Deploy and manage cluster extensions for Azure Kubernetes Service (AKS)
Cluster extensions provide an Azure Resource Manager driven experience for installation and lifecycle management of services like Azure Machine Learning (ML) on an AKS cluster. This feature enables:
- Azure Resource Manager-based deployment of extensions, including at-scale deployments across AKS clusters.
- Lifecycle management of the extension (Update, Delete) from Azure Resource Manager.
In this article, you'll learn about:
- How to create an extension instance.
- Available cluster extensions on AKS.
- How to view, list, update, and delete extension instances.
For a conceptual overview of cluster extensions, see Cluster extensions - Azure Arc-enabled Kubernetes.
Prerequisites
Important
Ensure that your AKS cluster is created with a managed identity, as cluster extensions won't work with service principal-based clusters.
For new clusters created with az aks create
, managed identity is configured by default. For existing service principal-based clusters that need to be switched over to managed identity, it can be enabled by running az aks update
with the --enable-managed-identity
flag. For more information, see Use managed identity.
- An Azure subscription. If you don't have an Azure subscription, you can create a free account.
- Azure CLI version >= 2.16.0 installed.
Note
If you have enabled Azure AD pod-managed identity on your AKS cluster or are considering implementing it, we recommend you first review Workload identity overview to understand our recommendations and options to set up your cluster to use an Azure AD workload identity (preview). This authentication method replaces pod-managed identity (preview), which integrates with the Kubernetes native capabilities to federate with any external identity providers.
The open source Azure AD pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022.
Set up the Azure CLI extension for cluster extensions
Note
The minimum supported version for the k8s-extension
Azure CLI extension is 1.0.0
. If you are unsure what version you have installed, run az extension show --name k8s-extension
and look for the version
field. We recommend using the latest version.
You'll also need the k8s-extension
Azure CLI extension. Install the extension by running the following command:
az extension add --name k8s-extension
If the k8s-extension
extension is already installed, you can update it to the latest version using the following command:
az extension update --name k8s-extension
Currently available extensions
Note
Cluster extensions provides a platform for different extensions to be installed and managed on an AKS cluster. If you are facing issues while using any of these extensions, please open a support ticket with the respective service.
Extension | Description |
---|---|
Dapr | Dapr is a portable, event-driven runtime that makes it easy for any developer to build resilient, stateless and stateful applications that run on cloud and edge. |
Azure ML | Use Azure Kubernetes Service clusters to train, inference, and manage machine learning models in Azure Machine Learning. |
Flux (GitOps) | Use GitOps with Flux to manage cluster configuration and application deployment. See also supported versions of Flux (GitOps) and Tutorial: Deploy applications using GitOps with Flux v2. |
Supported regions and Kubernetes versions
Cluster extensions can be used on AKS clusters in the regions listed in Azure Arc enabled Kubernetes region support.
For supported Kubernetes versions, refer to the corresponding documentation for each extension.
Usage of cluster extensions
Note
The samples provided in this article are not complete, and are only meant to showcase functionality. For a comprehensive list of commands and their parameters, please see the az k8s-extension CLI reference.
Create extensions instance
Create a new extension instance with k8s-extension create
, passing in values for the mandatory parameters. The below command creates an Azure Machine Learning extension instance on your AKS cluster:
az k8s-extension create --name aml-compute --extension-type Microsoft.AzureML.Kubernetes --scope cluster --cluster-name <clusterName> --resource-group <resourceGroupName> --cluster-type managedClusters --configuration-settings enableInference=True allowInsecureConnections=True
Note
The Cluster Extensions service is unable to retain sensitive information for more than 48 hours. If the cluster extension agents don't have network connectivity for more than 48 hours and can't determine whether to create an extension on the cluster, then the extension transitions to Failed
state. Once in Failed
state, you will need to run k8s-extension create
again to create a fresh extension instance.
Required parameters
Parameter name | Description |
---|---|
--name |
Name of the extension instance |
--extension-type |
The type of extension you want to install on the cluster. For example: Microsoft.AzureML.Kubernetes |
--cluster-name |
Name of the AKS cluster on which the extension instance has to be created |
--resource-group |
The resource group containing the AKS cluster |
--cluster-type |
The cluster type on which the extension instance has to be created. Specify managedClusters as it maps to AKS clusters |
Optional parameters
Parameter name | Description |
---|---|
--auto-upgrade-minor-version |
Boolean property that specifies if the extension minor version will be upgraded automatically or not. Default: true . If this parameter is set to true, you can't set version parameter, as the version will be dynamically updated. If set to false , extension won't be auto-upgraded even for patch versions. |
--version |
Version of the extension to be installed (specific version to pin the extension instance to). Must not be supplied if auto-upgrade-minor-version is set to true . |
--configuration-settings |
Settings that can be passed into the extension to control its functionality. Pass values as space separated key=value pairs after the parameter name. If this parameter is used in the command, then --configuration-settings-file can't be used in the same command. |
--configuration-settings-file |
Path to the JSON file having key value pairs to be used for passing in configuration settings to the extension. If this parameter is used in the command, then --configuration-settings can't be used in the same command. |
--configuration-protected-settings |
These settings are not retrievable using GET API calls or az k8s-extension show commands, and are thus used to pass in sensitive settings. Pass values as space separated key=value pairs after the parameter name. If this parameter is used in the command, then --configuration-protected-settings-file can't be used in the same command. |
--configuration-protected-settings-file |
Path to the JSON file having key value pairs to be used for passing in sensitive settings to the extension. If this parameter is used in the command, then --configuration-protected-settings can't be used in the same command. |
--scope |
Scope of installation for the extension - cluster or namespace |
--release-namespace |
This parameter indicates the namespace within which the release is to be created. This parameter is only relevant if scope parameter is set to cluster . |
--release-train |
Extension authors can publish versions in different release trains such as Stable , Preview , etc. If this parameter isn't set explicitly, Stable is used as default. This parameter can't be used when --auto-upgrade-minor-version parameter is set to false . |
--target-namespace |
This parameter indicates the namespace within which the release will be created. Permission of the system account created for this extension instance will be restricted to this namespace. This parameter is only relevant if the scope parameter is set to namespace . |
Show details of an extension instance
View details of a currently installed extension instance with k8s-extension show
, passing in values for the mandatory parameters:
az k8s-extension show --name azureml --cluster-name <clusterName> --resource-group <resourceGroupName> --cluster-type managedClusters
List all extensions installed on the cluster
List all extensions installed on a cluster with k8s-extension list
, passing in values for the mandatory parameters.
az k8s-extension list --cluster-name <clusterName> --resource-group <resourceGroupName> --cluster-type managedClusters
Update extension instance
Note
Refer to documentation of the extension type (Eg: Azure ML) to learn about the specific settings under ConfigurationSetting and ConfigurationProtectedSettings that are allowed to be updated. For ConfigurationProtectedSettings, all settings are expected to be provided during an update of a single setting. If some settings are omitted, those settings would be considered obsolete and deleted.
Update an existing extension instance with k8s-extension update
, passing in values for the mandatory parameters. The below command updates the auto-upgrade setting for an Azure Machine Learning extension instance:
az k8s-extension update --name azureml --extension-type Microsoft.AzureML.Kubernetes --scope cluster --cluster-name <clusterName> --resource-group <resourceGroupName> --cluster-type managedClusters
Required parameters
Parameter name | Description |
---|---|
--name |
Name of the extension instance |
--extension-type |
The type of extension you want to install on the cluster. For example: Microsoft.AzureML.Kubernetes |
--cluster-name |
Name of the AKS cluster on which the extension instance has to be created |
--resource-group |
The resource group containing the AKS cluster |
--cluster-type |
The cluster type on which the extension instance has to be created. Specify managedClusters as it maps to AKS clusters |
Optional parameters
Parameter name | Description |
---|---|
--auto-upgrade-minor-version |
Boolean property that specifies if the extension minor version will be upgraded automatically or not. Default: true . If this parameter is set to true, you cannot set version parameter, as the version will be dynamically updated. If set to false , extension won't be auto-upgraded even for patch versions. |
--version |
Version of the extension to be installed (specific version to pin the extension instance to). Must not be supplied if auto-upgrade-minor-version is set to true . |
--configuration-settings |
Settings that can be passed into the extension to control its functionality. Only the settings that require an update need to be provided. The provided settings would be replaced with the provided values. Pass values as space separated key=value pairs after the parameter name. If this parameter is used in the command, then --configuration-settings-file can't be used in the same command. |
--configuration-settings-file |
Path to the JSON file having key value pairs to be used for passing in configuration settings to the extension. If this parameter is used in the command, then --configuration-settings can't be used in the same command. |
--configuration-protected-settings |
These settings are not retrievable using GET API calls or az k8s-extension show commands, and are thus used to pass in sensitive settings. When you update a setting, all settings are expected to be specified. If some settings are omitted, those settings would be considered obsolete and deleted. Pass values as space separated key=value pairs after the parameter name. If this parameter is used in the command, then --configuration-protected-settings-file can't be used in the same command. |
--configuration-protected-settings-file |
Path to the JSON file having key value pairs to be used for passing in sensitive settings to the extension. If this parameter is used in the command, then --configuration-protected-settings can't be used in the same command. |
--scope |
Scope of installation for the extension - cluster or namespace |
--release-train |
Extension authors can publish versions in different release trains such as Stable , Preview , etc. If this parameter isn't set explicitly, Stable is used as default. This parameter can't be used when autoUpgradeMinorVersion parameter is set to false . |
Delete extension instance
Note
The Azure resource representing this extension gets deleted immediately. The Helm release on the cluster associated with this extension is only deleted when the agents running on the Kubernetes cluster have network connectivity and can reach out to Azure services again to fetch the desired state.
Delete an extension instance on a cluster with k8s-extension delete
, passing in values for the mandatory parameters.
az k8s-extension delete --name azureml --cluster-name <clusterName> --resource-group <resourceGroupName> --cluster-type managedClusters
Feedback
Submit and view feedback for