AzureFunctionOnKubernetes@1 - Azure Function on Kubernetes v1 task
Deploy Azure function to Kubernetes cluster.
Syntax
# Azure Function on Kubernetes v1
# Deploy Azure function to Kubernetes cluster.
- task: AzureFunctionOnKubernetes@1
inputs:
# Service Connections
connectionType: 'Kubernetes Service Connection' # 'Azure Resource Manager' | 'Kubernetes Service Connection'. Required. Service connection type. Default: Kubernetes Service Connection.
dockerRegistryServiceConnection: # string. Required. Docker registry service connection.
#kubernetesServiceConnection: # string. Alias: kubernetesServiceEndpoint. Required when connectionType = Kubernetes Service Connection. Kubernetes service connection.
#azureSubscriptionConnection: # string. Alias: azureSubscriptionEndpoint. Required when connectionType = Azure Resource Manager. Azure subscription.
#azureResourceGroup: # string. Required when connectionType = Azure Resource Manager. Resource group.
#kubernetesCluster: # string. Required when connectionType = Azure Resource Manager. Kubernetes cluster.
# Commands
#namespace: # string. Kubernetes namespace.
#secretName: # string. Secret Name.
#dockerHubNamespace: # string. Docker Hub namespace.
appName: # string. Required. Application Name.
#functionRootDirectory: # string. Function root directory.
#waitForStability: true # boolean. Wait for stability. Default: true.
#arguments: # string. Arguments.
Inputs
connectionType - Service connection type
string. Required. Allowed values: Azure Resource Manager, Kubernetes Service Connection. Default value: Kubernetes Service Connection.
Select a Kubernetes service connection type.
Kubernetes Service Connection- Allows you to provide a KubeConfig file, specify a Service Account, or import an AKS instance with the Azure Subscription option. Importing an AKS instance with the Azure Subscription option requires Kubernetes cluster access at Service Connection configuration time.Azure Resource Manager- Lets you select an AKS instance. Does not access Kubernetes cluster at Service Connection configuration time.
For more information, see Remarks.
dockerRegistryServiceConnection - Docker registry service connection
string. Required.
Select a Docker registry service connection.
kubernetesServiceConnection - Kubernetes service connection
Input alias: kubernetesServiceEndpoint. string. Required when connectionType = Kubernetes Service Connection.
Select a Kubernetes service connection.
azureSubscriptionConnection - Azure subscription
Input alias: azureSubscriptionEndpoint. string. Required when connectionType = Azure Resource Manager.
Select the Azure Resource Manager subscription, which contains Azure Container Registry.Note: To configure new service connection, select the Azure subscription from the list and click 'Authorize'. If your subscription is not listed or if you want to use an existing Service Principal, you can setup an Azure service connection using 'Add' or 'Manage' button.
azureResourceGroup - Resource group
string. Required when connectionType = Azure Resource Manager.
Select an Azure resource group.
kubernetesCluster - Kubernetes cluster
string. Required when connectionType = Azure Resource Manager.
Select an Azure managed cluster.
namespace - Kubernetes namespace
string.
Kubernetes namespace.
secretName - Secret Name
string.
Kubernetes secret containing function config data (for ex. AzureWebJobsStorage: Azure storage connection string).
dockerHubNamespace - Docker Hub namespace
string.
Docker Hub namespace. Required for private Docker Hub repository.
appName - Application Name
string. Required.
Application Name. The Kubernetes objects created use this name. This should follow Kubernetes naming conventions for resource names.
functionRootDirectory - Function root directory
string.
Function root directory. Should contain host.json. Docker build and push is performed from this directory.
waitForStability - Wait for stability
boolean. Default value: true.
Wait for the Kubernetes objects to reach the desired state.
arguments - Arguments
string.
Pass arguments to command. Ex:
--no-docker --service-type NodePort.
Task control options
All tasks have control options in addition to their task inputs. For more information, see Control options and common task properties.
Output variables
None.
Remarks
Kubernetes Service Connection considerations when accessing AKS
You can create a Kubernetes service connection with any of the following options.
- KubeConfig
- Service Account
- Azure Subscription
When selecting the Azure Subscription option, Kubernetes needs to be accessible to Azure DevOps at service connection configuration time. There may be various reasons a service connection cannot be created, for example you created a private cluster or the cluster has local accounts disabled. In these cases, Azure DevOps can't connect to your cluster at service connection configuration time and you'll see a stuck Loading namespaces screen.
Starting with Kubernetes 1.24, long-lived tokens are no longer created by default. Kubernetes recommends not using long-lived tokens. As a result, tasks using a Kubernetes service connection created with the Azure Subscription option don't have access to the permanent token required to authenticate and can’t access your Kubernetes cluster. This also results in the frozen Loading namespaces dialog.
Use the Azure Resource Manager Service Connection to access AKS
For AKS customers, the Azure Resource Manager service connection type provides the best method to connect to a private cluster, or a cluster that has local accounts disabled. This method is not dependent on cluster connectivity at the time you create a service connection. Access to AKS is deferred to pipeline runtime, which has the following advantages:
- Access to a (private) AKS cluster can be performed from a self-hosted or scale set agent with line of sight to the cluster.
- A token is created for every task that uses an Azure Resource Manager service connection. This ensures you are connecting to Kubernetes with a short-lived token, which is the Kubernetes recommendation.
- AKS can be accessed even when local accounts are disabled.
Service connection FAQ
I receive the following error message: Could not find any secret associated with the service account. What is happening?
You are using the Kubernetes service connection with Azure Subscription option. We are updating this method to create long-lived tokens. This is expected to be available mid-May. However, it is recommended to start using the Azure service connection type and not o use long-lived tokens as per Kubernetes guidance.
I'm using AKS and don't want to change anything, can I continue to use tasks with the Kubernetes service connection?
We are updating this method to create long-lived tokens. This is expected to be available mid-May. However, please be aware that this approach is against Kubernetes guidance.
I'm using the Kubernetes tasks and Kubernetes service connection but not AKS. Should I be concerned?
You tasks will continue to work as before.
Will the Kubernetes service connection type be removed?
Our Kubernetes tasks work with any Kubernetes cluster, regardless where they are running. The Kubernetes service connection will continue to exist.
I’m an AKS customer and everything is running fine, should I act?
There is no need to change anything. If you are using the Kubernetes service connection and selected Azure Subscription during creation, you should be aware of the Kubernetes guidance on using long-lived tokens.
I'm creating a Kubernetes Environment, and have no option to use service connections
In case you can’t access your AKS during environment creation time, you can use an empty environment and set the connectionType input to an Azure Resource Manager service connection.
I have AKS configured with Azure Active Directory RBAC, and my pipeline doesn’t work. Will these updates resolve that?
Accessing Kubernetes when AAD RBAC is enabled is unrelated to token creation. To prevent an interactive prompt, we will support kubelogin in a future update.
Requirements
| Requirement | Description |
|---|---|
| Pipeline types | YAML, Classic build, Classic release |
| Runs on | Agent, DeploymentGroup |
| Demands | None |
| Capabilities | This task does not satisfy any demands for subsequent tasks in the job. |
| Command restrictions | Any |
| Settable variables | Any |
| Agent version | All supported agent versions. |
| Task category | Deploy |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for