az aks

Manage Azure Kubernetes Services.

Commands

az aks addon

Commands to manage and view single addon conditions.

az aks addon disable

Disable an enabled Kubernetes addon in a cluster.

az aks addon enable

Enable a Kubernetes addon.

az aks addon list

List status of all Kubernetes addons in given cluster.

az aks addon list-available

List available Kubernetes addons.

az aks addon show

Show status and configuration for an enabled Kubernetes addon in a given cluster.

az aks addon update

Update an already enabled Kubernetes addon.

az aks app

Commands to manage AKS app.

az aks app up

Deploy to AKS via GitHub actions.

az aks browse

Show the dashboard for a Kubernetes cluster in a web browser.

az aks check-acr

Validate an ACR is accessible from an AKS cluster.

az aks command

See detailed usage in 'az aks command invoke', 'az aks command result'.

az aks command invoke

Run a shell command (with kubectl, helm) on your AKS cluster; attaching files is also supported.

az aks command result

Fetch result from previously triggered 'aks command invoke'.

az aks create

Create a new managed Kubernetes cluster.

az aks delete

Delete a managed Kubernetes cluster.

az aks disable-addons

Disable Kubernetes addons.

az aks draft

Commands to build deployment files in a project directory and deploy to an AKS cluster.

az aks draft create

Generate a Dockerfile and the minimum required Kubernetes deployment files (helm, kustomize, manifests) for your project directory.

az aks draft generate-workflow

Generate a GitHub workflow for automatic build and deploy to AKS.

az aks draft setup-gh

Set up GitHub OIDC for your application.

az aks draft up

Set up GitHub OIDC and generate a GitHub workflow for automatic build and deploy to AKS.

az aks draft update

Update your application to be internet accessible.

az aks egress-endpoints

Commands to manage egress endpoints in managed Kubernetes cluster.

az aks egress-endpoints list

List egress endpoints that are required or recommended to be whitelisted for a cluster.

az aks enable-addons

Enable Kubernetes addons.

az aks get-credentials

Get access credentials for a managed Kubernetes cluster.

az aks get-os-options

Get the OS options available for creating a managed Kubernetes cluster.

az aks get-upgrades

Get the upgrade versions available for a managed Kubernetes cluster.

az aks get-versions

Get the versions available for creating a managed Kubernetes cluster.

az aks install-cli

Download and install kubectl, the Kubernetes command-line tool. Download and install kubelogin, a client-go credential (exec) plugin implementing Azure authentication.

az aks kanalyze

Display diagnostic results for the Kubernetes cluster after kollect is done.

az aks kollect

Collect diagnostic information for the Kubernetes cluster.

az aks list

List managed Kubernetes clusters.

az aks maintenanceconfiguration

Commands to manage maintenance configurations in managed Kubernetes cluster.

az aks maintenanceconfiguration add

Add a maintenance configuration in managed Kubernetes cluster.

az aks maintenanceconfiguration delete

Delete a maintenance configuration in managed Kubernetes cluster.

az aks maintenanceconfiguration list

List maintenance configurations in managed Kubernetes cluster.

az aks maintenanceconfiguration show

Show the details of a maintenance configuration in managed Kubernetes cluster.

az aks maintenanceconfiguration update

Update a maintenance configuration of a managed Kubernetes cluster.

az aks mesh

Commands to manage Azure Service Mesh.

az aks mesh disable

Disable Azure Service Mesh.

az aks mesh disable-ingress-gateway

Disable an Azure Service Mesh ingress gateway.

az aks mesh enable

Enable Azure Service Mesh.

az aks mesh enable-ingress-gateway

Enable an Azure Service Mesh ingress gateway.

az aks nodepool

Commands to manage node pools in Kubernetes cluster.

az aks nodepool add

Add a node pool to the managed Kubernetes cluster.

az aks nodepool delete

Delete the agent pool in the managed Kubernetes cluster.

az aks nodepool get-upgrades

Get the available upgrade versions for an agent pool of the managed Kubernetes cluster.

az aks nodepool list

List node pools in the managed Kubernetes cluster. To get list of nodes in the cluster run kubectl get nodes command.

az aks nodepool operation-abort

Abort last running operation on nodepool.

az aks nodepool scale

Scale the node pool in a managed Kubernetes cluster.

az aks nodepool show

Show the details for a node pool in the managed Kubernetes cluster.

az aks nodepool snapshot

Commands to manage nodepool snapshots.

az aks nodepool snapshot create

Create a nodepool snapshot.

az aks nodepool snapshot delete

Delete a nodepool snapshot.

az aks nodepool snapshot list

List nodepool snapshots.

az aks nodepool snapshot show

Show the details of a nodepool snapshot.

az aks nodepool snapshot wait

Wait for a nodepool snapshot to reach a desired state.

az aks nodepool start

Start stopped agent pool in the managed Kubernetes cluster.

az aks nodepool stop

Stop running agent pool in the managed Kubernetes cluster.

az aks nodepool update

Update a node pool's properties.

az aks nodepool upgrade

Upgrade the node pool in a managed Kubernetes cluster.

az aks nodepool wait

Wait for a node pool to reach a desired state.

az aks oidc-issuer

OIDC issuer related commands.

az aks oidc-issuer rotate-signing-keys

Rotate OIDC issuer service account signing keys.

az aks operation-abort

Abort last running operation on managed cluster.

az aks pod-identity

Commands to manage pod identities in managed Kubernetes cluster.

az aks pod-identity add

Add a pod identity to a managed Kubernetes cluster.

az aks pod-identity delete

Remove a pod identity from a managed Kubernetes cluster.

az aks pod-identity exception

Commands to manage pod identity exceptions in managed Kubernetes cluster.

az aks pod-identity exception add

Add a pod identity exception to a managed Kubernetes cluster.

az aks pod-identity exception delete

Remove a pod identity exception from a managed Kubernetes cluster.

az aks pod-identity exception list

List pod identity exceptions in a managed Kubernetes cluster.

az aks pod-identity exception update

Update a pod identity exception in a managed Kubernetes cluster.

az aks pod-identity list

List pod identities in a managed Kubernetes cluster.

az aks remove-dev-spaces

Remove Azure Dev Spaces from a managed Kubernetes cluster.

az aks rotate-certs

Rotate certificates and keys on a managed Kubernetes cluster.

az aks scale

Scale the node pool in a managed Kubernetes cluster.

az aks show

Show the details for a managed Kubernetes cluster.

az aks snapshot

Commands to manage nodepool snapshots.

az aks snapshot create

Create a nodepool snapshot.

az aks snapshot delete

Delete a nodepool snapshot.

az aks snapshot list

List nodepool snapshots.

az aks snapshot show

Show the details of a nodepool snapshot.

az aks snapshot wait

Wait for a nodepool snapshot to reach a desired state.

az aks start

Starts a previously stopped Managed Cluster.

az aks stop

Stops a Managed Cluster.

az aks trustedaccess

Commands to manage trusted access security features.

az aks trustedaccess role

Commands to manage trusted access roles.

az aks trustedaccess role list

List trusted access roles.

az aks trustedaccess rolebinding

Commands to manage trusted access role bindings.

az aks trustedaccess rolebinding create

Create a new trusted access role binding.

az aks trustedaccess rolebinding delete

Delete a trusted access role binding according to name.

az aks trustedaccess rolebinding list

List all the trusted access role bindings.

az aks trustedaccess rolebinding show

Get the specific trusted access role binding according to binding name.

az aks trustedaccess rolebinding update

Update a trusted access role binding.

az aks update

Update a managed Kubernetes cluster. When called with no optional arguments, this attempts to move the cluster to its goal state without changing the current cluster configuration. This can be used to move out of a non-succeeded state.

az aks update-credentials

Update credentials for a managed Kubernetes cluster, like service principal.

az aks upgrade

Upgrade a managed Kubernetes cluster to a newer version.

az aks use-dev-spaces

Use Azure Dev Spaces with a managed Kubernetes cluster.

az aks wait

Wait for a managed Kubernetes cluster to reach a desired state.

az aks browse

Show the dashboard for a Kubernetes cluster in a web browser.

az aks browse --name
              --resource-group
              [--disable-browser]
              [--listen-address]
              [--listen-port]

Examples

Show the dashboard for a Kubernetes cluster in a web browser. (autogenerated)

az aks browse --name MyManagedCluster --resource-group MyResourceGroup

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--disable-browser

Don't launch a web browser after establishing port-forwarding.

default value: False

--listen-address

The listening address for the dashboard.

default value: 127.0.0.1

--listen-port

The listening port for the dashboard.

default value: 8001

az aks check-acr

Validate an ACR is accessible from an AKS cluster.

az aks check-acr --acr
                 --name
                 --resource-group
                 [--node-name]

Examples

Validate the ACR is accessible from the AKS cluster.

az aks check-acr --name MyManagedCluster --resource-group MyResourceGroup --acr myacr.azurecr.io

Required Parameters

--acr

The FQDN of the ACR.

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--node-name

The name of a specific node to perform acr pull test checks. If not specified, it will be checked on a random node.

az aks create

Create a new managed Kubernetes cluster.

az aks create --name
              --resource-group
              [--aad-admin-group-object-ids]
              [--aad-tenant-id]
              [--aci-subnet-name]
              [--admin-username]
              [--aks-custom-headers]
              [--api-server-authorized-ip-ranges]
              [--appgw-id]
              [--appgw-name]
              [--appgw-subnet-cidr]
              [--appgw-subnet-id]
              [--appgw-watch-namespace]
              [--assign-identity]
              [--assign-kubelet-identity]
              [--attach-acr]
              [--auto-upgrade-channel {node-image, none, patch, rapid, stable}]
              [--azure-keyvault-kms-key-id]
              [--azure-keyvault-kms-key-vault-network-access {Private, Public}]
              [--azure-keyvault-kms-key-vault-resource-id]
              [--azure-monitor-workspace-resource-id]
              [--ca-profile]
              [--client-secret]
              [--data-collection-settings]
              [--defender-config]
              [--disable-disk-driver]
              [--disable-file-driver]
              [--disable-local-accounts]
              [--disable-public-fqdn]
              [--disable-rbac]
              [--disable-snapshot-controller]
              [--dns-name-prefix]
              [--dns-service-ip]
              [--edge-zone]
              [--enable-aad]
              [--enable-addons]
              [--enable-ahub]
              [--enable-azure-keyvault-kms]
              [--enable-azure-monitor-metrics]
              [--enable-azure-rbac]
              [--enable-blob-driver]
              [--enable-cluster-autoscaler]
              [--enable-defender]
              [--enable-encryption-at-host]
              [--enable-fips-image]
              [--enable-image-cleaner]
              [--enable-keda]
              [--enable-managed-identity]
              [--enable-msi-auth-for-monitoring {false, true}]
              [--enable-node-public-ip]
              [--enable-oidc-issuer]
              [--enable-private-cluster]
              [--enable-secret-rotation]
              [--enable-sgxquotehelper]
              [--enable-syslog {false, true}]
              [--enable-ultra-ssd]
              [--enable-windows-gmsa]
              [--enable-windows-recording-rules]
              [--enable-workload-identity]
              [--fqdn-subdomain]
              [--generate-ssh-keys]
              [--gmsa-dns-server]
              [--gmsa-root-domain-name]
              [--gpu-instance-profile {MIG1g, MIG2g, MIG3g, MIG4g, MIG7g}]
              [--grafana-resource-id]
              [--host-group-id]
              [--http-proxy-config]
              [--image-cleaner-interval-hours]
              [--ip-families]
              [--ksm-metric-annotations-allow-list]
              [--ksm-metric-labels-allow-list]
              [--kubelet-config]
              [--kubernetes-version]
              [--linux-os-config]
              [--load-balancer-idle-timeout]
              [--load-balancer-managed-outbound-ip-count]
              [--load-balancer-managed-outbound-ipv6-count]
              [--load-balancer-outbound-ip-prefixes]
              [--load-balancer-outbound-ips]
              [--load-balancer-outbound-ports]
              [--load-balancer-sku {basic, standard}]
              [--location]
              [--max-count]
              [--max-pods]
              [--min-count]
              [--nat-gateway-idle-timeout]
              [--nat-gateway-managed-outbound-ip-count]
              [--network-dataplane {azure, cilium}]
              [--network-plugin {azure, kubenet, none}]
              [--network-plugin-mode {overlay}]
              [--network-policy]
              [--no-ssh-key]
              [--no-wait]
              [--node-count]
              [--node-osdisk-diskencryptionset-id]
              [--node-osdisk-size]
              [--node-osdisk-type {Ephemeral, Managed}]
              [--node-public-ip-prefix-id]
              [--node-resource-group]
              [--node-vm-size]
              [--nodepool-labels]
              [--nodepool-name]
              [--nodepool-tags]
              [--os-sku {AzureLinux, CBLMariner, Mariner, Ubuntu}]
              [--outbound-type {loadBalancer, managedNATGateway, userAssignedNATGateway, userDefinedRouting}]
              [--pod-cidr]
              [--pod-cidrs]
              [--pod-subnet-id]
              [--ppg]
              [--private-dns-zone]
              [--rotation-poll-interval]
              [--service-cidr]
              [--service-cidrs]
              [--service-principal]
              [--skip-subnet-role-assignment]
              [--snapshot-id]
              [--ssh-key-value]
              [--tags]
              [--tier {free, standard}]
              [--vm-set-type]
              [--vnet-subnet-id]
              [--windows-admin-password]
              [--windows-admin-username]
              [--workspace-resource-id]
              [--yes]
              [--zones {1, 2, 3}]

Examples

Create a Kubernetes cluster with an existing SSH public key.

az aks create -g MyResourceGroup -n MyManagedCluster --ssh-key-value /path/to/publickey

Create a Kubernetes cluster with a specific version.

az aks create -g MyResourceGroup -n MyManagedCluster --kubernetes-version 1.16.9

Create a Kubernetes cluster with a larger node pool.

az aks create -g MyResourceGroup -n MyManagedCluster --node-count 7

Create a kubernetes cluster with k8s 1.13.9 but use vmas.

az aks create -g MyResourceGroup -n MyManagedCluster --kubernetes-version 1.16.9 --vm-set-type AvailabilitySet

Create a kubernetes cluster with default kubernetes version, default SKU load balancer (Standard) and default vm set type (VirtualMachineScaleSets).

az aks create -g MyResourceGroup -n MyManagedCluster

Create a kubernetes cluster with standard SKU load balancer and two AKS created IPs for the load balancer outbound connection usage.

az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-managed-outbound-ip-count 2

Create a kubernetes cluster with a standard SKU load balancer, with two outbound AKS managed IPs, an idle flow timeout of 5 minutes, and 8000 allocated ports per machine.

az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-managed-outbound-ip-count 2 --load-balancer-idle-timeout 5 --load-balancer-outbound-ports 8000

Create a kubernetes cluster with standard SKU load balancer and use the provided public IPs for the load balancer outbound connection usage.

az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-outbound-ips <ip-resource-id-1,ip-resource-id-2>

Create a kubernetes cluster with standard SKU load balancer and use the provided public IP prefixes for the load balancer outbound connection usage.

az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-outbound-ip-prefixes <ip-prefix-resource-id-1,ip-prefix-resource-id-2>

Create a kubernetes cluster with an AKS managed NAT gateway, with two outbound AKS managed IPs and an idle flow timeout of 4 minutes.

az aks create -g MyResourceGroup -n MyManagedCluster --nat-gateway-managed-outbound-ip-count 2 --nat-gateway-idle-timeout 4 --outbound-type managedNATGateway --generate-ssh-keys

Create a kubernetes cluster with basic SKU load balancer and AvailabilitySet vm set type.

az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku basic --vm-set-type AvailabilitySet

Create a kubernetes cluster with authorized apiserver IP ranges.

az aks create -g MyResourceGroup -n MyManagedCluster --api-server-authorized-ip-ranges 193.168.1.0/24,194.168.1.0/24,195.168.1.0

Create a kubernetes cluster which enables managed identity.

az aks create -g MyResourceGroup -n MyManagedCluster --enable-managed-identity

Create a kubernetes cluster with userDefinedRouting, standard load balancer SKU and a custom subnet preconfigured with a route table

az aks create -g MyResourceGroup -n MyManagedCluster --outbound-type userDefinedRouting --load-balancer-sku standard --vnet-subnet-id customUserSubnetVnetID

Create a kubernetes cluster that supports Windows agent pools.

az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku Standard --network-plugin azure --windows-admin-username azure --windows-admin-password 'replacePassword1234$'

Create a kubernetes cluster that supports Windows agent pools, with AHUB enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku Standard --network-plugin azure --windows-admin-username azure --windows-admin-password 'replacePassword1234$' --enable-ahub

Create a kubernetes cluster with managed AAD enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --enable-aad --aad-admin-group-object-ids <id-1,id-2> --aad-tenant-id <id>

Create a kubernetes cluster with server-side encryption using your own key.

az aks create -g MyResourceGroup -n MyManagedCluster --node-osdisk-diskencryptionset-id <disk-encryption-set-resource-id>

Create a kubernetes cluster with ephemeral OS enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --node-osdisk-type Ephemeral --node-osdisk-size 48

Create a kubernetes cluster with EncryptionAtHost enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --enable-encryption-at-host

Create a kubernetes cluster with UltraSSD enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --enable-ultra-ssd

Create a kubernetes cluster with Azure RBAC enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --enable-aad --enable-azure-rbac

Create a kubernetes cluster with custom control plane identity and kubelet identity.

az aks create -g MyResourceGroup -n MyManagedCluster --assign-identity <control-plane-identity-resource-id> --assign-kubelet-identity <kubelet-identity-resource-id>

Create a kubernetes cluster in the Edge Zone.

az aks create -g MyResourceGroup -n MyManagedCluster --location <location> --kubernetes-version 1.20.7 --edge-zone <edge-zone-name>

Create a kubernetes cluster with a specific OS SKU

az aks create -g MyResourceGroup -n MyManagedCluster --os-sku Ubuntu

Create a kubernetes cluster with custom tags

az aks create -g MyResourceGroup -n MyManagedCluster --tags "foo=bar" "baz=qux"

Create a kubernetes cluster with custom headers

az aks create -g MyResourceGroup -n MyManagedCluster --aks-custom-headers WindowsContainerRuntime=containerd

Create a kubernetes cluster with FIPS-enabled OS

az aks create -g MyResourceGroup -n MyManagedCluster --enable-fips-image

Create a kubernetes cluster with Windows gmsa enabled, where the DNS server is already set in the vnet used by the cluster.

az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku Standard --network-plugin azure --windows-admin-username azure --windows-admin-password 'replacePassword1234$' --enable-windows-gmsa

Create a kubernetes cluster with Windows gmsa enabled, where the DNS server is not set in the vnet used by the cluster.

az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku Standard --network-plugin azure --windows-admin-username azure --windows-admin-password 'replacePassword1234$' --enable-windows-gmsa --gmsa-dns-server "10.240.0.4" --gmsa-root-domain-name "contoso.com"

Create a kubernetes cluster with a snapshot id.

az aks create -g MyResourceGroup -n MyManagedCluster --kubernetes-version 1.20.9 --snapshot-id "/subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.ContainerService/snapshots/mysnapshot1"

Create a kubernetes cluster with a host group id.

az aks create -g MyResourceGroup -n MyMC --kubernetes-version 1.20.13 --location westus2 --host-group-id /subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.ContainerService/hostGroups/myHostGroup --node-vm-size VMSize --enable-managed-identity --assign-identity <user_assigned_identity_resource_id>

Create a kubernetes cluster with no CNI installed.

az aks create -g MyResourceGroup -n MyManagedCluster --network-plugin none

Create a kubernetes cluster with KEDA workload autoscaler enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --enable-keda

Create a kubernetes cluster with Azure Monitor Metrics enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --enable-azure-monitor-metrics

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--aad-admin-group-object-ids

Comma-separated list of AAD group object IDs that will be set as cluster admin.

--aad-tenant-id

The ID of an Azure Active Directory tenant.

--aci-subnet-name

The name of a subnet in an existing VNet into which to deploy the virtual nodes.

--admin-username -u

User account to create on node VMs for SSH access.

default value: azureuser

--aks-custom-headers

Comma-separated key-value pairs to specify custom headers.

--api-server-authorized-ip-ranges

Comma-separated list of authorized apiserver IP ranges. Set to 0.0.0.0/32 to restrict apiserver traffic to node pools.

--appgw-id

Resource Id of an existing Application Gateway to use with AGIC. Use with ingress-azure addon.

--appgw-name

Name of the application gateway to create/use in the node resource group. Use with ingress-azure addon.

--appgw-subnet-cidr

Subnet CIDR to use for a new subnet created to deploy the Application Gateway. Use with ingress-azure addon.

--appgw-subnet-id

Resource Id of an existing Subnet used to deploy the Application Gateway. Use with ingress-azure addon.

--appgw-watch-namespace

Specify the namespace, which AGIC should watch. This could be a single string value, or a comma-separated list of namespaces.

--assign-identity

Specify an existing user assigned identity for control plane's usage in order to manage cluster resource group.

--assign-kubelet-identity

Specify an existing user assigned identity for kubelet's usage, which is typically used to pull images from ACR.

--attach-acr

Grant the 'acrpull' role assignment to the ACR specified by name or resource ID.

--auto-upgrade-channel

Specify the upgrade channel for autoupgrade.

accepted values: node-image, none, patch, rapid, stable

--azure-keyvault-kms-key-id

Identifier of Azure Key Vault key.

--azure-keyvault-kms-key-vault-network-access

Network Access of Azure Key Vault.

accepted values: Private, Public

--azure-keyvault-kms-key-vault-resource-id

Resource ID of Azure Key Vault.

--azure-monitor-workspace-resource-id

Resource ID of the Azure Monitor Workspace.

--ca-profile --cluster-autoscaler-profile

Space-separated list of key=value pairs for configuring cluster autoscaler. Pass an empty string to clear the profile.

--client-secret

Secret associated with the service principal. This argument is required if --service-principal is specified.

--data-collection-settings

Path to JSON file containing data collection settings for Monitoring addon.

--defender-config

Path to JSON file containing Microsoft Defender profile configurations.

--disable-disk-driver

Disable AzureDisk CSI Driver.

default value: False

--disable-file-driver

Disable AzureFile CSI Driver.

default value: False

--disable-local-accounts

If set to true, getting static credentials will be disabled for this cluster.

default value: False

--disable-public-fqdn

Disable public fqdn feature for private cluster.

default value: False

--disable-rbac

Disable Kubernetes Role-Based Access Control.

--disable-snapshot-controller

Disable CSI Snapshot Controller.

default value: False

--dns-name-prefix -p

Prefix for hostnames that are created. If not specified, generate a hostname using the managed cluster and resource group names.

--dns-service-ip

An IP address assigned to the Kubernetes DNS service.

--edge-zone

The name of the Edge Zone.

--enable-aad

Enable managed AAD feature for cluster.

default value: False

--enable-addons -a

Enable the Kubernetes addons in a comma-separated list.

--enable-ahub

Enable Azure Hybrid User Benefits (AHUB) for Windows VMs.

default value: False

--enable-azure-keyvault-kms

Enable Azure KeyVault Key Management Service.

default value: False

--enable-azure-monitor-metrics

Enable Azure Monitor Metrics Profile.

default value: False

--enable-azure-rbac

Enable Azure RBAC to control authorization checks on cluster.

default value: False

--enable-blob-driver

Enable AzureBlob CSI Driver.

--enable-cluster-autoscaler

Enable cluster autoscaler, default value is false.

default value: False

--enable-defender

Enable Microsoft Defender security profile.

default value: False

--enable-encryption-at-host

Enable EncryptionAtHost, default value is false.

default value: False

--enable-fips-image

Use FIPS-enabled OS on agent nodes.

default value: False

--enable-image-cleaner

Enable ImageCleaner Service.

default value: False

--enable-keda

Enable KEDA workload auto-scaler.

default value: False

--enable-managed-identity

Use a system assigned managed identity to manage cluster resource group.

default value: 1

--enable-msi-auth-for-monitoring

Enable Managed Identity Auth for Monitoring addon.

accepted values: false, true
default value: 1

--enable-node-public-ip

Enable VMSS node public IP.

default value: False

--enable-oidc-issuer

Enable OIDC issuer.

default value: False

--enable-private-cluster

Enable private cluster.

default value: False

--enable-secret-rotation

Enable secret rotation. Use with azure-keyvault-secrets-provider addon.

default value: False

--enable-sgxquotehelper

Enable SGX quote helper for confcom addon.

default value: False

--enable-syslog

Enable syslog data collection for Monitoring addon.

accepted values: false, true
default value: False

--enable-ultra-ssd

Enable UltraSSD, default value is false.

default value: False

--enable-windows-gmsa

Enable Windows gmsa.

default value: False

--enable-windows-recording-rules

Enable Windows Recording Rules when enabling the Azure Monitor Metrics addon.

default value: False

--enable-workload-identity

Enable workload identity addon.

default value: False

--fqdn-subdomain

Prefix for FQDN that is created for private cluster with custom private dns zone scenario.

--generate-ssh-keys

Generate SSH public and private key files if missing. The keys will be stored in the ~/.ssh directory.

default value: False

--gmsa-dns-server

Specify DNS server for Windows gmsa for this cluster.

--gmsa-root-domain-name

Specify root domain name for Windows gmsa for this cluster.

--gpu-instance-profile

GPU instance profile to partition multi-gpu Nvidia GPUs.

accepted values: MIG1g, MIG2g, MIG3g, MIG4g, MIG7g

--grafana-resource-id

Resource ID of the Azure Managed Grafana Workspace.

--host-group-id

The fully qualified dedicated host group id used to provision agent node pool.

--http-proxy-config

HTTP Proxy configuration for this cluster.

--image-cleaner-interval-hours

ImageCleaner scanning interval.

--ip-families

A comma-separated list of IP versions to use for cluster networking.

--ksm-metric-annotations-allow-list

Comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric. By default the metric contains only name and namespace labels. To include additional labels, provide a list of resource names in their plural form and the Kubernetes label keys you would like to allow for them (e.g. '=namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...'). A single '*' can be provided per resource instead to allow any labels, but that has severe performance implications (e.g. '=pods=[*]').

--ksm-metric-labels-allow-list

Comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric. By default the metric contains only name and namespace labels. To include additional labels, provide a list of resource names in their plural form and the Kubernetes label keys you would like to allow for them (e.g. '=namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...'). A single '*' can be provided per resource instead to allow any labels, but that has severe performance implications (e.g. '=pods=[*]').

--kubelet-config

Path to JSON file containing Kubelet configurations for agent nodes. https://aka.ms/aks/custom-node-config.

--kubernetes-version -k

Version of Kubernetes to use for creating the cluster, such as "1.16.9".

value from: `az aks get-versions`

--linux-os-config

Path to JSON file containing OS configurations for Linux agent nodes. https://aka.ms/aks/custom-node-config.

--load-balancer-idle-timeout

Load balancer idle timeout in minutes.

--load-balancer-managed-outbound-ip-count

Load balancer managed outbound IP count.

--load-balancer-managed-outbound-ipv6-count

Load balancer managed outbound IPv6 IP count.

--load-balancer-outbound-ip-prefixes

Load balancer outbound IP prefix resource IDs.

--load-balancer-outbound-ips

Load balancer outbound IP resource IDs.

--load-balancer-outbound-ports

Load balancer outbound allocated ports.

--load-balancer-sku

Azure Load Balancer SKU selection for your cluster. basic or standard. Defaults to 'standard'.

accepted values: basic, standard

--location -l

Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.

--max-count

Maximum nodes count used for autoscaler, when "--enable-cluster-autoscaler" is specified. Please specify the value in the range of [1, 1000].

--max-pods -m

The maximum number of pods deployable to a node.

default value: 0

--min-count

Minimum nodes count used for autoscaler, when "--enable-cluster-autoscaler" is specified. Please specify the value in the range of [1, 1000].

--nat-gateway-idle-timeout

NAT gateway idle timeout in minutes.

--nat-gateway-managed-outbound-ip-count

NAT gateway managed outbound IP count.

--network-dataplane

The network dataplane to use.

accepted values: azure, cilium
--network-plugin

The Kubernetes network plugin to use.

accepted values: azure, kubenet, none
--network-plugin-mode

The network plugin mode to use.

accepted values: overlay
--network-policy

The Kubernetes network policy to use.

--no-ssh-key -x

Do not use or create a local SSH key.

default value: False
--no-wait

Do not wait for the long-running operation to finish.

default value: False
--node-count -c

Number of nodes in the Kubernetes node pool. After creating a cluster, you can change the size of its node pool with az aks scale.

default value: 3
--node-osdisk-diskencryptionset-id -d

Resource ID of the disk encryption set to use for enabling encryption at rest on the agent node OS disk.

--node-osdisk-size

Size in GB of the OS disk for each node in the node pool. Minimum 30 GB.

default value: 0
--node-osdisk-type

OS disk type to be used for machines in a given agent pool: Ephemeral or Managed. Defaults to 'Ephemeral' when possible in conjunction with VM size and OS disk size. May not be changed for this pool after creation.

accepted values: Ephemeral, Managed
--node-public-ip-prefix-id

Public IP prefix ID used to assign public IPs to VMSS nodes.

--node-resource-group

The node resource group is the resource group in which all of the customer's resources, such as virtual machines, will be created.

--node-vm-size -s

Size of Virtual Machines to create as Kubernetes nodes.

--nodepool-labels

Space-separated labels: key[=value] [key[=value] ...]. See https://aka.ms/node-labels for syntax of labels.

--nodepool-name

Node pool name, up to 12 alphanumeric characters.

default value: nodepool1
--nodepool-tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--os-sku

The OS SKU of the agent node pool. Ubuntu or CBLMariner.

accepted values: AzureLinux, CBLMariner, Mariner, Ubuntu
--outbound-type

How outbound traffic will be configured for a cluster.

accepted values: loadBalancer, managedNATGateway, userAssignedNATGateway, userDefinedRouting
--pod-cidr

A CIDR notation IP range from which to assign pod IPs when kubenet is used.

--pod-cidrs

A comma-separated list of CIDR notation IP ranges from which to assign pod IPs when kubenet is used.

--pod-subnet-id

The ID of a subnet in an existing VNet into which to assign pods in the cluster (requires azure network-plugin).

--ppg

The ID of a proximity placement group (PPG).

--private-dns-zone

Private DNS zone mode for private cluster.

--rotation-poll-interval

Set interval of rotation poll. Use with azure-keyvault-secrets-provider addon.

--service-cidr

A CIDR notation IP range from which to assign service cluster IPs.

--service-cidrs

A comma-separated list of CIDR notation IP ranges from which to assign service cluster IPs.

--service-principal

Service principal used for authentication to Azure APIs.

--skip-subnet-role-assignment

Skip role assignment for subnet (advanced networking).

default value: False
--snapshot-id

The source snapshot id used to create this cluster.

--ssh-key-value

Public key path or key contents to install on node VMs for SSH access. For example, 'ssh-rsa AAAAB...snip...UcyupgH azureuser@linuxvm'.

default value: ~\.ssh\id_rsa.pub
--tags

The tags of the managed cluster. The managed cluster instance and all resources managed by the cloud provider will be tagged.

--tier

Specify SKU tier for managed clusters. '--tier standard' enables a standard managed cluster service with a financially backed SLA. '--tier free' does not have a financially backed SLA.

accepted values: free, standard
--vm-set-type

Agent pool VM set type. VirtualMachineScaleSets or AvailabilitySet. Defaults to 'VirtualMachineScaleSets'.

--vnet-subnet-id

The ID of a subnet in an existing VNet into which to deploy the cluster.

--windows-admin-password

User account password to use on Windows node VMs.

--windows-admin-username

User account to create on Windows node VMs.

--workspace-resource-id

The resource ID of an existing Log Analytics Workspace to use for storing monitoring data. If not specified, uses the default Log Analytics Workspace if it exists, otherwise creates one.

--yes -y

Do not prompt for confirmation.

default value: False
--zones -z

Availability zones where agent nodes will be placed. To install agent nodes in more than one zone, pass the zone numbers (1, 2 or 3) separated by blanks. For example, to use all 3 zones, enter --zones 1 2 3.

accepted values: 1, 2, 3

az aks delete

Delete a managed Kubernetes cluster.

az aks delete --name
              --resource-group
              [--no-wait]
              [--yes]

Examples

Delete a managed Kubernetes cluster. (autogenerated)

az aks delete --name MyManagedCluster --resource-group MyResourceGroup

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--no-wait

Do not wait for the long-running operation to finish.

default value: False
--yes -y

Do not prompt for confirmation.

default value: False

az aks disable-addons

Disable Kubernetes addons.

az aks disable-addons --addons
                      --name
                      --resource-group
                      [--no-wait]

Examples

Disable Kubernetes addons. (autogenerated)

az aks disable-addons --addons virtual-node --name MyManagedCluster --resource-group MyResourceGroup

Required Parameters

--addons -a

Disable the Kubernetes addons in a comma-separated list.

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--no-wait

Do not wait for the long-running operation to finish.

default value: False

az aks enable-addons

Enable Kubernetes addons.

These addons are available:

- http_application_routing : configure ingress with automatic public DNS name creation.
- monitoring : turn on Log Analytics monitoring. Requires "--workspace-resource-id". Requires "--enable-msi-auth-for-monitoring" for managed identity auth. Requires "--enable-syslog" to enable syslog data collection from nodes. Note: MSI must be enabled. If the monitoring addon is enabled, the --no-wait argument will have no effect.
- virtual-node : enable AKS Virtual Node. Requires --subnet-name to provide the name of an existing subnet for the Virtual Node to use.
- azure-policy : enable Azure policy. The Azure Policy add-on for AKS enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Learn more at aka.ms/aks/policy.
- ingress-appgw : enable Application Gateway Ingress Controller addon.
- open-service-mesh : enable Open Service Mesh addon.
- azure-keyvault-secrets-provider : enable Azure Keyvault Secrets Provider addon.

az aks enable-addons --addons
                     --name
                     --resource-group
                     [--appgw-id]
                     [--appgw-name]
                     [--appgw-subnet-cidr]
                     [--appgw-subnet-id]
                     [--appgw-watch-namespace]
                     [--data-collection-settings]
                     [--enable-msi-auth-for-monitoring]
                     [--enable-secret-rotation]
                     [--enable-sgxquotehelper]
                     [--enable-syslog]
                     [--no-wait]
                     [--rotation-poll-interval]
                     [--subnet-name]
                     [--workspace-resource-id]

Examples

Enable Kubernetes addons. (autogenerated)

az aks enable-addons --addons virtual-node --name MyManagedCluster --resource-group MyResourceGroup --subnet-name MySubnetName

Enable ingress-appgw addon with subnet prefix.

az aks enable-addons --name MyManagedCluster --resource-group MyResourceGroup --addons ingress-appgw --appgw-subnet-cidr 10.225.0.0/16 --appgw-name gateway

Enable open-service-mesh addon.

az aks enable-addons --name MyManagedCluster --resource-group MyResourceGroup --addons open-service-mesh

Required Parameters

--addons -a

Enable the Kubernetes addons in a comma-separated list.

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--appgw-id

Resource Id of an existing Application Gateway to use with AGIC. Use with ingress-azure addon.

--appgw-name

Name of the application gateway to create/use in the node resource group. Use with ingress-azure addon.

--appgw-subnet-cidr

Subnet CIDR to use for a new subnet created to deploy the Application Gateway. Use with ingress-azure addon.

--appgw-subnet-id

Resource Id of an existing Subnet used to deploy the Application Gateway. Use with ingress-azure addon.

--appgw-watch-namespace

Specify the namespace that AGIC should watch. This can be a single string value or a comma-separated list of namespaces.

--data-collection-settings

Path to JSON file containing data collection settings for Monitoring addon.

--enable-msi-auth-for-monitoring

Enable Managed Identity Auth for Monitoring addon.

default value: 1
--enable-secret-rotation

Enable secret rotation. Use with azure-keyvault-secrets-provider addon.

default value: False
--enable-sgxquotehelper

Enable SGX quote helper for confcom addon.

default value: False
--enable-syslog

Enable syslog data collection for Monitoring addon.

default value: False
--no-wait

Do not wait for the long-running operation to finish.

default value: False
--rotation-poll-interval

Set interval of rotation poll. Use with azure-keyvault-secrets-provider addon.

--subnet-name -s

Name of an existing subnet to use with the virtual-node add-on.

--workspace-resource-id

The resource ID of an existing Log Analytics Workspace to use for storing monitoring data.

az aks get-credentials

Get access credentials for a managed Kubernetes cluster.

By default, the credentials are merged into the .kube/config file so kubectl can use them. See -f parameter for details.

az aks get-credentials --name
                       --resource-group
                       [--admin]
                       [--context]
                       [--file]
                       [--format]
                       [--overwrite-existing]
                       [--public-fqdn]

Examples

Get access credentials for a managed Kubernetes cluster. (autogenerated)

az aks get-credentials --name MyManagedCluster --resource-group MyResourceGroup

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--admin -a

Get cluster administrator credentials. Default: cluster user credentials.

default value: False
--context

If specified, overwrite the default context name. The --admin parameter takes precedence over --context.

--file -f

Kubernetes configuration file to update. Use "-" to print YAML to stdout instead.

default value: ~\.kube\config
--format

Specify the format of the returned credential. Available values are ["exec", "azure"]. Only takes effect when requesting the clusterUser credential of AAD clusters.

--overwrite-existing

Overwrite any existing cluster entry with the same name.

default value: False
--public-fqdn

Get the private cluster credential with the server address set to the public FQDN.

default value: False

az aks get-os-options

Get the OS options available for creating a managed Kubernetes cluster.

az aks get-os-options --location

Examples

Get the OS options available for creating a managed Kubernetes cluster

az aks get-os-options --location westus2

Required Parameters

--location -l

Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.

az aks get-upgrades

Get the upgrade versions available for a managed Kubernetes cluster.

az aks get-upgrades --name
                    --resource-group

Examples

Get the upgrade versions available for a managed Kubernetes cluster

az aks get-upgrades --name MyManagedCluster --resource-group MyResourceGroup

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

az aks get-versions

Get the versions available for creating a managed Kubernetes cluster.

az aks get-versions --location

Examples

Get the versions available for creating a managed Kubernetes cluster

az aks get-versions --location westus2

Required Parameters

--location -l

Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.

az aks install-cli

Download and install kubectl, the Kubernetes command-line tool. Download and install kubelogin, a client-go credential (exec) plugin implementing azure authentication.

az aks install-cli [--base-src-url]
                   [--client-version]
                   [--install-location]
                   [--kubelogin-base-src-url]
                   [--kubelogin-install-location]
                   [--kubelogin-version]

Optional Parameters

--base-src-url

Base download source URL for kubectl releases.

--client-version

Version of kubectl to install.

default value: latest
--install-location

Path at which to install kubectl. Note: the path should contain the binary filename.

default value: ~\.azure-kubectl\kubectl.exe
--kubelogin-base-src-url -l

Base download source URL for kubelogin releases.

--kubelogin-install-location

Path at which to install kubelogin. Note: the path should contain the binary filename.

default value: ~\.azure-kubelogin\kubelogin.exe
--kubelogin-version

Version of kubelogin to install.

default value: latest

az aks kanalyze

Display diagnostic results for the Kubernetes cluster after kollect is done.

az aks kanalyze --name
                --resource-group

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

az aks kollect

Collect diagnostic information for the Kubernetes cluster.

Collect diagnostic information for the Kubernetes cluster and store it in the specified storage account. You can provide the storage account in three ways:

- storage account name and a shared access signature with write permission.
- resource ID of a storage account you own.
- the storage account in diagnostics settings for your managed cluster.

az aks kollect --name
               --resource-group
               [--container-logs]
               [--kube-objects]
               [--node-logs]
               [--node-logs-windows]
               [--sas-token]
               [--storage-account]

Examples

Using the storage account name and a shared access signature token with write permission.

az aks kollect -g MyResourceGroup -n MyManagedCluster --storage-account MyStorageAccount --sas-token "MySasToken"

Using the resource ID of a storage account resource you own.

az aks kollect -g MyResourceGroup -n MyManagedCluster --storage-account "MyStorageAccountResourceId"

Using the storage account in diagnostics settings for your managed cluster.

az aks kollect -g MyResourceGroup -n MyManagedCluster

Customize the container logs to collect.

az aks kollect -g MyResourceGroup -n MyManagedCluster --container-logs "mynamespace1/mypod1 myns2"

Customize the Kubernetes objects to collect.

az aks kollect -g MyResourceGroup -n MyManagedCluster --kube-objects "mynamespace1/service myns2/deployment/deployment1"

Customize the node log files to collect.

az aks kollect -g MyResourceGroup -n MyManagedCluster --node-logs "/var/log/azure-vnet.log /var/log/azure-vnet-ipam.log"

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--container-logs

The list of container logs to collect.

--kube-objects

The list of Kubernetes objects to describe.

--node-logs

The list of node logs to collect for Linux nodes. For example, /var/log/cloud-init.log.

--node-logs-windows

The list of node logs to collect for Windows nodes. For example, C:\AzureData\CustomDataSetupScript.log.

--sas-token

The SAS token with writable permission for the storage account.

--storage-account

Name or ID of the storage account to save the diagnostic information.

az aks list

List managed Kubernetes clusters.

az aks list [--resource-group]

Optional Parameters

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

az aks operation-abort

Abort last running operation on managed cluster.

az aks operation-abort --name
                       --resource-group
                       [--no-wait]

Examples

Abort operation on managed cluster

az aks operation-abort -g myResourceGroup -n myAKSCluster

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--no-wait

Do not wait for the long-running operation to finish.

default value: False

az aks remove-dev-spaces

Remove Azure Dev Spaces from a managed Kubernetes cluster.

az aks remove-dev-spaces --name
                         --resource-group
                         [--yes]

Examples

Remove Azure Dev Spaces from a managed Kubernetes cluster.

az aks remove-dev-spaces -g my-aks-group -n my-aks

Remove Azure Dev Spaces from a managed Kubernetes cluster without prompting.

az aks remove-dev-spaces -g my-aks-group -n my-aks --yes

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--yes -y

Do not prompt for confirmation.

default value: False

az aks rotate-certs

Rotate certificates and keys on a managed Kubernetes cluster.

Kubernetes will be unavailable during cluster certificate rotation.

az aks rotate-certs --name
                    --resource-group
                    [--no-wait]
                    [--yes]

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--no-wait

Do not wait for the long-running operation to finish.

default value: False
--yes -y

Do not prompt for confirmation.

default value: False

az aks scale

Scale the node pool in a managed Kubernetes cluster.

az aks scale --name
             --node-count
             --resource-group
             [--no-wait]
             [--nodepool-name]

Examples

Scale the node pool in a managed Kubernetes cluster. (autogenerated)

az aks scale --name MyManagedCluster --node-count 3 --resource-group MyResourceGroup

Required Parameters

--name -n

Name of the managed cluster.

--node-count -c

Number of nodes in the Kubernetes node pool.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--no-wait

Do not wait for the long-running operation to finish.

default value: False
--nodepool-name

Node pool name, up to 12 alphanumeric characters.

az aks show

Show the details for a managed Kubernetes cluster.

az aks show --name
            --resource-group

Examples

Show the details for a managed Kubernetes cluster

az aks show --name MyManagedCluster --resource-group MyResourceGroup

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

az aks start

Starts a previously stopped Managed Cluster.

See starting a cluster (https://docs.microsoft.com/azure/aks/start-stop-cluster) for more details about starting a cluster.

az aks start --name
             --resource-group
             [--no-wait]

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--no-wait

Do not wait for the long-running operation to finish.

default value: False

az aks stop

Stops a Managed Cluster.

This can only be performed on Azure Virtual Machine Scale set backed clusters. Stopping a cluster stops the control plane and agent nodes entirely, while maintaining all object and cluster state. A cluster does not accrue charges while it is stopped. See stopping a cluster (https://docs.microsoft.com/azure/aks/start-stop-cluster) for more details about stopping a cluster.

az aks stop --name
            --resource-group
            [--no-wait]

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--no-wait

Do not wait for the long-running operation to finish.

default value: False

az aks update

Update a managed Kubernetes cluster. When called with no optional arguments, this attempts to move the cluster to its goal state without changing the current cluster configuration. This can be used to move out of a non-succeeded state.

az aks update --name
              --resource-group
              [--aad-admin-group-object-ids]
              [--aad-tenant-id]
              [--aks-custom-headers]
              [--api-server-authorized-ip-ranges]
              [--assign-identity]
              [--assign-kubelet-identity]
              [--attach-acr]
              [--auto-upgrade-channel {node-image, none, patch, rapid, stable}]
              [--azure-keyvault-kms-key-id]
              [--azure-keyvault-kms-key-vault-network-access {Private, Public}]
              [--azure-keyvault-kms-key-vault-resource-id]
              [--azure-monitor-workspace-resource-id]
              [--ca-profile]
              [--defender-config]
              [--detach-acr]
              [--disable-ahub]
              [--disable-azure-keyvault-kms]
              [--disable-azure-monitor-metrics]
              [--disable-azure-rbac]
              [--disable-blob-driver]
              [--disable-cluster-autoscaler]
              [--disable-defender]
              [--disable-disk-driver]
              [--disable-file-driver]
              [--disable-image-cleaner]
              [--disable-keda]
              [--disable-local-accounts]
              [--disable-public-fqdn]
              [--disable-secret-rotation]
              [--disable-snapshot-controller]
              [--disable-workload-identity]
              [--enable-aad]
              [--enable-ahub]
              [--enable-azure-keyvault-kms]
              [--enable-azure-monitor-metrics]
              [--enable-azure-rbac]
              [--enable-blob-driver]
              [--enable-cluster-autoscaler]
              [--enable-defender]
              [--enable-disk-driver]
              [--enable-file-driver]
              [--enable-image-cleaner]
              [--enable-keda]
              [--enable-local-accounts]
              [--enable-managed-identity]
              [--enable-oidc-issuer]
              [--enable-public-fqdn]
              [--enable-secret-rotation]
              [--enable-snapshot-controller]
              [--enable-windows-gmsa]
              [--enable-windows-recording-rules]
              [--enable-workload-identity]
              [--gmsa-dns-server]
              [--gmsa-root-domain-name]
              [--grafana-resource-id]
              [--http-proxy-config]
              [--image-cleaner-interval-hours]
              [--ksm-metric-annotations-allow-list]
              [--ksm-metric-labels-allow-list]
              [--load-balancer-idle-timeout]
              [--load-balancer-managed-outbound-ip-count]
              [--load-balancer-managed-outbound-ipv6-count]
              [--load-balancer-outbound-ip-prefixes]
              [--load-balancer-outbound-ips]
              [--load-balancer-outbound-ports]
              [--max-count]
              [--min-count]
              [--nat-gateway-idle-timeout]
              [--nat-gateway-managed-outbound-ip-count]
              [--network-plugin-mode]
              [--no-wait]
              [--nodepool-labels]
              [--pod-cidr]
              [--rotation-poll-interval]
              [--tags]
              [--tier {free, standard}]
              [--update-cluster-autoscaler]
              [--windows-admin-password]
              [--yes]

Examples

Reconcile the cluster back to its current state.

az aks update -g MyResourceGroup -n MyManagedCluster

Update a Kubernetes cluster with a standard SKU load balancer to use two AKS-created IPs for load balancer outbound connections.

az aks update -g MyResourceGroup -n MyManagedCluster --load-balancer-managed-outbound-ip-count 2

Update a Kubernetes cluster with a standard SKU load balancer to use the provided public IPs for load balancer outbound connections.

az aks update -g MyResourceGroup -n MyManagedCluster --load-balancer-outbound-ips <ip-resource-id-1,ip-resource-id-2>

Update a Kubernetes cluster with a standard SKU load balancer to use two outbound AKS-managed IPs, an idle flow timeout of 5 minutes, and 8000 allocated ports per machine.

az aks update -g MyResourceGroup -n MyManagedCluster --load-balancer-managed-outbound-ip-count 2 --load-balancer-idle-timeout 5 --load-balancer-outbound-ports 8000

Update a Kubernetes cluster with a standard SKU load balancer to use the provided public IP prefixes for load balancer outbound connections.

az aks update -g MyResourceGroup -n MyManagedCluster --load-balancer-outbound-ip-prefixes <ip-prefix-resource-id-1,ip-prefix-resource-id-2>

Update a Kubernetes cluster of managedNATGateway outbound type to use two outbound AKS-managed IPs and an idle flow timeout of 4 minutes.

az aks update -g MyResourceGroup -n MyManagedCluster --nat-gateway-managed-outbound-ip-count 2 --nat-gateway-idle-timeout 4

Attach AKS cluster to ACR by name "acrName"

az aks update -g MyResourceGroup -n MyManagedCluster --attach-acr acrName

Update a Kubernetes cluster with authorized apiserver IP ranges.

az aks update -g MyResourceGroup -n MyManagedCluster --api-server-authorized-ip-ranges 193.168.1.0/24,194.168.1.0/24

Disable the authorized apiserver IP ranges feature for a Kubernetes cluster.

az aks update -g MyResourceGroup -n MyManagedCluster --api-server-authorized-ip-ranges ""

Restrict apiserver traffic in a Kubernetes cluster to agentpool nodes.

az aks update -g MyResourceGroup -n MyManagedCluster --api-server-authorized-ip-ranges 0.0.0.0/32
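A pre-flight check for the --api-server-authorized-ip-ranges values shown in the three examples above, written for a change pipeline that runs before az aks update. This is an added example, not part of the Azure CLI; the function names, the requirement for explicit a.b.c.d/n entries and the /8 threshold are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Azure CLI code): classify the value that would be passed
# to --api-server-authorized-ip-ranges before the update is applied.
# Function names and MIN_PREFIX are assumptions of this example.

MIN_PREFIX=8   # assumed policy: flag IPv4 ranges broader than /8

# True if $1 is 1-3 decimal digits with a value <= $2.
is_num_le() {
    case "$1" in
        ''|*[!0-9]*|????*) return 1 ;;
    esac
    [ "$1" -le "$2" ]
}

# Print one word describing a comma-separated range list:
#   allow-all   ""          restriction removed, all traffic allowed
#   nodes-only  0.0.0.0/32  apiserver traffic restricted to node pools
#   restricted  well-formed CIDRs, none broader than MIN_PREFIX
#   too-broad   well-formed, but some range is broader than MIN_PREFIX
#   invalid     malformed entry (this example requires explicit a.b.c.d/n)
classify_authorized_ranges() {
    car_rest=$1
    car_verdict=restricted

    if [ -z "$car_rest" ]; then echo allow-all; return 0; fi
    if [ "$car_rest" = "0.0.0.0/32" ]; then echo nodes-only; return 0; fi
    case "$car_rest" in
        *,) echo invalid; return 0 ;;            # trailing comma
    esac

    while [ -n "$car_rest" ]; do
        # Peel one entry off the front of the list.
        case "$car_rest" in
            *,*) car_entry=${car_rest%%,*}; car_rest=${car_rest#*,} ;;
            *)   car_entry=$car_rest;       car_rest= ;;
        esac

        # Split address and prefix length.
        case "$car_entry" in
            */*) car_addr=${car_entry%/*}; car_prefix=${car_entry##*/} ;;
            *)   echo invalid; return 0 ;;
        esac

        # Exactly three dots, then four octets in 0..255.
        case "$car_addr" in
            *.*.*.*.*) echo invalid; return 0 ;;
            *.*.*.*)   ;;
            *)         echo invalid; return 0 ;;
        esac
        car_o1=${car_addr%%.*}; car_tail=${car_addr#*.}
        car_o2=${car_tail%%.*}; car_tail=${car_tail#*.}
        car_o3=${car_tail%%.*}; car_o4=${car_tail#*.}
        for car_o in "$car_o1" "$car_o2" "$car_o3" "$car_o4"; do
            is_num_le "$car_o" 255 || { echo invalid; return 0; }
        done

        is_num_le "$car_prefix" 32 || { echo invalid; return 0; }
        if [ "$car_prefix" -lt "$MIN_PREFIX" ]; then
            car_verdict=too-broad
        fi
    done
    echo "$car_verdict"
}

# Gate for a change pipeline: succeed only for values that keep the API
# server restricted (node pools only, or a list of sufficiently narrow ranges).
ranges_keep_restriction() {
    case "$(classify_authorized_ranges "$1")" in
        nodes-only|restricted) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample values; the first is the range list from the example above.
for sample in "193.168.1.0/24,194.168.1.0/24" "0.0.0.0/32" "" "0.0.0.0/0" "10.0.0.256/24"; do
    printf '%-34s %s\n' "\"$sample\"" "$(classify_authorized_ranges "$sample")"
done
```

In a pipeline, run az aks update only when ranges_keep_restriction succeeds, and require a separate approval for the allow-all and too-broad cases.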

Update an AKS-managed AAD cluster with tenant ID or admin group object IDs.

az aks update -g MyResourceGroup -n MyManagedCluster --aad-admin-group-object-ids <id-1,id-2> --aad-tenant-id <id>

Migrate an AKS AAD-Integrated cluster or a non-AAD cluster to an AKS-managed AAD cluster.

az aks update -g MyResourceGroup -n MyManagedCluster --enable-aad --aad-admin-group-object-ids <id-1,id-2> --aad-tenant-id <id>

Enable the Azure Hybrid User Benefits feature for a Kubernetes cluster.

az aks update -g MyResourceGroup -n MyManagedCluster --enable-ahub

Disable the Azure Hybrid User Benefits feature for a Kubernetes cluster.

az aks update -g MyResourceGroup -n MyManagedCluster --disable-ahub

Update the Windows password of a Kubernetes cluster.

az aks update -g MyResourceGroup -n MyManagedCluster --windows-admin-password "Repl@cePassw0rd12345678"

Update the cluster to use system assigned managed identity in control plane.

az aks update -g MyResourceGroup -n MyManagedCluster --enable-managed-identity

Update the cluster to use user assigned managed identity in control plane.

az aks update -g MyResourceGroup -n MyManagedCluster --enable-managed-identity --assign-identity <user_assigned_identity_resource_id>

Update a non-managed AAD AKS cluster to use Azure RBAC.

az aks update -g MyResourceGroup -n MyManagedCluster --enable-aad --enable-azure-rbac

Update a managed AAD AKS cluster to use Azure RBAC

az aks update -g MyResourceGroup -n MyManagedCluster --enable-azure-rbac

Disable Azure RBAC in a managed AAD AKS cluster

az aks update -g MyResourceGroup -n MyManagedCluster --disable-azure-rbac

Update the tags of a Kubernetes cluster.

az aks update -g MyResourceGroup -n MyManagedCluster --tags "foo=bar" "baz=qux"

Update a Kubernetes cluster with custom headers.

az aks update -g MyResourceGroup -n MyManagedCluster --aks-custom-headers WindowsContainerRuntime=containerd,AKSHTTPCustomFeatures=Microsoft.ContainerService/CustomNodeConfigPreview

Enable Windows gMSA for a Kubernetes cluster when the DNS server is already set in the VNet used by the cluster.

az aks update -g MyResourceGroup -n MyManagedCluster --enable-windows-gmsa

Enable Windows gMSA for a Kubernetes cluster when the DNS server is not set in the VNet used by the cluster.

az aks update -g MyResourceGroup -n MyManagedCluster --enable-windows-gmsa --gmsa-dns-server "10.240.0.4" --gmsa-root-domain-name "contoso.com"

Enable the KEDA workload autoscaler for an existing Kubernetes cluster.

az aks update -g MyResourceGroup -n MyManagedCluster --enable-keda

Disable the KEDA workload autoscaler for an existing Kubernetes cluster.

az aks update -g MyResourceGroup -n MyManagedCluster --disable-keda

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--aad-admin-group-object-ids

Comma-separated list of AAD group object IDs that will be set as cluster admin.

--aad-tenant-id

The ID of an Azure Active Directory tenant.

--aks-custom-headers

Comma-separated key-value pairs to specify custom headers.

--api-server-authorized-ip-ranges

Comma-separated list of authorized apiserver IP ranges. Set to "" to allow all traffic on a previously restricted cluster. Set to 0.0.0.0/32 to restrict apiserver traffic to node pools.

--assign-identity

Specify an existing user assigned identity to manage cluster resource group.

--assign-kubelet-identity

Update cluster's kubelet identity to an existing user assigned identity. Please note this operation will recreate all agent nodes in the cluster.

--attach-acr

Grant the 'acrpull' role assignment to the ACR specified by name or resource ID.

--auto-upgrade-channel

Specify the upgrade channel for autoupgrade.

accepted values: node-image, none, patch, rapid, stable
--azure-keyvault-kms-key-id

Identifier of Azure Key Vault key.

--azure-keyvault-kms-key-vault-network-access

Network Access of Azure Key Vault.

accepted values: Private, Public
--azure-keyvault-kms-key-vault-resource-id

Resource ID of Azure Key Vault.

--azure-monitor-workspace-resource-id

Resource ID of the Azure Monitor Workspace.

--ca-profile --cluster-autoscaler-profile

Space-separated list of key=value pairs for configuring cluster autoscaler. Pass an empty string to clear the profile.

--defender-config

Path to JSON file containing Microsoft Defender profile configurations.

--detach-acr

Disable the 'acrpull' role assignment to the ACR specified by name or resource ID.

--disable-ahub

Disable Azure Hybrid User Benefits (AHUB) feature for cluster.

default value: False
--disable-azure-keyvault-kms

Disable Azure KeyVault Key Management Service.

default value: False
--disable-azure-monitor-metrics

Disable Azure Monitor Metrics Profile. This will delete all DCRA's associated with the cluster, any linked DCRs with the data stream = prometheus-stream and the recording rule groups created by the addon for this AKS cluster.

default value: False
--disable-azure-rbac

Disable Azure RBAC to control authorization checks on cluster.

default value: False
--disable-blob-driver

Disable AzureBlob CSI Driver.

--disable-cluster-autoscaler -d

Disable cluster autoscaler.

default value: False
--disable-defender

Disable defender profile.

default value: False
--disable-disk-driver

Disable AzureDisk CSI Driver.

default value: False
--disable-file-driver

Disable AzureFile CSI Driver.

default value: False
--disable-image-cleaner

Disable ImageCleaner Service.

default value: False
--disable-keda

Disable KEDA workload auto-scaler.

default value: False
--disable-local-accounts

If set to true, getting static credentials will be disabled for this cluster.

default value: False
--disable-public-fqdn

Disable public fqdn feature for private cluster.

default value: False
--disable-secret-rotation

Disable secret rotation. Use with azure-keyvault-secrets-provider addon.

default value: False
--disable-snapshot-controller

Disable CSI Snapshot Controller.

default value: False
--disable-workload-identity

Disable workload identity addon.

default value: False
--enable-aad

Enable managed AAD feature for cluster.

default value: False
--enable-ahub

Enable Azure Hybrid User Benefits (AHUB) feature for cluster.

default value: False
--enable-azure-keyvault-kms

Enable Azure KeyVault Key Management Service.

default value: False
--enable-azure-monitor-metrics

Enable Azure Monitor Metrics Profile.

default value: False
--enable-azure-rbac

Enable Azure RBAC to control authorization checks on cluster.

default value: False
--enable-blob-driver

Enable AzureBlob CSI Driver.

--enable-cluster-autoscaler -e

Enable cluster autoscaler.

default value: False
--enable-defender

Enable Microsoft Defender security profile.

default value: False
--enable-disk-driver

Enable AzureDisk CSI Driver.

default value: False
--enable-file-driver

Enable AzureFile CSI Driver.

default value: False
--enable-image-cleaner

Enable ImageCleaner Service.

default value: False
--enable-keda

Enable KEDA workload auto-scaler.

default value: False
--enable-local-accounts

If set to true, getting static credentials will be enabled for this cluster.

default value: False
--enable-managed-identity

Update current cluster to use managed identity to manage cluster resource group.

default value: False
--enable-oidc-issuer

Enable OIDC issuer.

default value: False
--enable-public-fqdn

Enable public fqdn feature for private cluster.

default value: False
--enable-secret-rotation

Enable secret rotation. Use with azure-keyvault-secrets-provider addon.

default value: False
--enable-snapshot-controller

Enable Snapshot Controller.

default value: False
--enable-windows-gmsa

Enable Windows gmsa on cluster.

default value: False
--enable-windows-recording-rules

Enable Windows Recording Rules when enabling the Azure Monitor Metrics addon.

default value: False
--enable-workload-identity

Enable workload identity addon.

default value: False
--gmsa-dns-server

Specify DNS server for Windows gmsa on cluster.

--gmsa-root-domain-name

Specify root domain name for Windows gmsa on cluster.

--grafana-resource-id

Resource ID of the Azure Managed Grafana Workspace.

--http-proxy-config

HTTP Proxy configuration for this cluster.

--image-cleaner-interval-hours

ImageCleaner scanning interval.

--ksm-metric-annotations-allow-list

Comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric. By default the metric contains only name and namespace labels. To include additional labels, provide a list of resource names in their plural form and the Kubernetes label keys you would like to allow for them (e.g. '=namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...)'. A single '*' can be provided per resource instead to allow any labels, but that has severe performance implications (e.g. '=pods=[*]').

--ksm-metric-labels-allow-list

Comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric. By default the metric contains only name and namespace labels. To include additional labels, provide a list of resource names in their plural form and the Kubernetes label keys you would like to allow for them (e.g. '=namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...)'. A single '*' can be provided per resource instead to allow any labels, but that has severe performance implications (e.g. '=pods=[*]').

--load-balancer-idle-timeout

Load balancer idle timeout in minutes.

--load-balancer-managed-outbound-ip-count

Load balancer managed outbound IP count.

--load-balancer-managed-outbound-ipv6-count

Load balancer managed outbound IPv6 IP count.

--load-balancer-outbound-ip-prefixes

Load balancer outbound IP prefix resource IDs.

--load-balancer-outbound-ips

Load balancer outbound IP resource IDs.

--load-balancer-outbound-ports

Load balancer outbound allocated ports.

--max-count

Maximum nodes count used for autoscaler, when "--enable-cluster-autoscaler" specified. Please specify the value in the range of [1, 1000].

--min-count

Minimum nodes count used for autoscaler, when "--enable-cluster-autoscaler" specified. Please specify the value in the range of [1, 1000].

--nat-gateway-idle-timeout

NAT gateway idle timeout in minutes.

--nat-gateway-managed-outbound-ip-count

NAT gateway managed outbound IP count.

--network-plugin-mode

Update the mode of a network plugin to migrate to a different pod networking setup.

--no-wait

Do not wait for the long-running operation to finish.

default value: False
--nodepool-labels

Space-separated labels: key[=value] [key[=value] ...]. See https://aka.ms/node-labels for syntax of labels.

--pod-cidr

Update the pod CIDR for a cluster. Used when updating a cluster from Azure CNI to Azure CNI Overlay.

--rotation-poll-interval

Set interval of rotation poll. Use with azure-keyvault-secrets-provider addon.

--tags

The tags of the managed cluster. The managed cluster instance and all resources managed by the cloud provider will be tagged.

--tier

Specify SKU tier for managed clusters. '--tier standard' enables a standard managed cluster service with a financially backed SLA. '--tier free' changes a standard managed cluster to a free one.

accepted values: free, standard
--update-cluster-autoscaler -u

Update min-count or max-count for cluster autoscaler.

default value: False
--windows-admin-password

User account password to use on Windows node VMs.

--yes -y

Do not prompt for confirmation.

default value: False
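
The --api-server-authorized-ip-ranges option above gives two values a special meaning ("" and 0.0.0.0/32). The following shell functions are an added example, not part of the Azure CLI or its documentation, that classify a value before it is passed to az aks update. The function names, the IPv4-CIDR-only parsing and the MIN_PREFIX threshold are assumptions of this example.

```shell
# Added example, not Azure CLI code: check a value before passing it to
#   az aks update --api-server-authorized-ip-ranges "<value>"
# MIN_PREFIX is a local policy assumption, not an Azure limit.
MIN_PREFIX=${MIN_PREFIX:-16}

# in_range N MAX: succeeds if N is 1-3 decimal digits and N <= MAX.
in_range() {
  case $1 in ''|*[!0-9]*|????*) return 1 ;; esac
  [ "$1" -le "$2" ]
}

# valid_cidr ENTRY: succeeds if ENTRY is a dotted-quad IPv4 address with /0-/32.
valid_cidr() {
  case $1 in */*) ;; *) return 1 ;; esac
  in_range "${1#*/}" 32 || return 1
  _rest="${1%/*}." _n=0
  while [ -n "$_rest" ]; do
    in_range "${_rest%%.*}" 255 || return 1
    _rest=${_rest#*.}
    _n=$((_n + 1))
  done
  [ "$_n" -eq 4 ]
}

# classify_authorized_ranges VALUE: prints one verdict.
#   open            empty string: all traffic allowed
#   nodepools-only  0.0.0.0/32: apiserver traffic restricted to node pools
#   invalid:ENTRY   entry is not IPv4 CIDR (this example's assumption)
#   too-broad:ENTRY prefix shorter than MIN_PREFIX
#   restricted      every entry is well formed and narrow enough
classify_authorized_ranges() {
  case $1 in
    '') echo open; return ;;
    0.0.0.0/32) echo nodepools-only; return ;;
  esac
  _list="$1,"
  while [ -n "$_list" ]; do
    _entry=${_list%%,*}
    _list=${_list#*,}
    valid_cidr "$_entry" || { echo "invalid:$_entry"; return; }
    [ "${_entry#*/}" -ge "$MIN_PREFIX" ] || { echo "too-broad:$_entry"; return; }
  done
  echo restricted
}

# Constructed sample values (RFC 5737 documentation addresses).
for v in "" "0.0.0.0/32" "203.0.113.0/24,198.51.100.7/32" "0.0.0.0/0" "203.0.113.7"; do
  printf '%s -> %s\n' "[$v]" "$(classify_authorized_ranges "$v")"
done
```

A change pipeline can refuse to run the update when the verdict is open, too-broad or invalid, so that a restricted API server is not opened up by an empty or malformed variable.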

az aks update-credentials

Update credentials for a managed Kubernetes cluster, such as the service principal.

az aks update-credentials --name
                          --resource-group
                          [--client-secret]
                          [--no-wait]
                          [--reset-service-principal]
                          [--service-principal]

Examples

Update an existing Kubernetes cluster with new service principal.

az aks update-credentials -g MyResourceGroup -n MyManagedCluster --reset-service-principal --service-principal MyNewServicePrincipalID --client-secret MyNewServicePrincipalSecret

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--client-secret

Secret associated with the service principal. This argument is required if --service-principal is specified.

--no-wait

Do not wait for the long-running operation to finish.

default value: False
--reset-service-principal

Reset service principal for a managed cluster.

default value: False
--service-principal

Service principal used for authentication to Azure APIs. This argument is required if --reset-service-principal is specified.

az aks upgrade

Upgrade a managed Kubernetes cluster to a newer version.

Kubernetes will be unavailable during cluster upgrades.

az aks upgrade --name
               --resource-group
               [--control-plane-only]
               [--kubernetes-version]
               [--no-wait]
               [--node-image-only]
               [--yes]

Examples

Upgrade a managed Kubernetes cluster to a newer version. (autogenerated)

az aks upgrade --kubernetes-version 1.12.6 --name MyManagedCluster --resource-group MyResourceGroup

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--control-plane-only

Upgrade the cluster control plane only. If not specified, both control plane AND all node pools will be upgraded.

default value: False
--kubernetes-version -k

Version of Kubernetes to upgrade the cluster to, such as "1.16.9".

value from: `az aks get-upgrades`
--no-wait

Do not wait for the long-running operation to finish.

default value: False
--node-image-only

Only upgrade node image for agent pools.

default value: False
--yes -y

Do not prompt for confirmation.

default value: False

az aks use-dev-spaces

Use Azure Dev Spaces with a managed Kubernetes cluster.

az aks use-dev-spaces --name
                      --resource-group
                      [--endpoint {None, Private, Public}]
                      [--space]
                      [--update]
                      [--yes]

Examples

Use Azure Dev Spaces with a managed Kubernetes cluster, interactively selecting a dev space.

az aks use-dev-spaces -g my-aks-group -n my-aks

Use Azure Dev Spaces with a managed Kubernetes cluster, updating to the latest Azure Dev Spaces client components and selecting a new or existing dev space 'my-space'.

az aks use-dev-spaces -g my-aks-group -n my-aks --update --space my-space

Use Azure Dev Spaces with a managed Kubernetes cluster, selecting a new or existing dev space 'develop/my-space' without prompting for confirmation.

az aks use-dev-spaces -g my-aks-group -n my-aks -s develop/my-space -y

Use Azure Dev Spaces with a managed Kubernetes cluster with a private endpoint.

az aks use-dev-spaces -g my-aks-group -n my-aks -e private

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--endpoint -e

The endpoint type to be used for an Azure Dev Spaces controller. See https://aka.ms/azds-networking for more information.

accepted values: None, Private, Public
default value: Public
--space -s

Name of the new or existing dev space to select. Defaults to an interactive selection experience.

--update

Update to the latest Azure Dev Spaces client components.

default value: False
--yes -y

Do not prompt for confirmation. Requires --space.

default value: False

az aks wait

Wait for a managed Kubernetes cluster to reach a desired state.

If an operation on a cluster was interrupted or was started with --no-wait, use this command to wait for it to complete.

az aks wait --name
            --resource-group
            [--created]
            [--custom]
            [--deleted]
            [--exists]
            [--interval]
            [--timeout]
            [--updated]

Examples

Wait for a cluster to be upgraded, polling every minute for up to thirty minutes.

az aks wait -g MyResourceGroup -n MyManagedCluster --updated --interval 60 --timeout 1800

Wait for a managed Kubernetes cluster to reach a desired state (autogenerated)

az aks wait --created --interval 60 --name MyManagedCluster --resource-group MyResourceGroup --timeout 1800

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--created

Wait until created with 'provisioningState' at 'Succeeded'.

default value: False
--custom

Wait until the condition satisfies a custom JMESPath query. E.g. provisioningState!='InProgress', instanceView.statuses[?code=='PowerState/running'].

--deleted

Wait until deleted.

default value: False
--exists

Wait until the resource exists.

default value: False
--interval

Polling interval in seconds.

default value: 30
--timeout

Maximum wait in seconds.

default value: 3600
--updated

Wait until updated with provisioningState at 'Succeeded'.

default value: False