs and traces of the application. See aka.ms/AzureMonitorApplicationMonitoring for an overview.
    openTelemetryLogs (ManagedClusterAzureMonitorProfileAppMonitoringOpenTe...): Application Monitoring Open Telemetry Metrics Profile for Kubernetes Application Container Logs and Traces. Collects OpenTelemetry logs and traces of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview.
    openTelemetryMetrics (ManagedClusterAzureMonitorProfileAppMonitoringOpenTe...): Application Monitoring Open Telemetry Metrics Profile for Kubernetes Application Container Metrics. Collects OpenTelemetry metrics of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview.

    The Open Telemetry sub-profiles above carry these settings:
    enabled (bool): Indicates if Application Monitoring Open Telemetry Logs and traces is enabled or not.
    port (int): The Open Telemetry host port for Open Telemetry logs and traces. If not specified, the default port is 28331.
    port (int): The Open Telemetry host port for Open Telemetry metrics. If not specified, the default port is 28333.

    ManagedClusterAzureMonitorProfileContainerInsights

    disableCustomMetrics (bool): Indicates whether custom metrics collection has to be disabled or not. If not specified, the default is false. No custom metrics will be emitted if this field is false but the container insights enabled field is false.
    disablePrometheusMetricsScraping (bool): Indicates whether prometheus metrics scraping is disabled or not. If not specified, the default is false. No prometheus metrics will be emitted if this field is false but the container insights enabled field is false.
    enabled (bool): Indicates if the Azure Monitor Container Insights Logs Addon is enabled or not.
    logAnalyticsWorkspaceResourceId (string): Fully Qualified ARM Resource Id of the Azure Log Analytics Workspace for storing Azure Monitor Container Insights Logs.
    syslogPort (int): The syslog host port. If not specified, the default port is 28330.

    ManagedClusterAzureMonitorProfileMetrics

    kubeStateMetrics (ManagedClusterAzureMonitorProfileKubeStateMetrics): Kube State Metrics for the prometheus addon profile for the container service cluster.

    ManagedClusterAzureMonitorProfileKubeStateMetrics

    metricAnnotationsAllowList (string): Comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric.
    metricLabelsAllowlist (string): Comma-separated list of Kubernetes annotation keys that will be used in the resource's labels metric.

    ManagedClusterBootstrapProfile

    containerRegistryId (string): The resource Id of the Azure Container Registry. The registry must have private network access, premium SKU and zone redundancy.

    ManagedClusterIngressProfileWebAppRouting

    dnsZoneResourceIds (string[]): Resource IDs of the DNS zones to be associated with the Web App Routing add-on. Used only when Web App Routing is enabled. Public and private DNS zones can be in different resource groups, but all public DNS zones must be in the same resource group and all private DNS zones must be in the same resource group. Constraints: Max length = 5
    enabled (bool): Whether to enable Web App Routing.
    nginx (ManagedClusterIngressProfileNginx): Configuration for the default NginxIngressController. See more at /azure/aks/app-routing-nginx-configuration#the-default-nginx-ingress-controller.

    ManagedClusterIngressProfileNginx

    defaultIngressControllerType ('AnnotationControlled' | 'External' | 'Internal' | 'None'): Ingress type for the default NginxIngressController custom resource.

    ContainerServiceLinuxProfile

    adminUsername (string, required): The administrator username to use for Linux VMs. Constraints: Pattern = ^[A-Za-z][-A-Za-z0-9_]*$
    ssh (ContainerServiceSshConfiguration, required): The SSH configuration for Linux-based VMs running on Azure.

    ContainerServiceSshConfiguration

    publicKeys (ContainerServiceSshPublicKey[], required): The list of SSH public keys used to authenticate with Linux-based VMs. A maximum of 1 key may be specified.

    ContainerServiceSshPublicKey

    keyData (string, required): Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers.

    ManagedClusterCostAnalysis

    enabled (bool): The Managed Cluster sku.tier must be set to 'Standard' or 'Premium' to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. If not specified, the default is false. For more information see aka.ms/aks/docs/cost-analysis.

    ContainerServiceNetworkProfile

    advancedNetworking (AdvancedNetworking): Advanced Networking profile for enabling observability on a cluster. Note that enabling advanced networking features may incur additional costs. For more information see aka.ms/aksadvancednetworking.
    dnsServiceIP (string): An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. Constraints: Pattern = ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
    ipFamilies (string array containing any of 'IPv4', 'IPv6'): IP families are used to determine single-stack or dual-stack clusters. For single-stack, the expected value is IPv4. For dual-stack, the expected values are IPv4 and IPv6.
    kubeProxyConfig (ContainerServiceNetworkProfileKubeProxyConfig): Holds configuration customizations for kube-proxy. Any values not defined will use the kube-proxy defaulting behavior. See https://v{version}.docs.kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/ where {version} is represented by a {major version}-{minor version} string. Kubernetes version 1.23 would be '1-23'.
    loadBalancerProfile (ManagedClusterLoadBalancerProfile): Profile of the cluster load balancer.
    loadBalancerSku ('basic' | 'standard'): The default is 'standard'. See Azure Load Balancer SKUs for more information about the differences between load balancer SKUs.
    natGatewayProfile (ManagedClusterNATGatewayProfile): Profile of the cluster NAT gateway.
    networkDataplane ('azure' | 'cilium'): Network dataplane used in the Kubernetes cluster.
    networkMode ('bridge' | 'transparent'): This cannot be specified if networkPlugin is anything other than 'azure'.
    networkPlugin ('azure' | 'kubenet' | 'none'): Network plugin used for building the Kubernetes network.
    networkPluginMode ('overlay'): Network plugin mode used for building the Kubernetes network.
    networkPolicy ('azure' | 'calico' | 'cilium' | 'none'): Network policy used for building the Kubernetes network.
    outboundType ('loadBalancer' | 'managedNATGateway' | 'none' | 'userAssignedNATGateway' | 'userDefinedRouting'): This can only be set at cluster creation time and cannot be changed later. For more information see egress outbound type.
    podCidr (string): A CIDR notation IP range from which to assign pod IPs when kubenet is used. Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$
    podCidrs (string[]): One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), are expected for dual-stack networking.
    podLinkLocalAccess ('IMDS' | 'None'): Defines access to special link local addresses (Azure Instance Metadata Service, aka IMDS) for pods with hostNetwork=false. If not specified, the default is 'IMDS'.
    serviceCidr (string): A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$
    serviceCidrs (string[]): One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), are expected for dual-stack networking. They must not overlap with any Subnet IP ranges.
    staticEgressGatewayProfile (ManagedClusterStaticEgressGatewayProfile): The profile for the Static Egress Gateway addon. For more details about Static Egress Gateway, see https://aka.ms/aks/static-egress-gateway.

    AdvancedNetworking

    observability (AdvancedNetworkingObservability): Observability profile to enable advanced network metrics and flow logs with historical contexts.
    security (AdvancedNetworkingSecurity): Security profile to enable security features on cilium based clusters.

    AdvancedNetworkingObservability

    enabled (bool): Indicates the enablement of Advanced Networking observability functionalities on clusters.
    tlsManagement ('Managed' | 'None'): Management of TLS certificates for querying network flow logs via the flow log endpoint for Advanced Networking observability clusters. If not specified, the default is Managed. For more information see aka.ms/acnstls.

    AdvancedNetworkingSecurity

    enabled (bool): This feature allows the user to configure network policy based on DNS (FQDN) names. It can be enabled only on cilium based clusters. If not specified, the default is false.

    ContainerServiceNetworkProfileKubeProxyConfig

    enabled (bool): Whether to enable kube-proxy on the cluster (if no 'kubeProxyConfig' exists, kube-proxy is enabled in AKS by default without these customizations).
    ipvsConfig (ContainerServiceNetworkProfileKubeProxyConfigIpvsCon...): Holds configuration customizations for IPVS. May only be specified if 'mode' is set to 'IPVS'.
    mode ('IPTABLES' | 'IPVS'): Specify which proxy mode to use ('IPTABLES' or 'IPVS').

    ContainerServiceNetworkProfileKubeProxyConfigIpvsConfig

    scheduler ('LeastConnection' | 'RoundRobin'): IPVS scheduler; for more information please see http://www.linuxvirtualserver.org/docs/scheduling.html.
    tcpFinTimeoutSeconds (int): The timeout value used for IPVS TCP sessions after receiving a FIN, in seconds. Must be a positive integer value.
    tcpTimeoutSeconds (int): The timeout value used for idle IPVS TCP sessions, in seconds. Must be a positive integer value.
    udpTimeoutSeconds (int): The timeout value used for IPVS UDP packets, in seconds. Must be a positive integer value.

    ManagedClusterLoadBalancerProfile

    allocatedOutboundPorts (int): The desired number of allocated SNAT ports per VM. Allowed values are in the range of 0 to 64000 (inclusive). The default value is 0, which results in Azure dynamically allocating ports. Constraints: Min value = 0, Max value = 64000
    backendPoolType ('NodeIP' | 'NodeIPConfiguration'): The type of the managed inbound Load Balancer BackendPool.
    clusterServiceLoadBalancerHealthProbeMode ('ServiceNodePort' | 'Shared'): The health probing behavior for External Traffic Policy Cluster services.
    effectiveOutboundIPs (ResourceReference[]): The effective outbound IP resources of the cluster load balancer.
    enableMultipleStandardLoadBalancers (bool): Enable multiple standard load balancers per AKS cluster or not.
    idleTimeoutInMinutes (int): Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 30 minutes. Constraints: Min value = 4, Max value = 120
    managedOutboundIPs (ManagedClusterLoadBalancerProfileManagedOutboundIPs): Desired managed outbound IPs for the cluster load balancer.
    outboundIPPrefixes (ManagedClusterLoadBalancerProfileOutboundIPPrefixes): Desired outbound IP Prefix resources for the cluster load balancer.
    outboundIPs (ManagedClusterLoadBalancerProfileOutboundIPs): Desired outbound IP resources for the cluster load balancer.

    ManagedClusterLoadBalancerProfileManagedOutboundIPs

    count (int): The desired number of IPv4 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1. Constraints: Min value = 1, Max value = 100
    countIPv6 (int): The desired number of IPv6 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack. Constraints: Min value = 0, Max value = 100

    ManagedClusterNATGatewayProfile

    effectiveOutboundIPs (ResourceReference[]): The effective outbound IP resources of the cluster NAT gateway.
    idleTimeoutInMinutes (int): Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 4 minutes. Constraints: Min value = 4, Max value = 120
    managedOutboundIPProfile (ManagedClusterManagedOutboundIPProfile): Profile of the managed outbound IP resources of the cluster NAT gateway.

    ManagedClusterManagedOutboundIPProfile

    count (int): The desired number of outbound IPs created/managed by Azure. Allowed values must be in the range of 1 to 16 (inclusive). The default value is 1. Constraints: Min value = 1, Max value = 16

    ManagedClusterPodIdentityProfile

    allowNetworkPluginKubenet (bool): Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing. See using Kubenet network plugin with AAD Pod Identity for more information.
    enabled (bool): Whether the pod identity addon is enabled.
    userAssignedIdentities (ManagedClusterPodIdentity[]): The pod identities to use in the cluster.
    userAssignedIdentityExceptions (ManagedClusterPodIdentityException[]): The pod identity exceptions to allow.

    SafeguardsProfile

    level ('Enforcement' | 'Off' | 'Warning', required): The Safeguards level to be used. By default, Safeguards is enabled for all namespaces except those that AKS excludes via systemExcludedNamespaces.
    version (string): The version of constraints to use.

    ManagedClusterSecurityProfile

    azureKeyVaultKms (AzureKeyVaultKms): Azure Key Vault key management service settings for the security profile.
    customCATrustCertificates (any[]): A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the Custom CA Trust feature enabled. For more information see Custom CA Trust Certificates. Constraints: Max length = 10
    defender (ManagedClusterSecurityProfileDefender): Microsoft Defender settings for the security profile.
    imageCleaner (ManagedClusterSecurityProfileImageCleaner): Image Cleaner settings for the security profile.
    imageIntegrity (ManagedClusterSecurityProfileImageIntegrity): Image integrity is a feature that works with Azure Policy to verify image integrity by signature. This will not have any effect unless Azure Policy is applied to enforce image signatures. See https://aka.ms/aks/image-integrity for how to use this feature via policy.
    nodeRestriction (ManagedClusterSecurityProfileNodeRestriction): Node Restriction settings for the security profile.
    workloadIdentity (ManagedClusterSecurityProfileWorkloadIdentity): Workload identity settings for the security profile. Workload identity enables Kubernetes applications to access Azure cloud resources securely with Azure AD. See https://aka.ms/aks/wi for more details.

    AzureKeyVaultKms

    enabled (bool): Whether to enable Azure Key Vault key management service. The default is false.
    keyId (string): Identifier of the Azure Key Vault key. See key identifier format for more details. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier. When Azure Key Vault key management service is disabled, leave the field empty.
    keyVaultNetworkAccess ('Private' | 'Public'): Network access of the key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public.
    keyVaultResourceId (string): Resource ID of the key vault. When keyVaultNetworkAccess is Private, this field is required and must be a valid resource ID. When keyVaultNetworkAccess is Public, leave the field empty.

    ManagedClusterSecurityProfileDefender

    logAnalyticsWorkspaceResourceId (string): Resource ID of the Log Analytics workspace to be associated with Microsoft Defender. When Microsoft Defender is enabled, this field is required and must be a valid workspace resource ID. When Microsoft Defender is disabled, leave the field empty.
    securityMonitoring (ManagedClusterSecurityProfileDefenderSecurityMonitor...): Microsoft Defender threat detection for Cloud settings for the security profile.

    IstioServiceMesh

    certificateAuthority (IstioCertificateAuthority): Istio Service Mesh Certificate Authority (CA) configuration. For now, only plugin certificates are supported, as described at https://aka.ms/asm-plugin-ca
    components (IstioComponents): Istio components configuration.
    revisions (string[]): The list of revisions of the Istio control plane. When an upgrade is not in progress, this holds one value. When a canary upgrade is in progress, this can only hold two consecutive values. For more information, see: /azure/aks/istio-upgrade. Constraints: Max length = 2
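As an added example that is not part of this reference page, the following Bicep wires together the agent pool securityProfile (Secure Boot, vTPM, SSH access), the API server authorizedIPRanges and the cluster securityProfile settings documented above, and encodes the two conditional requirements stated in the tables: keyVaultResourceId is set only when keyVaultNetworkAccess is 'Private', and the Defender workspace ID only when Defender is enabled. Names, resource IDs, CIDRs and the SSH key are placeholders passed as parameters; dnsPrefix, oidcIssuerProfile, the identity type, the VM size and the enabled/intervalHours sub-properties of the Defender, image cleaner, node restriction and workload identity profiles are not shown in this excerpt and are assumed from the API.

```bicep
// Added example (not from the reference page): a hardened managedClusters resource that
// wires together the security-relevant properties documented above. Names, IDs and CIDRs
// are placeholders passed in as parameters.
param clusterName string = 'aks-hardened-example'   // constructed name
param sshPublicKey string                            // SSH public key for linuxProfile (caller supplies)
param kmsKeyId string                                // Key Vault key identifier; required while KMS is enabled
@allowed([
  'Public'
  'Private'
])
param keyVaultNetworkAccess string = 'Public'
param keyVaultResourceId string = ''                 // only meaningful when keyVaultNetworkAccess is 'Private'
param enableDefender bool = true
param logAnalyticsWorkspaceId string = ''            // required when Defender is enabled
param authorizedIPRanges array = [
  '203.0.113.0/24'                                   // constructed sample range (TEST-NET-3)
]

resource aks 'Microsoft.ContainerService/managedClusters@2024-06-02-preview' = {
  name: clusterName
  location: resourceGroup().location
  sku: {
    name: 'Base'
    tier: 'Standard'
  }
  identity: {
    type: 'SystemAssigned'   // assumed: KMS and Defender act through the cluster identity
  }
  properties: {
    dnsPrefix: clusterName   // assumed property, not shown in this excerpt
    // API server access: authorized ranges need the standard load balancer (not compatible
    // with a Basic LB or public IP per node); run command is switched off.
    apiServerAccessProfile: {
      authorizedIPRanges: authorizedIPRanges
      disableRunCommand: true
    }
    agentPoolProfiles: [
      {
        name: 'system'
        mode: 'System'
        count: 3
        vmSize: 'Standard_D4s_v5'   // assumed Trusted Launch capable size available in the region
        osType: 'Linux'
        // AgentPoolSecurityProfile: Secure Boot and vTPM default to false; node SSH disabled.
        securityProfile: {
          enableSecureBoot: true
          enableVTPM: true
          sshAccess: 'Disabled'
        }
      }
    ]
    linuxProfile: {
      adminUsername: 'azureuser'   // satisfies ^[A-Za-z][-A-Za-z0-9_]*$
      ssh: {
        publicKeys: [
          {
            keyData: sshPublicKey
          }
        ]
      }
    }
    networkProfile: {
      networkPlugin: 'azure'
      networkPolicy: 'azure'
      loadBalancerSku: 'standard'
      outboundType: 'loadBalancer'   // fixed at cluster creation time
      serviceCidr: '10.0.0.0/16'     // constructed; must not overlap any subnet range
      dnsServiceIP: '10.0.0.10'      // must lie inside serviceCidr
    }
    oidcIssuerProfile: {
      enabled: true   // assumed property; workload identity relies on the OIDC issuer
    }
    securityProfile: {
      azureKeyVaultKms: {
        enabled: true
        keyId: kmsKeyId
        keyVaultNetworkAccess: keyVaultNetworkAccess
        // Required for a Private vault, must stay empty for a Public one.
        keyVaultResourceId: keyVaultNetworkAccess == 'Private' ? keyVaultResourceId : ''
      }
      defender: {
        // Workspace ID is required when Defender is enabled and must be empty when it is not.
        logAnalyticsWorkspaceResourceId: enableDefender ? logAnalyticsWorkspaceId : ''
        securityMonitoring: {
          enabled: enableDefender   // 'enabled' sub-property assumed from the API
        }
      }
      imageCleaner: {
        enabled: true       // sub-properties assumed from the API
        intervalHours: 24
      }
      nodeRestriction: {
        enabled: true
      }
      workloadIdentity: {
        enabled: true
      }
    }
  }
}
```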

    ManagedClusterStorageProfile

    blobCSIDriver (ManagedClusterStorageProfileBlobCSIDriver): AzureBlob CSI Driver settings for the storage profile.
    diskCSIDriver (ManagedClusterStorageProfileDiskCSIDriver): AzureDisk CSI Driver settings for the storage profile.
    fileCSIDriver (ManagedClusterStorageProfileFileCSIDriver): AzureFile CSI Driver settings for the storage profile.
    snapshotController (ManagedClusterStorageProfileSnapshotController): Snapshot Controller settings for the storage profile.

    UpgradeOverrideSettings

    forceUpgrade (bool): Whether to force upgrade the cluster. Note that this option instructs the upgrade operation to bypass upgrade protections such as checking for deprecated API usage. Enable this option only with caution.
    until (string): Until when the overrides are effective. Note that this only matches the start time of an upgrade, and the effectiveness won't change once an upgrade starts even if the until expires as the upgrade proceeds. This field is not set by default. It must be set for the overrides to take effect.

    ManagedClusterWindowsProfile

    Name | Description | Value
    adminPassword | Specifies the password of the administrator account. Minimum-length: 8 characters. Max-length: 123 characters. Complexity requirements: 3 out of 4 conditions below need to be fulfilled: has lower characters; has upper characters; has a digit; has a special character (regex match [\W_]). Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!" | string
    adminUsername | Specifies the name of the administrator account. Restriction: cannot end in ".". Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5". Minimum-length: 1 character. Max-length: 20 characters. | string (required)
    enableCSIProxy | For more details on CSI proxy, see the CSI proxy GitHub repo. | bool
    gmsaProfile | The Windows gMSA Profile in the Managed Cluster. | WindowsGmsaProfile
    licenseType | The license type to use for Windows VMs. See Azure Hybrid User Benefits for more details. | 'None', 'Windows_Server'
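The adminUsername and adminPassword rules above are exact enough to check before a deployment is submitted, so that a template does not fail late with a credential error. The following is an added example, not Microsoft's code: the rule set is transcribed from the table; the function names, the sample values and the case-insensitive username comparison are this example's own assumptions.

```python
"""Checks for the adminUsername / adminPassword rules of
ManagedClusterWindowsProfile as listed in the table above.
Added example, not Microsoft's code: the rule set is transcribed from the
table; function names and the case-insensitive username match are assumptions."""
from __future__ import annotations

import re

# Exact strings from the "Disallowed values" cells of the table.
DISALLOWED_PASSWORDS = {
    "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word",
    "pass@word1", "Password!", "Password1", "Password22", "iloveyou!",
}
DISALLOWED_USERNAMES = {
    "administrator", "admin", "user", "user1", "test", "user2", "test1",
    "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet",
    "backup", "console", "david", "guest", "john", "owner", "root", "server",
    "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4",
    "user5",
}


def password_problems(password: str) -> list[str]:
    """Return every adminPassword rule the value breaks ([] means it passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(password) > 123:
        problems.append("longer than 123 characters")
    # 3 out of the 4 character classes are required.
    classes = (
        re.search(r"[a-z]", password) is not None,  # has lower characters
        re.search(r"[A-Z]", password) is not None,  # has upper characters
        re.search(r"[0-9]", password) is not None,  # has a digit
        re.search(r"[\W_]", password) is not None,  # has a special character
    )
    if sum(classes) < 3:
        problems.append("fewer than 3 of the 4 character classes")
    if password in DISALLOWED_PASSWORDS:
        problems.append("value is on the disallowed list")
    return problems


def username_problems(username: str) -> list[str]:
    """Return every adminUsername rule the value breaks ([] means it passes)."""
    problems = []
    if len(username) < 1:
        problems.append("shorter than 1 character")
    if len(username) > 20:
        problems.append("longer than 20 characters")
    if username.endswith("."):
        problems.append('ends in "."')
    # Assumption: the disallowed names are matched case-insensitively.
    if username.lower() in DISALLOWED_USERNAMES:
        problems.append("value is on the disallowed list")
    return problems


def check_windows_profile(profile: dict) -> dict[str, list[str]]:
    """Validate the two credential fields of a windowsProfile object as it
    appears in the template above; returns problems keyed by property name."""
    result = {}
    user_issues = username_problems(profile.get("adminUsername", ""))
    if user_issues:
        result["adminUsername"] = user_issues
    pw_issues = password_problems(profile.get("adminPassword", ""))
    if pw_issues:
        result["adminPassword"] = pw_issues
    return result


if __name__ == "__main__":
    # Constructed sample values, not taken from any real template.
    print(check_windows_profile({"adminUsername": "admin",
                                 "adminPassword": "Password1"}))
```

Run the check against the parameter values a pipeline is about to pass in; the password itself should reach the template as a secure parameter rather than as a literal in the resource body.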

    WindowsGmsaProfile

    Name | Description | Value
    dnsServer | Specifies the DNS server for Windows gMSA. Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster. | string
    enabled | Specifies whether to enable Windows gMSA in the managed cluster. | bool
    rootDomainName | Specifies the root domain name for Windows gMSA. Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster. | string

    ManagedClusterWorkloadAutoScalerProfile

    Name | Description | Value
    keda | KEDA (Kubernetes Event-driven Autoscaling) settings for the workload auto-scaler profile. | ManagedClusterWorkloadAutoScalerProfileKeda
    verticalPodAutoscaler | | ManagedClusterWorkloadAutoScalerProfileVerticalPodAu...

    ManagedClusterWorkloadAutoScalerProfileVerticalPodAutoscaler

    Name | Description | Value
    addonAutoscaling | Whether the VPA add-on is enabled and configured to scale AKS-managed add-ons. | 'Disabled', 'Enabled'
    enabled | Whether to enable the VPA add-on in the cluster. Default value is false. | bool (required)

    ManagedClusterSKU

    Quickstart templates

  • CI/CD using Jenkins on Azure Container Service (AKS): Containers make it very easy for you to continuously build and deploy your applications. By orchestrating deployment of those containers using Kubernetes in Azure Container Service, you can achieve replicable, manageable clusters of containers. By setting up a continuous build to produce your container images and orchestration, you can increase the speed and reliability of your deployment.
  • min.io Azure Gateway: Fully private min.io Azure Gateway deployment to provide an S3 compliant storage API backed by blob storage.
  • AKS Cluster with a NAT Gateway and an Application Gateway: This sample shows how to deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections.
  • Create a Private AKS Cluster: This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine.
  • Create a Private AKS Cluster with a Public DNS Zone: This sample shows how to deploy a private AKS cluster with a Public DNS Zone.
  • Deploy a managed Kubernetes Cluster (AKS): This ARM template demonstrates the deployment of an AKS instance with advanced networking features into an existing virtual network. Additionally, the chosen Service Principal is assigned the Network Contributor role against the subnet that contains the AKS cluster.
  • Deploy a managed Kubernetes Cluster with AAD (AKS): This ARM template demonstrates the deployment of an AKS instance with advanced networking features into an existing virtual network and Azure AD integration. Additionally, the chosen Service Principal is assigned the Network Contributor role against the subnet that contains the AKS cluster.
  • Deploy an AKS cluster for Azure ML: This template allows you to deploy an enterprise compliant AKS cluster which can be attached to Azure ML.
  • Azure Container Service (AKS): Deploy a managed cluster with Azure Container Service (AKS).
  • Azure Container Service (AKS): Deploy a managed cluster with Azure Container Service (AKS) using Azure Linux container hosts.
  • Azure Container Service (AKS) with Helm: Deploy a managed cluster with Azure Container Service (AKS) with Helm.
  • Azure Kubernetes Service (AKS): Deploys a managed Kubernetes cluster via Azure Kubernetes Service (AKS).
  • AKS cluster with the Application Gateway Ingress Controller: This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault.

    ARM template resource definition

    The managedClusters resource type can be deployed with operations that target:

  • Resource groups - See resource group deployment commands
  • For a list of changed properties in each API version, see change log.

    Remarks

    For information about available add-ons, see Add-ons, extensions, and other integrations with Azure Kubernetes Service.

    Resource format

    To create a Microsoft.ContainerService/managedClusters resource, add the following JSON to your template.

    {
      "type": "Microsoft.ContainerService/managedClusters",
      "apiVersion": "2024-06-02-preview",
      "name": "string",
      "location": "string",
      "tags": {
        "tagName1": "tagValue1",
        "tagName2": "tagValue2"
      },
      "sku": {
        "name": "string",
        "tier": "string"
      },
      "kind": "string",
      "extendedLocation": {
        "name": "string",
        "type": "EdgeZone"
      },
      "identity": {
        "delegatedResources": {
          "{customized property}": {
            "location": "string",
            "referralResource": "string",
            "resourceId": "string",
            "tenantId": "string"
          }
        },
        "type": "string",
        "userAssignedIdentities": {
          "{customized property}": {}
        }
      },
      "properties": {
        "aadProfile": {
          "adminGroupObjectIDs": [ "string" ],
          "clientAppID": "string",
          "enableAzureRBAC": "bool",
          "managed": "bool",
          "serverAppID": "string",
          "serverAppSecret": "string",
          "tenantID": "string"
        },
        "addonProfiles": {
          "{customized property}": {
            "config": {
              "{customized property}": "string"
            },
            "enabled": "bool"
          }
        },
        "agentPoolProfiles": [
          {
            "artifactStreamingProfile": {
              "enabled": "bool"
            },
            "availabilityZones": [ "string" ],
            "capacityReservationGroupID": "string",
            "count": "int",
            "creationData": {
              "sourceResourceId": "string"
            },
            "enableAutoScaling": "bool",
            "enableCustomCATrust": "bool",
            "enableEncryptionAtHost": "bool",
            "enableFIPS": "bool",
            "enableNodePublicIP": "bool",
            "enableUltraSSD": "bool",
            "gatewayProfile": {
              "publicIPPrefixSize": "int"
            },
            "gpuInstanceProfile": "string",
            "gpuProfile": {
              "installGPUDriver": "bool"
            },
            "hostGroupID": "string",
            "kubeletConfig": {
              "allowedUnsafeSysctls": [ "string" ],
              "containerLogMaxFiles": "int",
              "containerLogMaxSizeMB": "int",
              "cpuCfsQuota": "bool",
              "cpuCfsQuotaPeriod": "string",
              "cpuManagerPolicy": "string",
              "failSwapOn": "bool",
              "imageGcHighThreshold": "int",
              "imageGcLowThreshold": "int",
              "podMaxPids": "int",
              "topologyManagerPolicy": "string"
            },
            "kubeletDiskType": "string",
            "linuxOSConfig": {
              "swapFileSizeMB": "int",
              "sysctls": {
                "fsAioMaxNr": "int",
                "fsFileMax": "int",
                "fsInotifyMaxUserWatches": "int",
                "fsNrOpen": "int",
                "kernelThreadsMax": "int",
                "netCoreNetdevMaxBacklog": "int",
                "netCoreOptmemMax": "int",
                "netCoreRmemDefault": "int",
                "netCoreRmemMax": "int",
                "netCoreSomaxconn": "int",
                "netCoreWmemDefault": "int",
                "netCoreWmemMax": "int",
                "netIpv4IpLocalPortRange": "string",
                "netIpv4NeighDefaultGcThresh1": "int",
                "netIpv4NeighDefaultGcThresh2": "int",
                "netIpv4NeighDefaultGcThresh3": "int",
                "netIpv4TcpFinTimeout": "int",
                "netIpv4TcpkeepaliveIntvl": "int",
                "netIpv4TcpKeepaliveProbes": "int",
                "netIpv4TcpKeepaliveTime": "int",
                "netIpv4TcpMaxSynBacklog": "int",
                "netIpv4TcpMaxTwBuckets": "int",
                "netIpv4TcpTwReuse": "bool",
                "netNetfilterNfConntrackBuckets": "int",
                "netNetfilterNfConntrackMax": "int",
                "vmMaxMapCount": "int",
                "vmSwappiness": "int",
                "vmVfsCachePressure": "int"
              },
              "transparentHugePageDefrag": "string",
              "transparentHugePageEnabled": "string"
            },
            "maxCount": "int",
            "maxPods": "int",
            "messageOfTheDay": "string",
            "minCount": "int",
            "mode": "string",
            "name": "string",
            "networkProfile": {
              "allowedHostPorts": [
                {
                  "portEnd": "int",
                  "portStart": "int",
                  "protocol": "string"
                }
              ],
              "applicationSecurityGroups": [ "string" ],
              "nodePublicIPTags": [
                {
                  "ipTagType": "string",
                  "tag": "string"
                }
              ]
            },
            "nodeInitializationTaints": [ "string" ],
            "nodeLabels": {
              "{customized property}": "string"
            },
            "nodePublicIPPrefixID": "string",
            "nodeTaints": [ "string" ],
            "orchestratorVersion": "string",
            "osDiskSizeGB": "int",
            "osDiskType": "string",
            "osSKU": "string",
            "osType": "string",
            "podIPAllocationMode": "string",
            "podSubnetID": "string",
            "powerState": {
              "code": "string"
            },
            "proximityPlacementGroupID": "string",
            "scaleDownMode": "string",
            "scaleSetEvictionPolicy": "string",
            "scaleSetPriority": "string",
            "securityProfile": {
              "enableSecureBoot": "bool",
              "enableVTPM": "bool",
              "sshAccess": "string"
            },
            "spotMaxPrice": "[json('decimal-as-string')]",
            "tags": {},
            "type": "string",
            "upgradeSettings": {
              "drainTimeoutInMinutes": "int",
              "maxSurge": "string",
              "nodeSoakDurationInMinutes": "int",
              "undrainableNodeBehavior": "string"
            },
            "virtualMachineNodesStatus": [
              {
                "count": "int",
                "size": "string"
              }
            ],
            "virtualMachinesProfile": {
              "scale": {
                "autoscale": [
                  {
                    "maxCount": "int",
                    "minCount": "int",
                    "sizes": [ "string" ]
                  }
                ],
                "manual": [
                  {
                    "count": "int",
                    "sizes": [ "string" ]
                  }
                ]
              }
            },
            "vmSize": "string",
            "vnetSubnetID": "string",
            "windowsProfile": {
              "disableOutboundNat": "bool"
            },
            "workloadRuntime": "string"
          }
        ],
        "aiToolchainOperatorProfile": {
          "enabled": "bool"
        },
        "apiServerAccessProfile": {
          "authorizedIPRanges": [ "string" ],
          "disableRunCommand": "bool",
          "enablePrivateCluster": "bool",
          "enablePrivateClusterPublicFQDN": "bool",
          "enableVnetIntegration": "bool",
          "privateDNSZone": "string",
          "subnetId": "string"
        },
        "autoScalerProfile": {
          "balance-similar-node-groups": "string",
          "daemonset-eviction-for-empty-nodes": "bool",
          "daemonset-eviction-for-occupied-nodes": "bool",
          "expander": "string",
          "ignore-daemonsets-utilization": "bool",
          "max-empty-bulk-delete": "string",
          "max-graceful-termination-sec": "string",
          "max-node-provision-time": "string",
          "max-total-unready-percentage": "string",
          "new-pod-scale-up-delay": "string",
          "ok-total-unready-count": "string",
          "scale-down-delay-after-add": "string",
          "scale-down-delay-after-delete": "string",
          "scale-down-delay-after-failure": "string",
          "scale-down-unneeded-time": "string",
          "scale-down-unready-time": "string",
          "scale-down-utilization-threshold": "string",
          "scan-interval": "string",
          "skip-nodes-with-local-storage": "string",
          "skip-nodes-with-system-pods": "string"
        },
        "autoUpgradeProfile": {
          "nodeOSUpgradeChannel": "string",
          "upgradeChannel": "string"
        },
        "azureMonitorProfile": {
          "appMonitoring": {
            "autoInstrumentation": {
              "enabled": "bool"
            },
            "openTelemetryLogs": {
              "enabled": "bool",
              "port": "int"
            },
            "openTelemetryMetrics": {
              "enabled": "bool",
              "port": "int"
            }
          },
          "containerInsights": {
            "disableCustomMetrics": "bool",
            "disablePrometheusMetricsScraping": "bool",
            "enabled": "bool",
            "logAnalyticsWorkspaceResourceId": "string",
            "syslogPort": "int"
          },
          "metrics": {
            "enabled": "bool",
            "kubeStateMetrics": {
              "metricAnnotationsAllowList": "string",
              "metricLabelsAllowlist": "string"
            }
          }
        },
        "bootstrapProfile": {
          "artifactSource": "string",
          "containerRegistryId": "string"
        },
        "creationData": {
          "sourceResourceId": "string"
        },
        "disableLocalAccounts": "bool",
        "diskEncryptionSetID": "string",
        "dnsPrefix": "string",
        "enableNamespaceResources": "bool",
        "enablePodSecurityPolicy": "bool",
        "enableRBAC": "bool",
        "fqdnSubdomain": "string",
        "httpProxyConfig": {
          "httpProxy": "string",
          "httpsProxy": "string",
          "noProxy": [ "string" ],
          "trustedCa": "string"
        },
        "identityProfile": {
          "{customized property}": {
            "clientId": "string",
            "objectId": "string",
            "resourceId": "string"
          }
        },
        "ingressProfile": {
          "webAppRouting": {
            "dnsZoneResourceIds": [ "string" ],
            "enabled": "bool",
            "nginx": {
              "defaultIngressControllerType": "string"
            }
          }
        },
        "kubernetesVersion": "string",
        "linuxProfile": {
          "adminUsername": "string",
          "ssh": {
            "publicKeys": [
              {
                "keyData": "string"
              }
            ]
          }
        },
        "metricsProfile": {
          "costAnalysis": {
            "enabled": "bool"
          }
        },
        "networkProfile": {
          "advancedNetworking": {
            "observability": {
              "enabled": "bool",
              "tlsManagement": "string"
            },
            "security": {
              "fqdnPolicy": {
                "enabled": "bool"
              }
            }
          },
          "dnsServiceIP": "string",
          "ipFamilies": [ "string" ],
          "kubeProxyConfig": {
            "enabled": "bool",
            "ipvsConfig": {
              "scheduler": "string",
              "tcpFinTimeoutSeconds": "int",
              "tcpTimeoutSeconds": "int",
              "udpTimeoutSeconds": "int"
            },
            "mode": "string"
          },
          "loadBalancerProfile": {
            "allocatedOutboundPorts": "int",
            "backendPoolType": "string",
            "clusterServiceLoadBalancerHealthProbeMode": "string",
            "effectiveOutboundIPs": [
              {
                "id": "string"
              }
            ],
            "enableMultipleStandardLoadBalancers": "bool",
            "idleTimeoutInMinutes": "int",
            "managedOutboundIPs": {
              "count": "int",
              "countIPv6": "int"
            },
            "outboundIPPrefixes": {
              "publicIPPrefixes": [
                {
                  "id": "string"
                }
              ]
            },
            "outboundIPs": {
              "publicIPs": [
                {
                  "id": "string"
                }
              ]
            }
          },
          "loadBalancerSku": "string",
          "natGatewayProfile": {
            "effectiveOutboundIPs": [
              {
                "id": "string"
              }
            ],
            "idleTimeoutInMinutes": "int",
            "managedOutboundIPProfile": {
              "count": "int"
            }
          },
          "networkDataplane": "string",
          "networkMode": "string",
          "networkPlugin": "string",
          "networkPluginMode": "overlay",
          "networkPolicy": "string",
          "outboundType": "string",
          "podCidr": "string",
          "podCidrs": [ "string" ],
          "podLinkLocalAccess": "string",
          "serviceCidr": "string",
          "serviceCidrs": [ "string" ],
          "staticEgressGatewayProfile": {
            "enabled": "bool"
          }
        },
        "nodeProvisioningProfile": {
          "mode": "string"
        },
        "nodeResourceGroup": "string",
        "nodeResourceGroupProfile": {
          "restrictionLevel": "string"
        },
        "oidcIssuerProfile": {
          "enabled": "bool"
        },
        "podIdentityProfile": {
          "allowNetworkPluginKubenet": "bool",
          "enabled": "bool",
          "userAssignedIdentities": [
            {
              "bindingSelector": "string",
              "identity": {
                "clientId": "string",
                "objectId": "string",
                "resourceId": "string"
              },
              "name": "string",
              "namespace": "string"
            }
          ],
          "userAssignedIdentityExceptions": [
            {
              "name": "string",
              "namespace": "string",
              "podLabels": {
                "{customized property}": "string"
              }
            }
          ]
        },
        "privateLinkResources": [
          {
            "groupId": "string",
            "id": "string",
            "name": "string",
            "requiredMembers": [ "string" ],
            "type": "string"
          }
        ],
        "publicNetworkAccess": "string",
        "safeguardsProfile": {
          "excludedNamespaces": [ "string" ],
          "level": "string",
          "version": "string"
        },
        "securityProfile": {
          "azureKeyVaultKms": {
            "enabled": "bool",
            "keyId": "string",
            "keyVaultNetworkAccess": "string",
            "keyVaultResourceId": "string"
          },
          "customCATrustCertificates": [ object ],
          "defender": {
            "logAnalyticsWorkspaceResourceId": "string",
            "securityMonitoring": {
              "enabled": "bool"
            }
          },
          "imageCleaner": {
            "enabled": "bool",
            "intervalHours": "int"
          },
          "imageIntegrity": {
            "enabled": "bool"
          },
          "nodeRestriction": {
            "enabled": "bool"
          },
          "workloadIdentity": {
            "enabled": "bool"
          }
        },
        "serviceMeshProfile": {
          "istio": {
            "certificateAuthority": {
              "plugin": {
                "certChainObjectName": "string",
                "certObjectName": "string",
                "keyObjectName": "string",
                "keyVaultId": "string",
                "rootCertObjectName": "string"
              }
            },
            "components": {
              "egressGateways": [
                {
                  "enabled": "bool"
                }
              ],
              "ingressGateways": [
                {
                  "enabled": "bool",
                  "mode": "string"
                }
              ]
            },
            "revisions": [ "string" ]
          },
          "mode": "string"
        },
        "servicePrincipalProfile": {
          "clientId": "string",
          "secret": "string"
        },
        "storageProfile": {
          "blobCSIDriver": {
            "enabled": "bool"
          },
          "diskCSIDriver": {
            "enabled": "bool",
            "version": "string"
          },
          "fileCSIDriver": {
            "enabled": "bool"
          },
          "snapshotController": {
            "enabled": "bool"
          }
        },
        "supportPlan": "string",
        "upgradeSettings": {
          "overrideSettings": {
            "forceUpgrade": "bool",
            "until": "string"
          }
        },
        "windowsProfile": {
          "adminPassword": "string",
          "adminUsername": "string",
          "enableCSIProxy": "bool",
          "gmsaProfile": {
            "dnsServer": "string",
            "enabled": "bool",
            "rootDomainName": "string"
          },
          "licenseType": "string"
        },
        "workloadAutoScalerProfile": {
          "keda": {
            "enabled": "bool"
          },
          "verticalPodAutoscaler": {
            "addonAutoscaling": "string",
            "enabled": "bool"
          }
        }
      }
    }

    Property values

    managedClusters

    Name | Description | Value
    name | The resource name. Character limit: 1-63. Valid characters: alphanumerics, underscores, and hyphens. Start and end with alphanumeric. | string (required)
    location | The geo-location where the resource lives | string (required)
    tags | Resource tags. | Dictionary of tag names and values. See Tags in templates
    sku | The managed cluster SKU. | ManagedClusterSKU
    kind | This is primarily used to expose different UI experiences in the portal for different kinds | string
    extendedLocation | The extended location of the Virtual Machine. | ExtendedLocation
    identity | The identity of the managed cluster, if configured. | ManagedClusterIdentity
    properties | Properties of a managed cluster. | ManagedClusterProperties

    ManagedClusterIdentity

    Name | Description | Value
    delegatedResources | The delegated identity resources assigned to this managed cluster. This can only be set by another Azure Resource Provider, and a managed cluster only accepts one delegated identity resource. Internal use only. | DelegatedResources
    type | For more information see use managed identities in AKS. | 'None', 'SystemAssigned', 'UserAssigned'
    userAssignedIdentities | The keys must be ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | ManagedClusterIdentityUserAssignedIdentities

    DelegatedResources

    Name | Description | Value
    referralResource | The delegation id of the referral delegation (optional) - internal use only. | string
    resourceId | The ARM resource id of the delegated resource - internal use only. | string
    tenantId | The tenant id of the delegated resource - internal use only. Constraints: Min length = 36, Max length = 36, Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ | string

    ManagedClusterIdentityUserAssignedIdentities

    Name | Description | Value

    ManagedServiceIdentityUserAssignedIdentitiesValue

    This object doesn't contain any properties to set during deployment. All properties are ReadOnly.

    ManagedClusterProperties

    Name | Description | Value
    aiToolchainOperatorProfile | AI toolchain operator settings that apply to the whole cluster. | ManagedClusterAIToolchainOperatorProfile
    apiServerAccessProfile | The access profile for the managed cluster API server. | ManagedClusterAPIServerAccessProfile
    autoScalerProfile | Parameters to be applied to the cluster-autoscaler when enabled | ManagedClusterPropertiesAutoScalerProfile
    autoUpgradeProfile | The auto upgrade configuration. | ManagedClusterAutoUpgradeProfile
    azureMonitorProfile | Prometheus addon profile for the container service cluster | ManagedClusterAzureMonitorProfile
    bootstrapProfile | Profile of the cluster bootstrap configuration. | ManagedClusterBootstrapProfile
    creationData | CreationData to be used to specify the source Snapshot ID if the cluster will be created/upgraded using a snapshot. | CreationData
    disableLocalAccounts | If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. For more details see disable local accounts. | bool
    diskEncryptionSetID | This is of the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/diskEncryptionSets/{encryptionSetName}' | string
    dnsPrefix | This cannot be updated once the Managed Cluster has been created. | string
    enableNamespaceResources | The default value is false. It can be enabled/disabled on creation and updating of the managed cluster. See https://aka.ms/NamespaceARMResource for more details on Namespace as an ARM Resource. | bool
    enablePodSecurityPolicy | (DEPRECATED) Whether to enable Kubernetes pod security policy (preview). PodSecurityPolicy was deprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25. Learn more at https://aka.ms/k8s/psp and https://aka.ms/aks/psp. | bool
    enableRBAC | Whether to enable Kubernetes Role-Based Access Control. | bool
    fqdnSubdomain | This cannot be updated once the Managed Cluster has been created. | string
    httpProxyConfig | Configurations for provisioning the cluster with HTTP proxy servers. | ManagedClusterHttpProxyConfig
    identityProfile | Identities associated with the cluster. | ManagedClusterPropertiesIdentityProfile
    ingressProfile | Ingress profile for the managed cluster. | ManagedClusterIngressProfile
    kubernetesVersion | When you upgrade a supported AKS cluster, Kubernetes minor versions cannot be skipped. All upgrades must be performed sequentially by major version number. For example, upgrades between 1.14.x -> 1.15.x or 1.15.x -> 1.16.x are allowed, however 1.14.x -> 1.16.x is not allowed. See upgrading an AKS cluster for more details. | string
    linuxProfile | The profile for Linux VMs in the Managed Cluster. | ContainerServiceLinuxProfile
    metricsProfile | Optional cluster metrics configuration. | ManagedClusterMetricsProfile
    networkProfile | The network configuration profile. | ContainerServiceNetworkProfile
    nodeProvisioningProfile | Node provisioning settings that apply to the whole cluster. | ManagedClusterNodeProvisioningProfile
    nodeResourceGroup | The name of the resource group containing agent pool nodes. | string
    nodeResourceGroupProfile | The node resource group configuration profile. | ManagedClusterNodeResourceGroupProfile
    oidcIssuerProfile | The OIDC issuer profile of the Managed Cluster. | ManagedClusterOidcIssuerProfile
    podIdentityProfile | See use AAD pod identity for more details on AAD pod identity integration. | ManagedClusterPodIdentityProfile
    privateLinkResources | Private link resources associated with the cluster. | PrivateLinkResource[]
    publicNetworkAccess | Allow or deny public network access for AKS | 'Disabled', 'Enabled', 'SecuredByPerimeter'
    safeguardsProfile | The Safeguards profile holds all the safeguards information for a given cluster | SafeguardsProfile
    securityProfile | Security profile for the managed cluster. | ManagedClusterSecurityProfile
    serviceMeshProfile | Service mesh profile for a managed cluster. | ServiceMeshProfile
    servicePrincipalProfile | Information about a service principal identity for the cluster to use for manipulating Azure APIs. | ManagedClusterServicePrincipalProfile
    storageProfile | Storage profile for the managed cluster. | ManagedClusterStorageProfile
    supportPlan | The support plan for the Managed Cluster. If unspecified, the default is 'KubernetesOfficial'. | 'AKSLongTermSupport', 'KubernetesOfficial'
    upgradeSettings | Settings for upgrading a cluster. | ClusterUpgradeSettings
    windowsProfile | The profile for Windows VMs in the Managed Cluster. | ManagedClusterWindowsProfile
    workloadAutoScalerProfile | Workload Auto-scaler profile for the managed cluster. | ManagedClusterWorkloadAutoScalerProfile
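Several rows in this table carry control-plane security consequences (disableLocalAccounts, enableRBAC, the deprecated enablePodSecurityPolicy, publicNetworkAccess), and the template shows the related apiServerAccessProfile and aadProfile fields. The following is an added example, not Microsoft's code or tooling: a posture check that walks a managedClusters resource parsed from an ARM template and reports the weak settings, plus a function that returns the corrected resource. The sample resource is constructed for the example and the function names are its own; the defaulting of an unset publicNetworkAccess to 'Enabled' is an assumption.

```python
"""Posture check for a Microsoft.ContainerService/managedClusters resource,
based on the ManagedClusterProperties rows above and the apiServerAccessProfile
and aadProfile fields of the template. Added example, not Microsoft's code."""
from __future__ import annotations

import copy
import json

# Constructed weak resource; the values are illustrative, not a real cluster.
WEAK_RESOURCE = json.loads(r"""
{
  "type": "Microsoft.ContainerService/managedClusters",
  "apiVersion": "2024-06-02-preview",
  "name": "example-aks",
  "location": "westeurope",
  "properties": {
    "kubernetesVersion": "1.29",
    "enableRBAC": true,
    "disableLocalAccounts": false,
    "enablePodSecurityPolicy": true,
    "publicNetworkAccess": "Enabled",
    "aadProfile": {
      "managed": true,
      "enableAzureRBAC": true,
      "serverAppSecret": "[parameters('legacyAadSecret')]"
    },
    "apiServerAccessProfile": {
      "enablePrivateCluster": false,
      "authorizedIPRanges": []
    }
  }
}
""")

LEGACY_AAD_FIELDS = ("clientAppID", "serverAppID", "serverAppSecret")


def find_weak_settings(resource: dict) -> list[tuple[str, str]]:
    """Return (property path, reason) pairs for settings the table warns about."""
    p = resource.get("properties", {})
    aad = p.get("aadProfile") or {}
    api = p.get("apiServerAccessProfile") or {}
    findings = []
    if p.get("enableRBAC") is not True:
        findings.append(("properties.enableRBAC", "Kubernetes RBAC is not enabled"))
    if p.get("disableLocalAccounts") is not True:
        findings.append(("properties.disableLocalAccounts",
                         "static (local) cluster credentials can still be retrieved"))
    elif aad.get("managed") is not True:
        # The table: disableLocalAccounts must only be used on AAD-enabled clusters.
        findings.append(("properties.aadProfile.managed",
                         "disableLocalAccounts set on a cluster without managed AAD"))
    if p.get("enablePodSecurityPolicy") is True:
        findings.append(("properties.enablePodSecurityPolicy",
                         "deprecated in Kubernetes v1.21 and removed in v1.25"))
    # Assumption: an unset publicNetworkAccess behaves like 'Enabled'.
    if (p.get("publicNetworkAccess", "Enabled") == "Enabled"
            and api.get("enablePrivateCluster") is not True
            and not api.get("authorizedIPRanges")):
        findings.append(("properties.apiServerAccessProfile",
                         "API server has no private endpoint and no authorizedIPRanges"))
    for legacy in LEGACY_AAD_FIELDS:
        if legacy in aad:
            findings.append((f"properties.aadProfile.{legacy}",
                             "deprecated legacy AAD integration field"))
    return findings


def harden(resource: dict) -> dict:
    """Return a copy with the corrected values: RBAC on, local accounts off on
    a managed-AAD cluster, no PSP flag, private API server, no legacy AAD fields."""
    fixed = copy.deepcopy(resource)
    p = fixed.setdefault("properties", {})
    p["enableRBAC"] = True
    aad = p.setdefault("aadProfile", {})
    aad["managed"] = True
    for legacy in LEGACY_AAD_FIELDS:
        aad.pop(legacy, None)
    p["disableLocalAccounts"] = True
    p.pop("enablePodSecurityPolicy", None)
    p.setdefault("apiServerAccessProfile", {})["enablePrivateCluster"] = True
    return fixed


if __name__ == "__main__":
    for path, reason in find_weak_settings(WEAK_RESOURCE):
        print(f"{path}: {reason}")
    print("after harden():", find_weak_settings(harden(WEAK_RESOURCE)))
```

Whether a private cluster or an authorizedIPRanges list is the right fix depends on how operators reach the API server; the check only insists that one of the two is present when public access is enabled.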

    ManagedClusterAADProfile

    Name | Description | Value
    adminGroupObjectIDs | The list of AAD group object IDs that will have admin role of the cluster. | string[]
    clientAppID | (DEPRECATED) The client AAD application ID. Learn more at https://aka.ms/aks/aad-legacy. | string
    enableAzureRBAC | Whether to enable Azure RBAC for Kubernetes authorization. | bool
    managed | Whether to enable managed AAD. | bool
    serverAppID | (DEPRECATED) The server AAD application ID. Learn more at https://aka.ms/aks/aad-legacy. | string
    serverAppSecret | (DEPRECATED) The server AAD application secret. Learn more at https://aka.ms/aks/aad-legacy. | string
    tenantID | The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription. | string

    ManagedClusterAgentPoolProfile

    Name | Description | Value
    artifactStreamingProfile | Configuration for using artifact streaming on AKS. | AgentPoolArtifactStreamingProfile
    availabilityZones | The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is 'VirtualMachineScaleSets'. | string[]
    capacityReservationGroupID | AKS will associate the specified agent pool with the Capacity Reservation Group. | string
    count | Number of agents (VMs) to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1. | int
    creationData | CreationData to be used to specify the source Snapshot ID if the node pool will be created/upgraded using a snapshot. | CreationData
    enableAutoScaling | Whether to enable auto-scaler | bool
    enableCustomCATrust | When set to true, AKS adds a label to the node indicating that the feature is enabled and deploys a daemonset along with host services to sync custom certificate authorities from a user-provided list of base64 encoded certificates into node trust stores. Defaults to false. | bool
    enableEncryptionAtHost | This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption | bool
    enableFIPS | See Add a FIPS-enabled node pool for more details. | bool
    enableNodePublicIP | Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node. The default is false. | bool
    enableUltraSSD | Whether to enable UltraSSD | bool
    gatewayProfile | Profile specific to a managed agent pool in Gateway mode. This field cannot be set if agent pool mode is not Gateway. | AgentPoolGatewayProfile
    gpuInstanceProfile | GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. | 'MIG1g', 'MIG2g', 'MIG3g', 'MIG4g', 'MIG7g'
    gpuProfile | The GPU settings of an agent pool. | AgentPoolGPUProfile
    hostGroupID | This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/hostGroups/{hostGroupName}. For more information see Azure dedicated hosts. | string
    kubeletConfig | The Kubelet configuration on the agent pool nodes. | KubeletConfig
    kubeletDiskType | Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. | 'OS', 'Temporary'
    linuxOSConfig | The OS configuration of Linux agent nodes. | LinuxOSConfig
    maxCount | The maximum number of nodes for auto-scaling | int
    maxPods | The maximum number of pods that can run on a node. | int
    messageOfTheDay | A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of the message of the day for Linux nodes. It must not be specified for Windows nodes. It must be a static string (i.e., will be printed raw and not be executed as a script). | string
    minCount | The minimum number of nodes for auto-scaling | int
    mode | A cluster must have at least one 'System' Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: /azure/aks/use-system-pools | 'Gateway', 'System', 'User'
    name | Windows agent pool names must be 6 characters or less. Constraints: Pattern = ^[a-z][a-z0-9]{0,11}$ | string (required)
    networkProfile | Network-related settings of an agent pool. | AgentPoolNetworkProfile
    nodeInitializationTaints | These taints will not be reconciled by AKS and can be removed with a kubectl call. This field can be modified after the node pool is created, but nodes will not be recreated with new taints until another operation that requires recreation (e.g. node image upgrade) happens. These taints allow for required configuration to run before the node is ready to accept workloads, for example 'key1=value1:NoSchedule', which can then be removed with kubectl taint nodes node1 key1=value1:NoSchedule- | string[]
    nodeLabels | The node labels to be persisted across all nodes in the agent pool. | ManagedClusterAgentPoolProfilePropertiesNodeLabels
    nodePublicIPPrefixID | This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPPrefixes/{publicIPPrefixName} | string
    nodeTaints | The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. | string[]
    orchestratorVersion | Both patch version {major.minor.patch} and {major.minor} are supported. When {major.minor} is specified, the latest supported patch version is chosen automatically. Updating the agent pool with the same {major.minor} once it has been created will not trigger an upgrade, even if a newer patch version is available. As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool. | string
    osDiskSizeGB | OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. Constraints: Min value = 0, Max value = 2048 | int
    osDiskType | The default is 'Ephemeral' if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. For more information see Ephemeral OS. | 'Ephemeral', 'Managed'
    osSKU | Specifies the OS SKU used by the agent pool. If not specified, the default is Ubuntu if OSType=Linux or Windows2019 if OSType=Windows. The default Windows OSSKU will be changed to Windows2022 after Windows2019 is deprecated. | 'AzureLinux', 'CBLMariner', 'Mariner', 'Ubuntu', 'Windows2019', 'Windows2022', 'WindowsAnnual'
    osType | The operating system type. The default is Linux. | 'Linux', 'Windows'
    podIPAllocationMode | The IP allocation mode for pods in the agent pool. Must be used with podSubnetId. The default is 'DynamicIndividual'. | 'DynamicIndividual', 'StaticBlock'
    podSubnetID | If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} | string
    powerState | When an Agent Pool is first created it is initially Running. The Agent Pool can be stopped by setting this field to Stopped. A stopped Agent Pool stops all of its VMs and does not accrue billing charges. An Agent Pool can only be stopped if it is Running and its provisioning state is Succeeded. | PowerState
    proximityPlacementGroupID | The ID for Proximity Placement Group. | string
    scaleDownMode | This also affects the cluster autoscaler behavior. If not specified, it defaults to Delete. | 'Deallocate', 'Delete'
    scaleSetEvictionPolicy | This cannot be specified unless the scaleSetPriority is 'Spot'. If not specified, the default is 'Delete'. | 'Deallocate', 'Delete'
    scaleSetPriority | The Virtual Machine Scale Set priority. If not specified, the default is 'Regular'. | 'Regular', 'Spot'
    securityProfile | The security settings of an agent pool. | AgentPoolSecurityProfile
    spotMaxPrice | Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing. To specify a decimal value, use the json() function. | int or json decimal
    tags | The tags to be persisted on the agent pool virtual machine scale set. | object
    type | The type of Agent Pool. | 'AvailabilitySet', 'VirtualMachineScaleSets', 'VirtualMachines'
    upgradeSettings | Settings for upgrading the agentpool | AgentPoolUpgradeSettings
    virtualMachineNodesStatus | The status of nodes in a VirtualMachines agent pool. | VirtualMachineNodes[]
    virtualMachinesProfile | Specifications on VirtualMachines agent pool. | VirtualMachinesProfile
    vmSize | VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: /azure/aks/quotas-skus-regions | string
    vnetSubnetID | If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} | string
    windowsProfile | The Windows agent pool's specific profile. | AgentPoolWindowsProfile
    workloadRuntime | Determines the type of workload a node can run. | 'KataMshvVmIsolation', 'OCIContainer', 'WasmWasi'
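The kubernetesVersion row of ManagedClusterProperties (no skipped minor versions on a control-plane upgrade) and the orchestratorVersion row above (same major as the control plane, at most two minors behind, never newer, and a bare {major.minor} meaning the latest patch) are precise enough to check in a pre-deployment gate. The following is an added example, not Microsoft's code: it encodes both rules over a constructed set of cluster properties. The function names are its own; treating a downgrade as not an upgrade, and an unset orchestratorVersion as following the control plane, are assumptions.

```python
"""Version-compatibility checks for the kubernetesVersion and
orchestratorVersion rules stated in the tables above.
Added example, not Microsoft's code; names and the two assumptions noted
in the comments are this example's own."""
from __future__ import annotations


def parse_version(text: str) -> tuple[int, int, int | None]:
    """Parse '{major.minor}' or '{major.minor.patch}'; patch is None if absent."""
    parts = text.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a {{major.minor}} or {{major.minor.patch}} version: {text!r}")
    major, minor = int(parts[0]), int(parts[1])
    patch = int(parts[2]) if len(parts) == 3 else None
    return major, minor, patch


def _comparable(a, b):
    """A bare {major.minor} means 'latest patch', so compare on major.minor
    only when either side omits the patch number."""
    if a[2] is None or b[2] is None:
        return a[:2], b[:2]
    return a, b


def control_plane_upgrade_allowed(current: str, target: str) -> bool:
    """1.14.x -> 1.15.x is allowed, 1.14.x -> 1.16.x is not (minor versions
    cannot be skipped); a patch upgrade within the same minor is allowed."""
    cur, tgt = parse_version(current), parse_version(target)
    if cur[0] != tgt[0]:
        return False
    if tgt[1] - cur[1] not in (0, 1):
        return False
    c, t = _comparable(cur, tgt)
    return t >= c  # assumption: a downgrade is not an upgrade at all


def node_pool_version_ok(control_plane: str, node_pool: str) -> bool:
    """Same major, within two minors of the control plane, and not newer."""
    cp, pool = parse_version(control_plane), parse_version(node_pool)
    if cp[0] != pool[0]:
        return False
    if not 0 <= cp[1] - pool[1] <= 2:
        return False
    c, p = _comparable(cp, pool)
    return p <= c


def agent_pool_version_violations(properties: dict) -> list[str]:
    """Check every agentPoolProfiles[].orchestratorVersion against
    properties.kubernetesVersion, as both appear in the template above."""
    cp = properties["kubernetesVersion"]
    violations = []
    for pool in properties.get("agentPoolProfiles", []):
        version = pool.get("orchestratorVersion")
        if version is None:  # assumption: an unset pool version follows the control plane
            continue
        if not node_pool_version_ok(cp, version):
            violations.append(f"{pool.get('name', '?')}: {version} is incompatible "
                              f"with control plane {cp}")
    return violations


# Constructed sample cluster properties (not from any real deployment).
SAMPLE_PROPERTIES = {
    "kubernetesVersion": "1.29.2",
    "agentPoolProfiles": [
        {"name": "system", "mode": "System", "orchestratorVersion": "1.29.2"},
        {"name": "batch", "mode": "User", "orchestratorVersion": "1.27.9"},
        {"name": "legacy", "mode": "User", "orchestratorVersion": "1.26.9"},
        {"name": "canary", "mode": "User", "orchestratorVersion": "1.30.0"},
    ],
}

if __name__ == "__main__":
    for line in agent_pool_version_violations(SAMPLE_PROPERTIES):
        print(line)
    print(control_plane_upgrade_allowed("1.14.8", "1.16.0"))  # False: skips 1.15
```

The node-pool rule is the one that bites during staged upgrades: once the control plane moves to 1.29, a pool still on 1.26 is out of the two-minor window and must be upgraded before anything else changes.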

    AgentPoolArtifactStreamingProfile

    Name | Description | Value
    enabled | Artifact streaming speeds up the cold-start of containers on a node through on-demand image loading. To use this feature, container images must also enable artifact streaming on ACR. If not specified, the default is false. | bool

    CreationData

    | Name | Description | Value |
    | --- | --- | --- |
    | sourceResourceId | This is the ARM ID of the source object to be used to create the target object. | string |

    AgentPoolGatewayProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | publicIPPrefixSize | The Gateway agent pool associates one public IPPrefix for each static egress gateway to provide public egress. The size of the Public IPPrefix should be selected by the user. Each node in the agent pool is assigned one IP from the IPPrefix. The IPPrefix size thus serves as a cap on the size of the Gateway agent pool. Due to Azure public IPPrefix size limitation, the valid value range is [28, 31] (/31 = 2 nodes/IPs, /30 = 4 nodes/IPs, /29 = 8 nodes/IPs, /28 = 16 nodes/IPs). The default value is 31. | int. Constraints: Min value = 28, Max value = 31 |

    AgentPoolGPUProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | installGPUDriver | The default value is true when the vmSize of the agent pool contains a GPU, false otherwise. GPU Driver Installation can only be set true when the VM has an associated GPU resource. Setting this field to false prevents automatic GPU driver installation. In that case, in order for the GPU to be usable, the user must perform GPU driver installation themselves. | bool |

    KubeletConfig

    | Name | Description | Value |
    | --- | --- | --- |
    | allowedUnsafeSysctls | Allowed list of unsafe sysctls or unsafe sysctl patterns (ending in *). | string[] |
    | containerLogMaxFiles | The maximum number of container log files that can be present for a container. The number must be ≥ 2. | int. Constraints: Min value = 2 |
    | containerLogMaxSizeMB | The maximum size (e.g. 10Mi) of a container log file before it is rotated. | int |
    | cpuCfsQuota | The default is true. | bool |
    | cpuCfsQuotaPeriod | The default is '100ms'. Valid values are a sequence of decimal numbers with an optional fraction and a unit suffix. For example: '300ms', '2h45m'. Supported units are 'ns', 'us', 'ms', 's', 'm', and 'h'. | string |
    | cpuManagerPolicy | The default is 'none'. See Kubernetes CPU management policies for more information. Allowed values are 'none' and 'static'. | string |
    | failSwapOn | If set to true it will make the Kubelet fail to start if swap is enabled on the node. | bool |
    | imageGcHighThreshold | To disable image garbage collection, set to 100. The default is 85%. | int |
    | imageGcLowThreshold | This cannot be set higher than imageGcHighThreshold. The default is 80%. | int |
    | podMaxPids | The maximum number of processes per pod. | int |
    | topologyManagerPolicy | For more information see Kubernetes Topology Manager. The default is 'none'. Allowed values are 'none', 'best-effort', 'restricted', and 'single-numa-node'. | string |

    LinuxOSConfig

    | Name | Description | Value |
    | --- | --- | --- |
    | transparentHugePageDefrag | Valid values are 'always', 'defer', 'defer+madvise', 'madvise' and 'never'. The default is 'madvise'. For more information see Transparent Hugepages. | string |
    | transparentHugePageEnabled | Valid values are 'always', 'madvise', and 'never'. The default is 'always'. For more information see Transparent Hugepages. | string |

    SysctlConfig

    | Name | Description | Value |
    | --- | --- | --- |
    | netIpv4TcpkeepaliveIntvl | Sysctl setting net.ipv4.tcp_keepalive_intvl. | int. Constraints: Min value = 10, Max value = 90 |
    | netIpv4TcpKeepaliveProbes | Sysctl setting net.ipv4.tcp_keepalive_probes. | int |
    | netIpv4TcpKeepaliveTime | Sysctl setting net.ipv4.tcp_keepalive_time. | int |
    | netIpv4TcpMaxSynBacklog | Sysctl setting net.ipv4.tcp_max_syn_backlog. | int |
    | netIpv4TcpMaxTwBuckets | Sysctl setting net.ipv4.tcp_max_tw_buckets. | int |
    | netIpv4TcpTwReuse | Sysctl setting net.ipv4.tcp_tw_reuse. | bool |
    | netNetfilterNfConntrackBuckets | Sysctl setting net.netfilter.nf_conntrack_buckets. | int. Constraints: Min value = 65536, Max value = 524288 |
    | netNetfilterNfConntrackMax | Sysctl setting net.netfilter.nf_conntrack_max. | int. Constraints: Min value = 131072, Max value = 2097152 |
    | vmMaxMapCount | Sysctl setting vm.max_map_count. | int |
    | vmSwappiness | Sysctl setting vm.swappiness. | int |
    | vmVfsCachePressure | Sysctl setting vm.vfs_cache_pressure. | int |

    AgentPoolNetworkProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | allowedHostPorts | The port ranges that are allowed to be accessed. The specified ranges are allowed to overlap. | PortRange[] |
    | applicationSecurityGroups | The IDs of the application security groups which the agent pool will associate with when created. | string[] |
    | nodePublicIPTags | IPTags of instance-level public IPs. | IPTag[] |

    PortRange

    | Name | Description | Value |
    | --- | --- | --- |
    | portEnd | The maximum port that is included in the range. It must be in the range 1 to 65535, and be greater than or equal to portStart. | int. Constraints: Min value = 1, Max value = 65535 |
    | portStart | The minimum port that is included in the range. It must be in the range 1 to 65535, and be less than or equal to portEnd. | int. Constraints: Min value = 1, Max value = 65535 |
    | protocol | The network protocol of the port. | 'TCP', 'UDP' |

    IPTag

    AgentPoolSecurityProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | enableSecureBoot | Secure Boot is a feature of Trusted Launch which ensures that only signed operating systems and drivers can boot. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false. | bool |
    | enableVTPM | vTPM is a Trusted Launch feature for configuring a dedicated secure vault for keys and measurements held locally on the node. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false. | bool |
    | sshAccess | SSH access method of an agent pool. | 'Disabled', 'LocalUser' |

    AgentPoolUpgradeSettings

    | Name | Description | Value |
    | --- | --- | --- |
    | drainTimeoutInMinutes | The amount of time (in minutes) to wait on eviction of pods and graceful termination per node. This eviction wait time honors waiting on pod disruption budgets. If this time is exceeded, the upgrade fails. If not specified, the default is 30 minutes. | int. Constraints: Min value = 1, Max value = 1440 |
    | maxSurge | This can either be set to an integer (e.g. '5') or a percentage (e.g. '50%'). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 1. For more information, including best practices, see: /azure/aks/upgrade-cluster#customize-node-surge-upgrade | string |
    | nodeSoakDurationInMinutes | The amount of time (in minutes) to wait after draining a node and before reimaging it and moving on to the next node. If not specified, the default is 0 minutes. | int. Constraints: Min value = 0, Max value = 30 |
    | undrainableNodeBehavior | Defines the behavior for undrainable nodes during upgrade. The most common cause of undrainable nodes is Pod Disruption Budgets (PDBs), but other issues, such as a pod termination grace period exceeding the remaining per-node drain timeout or a pod still being in a running state, can also cause undrainable nodes. | 'Cordon', 'Schedule' |

    VirtualMachineNodes

    ScaleProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | autoscale | Specifications on how to auto-scale the VirtualMachines agent pool within a predefined size range. Currently, at most one AutoScaleProfile is allowed. | AutoScaleProfile[] |
    | manual | Specifications on how to scale the VirtualMachines agent pool to a fixed size. Currently, at most one ManualScaleProfile is allowed. | ManualScaleProfile[] |

    AutoScaleProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | sizes | The list of allowed VM sizes, e.g. ['Standard_E4s_v3', 'Standard_E16s_v3', 'Standard_D16s_v5']. AKS will use the first available one when auto scaling. If a VM size is unavailable (e.g. due to quota or regional capacity reasons), AKS will use the next size. | string[] |

    ManualScaleProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | sizes | The list of allowed VM sizes, e.g. ['Standard_E4s_v3', 'Standard_E16s_v3', 'Standard_D16s_v5']. AKS will use the first available one when scaling. If a VM size is unavailable (e.g. due to quota or regional capacity reasons), AKS will use the next size. | string[] |

    AgentPoolWindowsProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | disableOutboundNat | The default value is false. Outbound NAT can only be disabled if the cluster outboundType is NAT Gateway and the Windows agent pool does not have node public IP enabled. | bool |

    ManagedClusterAIToolchainOperatorProfile

    ManagedClusterAPIServerAccessProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | authorizedIPRanges | IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. For more information see API server authorized IP ranges. | string[] |
    | disableRunCommand | Whether to disable run command for the cluster or not. | bool |
    | enablePrivateCluster | For more details, see Creating a private AKS cluster. | bool |
    | enablePrivateClusterPublicFQDN | Whether to create an additional public FQDN for the private cluster or not. | bool |
    | enableVnetIntegration | Whether to enable apiserver vnet integration for the cluster or not. | bool |
    | privateDNSZone | The default is System. For more details see configure private DNS zone. Allowed values are 'system' and 'none'. | string |
    | subnetId | It is required when: 1. creating a new cluster with BYO Vnet; 2. updating an existing cluster to enable apiserver vnet integration. | string |

    ManagedClusterPropertiesAutoScalerProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | daemonset-eviction-for-empty-nodes | If set to true, all daemonset pods on empty nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted. | bool |
    | daemonset-eviction-for-occupied-nodes | If set to true, all daemonset pods on occupied nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted. | bool |
    | expander | Available values are: 'least-waste', 'most-pods', 'priority', 'random'. | 'least-waste', 'most-pods', 'priority', 'random' |
    | ignore-daemonsets-utilization | If set to true, the resources used by daemonsets will be taken into account when making scaling down decisions. | bool |
    | max-empty-bulk-delete | The default is 10. | string |
    | max-graceful-termination-sec | The default is 600. | string |
    | max-node-provision-time | The default is '15m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string |
    | max-total-unready-percentage | The default is 45. The maximum is 100 and the minimum is 0. | string |
    | new-pod-scale-up-delay | For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. The default is '0s'. Values must be an integer followed by a unit ('s' for seconds, 'm' for minutes, 'h' for hours, etc). | string |
    | ok-total-unready-count | This must be an integer. The default is 3. | string |
    | scale-down-delay-after-add | The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string |
    | scale-down-delay-after-delete | The default is the scan-interval. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string |
    | scale-down-delay-after-failure | The default is '3m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string |
    | scale-down-unneeded-time | The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string |
    | scale-down-unready-time | The default is '20m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string |
    | scale-down-utilization-threshold | The default is '0.5'. | string |
    | scan-interval | The default is '10'. Values must be an integer number of seconds. | string |
    | skip-nodes-with-local-storage | The default is true. | string |
    | skip-nodes-with-system-pods | The default is true. | string |

    ManagedClusterAutoUpgradeProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | nodeOSUpgradeChannel | The default is Unmanaged, but may change to either NodeImage or SecurityPatch at GA. | 'NodeImage', 'None', 'SecurityPatch', 'Unmanaged' |
    | upgradeChannel | For more information see setting the AKS cluster auto-upgrade channel. | 'node-image', 'none', 'patch', 'rapid', 'stable' |

    ManagedClusterAzureMonitorProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | appMonitoring | Application Monitoring Profile for Kubernetes Application Container. Collects application logs, metrics and traces through auto-instrumentation of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview. | ManagedClusterAzureMonitorProfileAppMonitoring |
    | containerInsights | Azure Monitor Container Insights Profile for Kubernetes Events, Inventory and Container stdout & stderr logs etc. See aka.ms/AzureMonitorContainerInsights for an overview. | ManagedClusterAzureMonitorProfileContainerInsights |
    | metrics | Metrics profile for the prometheus service addon. | ManagedClusterAzureMonitorProfileMetrics |

    ManagedClusterAzureMonitorProfileAppMonitoring

    | Name | Description | Value |
    | --- | --- | --- |
    | autoInstrumentation | Application Monitoring Auto Instrumentation for Kubernetes Application Container. Deploys a web hook to auto-instrument Azure Monitor OpenTelemetry based SDKs to collect OpenTelemetry metrics, logs and traces of the application. See aka.ms/AzureMonitorApplicationMonitoring for an overview. | ManagedClusterAzureMonitorProfileAppMonitoringAutoIn... |
    | openTelemetryLogs | Application Monitoring Open Telemetry Metrics Profile for Kubernetes Application Container Logs and Traces. Collects OpenTelemetry logs and traces of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview. | ManagedClusterAzureMonitorProfileAppMonitoringOpenTe... |
    | openTelemetryMetrics | Application Monitoring Open Telemetry Metrics Profile for Kubernetes Application Container Metrics. Collects OpenTelemetry metrics of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview. | ManagedClusterAzureMonitorProfileAppMonitoringOpenTe... |

    Open Telemetry logs and metrics sub-profiles (property names partly missing from the source)

    | Name | Description | Value |
    | --- | --- | --- |
    | enabled | Indicates if Application Monitoring Open Telemetry Logs and traces is enabled or not. | bool |
    | | The Open Telemetry host port for Open Telemetry logs and traces. If not specified, the default port is 28331. | int |
    | | The Open Telemetry host port for Open Telemetry metrics. If not specified, the default port is 28333. | int |

    ManagedClusterAzureMonitorProfileContainerInsights

    | Name | Description | Value |
    | --- | --- | --- |
    | disableCustomMetrics | Indicates whether custom metrics collection has to be disabled or not. If not specified the default is false. No custom metrics will be emitted if this field is false but the container insights enabled field is false. | bool |
    | disablePrometheusMetricsScraping | Indicates whether prometheus metrics scraping is disabled or not. If not specified the default is false. No prometheus metrics will be emitted if this field is false but the container insights enabled field is false. | bool |
    | enabled | Indicates if the Azure Monitor Container Insights Logs Addon is enabled or not. | bool |
    | logAnalyticsWorkspaceResourceId | Fully Qualified ARM Resource Id of the Azure Log Analytics Workspace for storing Azure Monitor Container Insights Logs. | string |
    | syslogPort | The syslog host port. If not specified, the default port is 28330. | int |

    ManagedClusterAzureMonitorProfileMetrics

    | Name | Description | Value |
    | --- | --- | --- |
    | kubeStateMetrics | Kube State Metrics for prometheus addon profile for the container service cluster. | ManagedClusterAzureMonitorProfileKubeStateMetrics |

    ManagedClusterAzureMonitorProfileKubeStateMetrics

    | Name | Description | Value |
    | --- | --- | --- |
    | metricAnnotationsAllowList | Comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric. | string |
    | metricLabelsAllowlist | Comma-separated list of Kubernetes annotation keys that will be used in the resource's labels metric. | string |

    ManagedClusterBootstrapProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | containerRegistryId | The resource Id of the Azure Container Registry. The registry must have private network access, premium SKU and zone redundancy. | string |

    ManagedClusterHttpProxyConfig

    ManagedClusterIngressProfileWebAppRouting

    | Name | Description | Value |
    | --- | --- | --- |
    | dnsZoneResourceIds | Resource IDs of the DNS zones to be associated with the Web App Routing add-on. Used only when Web App Routing is enabled. Public and private DNS zones can be in different resource groups, but all public DNS zones must be in the same resource group and all private DNS zones must be in the same resource group. | string[]. Constraints: Max length = 5 |
    | enabled | Whether to enable Web App Routing. | bool |
    | nginx | Configuration for the default NginxIngressController. See more at /azure/aks/app-routing-nginx-configuration#the-default-nginx-ingress-controller. | ManagedClusterIngressProfileNginx |

    ManagedClusterIngressProfileNginx

    | Name | Description | Value |
    | --- | --- | --- |
    | defaultIngressControllerType | Ingress type for the default NginxIngressController custom resource. | 'AnnotationControlled', 'External', 'Internal', 'None' |

    ContainerServiceLinuxProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | adminUsername | The administrator username to use for Linux VMs. | string (required). Constraints: Pattern = ^[A-Za-z][-A-Za-z0-9_]*$ |
    | ssh | The SSH configuration for Linux-based VMs running on Azure. | ContainerServiceSshConfiguration (required) |

    ContainerServiceSshConfiguration

    | Name | Description | Value |
    | --- | --- | --- |
    | publicKeys | The list of SSH public keys used to authenticate with Linux-based VMs. A maximum of 1 key may be specified. | ContainerServiceSshPublicKey[] (required) |

    ContainerServiceSshPublicKey

    | Name | Description | Value |
    | --- | --- | --- |
    | keyData | Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers. | string (required) |

    ManagedClusterMetricsProfile

    ManagedClusterCostAnalysis

    | Name | Description | Value |
    | --- | --- | --- |
    | enabled | The Managed Cluster sku.tier must be set to 'Standard' or 'Premium' to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. If not specified, the default is false. For more information see aka.ms/aks/docs/cost-analysis. | bool |

    ContainerServiceNetworkProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | advancedNetworking | Advanced Networking profile for enabling observability on a cluster. Note that enabling advanced networking features may incur additional costs. For more information see aka.ms/aksadvancednetworking. | AdvancedNetworking |
    | dnsServiceIP | An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. | string. Constraints: Pattern = ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ |
    | ipFamilies | IP families are used to determine single-stack or dual-stack clusters. For single-stack, the expected value is IPv4. For dual-stack, the expected values are IPv4 and IPv6. | String array containing any of: 'IPv4', 'IPv6' |
    | kubeProxyConfig | Holds configuration customizations for kube-proxy. Any values not defined will use the kube-proxy defaulting behavior. See https://v{version}.docs.kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/ where {version} is represented by a {major version}-{minor version} string. Kubernetes version 1.23 would be '1-23'. | ContainerServiceNetworkProfileKubeProxyConfig |
    | loadBalancerProfile | Profile of the cluster load balancer. | ManagedClusterLoadBalancerProfile |
    | loadBalancerSku | The default is 'standard'. See Azure Load Balancer SKUs for more information about the differences between load balancer SKUs. | 'basic', 'standard' |
    | natGatewayProfile | Profile of the cluster NAT gateway. | ManagedClusterNATGatewayProfile |
    | networkDataplane | Network dataplane used in the Kubernetes cluster. | 'azure', 'cilium' |
    | networkMode | This cannot be specified if networkPlugin is anything other than 'azure'. | 'bridge', 'transparent' |
    | networkPlugin | Network plugin used for building the Kubernetes network. | 'azure', 'kubenet', 'none' |
    | networkPluginMode | Network plugin mode used for building the Kubernetes network. | 'overlay' |
    | networkPolicy | Network policy used for building the Kubernetes network. | 'azure', 'calico', 'cilium', 'none' |
    | outboundType | This can only be set at cluster creation time and cannot be changed later. For more information see egress outbound type. | 'loadBalancer', 'managedNATGateway', 'none', 'userAssignedNATGateway', 'userDefinedRouting' |
    | podCidr | A CIDR notation IP range from which to assign pod IPs when kubenet is used. | string. Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$ |
    | podCidrs | One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), are expected for dual-stack networking. | string[] |
    | podLinkLocalAccess | Defines access to special link local addresses (Azure Instance Metadata Service, aka IMDS) for pods with hostNetwork=false. If not specified, the default is 'IMDS'. | 'IMDS', 'None' |
    | serviceCidr | A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. | string. Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$ |
    | serviceCidrs | One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), are expected for dual-stack networking. They must not overlap with any Subnet IP ranges. | string[] |
    | staticEgressGatewayProfile | The profile for the Static Egress Gateway addon. For more details about Static Egress Gateway, see https://aka.ms/aks/static-egress-gateway. | ManagedClusterStaticEgressGatewayProfile |

    AdvancedNetworking

    | Name | Description | Value |
    | --- | --- | --- |
    | observability | Observability profile to enable advanced network metrics and flow logs with historical contexts. | AdvancedNetworkingObservability |
    | security | Security profile to enable security features on a cilium based cluster. | AdvancedNetworkingSecurity |

    AdvancedNetworkingObservability

    | Name | Description | Value |
    | --- | --- | --- |
    | enabled | Indicates the enablement of Advanced Networking observability functionalities on clusters. | bool |
    | tlsManagement | Management of TLS certificates for querying network flow logs via the flow log endpoint for Advanced Networking observability clusters. If not specified, the default is Managed. For more information see aka.ms/acnstls. | 'Managed', 'None' |

    AdvancedNetworkingSecurity

    | Name | Description | Value |
    | --- | --- | --- |
    | enabled | This feature allows the user to configure network policy based on DNS (FQDN) names. It can be enabled only on cilium based clusters. If not specified, the default is false. | bool |

    ContainerServiceNetworkProfileKubeProxyConfig

    | Name | Description | Value |
    | --- | --- | --- |
    | enabled | Whether to enable kube-proxy on the cluster (if no 'kubeProxyConfig' exists, kube-proxy is enabled in AKS by default without these customizations). | bool |
    | ipvsConfig | Holds configuration customizations for IPVS. May only be specified if 'mode' is set to 'IPVS'. | ContainerServiceNetworkProfileKubeProxyConfigIpvsCon... |
    | mode | Specify which proxy mode to use ('IPTABLES' or 'IPVS'). | 'IPTABLES', 'IPVS' |

    ipvsConfig (ContainerServiceNetworkProfileKubeProxyConfigIpvsCon...)

    | Name | Description | Value |
    | --- | --- | --- |
    | scheduler | IPVS scheduler, for more information please see http://www.linuxvirtualserver.org/docs/scheduling.html. | 'LeastConnection', 'RoundRobin' |
    | tcpFinTimeoutSeconds | The timeout value used for IPVS TCP sessions after receiving a FIN, in seconds. Must be a positive integer value. | int |
    | tcpTimeoutSeconds | The timeout value used for idle IPVS TCP sessions, in seconds. Must be a positive integer value. | int |
    | udpTimeoutSeconds | The timeout value used for IPVS UDP packets, in seconds. Must be a positive integer value. | int |

    ManagedClusterLoadBalancerProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | allocatedOutboundPorts | The desired number of allocated SNAT ports per VM. Allowed values are in the range of 0 to 64000 (inclusive). The default value is 0, which results in Azure dynamically allocating ports. | int. Constraints: Min value = 0, Max value = 64000 |
    | backendPoolType | The type of the managed inbound Load Balancer BackendPool. | 'NodeIP', 'NodeIPConfiguration' |
    | clusterServiceLoadBalancerHealthProbeMode | The health probing behavior for External Traffic Policy Cluster services. | 'ServiceNodePort', 'Shared' |
    | effectiveOutboundIPs | The effective outbound IP resources of the cluster load balancer. | ResourceReference[] |
    | enableMultipleStandardLoadBalancers | Enable multiple standard load balancers per AKS cluster or not. | bool |
    | idleTimeoutInMinutes | Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 30 minutes. | int. Constraints: Min value = 4, Max value = 120 |
    | managedOutboundIPs | Desired managed outbound IPs for the cluster load balancer. | ManagedClusterLoadBalancerProfileManagedOutboundIPs |
    | outboundIPPrefixes | Desired outbound IP Prefix resources for the cluster load balancer. | ManagedClusterLoadBalancerProfileOutboundIPPrefixes |
    | outboundIPs | Desired outbound IP resources for the cluster load balancer. | ManagedClusterLoadBalancerProfileOutboundIPs |

    ResourceReference

    ManagedClusterLoadBalancerProfileManagedOutboundIPs

    | Name | Description | Value |
    | --- | --- | --- |
    | count | The desired number of IPv4 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1. | int. Constraints: Min value = 1, Max value = 100 |
    | countIPv6 | The desired number of IPv6 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack. | int. Constraints: Min value = 0, Max value = 100 |

    ManagedClusterLoadBalancerProfileOutboundIPPrefixes

    ManagedClusterNATGatewayProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | effectiveOutboundIPs | The effective outbound IP resources of the cluster NAT gateway. | ResourceReference[] |
    | idleTimeoutInMinutes | Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 4 minutes. | int. Constraints: Min value = 4, Max value = 120 |
    | managedOutboundIPProfile | Profile of the managed outbound IP resources of the cluster NAT gateway. | ManagedClusterManagedOutboundIPProfile |

    ManagedClusterManagedOutboundIPProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | count | The desired number of outbound IPs created/managed by Azure. Allowed values must be in the range of 1 to 16 (inclusive). The default value is 1. | int. Constraints: Min value = 1, Max value = 16 |

    ManagedClusterStaticEgressGatewayProfile

    ManagedClusterPodIdentityProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | allowNetworkPluginKubenet | Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing. See using Kubenet network plugin with AAD Pod Identity for more information. | bool |
    | enabled | Whether the pod identity addon is enabled. | bool |
    | userAssignedIdentities | The pod identities to use in the cluster. | ManagedClusterPodIdentity[] |
    | userAssignedIdentityExceptions | The pod identity exceptions to allow. | ManagedClusterPodIdentityException[] |

    ManagedClusterPodIdentity

    SafeguardsProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | level | The Safeguards level to be used. By default, Safeguards is enabled for all namespaces except those that AKS excludes via systemExcludedNamespaces. | 'Enforcement', 'Off', 'Warning' (required) |
    | version | The version of constraints to use. | string |

    ManagedClusterSecurityProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | azureKeyVaultKms | Azure Key Vault key management service settings for the security profile. | AzureKeyVaultKms |
    | customCATrustCertificates | A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the Custom CA Trust feature enabled. For more information see Custom CA Trust Certificates. | any[]. Constraints: Max length = 10 |
    | defender | Microsoft Defender settings for the security profile. | ManagedClusterSecurityProfileDefender |
    | imageCleaner | Image Cleaner settings for the security profile. | ManagedClusterSecurityProfileImageCleaner |
    | imageIntegrity | Image integrity is a feature that works with Azure Policy to verify image integrity by signature. This will not have any effect unless Azure Policy is applied to enforce image signatures. See https://aka.ms/aks/image-integrity for how to use this feature via policy. | ManagedClusterSecurityProfileImageIntegrity |
    | nodeRestriction | Node Restriction settings for the security profile. | ManagedClusterSecurityProfileNodeRestriction |
    | workloadIdentity | Workload identity settings for the security profile. Workload identity enables Kubernetes applications to access Azure cloud resources securely with Azure AD. See https://aka.ms/aks/wi for more details. | ManagedClusterSecurityProfileWorkloadIdentity |

    AzureKeyVaultKms

    | Name | Description | Value |
    | --- | --- | --- |
    | enabled | Whether to enable Azure Key Vault key management service. The default is false. | bool |
    | keyId | Identifier of the Azure Key Vault key. See key identifier format for more details. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier. When Azure Key Vault key management service is disabled, leave the field empty. | string |
    | keyVaultNetworkAccess | Network access of the key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public. | 'Private', 'Public' |
    | keyVaultResourceId | Resource ID of the key vault. When keyVaultNetworkAccess is Private, this field is required and must be a valid resource ID. When keyVaultNetworkAccess is Public, leave the field empty. | string |

    ManagedClusterSecurityProfileDefender

    | Name | Description | Value |
    | --- | --- | --- |
    | logAnalyticsWorkspaceResourceId | Resource ID of the Log Analytics workspace to be associated with Microsoft Defender. When Microsoft Defender is enabled, this field is required and must be a valid workspace resource ID. When Microsoft Defender is disabled, leave the field empty. | string |
    | securityMonitoring | Microsoft Defender threat detection for Cloud settings for the security profile. | ManagedClusterSecurityProfileDefenderSecurityMonitor... |

    IstioServiceMesh

    | Name | Description | Value |
    | --- | --- | --- |
    | certificateAuthority | Istio Service Mesh Certificate Authority (CA) configuration. For now, we only support plugin certificates as described here: https://aka.ms/asm-plugin-ca | IstioCertificateAuthority |
    | components | Istio components configuration. | IstioComponents |
    | revisions | The list of revisions of the Istio control plane. When an upgrade is not in progress, this holds one value. When a canary upgrade is in progress, this can only hold two consecutive values. For more information, see: /azure/aks/istio-upgrade | string[]. Constraints: Max length = 2 |
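    As an added example (not code from the reference above or from Microsoft), here is a managedClusters fragment that wires the security-relevant properties from this reference together: Key Vault KMS for etcd secret encryption with the vault reachable only over private link, Defender with its Log Analytics workspace, workload identity, image integrity, authorized API server ranges with run-command disabled, security-patch node OS upgrades, and a system pool with Trusted Launch (Secure Boot, vTPM), SSH disabled and no unsafe sysctls. All resource IDs, the key identifier, the Entra group ID, the CIDR and the SSH key are placeholders; dnsPrefix, disableLocalAccounts, oidcIssuerProfile and the sku values come from the managedClusters schema rather than from this section of the page.

```bicep
// Added example, not part of the reference page. Every <...> value is a placeholder.
param location string = resourceGroup().location
param clusterName string = 'aks-hardened'
param keyVaultResourceId string = '/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault>'
param kmsKeyId string = 'https://<vault>.vault.azure.net/keys/<key-name>/<key-version>'
param logAnalyticsWorkspaceResourceId string = '/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>'
param adminGroupObjectId string = '<entra-group-object-id>'
param apiServerAllowedCidr string = '203.0.113.0/24' // constructed TEST-NET-3 range; use your own egress range
param sshPublicKey string = '<ssh-rsa AAAA... placeholder>'

resource aks 'Microsoft.ContainerService/managedClusters@2024-06-02-preview' = {
  name: clusterName
  location: location
  sku: {
    name: 'Base'
    tier: 'Standard' // cost analysis (metricsProfile) requires Standard or Premium
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    dnsPrefix: clusterName
    aadProfile: {
      managed: true
      enableAzureRBAC: true             // authorization decisions come from Azure RBAC
      adminGroupObjectIDs: [ adminGroupObjectId ]
    }
    disableLocalAccounts: true          // no static cluster-admin kubeconfig to leak
    apiServerAccessProfile: {
      authorizedIPRanges: [ apiServerAllowedCidr ]
      disableRunCommand: true           // run command cannot bypass the IP allow list
    }
    oidcIssuerProfile: {
      enabled: true                     // prerequisite for workloadIdentity (schema property, not on this page)
    }
    securityProfile: {
      azureKeyVaultKms: {
        enabled: true
        keyId: kmsKeyId                 // required when enabled
        keyVaultNetworkAccess: 'Private'
        keyVaultResourceId: keyVaultResourceId // required only when access is Private
      }
      defender: {
        logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
        securityMonitoring: {
          enabled: true
        }
      }
      workloadIdentity: {
        enabled: true
      }
      imageIntegrity: {
        enabled: true                   // no effect until an Azure Policy enforcing signatures is assigned
      }
    }
    autoUpgradeProfile: {
      upgradeChannel: 'patch'
      nodeOSUpgradeChannel: 'SecurityPatch'
    }
    networkProfile: {
      networkPlugin: 'azure'
      networkPluginMode: 'overlay'
      networkDataplane: 'cilium'
      networkPolicy: 'cilium'           // network policy enforced by the cilium dataplane
      outboundType: 'loadBalancer'
    }
    linuxProfile: {
      adminUsername: 'azureuser'
      ssh: {
        publicKeys: [ { keyData: sshPublicKey } ]
      }
    }
    agentPoolProfiles: [
      {
        name: 'system'
        mode: 'System'
        count: 3
        vmSize: 'Standard_D4s_v5'
        osType: 'Linux'
        availabilityZones: [ '1', '2', '3' ]
        securityProfile: {
          enableSecureBoot: true        // Trusted Launch: only signed OS and drivers boot
          enableVTPM: true              // per-node vTPM holds keys and boot measurements
          sshAccess: 'Disabled'         // no interactive node access via SSH
        }
        kubeletConfig: {
          allowedUnsafeSysctls: []      // no unsafe sysctls exposed to pods
          failSwapOn: true
          podMaxPids: 4096              // bounds fork storms from a single pod
        }
      }
    ]
  }
}
```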

    IstioCertificateAuthority

    ManagedClusterStorageProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | blobCSIDriver | AzureBlob CSI Driver settings for the storage profile. | ManagedClusterStorageProfileBlobCSIDriver |
    | diskCSIDriver | AzureDisk CSI Driver settings for the storage profile. | ManagedClusterStorageProfileDiskCSIDriver |
    | fileCSIDriver | AzureFile CSI Driver settings for the storage profile. | ManagedClusterStorageProfileFileCSIDriver |
    | snapshotController | Snapshot Controller settings for the storage profile. | ManagedClusterStorageProfileSnapshotController |

    ManagedClusterStorageProfileBlobCSIDriver

    UpgradeOverrideSettings

    | Name | Description | Value |
    | --- | --- | --- |
    | forceUpgrade | Whether to force upgrade the cluster. Note that this option instructs the upgrade operation to bypass upgrade protections such as checking for deprecated API usage. Enable this option only with caution. | bool |
    | until | Until when the overrides are effective. Note that this only matches the start time of an upgrade, and the effectiveness won't change once an upgrade starts even if the until expires as the upgrade proceeds. This field is not set by default. It must be set for the overrides to take effect. | string |

    ManagedClusterWindowsProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | adminPassword | Specifies the password of the administrator account. Minimum-length: 8 characters. Max-length: 123 characters. Complexity requirements: 3 out of 4 of the following conditions need to be fulfilled: has lower characters; has upper characters; has a digit; has a special character (Regex match [\W_]). Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!" | string |
    | adminUsername | Specifies the name of the administrator account. Restriction: Cannot end in ".". Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5". Minimum-length: 1 character. Max-length: 20 characters. | string (required) |
    | enableCSIProxy | For more details on CSI proxy, see the CSI proxy GitHub repo. | bool |
    | gmsaProfile | The Windows gMSA Profile in the Managed Cluster. | WindowsGmsaProfile |
    | licenseType | The license type to use for Windows VMs. See Azure Hybrid User Benefits for more details. | 'None', 'Windows_Server' |

    WindowsGmsaProfile

  • dnsServer (string): Specifies the DNS server for Windows gMSA. Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster.
  • enabled (bool): Specifies whether to enable Windows gMSA in the managed cluster.
  • rootDomainName (string): Specifies the root domain name for Windows gMSA. Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster.

    ManagedClusterWorkloadAutoScalerProfile

  • keda (ManagedClusterWorkloadAutoScalerProfileKeda): KEDA (Kubernetes Event-driven Autoscaling) settings for the workload auto-scaler profile.
  • verticalPodAutoscaler (ManagedClusterWorkloadAutoScalerProfileVerticalPodAu...)

    ManagedClusterWorkloadAutoScalerProfileKeda

  • addonAutoscaling ('Disabled' | 'Enabled'): Whether VPA add-on is enabled and configured to scale AKS-managed add-ons.
  • enabled (bool, required): Whether to enable VPA add-on in cluster. Default value is false.

    ManagedClusterSKU

  • CI/CD using Jenkins on Azure Container Service (AKS): Containers make it very easy for you to continuously build and deploy your applications. By orchestrating deployment of those containers using Kubernetes in Azure Container Service, you can achieve replicable, manageable clusters of containers. By setting up a continuous build to produce your container images and orchestration, you can increase the speed and reliability of your deployment.
  • min.io Azure Gateway: Fully private min.io Azure Gateway deployment to provide an S3 compliant storage API backed by blob storage.
  • AKS Cluster with a NAT Gateway and an Application Gateway: This sample shows how to deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections.
  • Create a Private AKS Cluster: This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine.
  • Create a Private AKS Cluster with a Public DNS Zone: This sample shows how to deploy a private AKS cluster with a Public DNS Zone.
  • Deploy a managed Kubernetes Cluster (AKS): This ARM template demonstrates the deployment of an AKS instance with advanced networking features into an existing virtual network. Additionally, the chosen Service Principal is assigned the Network Contributor role against the subnet that contains the AKS cluster.
  • Deploy a managed Kubernetes Cluster with AAD (AKS): This ARM template demonstrates the deployment of an AKS instance with advanced networking features into an existing virtual network and Azure AD Integration. Additionally, the chosen Service Principal is assigned the Network Contributor role against the subnet that contains the AKS cluster.
  • Deploy an AKS cluster for Azure ML: This template allows you to deploy an enterprise compliant AKS cluster which can be attached to Azure ML.
  • Azure Container Service (AKS): Deploy a managed cluster with Azure Container Service (AKS).
  • Azure Container Service (AKS): Deploy a managed cluster with Azure Container Service (AKS) using Azure Linux container hosts.
  • Azure Container Service (AKS) with Helm: Deploy a managed cluster with Azure Container Service (AKS) with Helm.
  • Azure Kubernetes Service (AKS): Deploys a managed Kubernetes cluster via Azure Kubernetes Service (AKS).
  • AKS cluster with the Application Gateway Ingress Controller: This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault.

    Terraform (AzAPI provider) resource definition

    The managedClusters resource type can be deployed with operations that target:

  • Resource groups
  • For a list of changed properties in each API version, see change log.

    Resource format

    To create a Microsoft.ContainerService/managedClusters resource, add the following Terraform to your template.

    resource "azapi_resource" "symbolicname" {
      type = "Microsoft.ContainerService/managedClusters@2024-06-02-preview"
      name = "string"
      location = "string"
      parent_id = "string"
      tags = {
        tagName1 = "tagValue1"
        tagName2 = "tagValue2"
      }
      identity {
        delegatedResources = {
          {customized property} = {
            location = "string"
            referralResource = "string"
            resourceId = "string"
            tenantId = "string"
          }
        }
        type = "string"
        identity_ids = []
      }
      body = jsonencode({
        properties = {
          aadProfile = {
            adminGroupObjectIDs = [
              "string"
            ]
            clientAppID = "string"
            enableAzureRBAC = bool
            managed = bool
            serverAppID = "string"
            serverAppSecret = "string"
            tenantID = "string"
          }
          addonProfiles = {
            {customized property} = {
              config = {
                {customized property} = "string"
              }
              enabled = bool
            }
          }
          agentPoolProfiles = [
            {
              artifactStreamingProfile = {
                enabled = bool
              }
              availabilityZones = [
                "string"
              ]
              capacityReservationGroupID = "string"
              count = int
              creationData = {
                sourceResourceId = "string"
              }
              enableAutoScaling = bool
              enableCustomCATrust = bool
              enableEncryptionAtHost = bool
              enableFIPS = bool
              enableNodePublicIP = bool
              enableUltraSSD = bool
              gatewayProfile = {
                publicIPPrefixSize = int
              }
              gpuInstanceProfile = "string"
              gpuProfile = {
                installGPUDriver = bool
              }
              hostGroupID = "string"
              kubeletConfig = {
                allowedUnsafeSysctls = [
                  "string"
                ]
                containerLogMaxFiles = int
                containerLogMaxSizeMB = int
                cpuCfsQuota = bool
                cpuCfsQuotaPeriod = "string"
                cpuManagerPolicy = "string"
                failSwapOn = bool
                imageGcHighThreshold = int
                imageGcLowThreshold = int
                podMaxPids = int
                topologyManagerPolicy = "string"
              }
              kubeletDiskType = "string"
              linuxOSConfig = {
                swapFileSizeMB = int
                sysctls = {
                  fsAioMaxNr = int
                  fsFileMax = int
                  fsInotifyMaxUserWatches = int
                  fsNrOpen = int
                  kernelThreadsMax = int
                  netCoreNetdevMaxBacklog = int
                  netCoreOptmemMax = int
                  netCoreRmemDefault = int
                  netCoreRmemMax = int
                  netCoreSomaxconn = int
                  netCoreWmemDefault = int
                  netCoreWmemMax = int
                  netIpv4IpLocalPortRange = "string"
                  netIpv4NeighDefaultGcThresh1 = int
                  netIpv4NeighDefaultGcThresh2 = int
                  netIpv4NeighDefaultGcThresh3 = int
                  netIpv4TcpFinTimeout = int
                  netIpv4TcpkeepaliveIntvl = int
                  netIpv4TcpKeepaliveProbes = int
                  netIpv4TcpKeepaliveTime = int
                  netIpv4TcpMaxSynBacklog = int
                  netIpv4TcpMaxTwBuckets = int
                  netIpv4TcpTwReuse = bool
                  netNetfilterNfConntrackBuckets = int
                  netNetfilterNfConntrackMax = int
                  vmMaxMapCount = int
                  vmSwappiness = int
                  vmVfsCachePressure = int
                }
                transparentHugePageDefrag = "string"
                transparentHugePageEnabled = "string"
              }
              maxCount = int
              maxPods = int
              messageOfTheDay = "string"
              minCount = int
              mode = "string"
              name = "string"
              networkProfile = {
                allowedHostPorts = [
                  {
                    portEnd = int
                    portStart = int
                    protocol = "string"
                  }
                ]
                applicationSecurityGroups = [
                  "string"
                ]
                nodePublicIPTags = [
                  {
                    ipTagType = "string"
                    tag = "string"
                  }
                ]
              }
              nodeInitializationTaints = [
                "string"
              ]
              nodeLabels = {
                {customized property} = "string"
              }
              nodePublicIPPrefixID = "string"
              nodeTaints = [
                "string"
              ]
              orchestratorVersion = "string"
              osDiskSizeGB = int
              osDiskType = "string"
              osSKU = "string"
              osType = "string"
              podIPAllocationMode = "string"
              podSubnetID = "string"
              powerState = {
                code = "string"
              }
              proximityPlacementGroupID = "string"
              scaleDownMode = "string"
              scaleSetEvictionPolicy = "string"
              scaleSetPriority = "string"
              securityProfile = {
                enableSecureBoot = bool
                enableVTPM = bool
                sshAccess = "string"
              }
              spotMaxPrice = "decimal-as-string"
              tags = {}
              type = "string"
              upgradeSettings = {
                drainTimeoutInMinutes = int
                maxSurge = "string"
                nodeSoakDurationInMinutes = int
                undrainableNodeBehavior = "string"
              }
              virtualMachineNodesStatus = [
                {
                  count = int
                  size = "string"
                }
              ]
              virtualMachinesProfile = {
                scale = {
                  autoscale = [
                    {
                      maxCount = int
                      minCount = int
                      sizes = [
                        "string"
                      ]
                    }
                  ]
                  manual = [
                    {
                      count = int
                      sizes = [
                        "string"
                      ]
                    }
                  ]
                }
              }
              vmSize = "string"
              vnetSubnetID = "string"
              windowsProfile = {
                disableOutboundNat = bool
              }
              workloadRuntime = "string"
            }
          ]
          aiToolchainOperatorProfile = {
            enabled = bool
          }
          apiServerAccessProfile = {
            authorizedIPRanges = [
              "string"
            ]
            disableRunCommand = bool
            enablePrivateCluster = bool
            enablePrivateClusterPublicFQDN = bool
            enableVnetIntegration = bool
            privateDNSZone = "string"
            subnetId = "string"
          }
          autoScalerProfile = {
            balance-similar-node-groups = "string"
            daemonset-eviction-for-empty-nodes = bool
            daemonset-eviction-for-occupied-nodes = bool
            expander = "string"
            ignore-daemonsets-utilization = bool
            max-empty-bulk-delete = "string"
            max-graceful-termination-sec = "string"
            max-node-provision-time = "string"
            max-total-unready-percentage = "string"
            new-pod-scale-up-delay = "string"
            ok-total-unready-count = "string"
            scale-down-delay-after-add = "string"
            scale-down-delay-after-delete = "string"
            scale-down-delay-after-failure = "string"
            scale-down-unneeded-time = "string"
            scale-down-unready-time = "string"
            scale-down-utilization-threshold = "string"
            scan-interval = "string"
            skip-nodes-with-local-storage = "string"
            skip-nodes-with-system-pods = "string"
          }
          autoUpgradeProfile = {
            nodeOSUpgradeChannel = "string"
            upgradeChannel = "string"
          }
          azureMonitorProfile = {
            appMonitoring = {
              autoInstrumentation = {
                enabled = bool
              }
              openTelemetryLogs = {
                enabled = bool
                port = int
              }
              openTelemetryMetrics = {
                enabled = bool
                port = int
              }
            }
            containerInsights = {
              disableCustomMetrics = bool
              disablePrometheusMetricsScraping = bool
              enabled = bool
              logAnalyticsWorkspaceResourceId = "string"
              syslogPort = int
            }
            metrics = {
              enabled = bool
              kubeStateMetrics = {
                metricAnnotationsAllowList = "string"
                metricLabelsAllowlist = "string"
              }
            }
          }
          bootstrapProfile = {
            artifactSource = "string"
            containerRegistryId = "string"
          }
          creationData = {
            sourceResourceId = "string"
          }
          disableLocalAccounts = bool
          diskEncryptionSetID = "string"
          dnsPrefix = "string"
          enableNamespaceResources = bool
          enablePodSecurityPolicy = bool
          enableRBAC = bool
          fqdnSubdomain = "string"
          httpProxyConfig = {
            httpProxy = "string"
            httpsProxy = "string"
            noProxy = [
              "string"
            ]
            trustedCa = "string"
          }
          identityProfile = {
            {customized property} = {
              clientId = "string"
              objectId = "string"
              resourceId = "string"
            }
          }
          ingressProfile = {
            webAppRouting = {
              dnsZoneResourceIds = [
                "string"
              ]
              enabled = bool
              nginx = {
                defaultIngressControllerType = "string"
              }
            }
          }
          kubernetesVersion = "string"
          linuxProfile = {
            adminUsername = "string"
            ssh = {
              publicKeys = [
                {
                  keyData = "string"
                }
              ]
            }
          }
          metricsProfile = {
            costAnalysis = {
              enabled = bool
            }
          }
          networkProfile = {
            advancedNetworking = {
              observability = {
                enabled = bool
                tlsManagement = "string"
              }
              security = {
                fqdnPolicy = {
                  enabled = bool
                }
              }
            }
            dnsServiceIP = "string"
            ipFamilies = [
              "string"
            ]
            kubeProxyConfig = {
              enabled = bool
              ipvsConfig = {
                scheduler = "string"
                tcpFinTimeoutSeconds = int
                tcpTimeoutSeconds = int
                udpTimeoutSeconds = int
              }
              mode = "string"
            }
            loadBalancerProfile = {
              allocatedOutboundPorts = int
              backendPoolType = "string"
              clusterServiceLoadBalancerHealthProbeMode = "string"
              effectiveOutboundIPs = [
                {
                  id = "string"
                }
              ]
              enableMultipleStandardLoadBalancers = bool
              idleTimeoutInMinutes = int
              managedOutboundIPs = {
                count = int
                countIPv6 = int
              }
              outboundIPPrefixes = {
                publicIPPrefixes = [
                  {
                    id = "string"
                  }
                ]
              }
              outboundIPs = {
                publicIPs = [
                  {
                    id = "string"
                  }
                ]
              }
            }
            loadBalancerSku = "string"
            natGatewayProfile = {
              effectiveOutboundIPs = [
                {
                  id = "string"
                }
              ]
              idleTimeoutInMinutes = int
              managedOutboundIPProfile = {
                count = int
              }
            }
            networkDataplane = "string"
            networkMode = "string"
            networkPlugin = "string"
            networkPluginMode = "overlay"
            networkPolicy = "string"
            outboundType = "string"
            podCidr = "string"
            podCidrs = [
              "string"
            ]
            podLinkLocalAccess = "string"
            serviceCidr = "string"
            serviceCidrs = [
              "string"
            ]
            staticEgressGatewayProfile = {
              enabled = bool
            }
          }
          nodeProvisioningProfile = {
            mode = "string"
          }
          nodeResourceGroup = "string"
          nodeResourceGroupProfile = {
            restrictionLevel = "string"
          }
          oidcIssuerProfile = {
            enabled = bool
          }
          podIdentityProfile = {
            allowNetworkPluginKubenet = bool
            enabled = bool
            userAssignedIdentities = [
              {
                bindingSelector = "string"
                identity = {
                  clientId = "string"
                  objectId = "string"
                  resourceId = "string"
                }
                name = "string"
                namespace = "string"
              }
            ]
            userAssignedIdentityExceptions = [
              {
                name = "string"
                namespace = "string"
                podLabels = {
                  {customized property} = "string"
                }
              }
            ]
          }
          privateLinkResources = [
            {
              groupId = "string"
              id = "string"
              name = "string"
              requiredMembers = [
                "string"
              ]
              type = "string"
            }
          ]
          publicNetworkAccess = "string"
          safeguardsProfile = {
            excludedNamespaces = [
              "string"
            ]
            level = "string"
            version = "string"
          }
          securityProfile = {
            azureKeyVaultKms = {
              enabled = bool
              keyId = "string"
              keyVaultNetworkAccess = "string"
              keyVaultResourceId = "string"
            }
            customCATrustCertificates = [ object ]
            defender = {
              logAnalyticsWorkspaceResourceId = "string"
              securityMonitoring = {
                enabled = bool
              }
            }
            imageCleaner = {
              enabled = bool
              intervalHours = int
            }
            imageIntegrity = {
              enabled = bool
            }
            nodeRestriction = {
              enabled = bool
            }
            workloadIdentity = {
              enabled = bool
            }
          }
          serviceMeshProfile = {
            istio = {
              certificateAuthority = {
                plugin = {
                  certChainObjectName = "string"
                  certObjectName = "string"
                  keyObjectName = "string"
                  keyVaultId = "string"
                  rootCertObjectName = "string"
                }
              }
              components = {
                egressGateways = [
                  {
                    enabled = bool
                  }
                ]
                ingressGateways = [
                  {
                    enabled = bool
                    mode = "string"
                  }
                ]
              }
              revisions = [
                "string"
              ]
            }
            mode = "string"
          }
          servicePrincipalProfile = {
            clientId = "string"
            secret = "string"
          }
          storageProfile = {
            blobCSIDriver = {
              enabled = bool
            }
            diskCSIDriver = {
              enabled = bool
              version = "string"
            }
            fileCSIDriver = {
              enabled = bool
            }
            snapshotController = {
              enabled = bool
            }
          }
          supportPlan = "string"
          upgradeSettings = {
            overrideSettings = {
              forceUpgrade = bool
              until = "string"
            }
          }
          windowsProfile = {
            adminPassword = "string"
            adminUsername = "string"
            enableCSIProxy = bool
            gmsaProfile = {
              dnsServer = "string"
              enabled = bool
              rootDomainName = "string"
            }
            licenseType = "string"
          }
          workloadAutoScalerProfile = {
            keda = {
              enabled = bool
            }
            verticalPodAutoscaler = {
              addonAutoscaling = "string"
              enabled = bool
            }
          }
        }
        sku = {
          name = "string"
          tier = "string"
        }
        kind = "string"
        extendedLocation = {
          name = "string"
          type = "EdgeZone"
        }
      })
    }


    Property values

    managedClusters

  • name (string, required): The resource name.
    Character limit: 1-63
    Valid characters: Alphanumerics, underscores, and hyphens. Start and end with alphanumeric.
  • location (string, required): The geo-location where the resource lives.
  • parent_id (string, required): To deploy to a resource group, use the ID of that resource group.
  • tags: Resource tags. Dictionary of tag names and values.
  • sku (ManagedClusterSKU): The managed cluster SKU.
  • kind (string): This is primarily used to expose different UI experiences in the portal for different kinds.
  • extendedLocation (ExtendedLocation): The extended location of the Virtual Machine.
  • identity (ManagedClusterIdentity): The identity of the managed cluster, if configured.
  • properties (ManagedClusterProperties): Properties of a managed cluster.

    ExtendedLocation

  • delegatedResources (DelegatedResources): The delegated identity resources assigned to this managed cluster. This can only be set by another Azure Resource Provider, and a managed cluster only accepts one delegated identity resource. Internal use only.
  • type ("SystemAssigned" | "UserAssigned"): For more information see use managed identities in AKS.
  • identity_ids: The keys must be ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. Array of user identity IDs.

    DelegatedResources

  • referralResource (string): The delegation id of the referral delegation (optional) - internal use only.
  • resourceId (string): The ARM resource id of the delegated resource - internal use only.
  • tenantId (string): The tenant id of the delegated resource - internal use only.
    Constraints: Min length = 36, Max length = 36, Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$

    ManagedClusterIdentityUserAssignedIdentities

    ManagedServiceIdentityUserAssignedIdentitiesValue

    This object doesn't contain any properties to set during deployment. All properties are ReadOnly.

    ManagedClusterProperties

  • aiToolchainOperatorProfile (ManagedClusterAIToolchainOperatorProfile): AI toolchain operator settings that apply to the whole cluster.
  • apiServerAccessProfile (ManagedClusterAPIServerAccessProfile): The access profile for managed cluster API server.
  • autoScalerProfile (ManagedClusterPropertiesAutoScalerProfile): Parameters to be applied to the cluster-autoscaler when enabled.
  • autoUpgradeProfile (ManagedClusterAutoUpgradeProfile): The auto upgrade configuration.
  • azureMonitorProfile (ManagedClusterAzureMonitorProfile): Prometheus addon profile for the container service cluster.
  • bootstrapProfile (ManagedClusterBootstrapProfile): Profile of the cluster bootstrap configuration.
  • creationData (CreationData): CreationData to be used to specify the source Snapshot ID if the cluster will be created/upgraded using a snapshot.
  • disableLocalAccounts (bool): If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. For more details see disable local accounts.
  • diskEncryptionSetID (string): This is of the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/diskEncryptionSets/{encryptionSetName}'
  • dnsPrefix (string): This cannot be updated once the Managed Cluster has been created.
  • enableNamespaceResources (bool): The default value is false. It can be enabled/disabled on creation and updating of the managed cluster. See https://aka.ms/NamespaceARMResource for more details on Namespace as an ARM Resource.
  • enablePodSecurityPolicy (bool): (DEPRECATED) Whether to enable Kubernetes pod security policy (preview). PodSecurityPolicy was deprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25. Learn more at https://aka.ms/k8s/psp and https://aka.ms/aks/psp.
  • enableRBAC (bool): Whether to enable Kubernetes Role-Based Access Control.
  • fqdnSubdomain (string): This cannot be updated once the Managed Cluster has been created.
  • httpProxyConfig (ManagedClusterHttpProxyConfig): Configurations for provisioning the cluster with HTTP proxy servers.
  • identityProfile (ManagedClusterPropertiesIdentityProfile): Identities associated with the cluster.
  • ingressProfile (ManagedClusterIngressProfile): Ingress profile for the managed cluster.
  • kubernetesVersion (string): When you upgrade a supported AKS cluster, Kubernetes minor versions cannot be skipped. All upgrades must be performed sequentially by major version number. For example, upgrades between 1.14.x -> 1.15.x or 1.15.x -> 1.16.x are allowed, however 1.14.x -> 1.16.x is not allowed. See upgrading an AKS cluster for more details.
  • linuxProfile (ContainerServiceLinuxProfile): The profile for Linux VMs in the Managed Cluster.
  • metricsProfile (ManagedClusterMetricsProfile): Optional cluster metrics configuration.
  • networkProfile (ContainerServiceNetworkProfile): The network configuration profile.
  • nodeProvisioningProfile (ManagedClusterNodeProvisioningProfile): Node provisioning settings that apply to the whole cluster.
  • nodeResourceGroup (string): The name of the resource group containing agent pool nodes.
  • nodeResourceGroupProfile (ManagedClusterNodeResourceGroupProfile): The node resource group configuration profile.
  • oidcIssuerProfile (ManagedClusterOidcIssuerProfile): The OIDC issuer profile of the Managed Cluster.
  • podIdentityProfile (ManagedClusterPodIdentityProfile): See use AAD pod identity for more details on AAD pod identity integration.
  • privateLinkResources (PrivateLinkResource[]): Private link resources associated with the cluster.
  • publicNetworkAccess ("Disabled" | "Enabled" | "SecuredByPerimeter"): Allow or deny public network access for AKS.
  • safeguardsProfile (SafeguardsProfile): The Safeguards profile holds all the safeguards information for a given cluster.
  • securityProfile (ManagedClusterSecurityProfile): Security profile for the managed cluster.
  • serviceMeshProfile (ServiceMeshProfile): Service mesh profile for a managed cluster.
  • servicePrincipalProfile (ManagedClusterServicePrincipalProfile): Information about a service principal identity for the cluster to use for manipulating Azure APIs.
  • storageProfile (ManagedClusterStorageProfile): Storage profile for the managed cluster.
  • supportPlan ("AKSLongTermSupport" | "KubernetesOfficial"): The support plan for the Managed Cluster. If unspecified, the default is 'KubernetesOfficial'.
  • upgradeSettings (ClusterUpgradeSettings): Settings for upgrading a cluster.
  • windowsProfile (ManagedClusterWindowsProfile): The profile for Windows VMs in the Managed Cluster.
  • workloadAutoScalerProfile (ManagedClusterWorkloadAutoScalerProfile): Workload Auto-scaler profile for the managed cluster.
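The properties listed above include the cluster-level security switches (aadProfile, enableRBAC, disableLocalAccounts, apiServerAccessProfile, oidcIssuerProfile, securityProfile, autoUpgradeProfile) and the per-pool securityProfile from the agent pool schema. The following is an added example, not part of the Microsoft reference, showing how they combine into one hardened azapi_resource definition against the 2024-06-02-preview schema; the resource group ID, AAD admin group, Log Analytics workspace and allowed client CIDRs are assumed inputs passed as variables, and the region and VM size are placeholders.

```hcl
# Added example (not from the Microsoft reference page): a hardened AKS cluster
# expressed with the azapi provider against the schema documented above.
# The four variables are assumed inputs; no value here is a real subscription value.
variable "resource_group_id"          { type = string }       # parent_id: ID of the target resource group
variable "aad_admin_group_object_id"  { type = string }       # AAD group that receives cluster admin
variable "log_analytics_workspace_id" { type = string }       # workspace used by Defender and Container Insights
variable "authorized_ip_ranges"       { type = list(string) } # client CIDRs allowed to reach the API server

resource "azapi_resource" "aks_hardened" {
  type      = "Microsoft.ContainerService/managedClusters@2024-06-02-preview"
  name      = "aks-hardened"
  location  = "westeurope"
  parent_id = var.resource_group_id

  # Managed identity instead of servicePrincipalProfile, so no client secret lands in state.
  identity {
    type = "SystemAssigned"
  }

  body = jsonencode({
    properties = {
      dnsPrefix         = "aks-hardened"
      kubernetesVersion = "1.29"

      # Authentication and authorization: managed AAD with Azure RBAC, and no static
      # kubeconfig credentials (disableLocalAccounts requires managed AAD).
      aadProfile = {
        managed             = true
        enableAzureRBAC     = true
        adminGroupObjectIDs = [var.aad_admin_group_object_id]
      }
      enableRBAC           = true
      disableLocalAccounts = true

      # Shrink the API server attack surface: IP allow-list and no 'run command' channel.
      apiServerAccessProfile = {
        authorizedIPRanges = var.authorized_ip_ranges
        disableRunCommand  = true
      }

      # Workload identity via the cluster's OIDC issuer; podIdentityProfile stays unset.
      oidcIssuerProfile = { enabled = true }
      securityProfile = {
        workloadIdentity = { enabled = true }
        imageCleaner     = { enabled = true, intervalHours = 24 } # prune unused, possibly stale images
        defender = {
          logAnalyticsWorkspaceResourceId = var.log_analytics_workspace_id
          securityMonitoring              = { enabled = true }
        }
      }

      # Keep the control plane and node OS images patched without manual upgrades.
      autoUpgradeProfile = {
        upgradeChannel       = "patch"
        nodeOSUpgradeChannel = "NodeImage"
      }

      azureMonitorProfile = {
        containerInsights = {
          enabled                         = true
          logAnalyticsWorkspaceResourceId = var.log_analytics_workspace_id
        }
      }

      networkProfile = {
        networkPlugin     = "azure"
        networkPluginMode = "overlay"
        networkPolicy     = "azure" # enforce Kubernetes NetworkPolicy objects
        loadBalancerSku   = "standard"
        outboundType      = "loadBalancer"
      }

      agentPoolProfiles = [
        {
          name                   = "system"
          mode                   = "System"
          count                  = 3
          vmSize                 = "Standard_D4s_v5"
          osType                 = "Linux"
          osSKU                  = "AzureLinux"
          enableEncryptionAtHost = true  # encrypt VM host cache and temp disks
          enableNodePublicIP     = false # nodes reachable only through the VNet
          securityProfile = {
            enableSecureBoot = true # Trusted Launch: measured boot chain
            enableVTPM       = true
            sshAccess        = "Disabled"
          }
        }
      ]
    }
    sku = {
      name = "Base"
      tier = "Standard"
    }
  })
}
```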

    ManagedClusterAADProfile

  • adminGroupObjectIDs (string[]): The list of AAD group object IDs that will have admin role of the cluster.
  • clientAppID (string): (DEPRECATED) The client AAD application ID. Learn more at https://aka.ms/aks/aad-legacy.
  • enableAzureRBAC (bool): Whether to enable Azure RBAC for Kubernetes authorization.
  • managed (bool): Whether to enable managed AAD.
  • serverAppID (string): (DEPRECATED) The server AAD application ID. Learn more at https://aka.ms/aks/aad-legacy.
  • serverAppSecret (string): (DEPRECATED) The server AAD application secret. Learn more at https://aka.ms/aks/aad-legacy.
  • tenantID (string): The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription.

    ManagedClusterPropertiesAddonProfiles

  • artifactStreamingProfile (AgentPoolArtifactStreamingProfile): Configuration for using artifact streaming on AKS.
  • availabilityZones (string[]): The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is 'VirtualMachineScaleSets'.
  • capacityReservationGroupID (string): AKS will associate the specified agent pool with the Capacity Reservation Group.
  • count (int): Number of agents (VMs) to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1.
  • creationData (CreationData): CreationData to be used to specify the source Snapshot ID if the node pool will be created/upgraded using a snapshot.
  • enableAutoScaling (bool): Whether to enable auto-scaler.
  • enableCustomCATrust (bool): When set to true, AKS adds a label to the node indicating that the feature is enabled and deploys a daemonset along with host services to sync custom certificate authorities from user-provided list of base64 encoded certificates into node trust stores. Defaults to false.
  • enableEncryptionAtHost (bool): This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption
  • enableFIPS (bool): See Add a FIPS-enabled node pool for more details.
  • enableNodePublicIP (bool): Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node. The default is false.
  • enableUltraSSD (bool): Whether to enable UltraSSD.
  • gatewayProfile (AgentPoolGatewayProfile): Profile specific to a managed agent pool in Gateway mode. This field cannot be set if agent pool mode is not Gateway.
  • gpuInstanceProfile ("MIG1g" | "MIG2g" | "MIG3g" | "MIG4g" | "MIG7g"): GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU.
  • gpuProfile (AgentPoolGPUProfile): The GPU settings of an agent pool.
  • hostGroupID (string): This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/hostGroups/{hostGroupName}. For more information see Azure dedicated hosts.
  • kubeletConfig (KubeletConfig): The Kubelet configuration on the agent pool nodes.
  • kubeletDiskType ("OS" | "Temporary"): Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage.
  • linuxOSConfig (LinuxOSConfig): The OS configuration of Linux agent nodes.
  • maxCount (int): The maximum number of nodes for auto-scaling.
  • maxPods (int): The maximum number of pods that can run on a node.
  • messageOfTheDay (string): A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of the message of the day for Linux nodes. It must not be specified for Windows nodes. It must be a static string (i.e., will be printed raw and not be executed as a script).
  • minCount (int): The minimum number of nodes for auto-scaling.
  • mode ("Gateway" | "System" | "User"): A cluster must have at least one 'System' Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: /azure/aks/use-system-pools
  • name (string, required): Windows agent pool names must be 6 characters or less.
    Constraints: Pattern = ^[a-z][a-z0-9]{0,11}$
  • networkProfile (AgentPoolNetworkProfile): Network-related settings of an agent pool.
  • nodeInitializationTaints (string[]): These taints will not be reconciled by AKS and can be removed with a kubectl call. This field can be modified after node pool is created, but nodes will not be recreated with new taints until another operation that requires recreation (e.g. node image upgrade) happens. These taints allow for required configuration to run before the node is ready to accept workloads, for example 'key1=value1:NoSchedule' that then can be removed with kubectl taint nodes node1 key1=value1:NoSchedule-
  • nodeLabels (ManagedClusterAgentPoolProfilePropertiesNodeLabels): The node labels to be persisted across all nodes in agent pool.
  • nodePublicIPPrefixID (string): This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPPrefixes/{publicIPPrefixName}
  • nodeTaints (string[]): The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule.
  • orchestratorVersion (string): Both patch version {major.minor.patch} and {major.minor} are supported. When {major.minor} is specified, the latest supported patch version is chosen automatically. Updating the agent pool with the same {major.minor} once it has been created will not trigger an upgrade, even if a newer patch version is available. As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool.
  • osDiskSizeGB (int): OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified.
    Constraints: Min value = 0, Max value = 2048
  • osDiskType ("Ephemeral" | "Managed"): The default is 'Ephemeral' if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. For more information see Ephemeral OS.
  • osSKU ("AzureLinux" | "CBLMariner" | "Mariner" | "Ubuntu" | "Windows2019" | "Windows2022" | "WindowsAnnual"): Specifies the OS SKU used by the agent pool. If not specified, the default is Ubuntu if OSType=Linux or Windows2019 if OSType=Windows. And the default Windows OSSKU will be changed to Windows2022 after Windows2019 is deprecated.
  • osType ("Linux" | "Windows"): The operating system type. The default is Linux.
  • podIPAllocationMode ("DynamicIndividual" | "StaticBlock"): The IP allocation mode for pods in the agent pool. Must be used with podSubnetId. The default is 'DynamicIndividual'.
  • podSubnetID (string): If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}
  • powerState (PowerState): When an Agent Pool is first created it is initially Running. The Agent Pool can be stopped by setting this field to Stopped. A stopped Agent Pool stops all of its VMs and does not accrue billing charges. An Agent Pool can only be stopped if it is Running and provisioning state is Succeeded.
  • proximityPlacementGroupID (string): The ID for Proximity Placement Group.
  • scaleDownMode ("Deallocate" | "Delete"): This also affects the cluster autoscaler behavior. If not specified, it defaults to Delete.
  • scaleSetEvictionPolicy ("Deallocate" | "Delete"): This cannot be specified unless the scaleSetPriority is 'Spot'. If not specified, the default is 'Delete'.
  • scaleSetPriority: The Virtual Machine Scale Set priority. If not specified, the default is 'Regular'. Allowed values: "Regular"
    "Spot" securityProfile The security settings of an agent pool. AgentPoolSecurityProfile spotMaxPrice Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing Specify a decimal value as a string. int or json decimal The tags to be persisted on the agent pool virtual machine scale set. object The type of Agent Pool. "AvailabilitySet"
    "VirtualMachineScaleSets"
    "VirtualMachines" upgradeSettings Settings for upgrading the agentpool AgentPoolUpgradeSettings virtualMachineNodesStatus The status of nodes in a VirtualMachines agent pool. VirtualMachineNodes[] virtualMachinesProfile Specifications on VirtualMachines agent pool. VirtualMachinesProfile vmSize VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: /azure/aks/quotas-skus-regions string vnetSubnetID If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} string windowsProfile The Windows agent pool's specific profile. AgentPoolWindowsProfile workloadRuntime Determines the type of workload a node can run. "KataMshvVmIsolation"
    "OCIContainer"
    "WasmWasi"

    AgentPoolArtifactStreamingProfile

    Name Description Value
    enabled Artifact streaming speeds up the cold-start of containers on a node through on-demand image loading. To use this feature, container images must also enable artifact streaming on ACR. If not specified, the default is false. bool

    CreationData

    Name Description Value
    sourceResourceId This is the ARM ID of the source object to be used to create the target object. string

    AgentPoolGatewayProfile

    Name Description Value
    publicIPPrefixSize The Gateway agent pool associates one public IPPrefix for each static egress gateway to provide public egress. The size of the Public IPPrefix should be selected by the user. Each node in the agent pool is assigned one IP from the IPPrefix. The IPPrefix size thus serves as a cap on the size of the Gateway agent pool. Due to the Azure public IPPrefix size limitation, the valid value range is [28, 31] (/31 = 2 nodes/IPs, /30 = 4 nodes/IPs, /29 = 8 nodes/IPs, /28 = 16 nodes/IPs). The default value is 31. int

    Constraints:
    Min value = 28
    Max value = 31

    AgentPoolGPUProfile

    Name Description Value
    installGPUDriver The default value is true when the vmSize of the agent pool contains a GPU, false otherwise. GPU Driver Installation can only be set true when the VM has an associated GPU resource. Setting this field to false prevents automatic GPU driver installation. In that case, in order for the GPU to be usable, the user must perform GPU driver installation themselves. bool

    KubeletConfig

    Name Description Value
    allowedUnsafeSysctls Allowed list of unsafe sysctls or unsafe sysctl patterns (ending in *). string[]
    containerLogMaxFiles The maximum number of container log files that can be present for a container. The number must be ≥ 2. int

    Constraints:
    Min value = 2
    containerLogMaxSizeMB The maximum size (e.g. 10Mi) of a container log file before it is rotated. int
    cpuCfsQuota The default is true. bool
    cpuCfsQuotaPeriod The default is '100ms'. Valid values are a sequence of decimal numbers with an optional fraction and a unit suffix. For example: '300ms', '2h45m'. Supported units are 'ns', 'us', 'ms', 's', 'm', and 'h'. string
    cpuManagerPolicy The default is 'none'. See Kubernetes CPU management policies for more information. Allowed values are 'none' and 'static'. string
    failSwapOn If set to true it will make the Kubelet fail to start if swap is enabled on the node. bool
    imageGcHighThreshold To disable image garbage collection, set to 100. The default is 85%. int
    imageGcLowThreshold This cannot be set higher than imageGcHighThreshold. The default is 80%. int
    podMaxPids The maximum number of processes per pod. int
    topologyManagerPolicy For more information see Kubernetes Topology Manager. The default is 'none'. Allowed values are 'none', 'best-effort', 'restricted', and 'single-numa-node'. string

    LinuxOSConfig

    Name Description Value
    sysctls Sysctl settings for Linux agent nodes. SysctlConfig
    transparentHugePageDefrag Valid values are 'always', 'defer', 'defer+madvise', 'madvise' and 'never'. The default is 'madvise'. For more information see Transparent Hugepages. string
    transparentHugePageEnabled Valid values are 'always', 'madvise', and 'never'. The default is 'always'. For more information see Transparent Hugepages. string

    SysctlConfig

    Name Description Value
    netIpv4TcpkeepaliveIntvl Sysctl setting net.ipv4.tcp_keepalive_intvl. int

    Constraints:
    Min value = 10
    Max value = 90
    netIpv4TcpKeepaliveProbes Sysctl setting net.ipv4.tcp_keepalive_probes. int
    netIpv4TcpKeepaliveTime Sysctl setting net.ipv4.tcp_keepalive_time. int
    netIpv4TcpMaxSynBacklog Sysctl setting net.ipv4.tcp_max_syn_backlog. int
    netIpv4TcpMaxTwBuckets Sysctl setting net.ipv4.tcp_max_tw_buckets. int
    netIpv4TcpTwReuse Sysctl setting net.ipv4.tcp_tw_reuse. bool
    netNetfilterNfConntrackBuckets Sysctl setting net.netfilter.nf_conntrack_buckets. int

    Constraints:
    Min value = 65536
    Max value = 524288
    netNetfilterNfConntrackMax Sysctl setting net.netfilter.nf_conntrack_max. int

    Constraints:
    Min value = 131072
    Max value = 2097152
    vmMaxMapCount Sysctl setting vm.max_map_count. int
    vmSwappiness Sysctl setting vm.swappiness. int
    vmVfsCachePressure Sysctl setting vm.vfs_cache_pressure. int

    AgentPoolNetworkProfile

    Name Description Value
    allowedHostPorts The host port ranges on the nodes that are allowed to be accessed. The specified ranges are allowed to overlap. PortRange[]
    applicationSecurityGroups The IDs of the application security groups which the agent pool will associate with when created. string[]
    nodePublicIPTags IPTags of instance-level public IPs. IPTag[]

    PortRange

    Name Description Value
    portEnd The maximum port that is included in the range. It should be in the range 1 to 65535, and be greater than or equal to portStart. int

    Constraints:
    Min value = 1
    Max value = 65535
    portStart The minimum port that is included in the range. It should be in the range 1 to 65535, and be less than or equal to portEnd. int

    Constraints:
    Min value = 1
    Max value = 65535
    protocol The network protocol of the port. "TCP"
    "UDP"

    AgentPoolSecurityProfile

    Name Description Value
    enableSecureBoot Secure Boot is a feature of Trusted Launch which ensures that only signed operating systems and drivers can boot. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false. bool
    enableVTPM vTPM is a Trusted Launch feature for configuring a dedicated secure vault for keys and measurements held locally on the node. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false. bool
    sshAccess SSH access method of an agent pool. "Disabled"
    "LocalUser"

    AgentPoolUpgradeSettings

    Name Description Value
    drainTimeoutInMinutes The amount of time (in minutes) to wait on eviction of pods and graceful termination per node. This eviction wait time honors waiting on pod disruption budgets. If this time is exceeded, the upgrade fails. If not specified, the default is 30 minutes. int

    Constraints:
    Min value = 1
    Max value = 1440
    maxSurge This can either be set to an integer (e.g. '5') or a percentage (e.g. '50%'). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 1. For more information, including best practices, see: /azure/aks/upgrade-cluster#customize-node-surge-upgrade string
    nodeSoakDurationInMinutes The amount of time (in minutes) to wait after draining a node and before reimaging it and moving on to the next node. If not specified, the default is 0 minutes. int

    Constraints:
    Min value = 0
    Max value = 30
    undrainableNodeBehavior Defines the behavior for undrainable nodes during upgrade. The most common cause of undrainable nodes is Pod Disruption Budgets (PDBs), but other issues, such as a pod termination grace period that exceeds the remaining per-node drain timeout, or a pod that is still running, can also cause undrainable nodes. "Cordon"
    "Schedule"

    ScaleProfile

    Name Description Value
    autoscale Specifications on how to auto-scale the VirtualMachines agent pool within a predefined size range. Currently, at most one AutoScaleProfile is allowed. AutoScaleProfile[]
    manual Specifications on how to scale the VirtualMachines agent pool to a fixed size. Currently, at most one ManualScaleProfile is allowed. ManualScaleProfile[]

    AutoScaleProfile

    Name Description Value
    sizes The list of allowed vm sizes e.g. ['Standard_E4s_v3', 'Standard_E16s_v3', 'Standard_D16s_v5']. AKS will use the first available one when auto scaling. If a VM size is unavailable (e.g. due to quota or regional capacity reasons), AKS will use the next size. string[]

    ManualScaleProfile

    Name Description Value
    sizes The list of allowed vm sizes e.g. ['Standard_E4s_v3', 'Standard_E16s_v3', 'Standard_D16s_v5']. AKS will use the first available one when scaling. If a VM size is unavailable (e.g. due to quota or regional capacity reasons), AKS will use the next size. string[]

    AgentPoolWindowsProfile

    Name Description Value
    disableOutboundNat The default value is false. Outbound NAT can only be disabled if the cluster outboundType is NAT Gateway and the Windows agent pool does not have node public IP enabled. bool

    ManagedClusterAPIServerAccessProfile

    Name Description Value
    authorizedIPRanges IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. For more information see API server authorized IP ranges. string[]
    disableRunCommand Whether to disable run command for the cluster or not. bool
    enablePrivateCluster For more details, see Creating a private AKS cluster. bool
    enablePrivateClusterPublicFQDN Whether to create an additional public FQDN for the private cluster or not. bool
    enableVnetIntegration Whether to enable apiserver vnet integration for the cluster or not. bool
    privateDNSZone The default is System. For more details see configure private DNS zone. Allowed values are 'system' and 'none'. string
    subnetId It is required when: 1. creating a new cluster with BYO Vnet; 2. updating an existing cluster to enable apiserver vnet integration. string
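The two exposure models this table describes, a private cluster and a public endpoint restricted by authorized IP ranges, are shown side by side in the following Bicep. It is an added example, not code from this reference page or from the AKS project; the cluster name, subnet resource ID and the 203.0.113.0/24 range (an RFC 5737 documentation range) are hypothetical placeholders, and `dnsPrefix` is a property of this resource type whose row falls outside this excerpt.

```bicep
// Added example (not from the reference page): two documented ways to limit who can reach
// the API server, selected by a parameter. Cluster name, subnet ID and IP range are hypothetical.
param location string = resourceGroup().location
param clusterName string = 'aks-apiserver-example'
param nodeSubnetId string           // hypothetical: /subscriptions/.../subnets/snet-nodes
param privateCluster bool = true
param authorizedIpRanges array = [  // used only when privateCluster is false
  '203.0.113.0/24'
]

resource aks 'Microsoft.ContainerService/managedClusters@2024-06-02-preview' = {
  name: clusterName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    dnsPrefix: clusterName
    apiServerAccessProfile: privateCluster ? {
      // Private cluster: the API server is reachable only through its private endpoint.
      enablePrivateCluster: true
      enablePrivateClusterPublicFQDN: false   // no public DNS record for the control plane at all
      privateDNSZone: 'system'                // AKS creates and manages the private DNS zone
      disableRunCommand: true                 // 'az aks command invoke' cannot bypass the private endpoint
    } : {
      // Public endpoint, but only these source ranges may reach it. Not compatible with
      // node public IPs or a Basic load balancer; your own client must be inside the list.
      enablePrivateCluster: false
      authorizedIPRanges: authorizedIpRanges
      disableRunCommand: true
    }
    agentPoolProfiles: [
      {
        name: 'sysnp1'
        mode: 'System'
        count: 3
        vmSize: 'Standard_D4s_v5'
        osType: 'Linux'
        vnetSubnetID: nodeSubnetId
      }
    ]
  }
}
```

`disableRunCommand` is set in both branches on purpose: run command is a control-plane path that executes commands inside the cluster on the caller's behalf, so leaving it enabled undoes part of what the network restriction buys. Note also that `enablePrivateClusterPublicFQDN: false` is only valid together with a managed or custom private DNS zone, not with `privateDNSZone: 'none'`.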

    ManagedClusterPropertiesAutoScalerProfile

    Name Description Value
    daemonset-eviction-for-empty-nodes If set to true, all daemonset pods on empty nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted. bool
    daemonset-eviction-for-occupied-nodes If set to true, all daemonset pods on occupied nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted. bool
    expander Available values are: 'least-waste', 'most-pods', 'priority', 'random'. "least-waste"
    "most-pods"
    "priority"
    "random"
    ignore-daemonsets-utilization If set to true, the resources used by daemonset pods are ignored when calculating node utilization for scale-down decisions. bool
    max-empty-bulk-delete The default is 10. string
    max-graceful-termination-sec The default is 600. string
    max-node-provision-time The default is '15m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
    max-total-unready-percentage The default is 45. The maximum is 100 and the minimum is 0. string
    new-pod-scale-up-delay For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. The default is '0s'. Values must be an integer followed by a unit ('s' for seconds, 'm' for minutes, 'h' for hours, etc). string
    ok-total-unready-count This must be an integer. The default is 3. string
    scale-down-delay-after-add The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
    scale-down-delay-after-delete The default is the scan-interval. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
    scale-down-delay-after-failure The default is '3m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
    scale-down-unneeded-time The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
    scale-down-unready-time The default is '20m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
    scale-down-utilization-threshold The default is '0.5'. string
    scan-interval The default is '10'. Values must be an integer number of seconds. string
    skip-nodes-with-local-storage The default is true. string
    skip-nodes-with-system-pods The default is true. string

    ManagedClusterAutoUpgradeProfile

    Name Description Value
    nodeOSUpgradeChannel The default is Unmanaged, but may change to either NodeImage or SecurityPatch at GA. "NodeImage"
    "None"
    "SecurityPatch"
    "Unmanaged"
    upgradeChannel For more information see setting the AKS cluster auto-upgrade channel. "node-image"
    "none"
    "patch"
    "rapid"
    "stable"

    ManagedClusterAzureMonitorProfile

    Name Description Value
    appMonitoring Application Monitoring Profile for Kubernetes Application Container. Collects application logs, metrics and traces through auto-instrumentation of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview. ManagedClusterAzureMonitorProfileAppMonitoring
    containerInsights Azure Monitor Container Insights Profile for Kubernetes Events, Inventory and Container stdout & stderr logs etc. See aka.ms/AzureMonitorContainerInsights for an overview. ManagedClusterAzureMonitorProfileContainerInsights
    metrics Metrics profile for the prometheus service addon. ManagedClusterAzureMonitorProfileMetrics

    ManagedClusterAzureMonitorProfileAppMonitoring

    Name Description Value
    autoInstrumentation Application Monitoring Auto Instrumentation for Kubernetes Application Container. Deploys a web hook to auto-instrument Azure Monitor OpenTelemetry based SDKs to collect OpenTelemetry metrics, logs and traces of the application. See aka.ms/AzureMonitorApplicationMonitoring for an overview. ManagedClusterAzureMonitorProfileAppMonitoringAutoIn...
    openTelemetryLogs Application Monitoring Open Telemetry Profile for Kubernetes Application Container Logs and Traces. Collects OpenTelemetry logs and traces of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview. ManagedClusterAzureMonitorProfileAppMonitoringOpenTe...
    openTelemetryMetrics Application Monitoring Open Telemetry Metrics Profile for Kubernetes Application Container Metrics. Collects OpenTelemetry metrics of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview. ManagedClusterAzureMonitorProfileAppMonitoringOpenTe...
    enabled Indicates if Application Monitoring Open Telemetry Logs and traces is enabled or not. bool
    The Open Telemetry host port for Open Telemetry logs and traces. If not specified, the default port is 28331.
    The Open Telemetry host port for Open Telemetry metrics. If not specified, the default port is 28333.

    ManagedClusterAzureMonitorProfileContainerInsights

    Name Description Value
    disableCustomMetrics Indicates whether custom metrics collection is disabled. If not specified, the default is false. Custom metrics are only emitted when the Container Insights enabled field is true; leaving this field false does not emit custom metrics on its own. bool
    disablePrometheusMetricsScraping Indicates whether prometheus metrics scraping is disabled. If not specified, the default is false. Prometheus metrics are only emitted when the Container Insights enabled field is true; leaving this field false does not emit prometheus metrics on its own. bool
    enabled Indicates if the Azure Monitor Container Insights Logs Addon is enabled or not. bool
    logAnalyticsWorkspaceResourceId Fully Qualified ARM Resource Id of the Azure Log Analytics Workspace for storing Azure Monitor Container Insights Logs. string
    syslogPort The syslog host port. If not specified, the default port is 28330. int

    ManagedClusterAzureMonitorProfileMetrics

    Name Description Value
    kubeStateMetrics Kube State Metrics for the prometheus addon profile for the container service cluster. ManagedClusterAzureMonitorProfileKubeStateMetrics

    ManagedClusterAzureMonitorProfileKubeStateMetrics

    Name Description Value
    metricAnnotationsAllowList Comma-separated list of Kubernetes annotation keys that will be used in the resource's labels metric. string
    metricLabelsAllowlist Comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric. string

    ManagedClusterBootstrapProfile

    Name Description Value
    containerRegistryId The resource Id of the Azure Container Registry. The registry must have private network access, premium SKU and zone redundancy. string

    ManagedClusterIngressProfileWebAppRouting

    Name Description Value
    dnsZoneResourceIds Resource IDs of the DNS zones to be associated with the Web App Routing add-on. Used only when Web App Routing is enabled. Public and private DNS zones can be in different resource groups, but all public DNS zones must be in the same resource group and all private DNS zones must be in the same resource group. string[]

    Constraints:
    Max length = 5
    enabled Whether to enable Web App Routing. bool
    nginx Configuration for the default NginxIngressController. See more at /azure/aks/app-routing-nginx-configuration#the-default-nginx-ingress-controller. ManagedClusterIngressProfileNginx

    ManagedClusterIngressProfileNginx

    Name Description Value
    defaultIngressControllerType Ingress type for the default NginxIngressController custom resource. "AnnotationControlled"
    "External"
    "Internal"
    "None"

    ContainerServiceLinuxProfile

    Name Description Value
    adminUsername The administrator username to use for Linux VMs. string (required)

    Constraints:
    Pattern = ^[A-Za-z][-A-Za-z0-9_]*$
    ssh The SSH configuration for Linux-based VMs running on Azure. ContainerServiceSshConfiguration (required)

    ContainerServiceSshConfiguration

    Name Description Value
    publicKeys The list of SSH public keys used to authenticate with Linux-based VMs. A maximum of 1 key may be specified. ContainerServiceSshPublicKey[] (required)

    ContainerServiceSshPublicKey

    Name Description Value
    keyData Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers. string (required)

    ManagedClusterMetricsProfile

    Name Description Value
    enabled The Managed Cluster sku.tier must be set to 'Standard' or 'Premium' to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. If not specified, the default is false. For more information see aka.ms/aks/docs/cost-analysis. bool

    ContainerServiceNetworkProfile

    Name Description Value
    advancedNetworking Advanced Networking profile for enabling observability on a cluster. Note that enabling advanced networking features may incur additional costs. For more information see aka.ms/aksadvancednetworking. AdvancedNetworking
    dnsServiceIP An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. string

    Constraints:
    Pattern = ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
    ipFamilies IP families are used to determine single-stack or dual-stack clusters. For single-stack, the expected value is IPv4. For dual-stack, the expected values are IPv4 and IPv6. String array containing any of:
    "IPv4"
    "IPv6"
    kubeProxyConfig Holds configuration customizations for kube-proxy. Any values not defined will use the kube-proxy defaulting behavior. See https://v{version}.docs.kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/ where {version} is represented by a {major version}-{minor version} string. Kubernetes version 1.23 would be '1-23'. ContainerServiceNetworkProfileKubeProxyConfig
    loadBalancerProfile Profile of the cluster load balancer. ManagedClusterLoadBalancerProfile
    loadBalancerSku The default is 'standard'. See Azure Load Balancer SKUs for more information about the differences between load balancer SKUs. "basic"
    "standard"
    natGatewayProfile Profile of the cluster NAT gateway. ManagedClusterNATGatewayProfile
    networkDataplane Network dataplane used in the Kubernetes cluster. "azure"
    "cilium"
    networkMode This cannot be specified if networkPlugin is anything other than 'azure'. "bridge"
    "transparent"
    networkPlugin Network plugin used for building the Kubernetes network. "azure"
    "kubenet"
    "none"
    networkPluginMode Network plugin mode used for building the Kubernetes network. "overlay"
    networkPolicy Network policy used for building the Kubernetes network. "azure"
    "calico"
    "cilium"
    "none"
    outboundType This can only be set at cluster creation time and cannot be changed later. For more information see egress outbound type. "loadBalancer"
    "managedNATGateway"
    "none"
    "userAssignedNATGateway"
    "userDefinedRouting"
    podCidr A CIDR notation IP range from which to assign pod IPs when kubenet is used. string

    Constraints:
    Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$
    podCidrs One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), are expected for dual-stack networking. string[]
    podLinkLocalAccess Defines access to special link local addresses (Azure Instance Metadata Service, aka IMDS) for pods with hostNetwork=false. If not specified, the default is 'IMDS'. "IMDS"
    "None"
    serviceCidr A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. string

    Constraints:
    Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$
    serviceCidrs One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), are expected for dual-stack networking. They must not overlap with any Subnet IP ranges. string[]
    staticEgressGatewayProfile The profile for the Static Egress Gateway addon. For more details about Static Egress Gateway, see https://aka.ms/aks/static-egress-gateway. ManagedClusterStaticEgressGatewayProfile

    AdvancedNetworking

    Name Description Value
    observability Observability profile to enable advanced network metrics and flow logs with historical contexts. AdvancedNetworkingObservability
    security Security profile to enable security features on a cilium based cluster. AdvancedNetworkingSecurity

    AdvancedNetworkingObservability

    Name Description Value
    enabled Indicates the enablement of Advanced Networking observability functionalities on clusters. bool
    tlsManagement Management of TLS certificates for querying network flow logs via the flow log endpoint for Advanced Networking observability clusters. If not specified, the default is Managed. For more information see aka.ms/acnstls. "Managed"
    "None"

    AdvancedNetworkingSecurity

    Name Description Value
    enabled This feature allows the user to configure network policy based on DNS (FQDN) names. It can be enabled only on cilium based clusters. If not specified, the default is false. bool
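The ContainerServiceNetworkProfile and AdvancedNetworking tables above describe settings that only make sense in combination (a Cilium dataplane requires Cilium network policy; FQDN policy requires the Cilium dataplane; user-defined routing requires a BYO subnet). The following Bicep is an added example, not code from this reference page or from the AKS project, that wires them together for an egress-locked cluster. The cluster name, CIDRs and subnet resource ID are hypothetical; for `outboundType: 'userDefinedRouting'` the subnet's route table must already send 0.0.0.0/0 to the firewall or NVA. `podLinkLocalAccess: 'None'` is a preview setting, and its use together with the Cilium dataplane is assumed here rather than stated on this page; `dnsPrefix` is a property of this resource type whose row falls outside this excerpt.

```bicep
// Added example (not from the reference page): ContainerServiceNetworkProfile for a cluster
// with the Cilium dataplane and Cilium network policy on Azure CNI overlay, egress forced through
// a firewall, IMDS blocked for pods, and Advanced Networking observability plus FQDN policy.
// Cluster name, CIDRs and the subnet ID are hypothetical.
param location string = resourceGroup().location
param clusterName string = 'aks-network-example'
param nodeSubnetId string   // hypothetical; its route table must carry 0.0.0.0/0 -> firewall

resource aks 'Microsoft.ContainerService/managedClusters@2024-06-02-preview' = {
  name: clusterName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    dnsPrefix: clusterName
    networkProfile: {
      networkPlugin: 'azure'
      networkPluginMode: 'overlay'        // pod IPs come from podCidr, not from the VNet subnet
      networkDataplane: 'cilium'
      networkPolicy: 'cilium'             // the Cilium dataplane enforces NetworkPolicy itself
      podCidr: '10.244.0.0/16'
      serviceCidr: '10.0.0.0/16'          // must not overlap any subnet
      dnsServiceIP: '10.0.0.10'           // must lie inside serviceCidr
      loadBalancerSku: 'standard'
      outboundType: 'userDefinedRouting'  // fixed at creation; all egress follows the subnet route table
      podLinkLocalAccess: 'None'          // assumed compatible here: pods with hostNetwork=false cannot reach IMDS
      advancedNetworking: {
        observability: {
          enabled: true
          tlsManagement: 'Managed'        // flow-log endpoint certificates managed by AKS
        }
        security: {
          enabled: true                   // FQDN-based network policy; Cilium dataplane only
        }
      }
    }
    agentPoolProfiles: [
      {
        name: 'sysnp1'
        mode: 'System'
        count: 3
        vmSize: 'Standard_D4s_v5'
        osType: 'Linux'
        vnetSubnetID: nodeSubnetId        // BYO subnet is what makes userDefinedRouting possible
      }
    ]
  }
}
```

Blocking IMDS for pods closes the path by which a compromised container reads the node's managed identity token from 169.254.169.254; workloads that legitimately need Azure credentials should get them through workload identity instead. Advanced Networking is billed separately, as the advancedNetworking row notes.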

    ContainerServiceNetworkProfileKubeProxyConfig

    Name Description Value
    enabled Whether to enable kube-proxy on the cluster (if no 'kubeProxyConfig' exists, kube-proxy is enabled in AKS by default without these customizations). bool
    ipvsConfig Holds configuration customizations for IPVS. May only be specified if 'mode' is set to 'IPVS'. ContainerServiceNetworkProfileKubeProxyConfigIpvsCon...
    mode Specify which proxy mode to use ('IPTABLES' or 'IPVS'). "IPTABLES"
    "IPVS"
    scheduler IPVS scheduler, for more information please see http://www.linuxvirtualserver.org/docs/scheduling.html. "LeastConnection"
    "RoundRobin"
    tcpFinTimeoutSeconds The timeout value used for IPVS TCP sessions after receiving a FIN, in seconds. Must be a positive integer value. int
    tcpTimeoutSeconds The timeout value used for idle IPVS TCP sessions, in seconds. Must be a positive integer value. int
    udpTimeoutSeconds The timeout value used for IPVS UDP packets, in seconds. Must be a positive integer value. int

    ManagedClusterLoadBalancerProfile

    Name Description Value
    allocatedOutboundPorts The desired number of allocated SNAT ports per VM. Allowed values are in the range of 0 to 64000 (inclusive). The default value is 0, which results in Azure dynamically allocating ports. int

    Constraints:
    Min value = 0
    Max value = 64000
    backendPoolType The type of the managed inbound Load Balancer BackendPool. "NodeIP"
    "NodeIPConfiguration"
    clusterServiceLoadBalancerHealthProbeMode The health probing behavior for External Traffic Policy Cluster services. "ServiceNodePort"
    "Shared"
    effectiveOutboundIPs The effective outbound IP resources of the cluster load balancer. ResourceReference[]
    enableMultipleStandardLoadBalancers Whether to enable multiple standard load balancers per AKS cluster. bool
    idleTimeoutInMinutes Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 30 minutes. int

    Constraints:
    Min value = 4
    Max value = 120
    managedOutboundIPs Desired managed outbound IPs for the cluster load balancer. ManagedClusterLoadBalancerProfileManagedOutboundIPs
    outboundIPPrefixes Desired outbound IP Prefix resources for the cluster load balancer. ManagedClusterLoadBalancerProfileOutboundIPPrefixes
    outboundIPs Desired outbound IP resources for the cluster load balancer. ManagedClusterLoadBalancerProfileOutboundIPs

    ManagedClusterLoadBalancerProfileManagedOutboundIPs

    Name Description Value
    count The desired number of IPv4 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1. int

    Constraints:
    Min value = 1
    Max value = 100
    countIPv6 The desired number of IPv6 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 0 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack. int

    Constraints:
    Min value = 0
    Max value = 100

    ManagedClusterNATGatewayProfile

    Name Description Value
    effectiveOutboundIPs The effective outbound IP resources of the cluster NAT gateway. ResourceReference[]
    idleTimeoutInMinutes Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 4 minutes. int

    Constraints:
    Min value = 4
    Max value = 120
    managedOutboundIPProfile Profile of the managed outbound IP resources of the cluster NAT gateway. ManagedClusterManagedOutboundIPProfile

    ManagedClusterManagedOutboundIPProfile

    Name Description Value
    count The desired number of outbound IPs created/managed by Azure. Allowed values must be in the range of 1 to 16 (inclusive). The default value is 1. int

    Constraints:
    Min value = 1
    Max value = 16

    ManagedClusterPodIdentityProfile

    Name Description Value
    allowNetworkPluginKubenet Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing. See using Kubenet network plugin with AAD Pod Identity for more information. bool
    enabled Whether the pod identity addon is enabled. bool
    userAssignedIdentities The pod identities to use in the cluster. ManagedClusterPodIdentity[]
    userAssignedIdentityExceptions The pod identity exceptions to allow. ManagedClusterPodIdentityException[]

    SafeguardsProfile

    Name Description Value
    level The Safeguards level to be used. By default, Safeguards is enabled for all namespaces except those that AKS excludes via systemExcludedNamespaces. "Enforcement"
    "Off"
    "Warning" (required)
    version The version of constraints to use. string

    ManagedClusterSecurityProfile

    Name Description Value
    azureKeyVaultKms Azure Key Vault key management service settings for the security profile. AzureKeyVaultKms
    customCATrustCertificates A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the Custom CA Trust feature enabled. For more information see Custom CA Trust Certificates. any[]

    Constraints:
    Max length = 10
    defender Microsoft Defender settings for the security profile. ManagedClusterSecurityProfileDefender
    imageCleaner Image Cleaner settings for the security profile. ManagedClusterSecurityProfileImageCleaner
    imageIntegrity Image integrity is a feature that works with Azure Policy to verify image integrity by signature. This will not have any effect unless Azure Policy is applied to enforce image signatures. See https://aka.ms/aks/image-integrity for how to use this feature via policy. ManagedClusterSecurityProfileImageIntegrity
    nodeRestriction Node Restriction settings for the security profile. ManagedClusterSecurityProfileNodeRestriction
    workloadIdentity Workload identity settings for the security profile. Workload identity enables Kubernetes applications to access Azure cloud resources securely with Azure AD. See https://aka.ms/aks/wi for more details. ManagedClusterSecurityProfileWorkloadIdentity

    AzureKeyVaultKms

    | Name | Description | Value |
    | --- | --- | --- |
    | enabled | Whether to enable Azure Key Vault key management service. The default is false. | bool |
    | keyId | Identifier of Azure Key Vault key. See key identifier format for more details. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier. When Azure Key Vault key management service is disabled, leave the field empty. | string |
    | keyVaultNetworkAccess | Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public. | "Private"<br>"Public" |
    | keyVaultResourceId | Resource ID of key vault. When keyVaultNetworkAccess is Private, this field is required and must be a valid resource ID. When keyVaultNetworkAccess is Public, leave the field empty. | string |

    ManagedClusterSecurityProfileDefender

    | Name | Description | Value |
    | --- | --- | --- |
    | logAnalyticsWorkspaceResourceId | Resource ID of the Log Analytics workspace to be associated with Microsoft Defender. When Microsoft Defender is enabled, this field is required and must be a valid workspace resource ID. When Microsoft Defender is disabled, leave the field empty. | string |
    | securityMonitoring | Microsoft Defender threat detection for Cloud settings for the security profile. | ManagedClusterSecurityProfileDefenderSecurityMonitor... |

    IstioServiceMesh

    | Name | Description | Value |
    | --- | --- | --- |
    | certificateAuthority | Istio Service Mesh Certificate Authority (CA) configuration. For now, we only support plugin certificates as described here https://aka.ms/asm-plugin-ca | IstioCertificateAuthority |
    | components | Istio components configuration. | IstioComponents |
    | revisions | The list of revisions of the Istio control plane. When an upgrade is not in progress, this holds one value. When a canary upgrade is in progress, this can only hold two consecutive values. For more information, see: /azure/aks/istio-upgrade | string[]<br><br>Constraints:<br>Max length = 2 |
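    As an added example that is not part of this reference page, the following Bicep wires the securityProfile types documented above (ManagedClusterSecurityProfile, AzureKeyVaultKms, ManagedClusterSecurityProfileDefender) into a managedClusters resource so that each conditional requirement in those tables is satisfied. All parameter values are placeholders; the user-assigned identity and oidcIssuerProfile are included on the assumption, taken from AKS documentation rather than these tables, that a private key vault needs a user-assigned cluster identity and that workload identity depends on the cluster OIDC issuer.

```bicep
// Added example, not part of this reference page. The vault, key, workspace and
// user-assigned identity are assumed to exist; the parameter values are placeholders.
param keyVaultResourceId string               // resourceId('Microsoft.KeyVault/vaults', '<vault-name>')
param kmsKeyId string                         // https://<vault-name>.vault.azure.net/keys/<key-name>/<version>
param logAnalyticsWorkspaceResourceId string  // workspace that receives Defender findings
param clusterIdentityResourceId string        // user-assigned identity for the control plane

resource aks 'Microsoft.ContainerService/managedClusters@2024-06-02-preview' = {
  name: 'aks-example'
  location: resourceGroup().location
  // A private key vault requires a user-assigned cluster identity (assumption from AKS KMS docs).
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${clusterIdentityResourceId}': {}
    }
  }
  properties: {
    dnsPrefix: 'aks-example'
    agentPoolProfiles: [
      { name: 'system', mode: 'System', count: 3, vmSize: 'Standard_D4s_v3', osType: 'Linux' }
    ]
    // Workload identity federates through the cluster OIDC issuer (assumption from AKS docs).
    oidcIssuerProfile: { enabled: true }
    securityProfile: {
      azureKeyVaultKms: {
        enabled: true
        keyId: kmsKeyId                         // required because enabled is true
        keyVaultNetworkAccess: 'Private'
        keyVaultResourceId: keyVaultResourceId  // required because network access is Private
      }
      defender: {
        // Required when Defender is enabled; leave empty when it is disabled.
        logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
        securityMonitoring: { enabled: true }
      }
      imageCleaner: { enabled: true }
      workloadIdentity: { enabled: true }
    }
  }
}
```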

    ManagedClusterStorageProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | blobCSIDriver | AzureBlob CSI Driver settings for the storage profile. | ManagedClusterStorageProfileBlobCSIDriver |
    | diskCSIDriver | AzureDisk CSI Driver settings for the storage profile. | ManagedClusterStorageProfileDiskCSIDriver |
    | fileCSIDriver | AzureFile CSI Driver settings for the storage profile. | ManagedClusterStorageProfileFileCSIDriver |
    | snapshotController | Snapshot Controller settings for the storage profile. | ManagedClusterStorageProfileSnapshotController |

    UpgradeOverrideSettings

    | Name | Description | Value |
    | --- | --- | --- |
    | forceUpgrade | Whether to force upgrade the cluster. Note that this option instructs the upgrade operation to bypass upgrade protections such as checking for deprecated API usage. Enable this option only with caution. | bool |
    | until | Until when the overrides are effective. Note that this only matches the start time of an upgrade, and the effectiveness won't change once an upgrade starts even if the until expires as the upgrade proceeds. This field is not set by default. It must be set for the overrides to take effect. | string |

    ManagedClusterWindowsProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | adminPassword | Specifies the password of the administrator account.<br><br>Minimum-length: 8 characters<br><br>Max-length: 123 characters<br><br>Complexity requirements: 3 out of 4 conditions below need to be fulfilled<br>Has lower characters<br>Has upper characters<br>Has a digit<br>Has a special character (Regex match [\W_])<br><br>Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!" | string |
    | adminUsername | Specifies the name of the administrator account.<br><br>Restriction: Cannot end in "."<br><br>Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5".<br><br>Minimum-length: 1 character<br><br>Max-length: 20 characters | string (required) |
    | enableCSIProxy | For more details on CSI proxy, see the CSI proxy GitHub repo. | bool |
    | gmsaProfile | The Windows gMSA Profile in the Managed Cluster. | WindowsGmsaProfile |
    | licenseType | The license type to use for Windows VMs. See Azure Hybrid User Benefits for more details. | "None"<br>"Windows_Server" |

    WindowsGmsaProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | dnsServer | Specifies the DNS server for Windows gMSA.<br><br>Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster. | string |
    | enabled | Specifies whether to enable Windows gMSA in the managed cluster. | bool |
    | rootDomainName | Specifies the root domain name for Windows gMSA.<br><br>Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster. | string |

    ManagedClusterWorkloadAutoScalerProfile

    | Name | Description | Value |
    | --- | --- | --- |
    | keda | KEDA (Kubernetes Event-driven Autoscaling) settings for the workload auto-scaler profile. | ManagedClusterWorkloadAutoScalerProfileKeda |
    | verticalPodAutoscaler | | ManagedClusterWorkloadAutoScalerProfileVerticalPodAu... |

    ManagedClusterWorkloadAutoScalerProfileVerticalPodAutoscaler

    | Name | Description | Value |
    | --- | --- | --- |
    | addonAutoscaling | Whether the VPA add-on is enabled and configured to scale AKS-managed add-ons. | "Disabled"<br>"Enabled" |
    | enabled | Whether to enable the VPA add-on in the cluster. Default value is false. | bool (required) |

    ManagedClusterSKU

    Description Value