Managed Clusters - Get
Gets a managed cluster.
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ContainerService/managedClusters/{resourceName}?api-version=2025-05-01URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
|
resource
|
path | True |
string minLength: 1maxLength: 90 |
The name of the resource group. The name is case insensitive. |
|
resource
|
path | True |
string minLength: 1maxLength: 63 pattern: ^[a-zA-Z0-9]$|^[a-zA-Z0-9][-_a-zA-Z0-9]{0,61}[a-zA-Z0-9]$ |
The name of the managed cluster resource. |
|
subscription
|
path | True |
string (uuid) |
The ID of the target subscription. The value must be an UUID. |
|
api-version
|
query | True |
string minLength: 1 |
The API version to use for this operation. |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK |
OK |
|
| Other Status Codes |
Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type:
oauth2
Flow:
implicit
Authorization URL:
https://login.microsoftonline.com/common/oauth2/authorize
Scopes
| Name | Description |
|---|---|
| user_impersonation | impersonate your user account |
Examples
Get Managed Cluster
Sample request
GET https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.ContainerService/managedClusters/clustername1?api-version=2025-05-01
Sample response
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.ContainerService/managedClusters/clustername1",
"location": "location1",
"name": "clustername1",
"tags": {
"archv2": "",
"tier": "production"
},
"type": "Microsoft.ContainerService/ManagedClusters",
"eTag": "beywbwei",
"properties": {
"provisioningState": "Succeeded",
"maxAgentPools": 1,
"kubernetesVersion": "1.9.6",
"currentKubernetesVersion": "1.9.6",
"dnsPrefix": "dnsprefix1",
"fqdn": "dnsprefix1-abcd1234.hcp.eastus.azmk8s.io",
"azurePortalFQDN": "dnsprefix1-abcd1234.portal.hcp.eastus.azmk8s.io",
"agentPoolProfiles": [
{
"name": "nodepool1",
"count": 3,
"vmSize": "Standard_DS1_v2",
"maxPods": 110,
"osType": "Linux",
"eTag": "nvewbvoi",
"provisioningState": "Succeeded",
"orchestratorVersion": "1.9.6",
"currentOrchestratorVersion": "1.9.6",
"availabilityZones": [
"1",
"2",
"3"
],
"nodeImageVersion": "AKSUbuntu:1604:2020.03.11",
"upgradeSettings": {
"maxSurge": "33%"
}
}
],
"linuxProfile": {
"adminUsername": "azureuser",
"ssh": {
"publicKeys": [
{
"keyData": "keydata"
}
]
}
},
"servicePrincipalProfile": {
"clientId": "clientid"
},
"nodeResourceGroup": "MC_rg1_clustername1_location1",
"enableRBAC": false,
"diskEncryptionSetID": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des",
"networkProfile": {
"networkPlugin": "kubenet",
"podCidr": "10.244.0.0/16",
"serviceCidr": "10.0.0.0/16",
"dnsServiceIP": "10.0.0.10",
"loadBalancerSku": "standard",
"outboundType": "loadBalancer",
"podCidrs": [
"10.244.0.0/16"
],
"serviceCidrs": [
"10.0.0.0/16"
],
"ipFamilies": [
"IPv4"
],
"loadBalancerProfile": {
"allocatedOutboundPorts": 2000,
"idleTimeoutInMinutes": 10,
"outboundIPs": {
"publicIPs": [
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Network/publicIPAddresses/customeroutboundip1"
},
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.Network/publicIPAddresses/customeroutboundip2"
}
]
},
"effectiveOutboundIPs": [
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/MC_rg1/providers/Microsoft.Network/publicIPAddresses/mgdoutboundip1"
},
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/MC_rg1/providers/Microsoft.Network/publicIPAddresses/mgdoutboundip2"
}
]
}
},
"upgradeSettings": {
"overrideSettings": {
"forceUpgrade": true,
"until": "2022-11-01T13:00:00Z"
}
}
}
}Definitions
| Name | Description |
|---|---|
|
Advanced |
Advanced Networking profile for enabling observability and security feature suite on a cluster. For more information see aka.ms/aksadvancednetworking. |
|
Advanced |
Observability profile to enable advanced network metrics and flow logs with historical contexts. |
|
Advanced |
Security profile to enable security features on cilium based cluster. |
|
Agent |
Profile of the managed cluster gateway agent pool. |
|
Agent |
The mode of an agent pool. A cluster must have at least one 'System' Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: https://docs.microsoft.com/azure/aks/use-system-pools |
|
Agent |
Network settings of an agent pool. |
|
Agent |
The security settings of an agent pool. |
|
Agent |
Contains read-only information about the Agent Pool. |
|
Agent |
The type of Agent Pool. |
|
Agent |
Settings for upgrading an agentpool |
|
Agent |
The Windows agent pool's specific profile. |
|
Artifact |
The artifact source. The source where the artifacts are downloaded from. |
|
Auto |
Parameters to be applied to the cluster-autoscaler when enabled |
|
Azure |
Azure Key Vault key management service settings for the security profile. |
|
Backend |
The type of the managed inbound Load Balancer BackendPool. |
|
Cloud |
An error response from the Container service. |
|
Cloud |
An error response from the Container service. |
|
Cluster |
Settings for upgrading a cluster. |
| code |
Tells whether the cluster is Running or Stopped |
|
Container |
Profile for Linux VMs in the container service cluster. |
|
Container |
Profile of network configuration. |
|
Container |
SSH configuration for Linux-based VMs running on Azure. |
|
Container |
Contains information about SSH certificate public key data. |
|
created |
The type of identity that created the resource. |
|
Creation |
Data used when creating a target resource from a source resource. |
|
Delegated |
Delegated resource properties - internal use only. |
| expander |
The expander to use when scaling up. If not specified, the default is 'random'. See expanders for more information. |
|
Extended |
The complex type of the extended location. |
|
Extended |
The type of the extended location. |
| GPUDriver |
Whether to install GPU drivers. When it's not specified, default is Install. |
|
GPUInstance |
GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. |
| GPUProfile |
GPU settings for the Agent Pool. |
| Identity |
Identity for the resource. |
|
ip |
The IP families used to specify IP versions available to the cluster. IP families are used to determine single-stack or dual-stack clusters. For single-stack, the expected value is IPv4. For dual-stack, the expected values are IPv4 and IPv6. |
| IPTag |
Contains the IPTag associated with the object. |
|
Istio |
Istio Service Mesh Certificate Authority (CA) configuration. For now, we only support plugin certificates as described here https://aka.ms/asm-plugin-ca |
|
Istio |
Istio components configuration. |
|
Istio |
Istio egress gateway configuration. |
|
Istio |
Istio ingress gateway configuration. For now, we support up to one external ingress gateway named |
|
Istio |
Mode of an ingress gateway. |
|
Istio |
Plugin certificates information for Service Mesh. |
|
Istio |
Istio service mesh configuration. |
|
Key |
Network access of the key vault. Network access of key vault. The possible values are |
|
Kubelet |
Kubelet configurations of agent nodes. See AKS custom node configuration for more details. |
|
Kubelet |
Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. |
|
Kubernetes |
Different support tiers for AKS managed clusters |
|
license |
The license type to use for Windows VMs. See Azure Hybrid User Benefits for more details. |
|
Linux |
OS configurations of Linux agent nodes. See AKS custom node configuration for more details. |
|
load |
The load balancer sku for the managed cluster. The default is 'standard'. See Azure Load Balancer SKUs for more information about the differences between load balancer SKUs. |
|
Managed |
Managed cluster. |
|
Managed |
AADProfile specifies attributes for Azure Active Directory integration. For more details see managed AAD on AKS. |
|
Managed |
A Kubernetes add-on profile for a managed cluster. |
|
Managed |
Profile for the container service agent pool. |
|
Managed |
When enabling the operator, a set of AKS managed CRDs and controllers will be installed in the cluster. The operator automates the deployment of OSS models for inference and/or training purposes. It provides a set of preset models and enables distributed inference against them. |
|
Managed |
Access profile for managed cluster API server. |
|
Managed |
Auto upgrade profile for a managed cluster. |
|
Managed |
Azure Monitor addon profiles for monitoring the managed cluster. |
|
Managed |
Kube State Metrics profile for the Azure Managed Prometheus addon. These optional settings are for the kube-state-metrics pod that is deployed with the addon. See aka.ms/AzureManagedPrometheus-optional-parameters for details. |
|
Managed |
Metrics profile for the Azure Monitor managed service for Prometheus addon. Collect out-of-the-box Kubernetes infrastructure metrics to send to an Azure Monitor Workspace and configure additional scraping for custom targets. See aka.ms/AzureManagedPrometheus for an overview. |
|
Managed |
The bootstrap profile. |
|
Managed |
The cost analysis configuration for the cluster |
|
Managed |
Cluster HTTP proxy configuration. |
|
Managed |
Identity for the managed cluster. |
|
Managed |
Ingress profile for the container service cluster. |
|
Managed |
|
|
Managed |
Application Routing add-on settings for the ingress profile. |
|
Managed |
Profile of the managed cluster load balancer. |
|
Managed |
Profile of the managed outbound IP resources of the managed cluster. |
|
Managed |
The metrics profile for the ManagedCluster. |
|
Managed |
Profile of the managed cluster NAT gateway. |
|
Managed |
|
|
Managed |
Node resource group lockdown profile for a managed cluster. |
|
Managed |
The OIDC issuer profile of the Managed Cluster. |
|
Managed |
Details about the pod identity assigned to the Managed Cluster. |
|
Managed |
A pod identity exception, which allows pods with certain labels to access the Azure Instance Metadata Service (IMDS) endpoint without being intercepted by the node-managed identity (NMI) server. See disable AAD Pod Identity for a specific Pod/Application for more details. |
|
Managed |
The pod identity profile of the Managed Cluster. See use AAD pod identity for more details on pod identity integration. |
|
Managed |
An error response from the pod identity provisioning. |
|
Managed |
An error response from the pod identity provisioning. |
|
Managed |
The current provisioning state of the pod identity. |
|
Managed |
Security profile for the container service cluster. |
|
Managed |
Microsoft Defender settings for the security profile. |
|
Managed |
Microsoft Defender settings for the security profile threat detection. |
|
Managed |
Image Cleaner removes unused images from nodes, freeing up disk space and helping to reduce attack surface area. Here are settings for the security profile. |
|
Managed |
Workload identity settings for the security profile. |
|
Managed |
Information about a service principal identity for the cluster to use for manipulating Azure APIs. |
|
Managed |
The SKU of a Managed Cluster. |
|
Managed |
The name of a managed cluster SKU. |
|
Managed |
The tier of a managed cluster SKU. If not specified, the default is 'Free'. See AKS Pricing Tier for more details. |
|
Managed |
The Static Egress Gateway addon configuration for the cluster. |
|
Managed |
Contains read-only information about the Managed Cluster. |
|
Managed |
Storage profile for the container service cluster. |
|
Managed |
AzureBlob CSI Driver settings for the storage profile. |
|
Managed |
AzureDisk CSI Driver settings for the storage profile. |
|
Managed |
AzureFile CSI Driver settings for the storage profile. |
|
Managed |
Snapshot Controller settings for the storage profile. |
|
Managed |
Profile for Windows VMs in the managed cluster. |
|
Managed |
Workload Auto-scaler profile for the managed cluster. |
|
Managed |
KEDA (Kubernetes Event-driven Autoscaling) settings for the workload auto-scaler profile. |
|
Managed |
VPA (Vertical Pod Autoscaler) settings for the workload auto-scaler profile. |
|
Managed |
Desired managed outbound IPs for the cluster load balancer. |
|
Manual |
Specifications on number of machines. |
|
network |
Network dataplane used in the Kubernetes cluster. |
|
network |
The network mode Azure CNI is configured with. This cannot be specified if networkPlugin is anything other than 'azure'. |
|
Network |
Network plugin used for building the Kubernetes network. |
|
Network |
The mode the network plugin should use. |
|
Network |
Network policy used for building the Kubernetes network. |
|
Nginx |
Ingress type for the default NginxIngressController custom resource |
|
node |
Node OS Upgrade Channel. Manner in which the OS on your nodes is updated. The default is NodeImage. |
|
Node |
The set of default Karpenter NodePools (CRDs) configured for node provisioning. This field has no effect unless mode is 'Auto'. Warning: Changing this from Auto to None on an existing cluster will cause the default Karpenter NodePools to be deleted, which will drain and delete the nodes associated with those pools. It is strongly recommended to not do this unless there are idle nodes ready to take the pods evicted by that action. If not specified, the default is Auto. For more information see aka.ms/aks/nap#node-pools. |
|
Node |
The node provisioning mode. If not specified, the default is Manual. |
|
OSDisk |
The OS disk type to be used for machines in the agent pool. The default is 'Ephemeral' if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. For more information see Ephemeral OS. |
| OSSKU |
Specifies the OS SKU used by the agent pool. The default is Ubuntu if OSType is Linux. The default is Windows2019 when Kubernetes <= 1.24 or Windows2022 when Kubernetes >= 1.25 if OSType is Windows. |
| OSType |
The operating system type. The default is Linux. |
|
Outbound |
Desired outbound IP Prefix resources for the cluster load balancer. |
|
Outbound |
Desired outbound IP resources for the cluster load balancer. |
|
outbound |
The outbound (egress) routing method. This can only be set at cluster creation time and cannot be changed later. For more information see egress outbound type. |
|
Pod |
Pod IP Allocation Mode. The IP allocation mode for pods in the agent pool. Must be used with podSubnetId. The default is 'DynamicIndividual'. |
|
Port |
The port range. |
|
Power |
Describes the Power State of the cluster |
|
Private |
A private link resource |
| Protocol |
The network protocol of the port. |
|
Provisioning |
|
|
Public |
PublicNetworkAccess of the managedCluster. Allow or deny public network access for AKS |
|
Resource |
The type of identity used for the managed cluster. For more information see use managed identities in AKS. |
|
Resource |
A reference to an Azure resource. |
|
Restriction |
The restriction level applied to the cluster's node resource group. If not specified, the default is 'Unrestricted' |
|
Scale |
Describes how VMs are added to or removed from Agent Pools. See billing states. |
|
Scale |
Specifications on how to scale a VirtualMachines agent pool. |
|
Scale |
The Virtual Machine Scale Set eviction policy. The eviction policy specifies what to do with the VM when it is evicted. The default is Delete. For more information about eviction see spot VMs |
|
Scale |
The Virtual Machine Scale Set priority. |
|
Service |
Mode of the service mesh. |
|
Service |
Service mesh profile for a managed cluster. |
|
Sysctl |
Sysctl settings for Linux agent nodes. |
|
system |
Metadata pertaining to creation and last modification of the resource. |
|
Undrainable |
Defines the behavior for undrainable nodes during upgrade. The most common cause of undrainable nodes is Pod Disruption Budgets (PDBs), but other issues, such as pod termination grace period is exceeding the remaining per-node drain timeout or pod is still being in a running state, can also cause undrainable nodes. |
|
upgrade |
The upgrade channel for auto upgrade. The default is 'none'. For more information see setting the AKS cluster auto-upgrade channel. |
|
Upgrade |
Settings for overrides when upgrading a cluster. |
|
User |
The user identity associated with the managed cluster. This identity will be used in control plane. Only one user assigned identity is allowed. The keys must be ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. |
|
User |
Details about a user assigned identity. |
|
Virtual |
Current status on a group of nodes of the same vm size. |
|
Virtual |
Specifications on VirtualMachines agent pool. |
|
Windows |
Windows gMSA Profile in the managed cluster. |
|
Workload |
Determines the type of workload a node can run. |
AdvancedNetworking
Advanced Networking profile for enabling observability and security feature suite on a cluster. For more information see aka.ms/aksadvancednetworking.
| Name | Type | Description |
|---|---|---|
| enabled |
boolean |
Indicates the enablement of Advanced Networking functionalities of observability and security on AKS clusters. When this is set to true, all observability and security features will be set to enabled unless explicitly disabled. If not specified, the default is false. |
| observability |
Observability profile to enable advanced network metrics and flow logs with historical contexts. |
|
| security |
Security profile to enable security features on cilium based cluster. |
AdvancedNetworkingObservability
Observability profile to enable advanced network metrics and flow logs with historical contexts.
| Name | Type | Description |
|---|---|---|
| enabled |
boolean |
Indicates the enablement of Advanced Networking observability functionalities on clusters. |
AdvancedNetworkingSecurity
Security profile to enable security features on cilium based cluster.
| Name | Type | Description |
|---|---|---|
| enabled |
boolean |
This feature allows user to configure network policy based on DNS (FQDN) names. It can be enabled only on cilium based clusters. If not specified, the default is false. |
AgentPoolGatewayProfile
Profile of the managed cluster gateway agent pool.
| Name | Type | Default value | Description |
|---|---|---|---|
| publicIPPrefixSize |
integer (int32) minimum: 28maximum: 31 |
31 |
The Gateway agent pool associates one public IPPrefix for each static egress gateway to provide public egress. The size of Public IPPrefix should be selected by the user. Each node in the agent pool is assigned with one IP from the IPPrefix. The IPPrefix size thus serves as a cap on the size of the Gateway agent pool. Due to Azure public IPPrefix size limitation, the valid value range is [28, 31] (/31 = 2 nodes/IPs, /30 = 4 nodes/IPs, /29 = 8 nodes/IPs, /28 = 16 nodes/IPs). The default value is 31. |
AgentPoolMode
The mode of an agent pool. A cluster must have at least one 'System' Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: https://docs.microsoft.com/azure/aks/use-system-pools
| Value | Description |
|---|---|
| System |
System agent pools are primarily for hosting critical system pods such as CoreDNS and metrics-server. System agent pools osType must be Linux. System agent pools VM SKU must have at least 2vCPUs and 4GB of memory. |
| User |
User agent pools are primarily for hosting your application pods. |
| Gateway |
Gateway agent pools are dedicated to providing static egress IPs to pods. For more details, see https://aka.ms/aks/static-egress-gateway. |
AgentPoolNetworkProfile
Network settings of an agent pool.
| Name | Type | Description |
|---|---|---|
| allowedHostPorts |
The port ranges that are allowed to access. The specified ranges are allowed to overlap. |
|
| applicationSecurityGroups |
string[] (arm-id) |
The IDs of the application security groups which agent pool will associate when created. |
| nodePublicIPTags |
IPTag[] |
IPTags of instance-level public IPs. |
AgentPoolSecurityProfile
The security settings of an agent pool.
| Name | Type | Description |
|---|---|---|
| enableSecureBoot |
boolean |
Secure Boot is a feature of Trusted Launch which ensures that only signed operating systems and drivers can boot. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false. |
| enableVTPM |
boolean |
vTPM is a Trusted Launch feature for configuring a dedicated secure vault for keys and measurements held locally on the node. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false. |
AgentPoolStatus
Contains read-only information about the Agent Pool.
| Name | Type | Description |
|---|---|---|
| provisioningError |
The error detail information of the agent pool. Preserves the detailed info of failure. If there was no error, this field is omitted. |
AgentPoolType
The type of Agent Pool.
| Value | Description |
|---|---|
| VirtualMachineScaleSets |
Create an Agent Pool backed by a Virtual Machine Scale Set. |
| AvailabilitySet |
Use of this is strongly discouraged. |
| VirtualMachines |
Create an Agent Pool backed by a Single Instance VM orchestration mode. |
AgentPoolUpgradeSettings
Settings for upgrading an agentpool
| Name | Type | Description |
|---|---|---|
| drainTimeoutInMinutes |
integer (int32) minimum: 1maximum: 1440 |
The drain timeout for a node. The amount of time (in minutes) to wait on eviction of pods and graceful termination per node. This eviction wait time honors waiting on pod disruption budgets. If this time is exceeded, the upgrade fails. If not specified, the default is 30 minutes. |
| maxSurge |
string |
The maximum number or percentage of nodes that are surged during upgrade. This can either be set to an integer (e.g. '5') or a percentage (e.g. '50%'). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 10%. For more information, including best practices, see: https://learn.microsoft.com/en-us/azure/aks/upgrade-cluster |
| maxUnavailable |
string |
The maximum number or percentage of nodes that can be simultaneously unavailable during upgrade. This can either be set to an integer (e.g. '1') or a percentage (e.g. '5%'). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 0. For more information, including best practices, see: https://learn.microsoft.com/en-us/azure/aks/upgrade-cluster |
| nodeSoakDurationInMinutes |
integer (int32) minimum: 0maximum: 30 |
The soak duration for a node. The amount of time (in minutes) to wait after draining a node and before reimaging it and moving on to next node. If not specified, the default is 0 minutes. |
| undrainableNodeBehavior |
Defines the behavior for undrainable nodes during upgrade. The most common cause of undrainable nodes is Pod Disruption Budgets (PDBs), but other issues, such as pod termination grace period is exceeding the remaining per-node drain timeout or pod is still being in a running state, can also cause undrainable nodes. |
AgentPoolWindowsProfile
The Windows agent pool's specific profile.
| Name | Type | Description |
|---|---|---|
| disableOutboundNat |
boolean |
Whether to disable OutboundNAT in windows nodes. The default value is false. Outbound NAT can only be disabled if the cluster outboundType is NAT Gateway and the Windows agent pool does not have node public IP enabled. |
ArtifactSource
The artifact source. The source where the artifacts are downloaded from.
| Value | Description |
|---|---|
| Direct |
pull images from Microsoft Artifact Registry |
| Cache |
pull images from Azure Container Registry with cache |
AutoScalerProfile
Parameters to be applied to the cluster-autoscaler when enabled
| Name | Type | Description |
|---|---|---|
| balance-similar-node-groups |
string |
Detects similar node pools and balances the number of nodes between them. Valid values are 'true' and 'false' |
| daemonset-eviction-for-empty-nodes |
boolean |
DaemonSet pods will be gracefully terminated from empty nodes. If set to true, all daemonset pods on empty nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted. |
| daemonset-eviction-for-occupied-nodes |
boolean |
DaemonSet pods will be gracefully terminated from non-empty nodes. If set to true, all daemonset pods on occupied nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted. |
| expander |
The expander to use when scaling up. If not specified, the default is 'random'. See expanders for more information. |
|
| ignore-daemonsets-utilization |
boolean |
Should CA ignore DaemonSet pods when calculating resource utilization for scaling down. If set to true, the resources used by daemonset will be taken into account when making scaling down decisions. |
| max-empty-bulk-delete |
string |
The maximum number of empty nodes that can be deleted at the same time. This must be a positive integer. The default is 10. |
| max-graceful-termination-sec |
string |
The maximum number of seconds the cluster autoscaler waits for pod termination when trying to scale down a node. The default is 600. |
| max-node-provision-time |
string |
The maximum time the autoscaler waits for a node to be provisioned. The default is '15m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. |
| max-total-unready-percentage |
string |
The maximum percentage of unready nodes in the cluster. After this percentage is exceeded, cluster autoscaler halts operations. The default is 45. The maximum is 100 and the minimum is 0. |
| new-pod-scale-up-delay |
string |
Ignore unscheduled pods before they're a certain age. For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. The default is '0s'. Values must be an integer followed by a unit ('s' for seconds, 'm' for minutes, 'h' for hours, etc). |
| ok-total-unready-count |
string |
The number of allowed unready nodes, irrespective of max-total-unready-percentage. This must be an integer. The default is 3. |
| scale-down-delay-after-add |
string |
How long after scale up that scale down evaluation resumes. The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. |
| scale-down-delay-after-delete |
string |
How long after node deletion that scale down evaluation resumes. The default is the scan-interval. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. |
| scale-down-delay-after-failure |
string |
How long after scale down failure that scale down evaluation resumes. The default is '3m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. |
| scale-down-unneeded-time |
string |
How long a node should be unneeded before it is eligible for scale down. The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. |
| scale-down-unready-time |
string |
How long an unready node should be unneeded before it is eligible for scale down. The default is '20m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. |
| scale-down-utilization-threshold |
string |
Node utilization level, defined as sum of requested resources divided by capacity, below which a node can be considered for scale down. The default is '0.5'. |
| scan-interval |
string |
How often cluster is reevaluated for scale up or down. The default is '10'. Values must be an integer number of seconds. |
| skip-nodes-with-local-storage |
string |
If cluster autoscaler will skip deleting nodes with pods with local storage, for example, EmptyDir or HostPath. The default is true. |
| skip-nodes-with-system-pods |
string |
If cluster autoscaler will skip deleting nodes with pods from kube-system (except for DaemonSet or mirror pods). The default is true. |
AzureKeyVaultKms
Azure Key Vault key management service settings for the security profile.
| Name | Type | Default value | Description |
|---|---|---|---|
| enabled |
boolean |
Whether to enable Azure Key Vault key management service. The default is false. |
|
| keyId |
string |
Identifier of Azure Key Vault key. See key identifier format for more details. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier. When Azure Key Vault key management service is disabled, leave the field empty. |
|
| keyVaultNetworkAccess | Public |
Network access of the key vault. Network access of key vault. The possible values are |
|
| keyVaultResourceId |
string (arm-id) |
Resource ID of key vault. When keyVaultNetworkAccess is |
BackendPoolType
The type of the managed inbound Load Balancer BackendPool.
| Value | Description |
|---|---|
| NodeIPConfiguration |
The type of the managed inbound Load Balancer BackendPool. https://cloud-provider-azure.sigs.k8s.io/topics/loadbalancer/#configure-load-balancer-backend. |
| NodeIP |
The type of the managed inbound Load Balancer BackendPool. https://cloud-provider-azure.sigs.k8s.io/topics/loadbalancer/#configure-load-balancer-backend. |
CloudError
An error response from the Container service.
| Name | Type | Description |
|---|---|---|
| error |
Details about the error. |
CloudErrorBody
An error response from the Container service.
| Name | Type | Description |
|---|---|---|
| code |
string |
An identifier for the error. Codes are invariant and are intended to be consumed programmatically. |
| details |
A list of additional details about the error. |
|
| message |
string |
A message describing the error, intended to be suitable for display in a user interface. |
| target |
string |
The target of the particular error. For example, the name of the property in error. |
ClusterUpgradeSettings
Settings for upgrading a cluster.
| Name | Type | Description |
|---|---|---|
| overrideSettings |
Settings for overrides. |
code
Tells whether the cluster is Running or Stopped
| Value | Description |
|---|---|
| Running |
The cluster is running. |
| Stopped |
The cluster is stopped. |
ContainerServiceLinuxProfile
Profile for Linux VMs in the container service cluster.
| Name | Type | Description |
|---|---|---|
| adminUsername |
string pattern: ^[A-Za-z][-A-Za-z0-9_]*$ |
The administrator username to use for Linux VMs. |
| ssh |
The SSH configuration for Linux-based VMs running on Azure. |
ContainerServiceNetworkProfile
Profile of network configuration.
| Name | Type | Default value | Description |
|---|---|---|---|
| advancedNetworking |
Advanced Networking profile for enabling observability and security feature suite on a cluster. For more information see aka.ms/aksadvancednetworking. |
||
| dnsServiceIP |
string pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ |
10.0.0.10 |
An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. |
| ipFamilies |
ip |
The IP families used to specify IP versions available to the cluster. IP families are used to determine single-stack or dual-stack clusters. For single-stack, the expected value is IPv4. For dual-stack, the expected values are IPv4 and IPv6. |
|
| loadBalancerProfile |
Profile of the cluster load balancer. |
||
| loadBalancerSku |
The load balancer sku for the managed cluster. The default is 'standard'. See Azure Load Balancer SKUs for more information about the differences between load balancer SKUs. |
||
| natGatewayProfile |
Profile of the cluster NAT gateway. |
||
| networkDataplane |
Network dataplane used in the Kubernetes cluster. |
||
| networkMode |
The network mode Azure CNI is configured with. This cannot be specified if networkPlugin is anything other than 'azure'. |
||
| networkPlugin |
Network plugin used for building the Kubernetes network. |
||
| networkPluginMode |
The mode the network plugin should use. |
||
| networkPolicy |
Network policy used for building the Kubernetes network. |
||
| outboundType | loadBalancer |
The outbound (egress) routing method. This can only be set at cluster creation time and cannot be changed later. For more information see egress outbound type. |
|
| podCidr |
string pattern: ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$ |
10.244.0.0/16 |
A CIDR notation IP range from which to assign pod IPs when kubenet is used. |
| podCidrs |
string[] |
The CIDR notation IP ranges from which to assign pod IPs. One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking. |
|
| serviceCidr |
string pattern: ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$ |
10.0.0.0/16 |
A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. |
| serviceCidrs |
string[] |
The CIDR notation IP ranges from which to assign service cluster IPs. One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking. They must not overlap with any Subnet IP ranges. |
|
| staticEgressGatewayProfile |
The profile for Static Egress Gateway addon. For more details about Static Egress Gateway, see https://aka.ms/aks/static-egress-gateway. |
ContainerServiceSshConfiguration
SSH configuration for Linux-based VMs running on Azure.
| Name | Type | Description |
|---|---|---|
| publicKeys |
The list of SSH public keys used to authenticate with Linux-based VMs. A maximum of 1 key may be specified. |
ContainerServiceSshPublicKey
Contains information about SSH certificate public key data.
| Name | Type | Description |
|---|---|---|
| keyData |
string |
Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers. |
createdByType
The type of identity that created the resource.
| Value | Description |
|---|---|
| User | |
| Application | |
| ManagedIdentity | |
| Key |
CreationData
Data used when creating a target resource from a source resource.
| Name | Type | Description |
|---|---|---|
| sourceResourceId |
string (arm-id) |
This is the ARM ID of the source object to be used to create the target object. |
DelegatedResource
Delegated resource properties - internal use only.
| Name | Type | Description |
|---|---|---|
| location |
string |
The source resource location - internal use only. |
| referralResource |
string |
The delegation id of the referral delegation (optional) - internal use only. |
| resourceId |
string |
The ARM resource id of the delegated resource - internal use only. |
| tenantId |
string (uuid) |
The tenant id of the delegated resource - internal use only. |
expander
The expander to use when scaling up. If not specified, the default is 'random'. See expanders for more information.
| Value | Description |
|---|---|
| least-waste |
Selects the node group that will have the least idle CPU (if tied, unused memory) after scale-up. This is useful when you have different classes of nodes, for example, high CPU or high memory nodes, and only want to expand those when there are pending pods that need a lot of those resources. |
| most-pods |
Selects the node group that would be able to schedule the most pods when scaling up. This is useful when you are using nodeSelector to make sure certain pods land on certain nodes. Note that this won't cause the autoscaler to select bigger nodes vs. smaller, as it can add multiple smaller nodes at once. |
| priority |
Selects the node group that has the highest priority assigned by the user. It's configuration is described in more details here. |
| random |
Used when you don't have a particular need for the node groups to scale differently. |
ExtendedLocation
The complex type of the extended location.
| Name | Type | Description |
|---|---|---|
| name |
string |
The name of the extended location. |
| type |
The type of the extended location. |
ExtendedLocationTypes
The type of the extended location.
| Value | Description |
|---|---|
| EdgeZone |
GPUDriver
Whether to install GPU drivers. When it's not specified, default is Install.
| Value | Description |
|---|---|
| Install |
Install driver. |
| None |
Skip driver install. |
GPUInstanceProfile
GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU.
| Value | Description |
|---|---|
| MIG1g | |
| MIG2g | |
| MIG3g | |
| MIG4g | |
| MIG7g |
GPUProfile
GPU settings for the Agent Pool.
| Name | Type | Description |
|---|---|---|
| driver |
Whether to install GPU drivers. When it's not specified, default is Install. |
Identity
Identity for the resource.
| Name | Type | Description |
|---|---|---|
| principalId |
string (uuid) |
The principal ID of resource identity. The value must be an UUID. |
| tenantId |
string (uuid) |
The tenant ID of resource. The value must be an UUID. |
| type |
The identity type. |
ipFamily
The IP families used to specify IP versions available to the cluster. IP families are used to determine single-stack or dual-stack clusters. For single-stack, the expected value is IPv4. For dual-stack, the expected values are IPv4 and IPv6.
| Value | Description |
|---|---|
| IPv4 | |
| IPv6 |
IPTag
Contains the IPTag associated with the object.
| Name | Type | Description |
|---|---|---|
| ipTagType |
string |
The IP tag type. Example: RoutingPreference. |
| tag |
string |
The value of the IP tag associated with the public IP. Example: Internet. |
IstioCertificateAuthority
Istio Service Mesh Certificate Authority (CA) configuration. For now, we only support plugin certificates as described here https://aka.ms/asm-plugin-ca
| Name | Type | Description |
|---|---|---|
| plugin |
Plugin certificates information for Service Mesh. |
IstioComponents
Istio components configuration.
| Name | Type | Description |
|---|---|---|
| egressGateways |
Istio egress gateways. |
|
| ingressGateways |
Istio ingress gateways. |
IstioEgressGateway
Istio egress gateway configuration.
| Name | Type | Description |
|---|---|---|
| enabled |
boolean |
Whether to enable the egress gateway. |
IstioIngressGateway
Istio ingress gateway configuration. For now, we support up to one external ingress gateway named aks-istio-ingressgateway-external and one internal ingress gateway named aks-istio-ingressgateway-internal.
| Name | Type | Description |
|---|---|---|
| enabled |
boolean |
Whether to enable the ingress gateway. |
| mode |
Mode of an ingress gateway. |
IstioIngressGatewayMode
Mode of an ingress gateway.
| Value | Description |
|---|---|
| External |
The ingress gateway is assigned a public IP address and is publicly accessible. |
| Internal |
The ingress gateway is assigned an internal IP address and cannot is accessed publicly. |
IstioPluginCertificateAuthority
Plugin certificates information for Service Mesh.
| Name | Type | Description |
|---|---|---|
| certChainObjectName |
string |
Certificate chain object name in Azure Key Vault. |
| certObjectName |
string |
Intermediate certificate object name in Azure Key Vault. |
| keyObjectName |
string |
Intermediate certificate private key object name in Azure Key Vault. |
| keyVaultId |
string (arm-id) |
The resource ID of the Key Vault. |
| rootCertObjectName |
string |
Root certificate object name in Azure Key Vault. |
IstioServiceMesh
Istio service mesh configuration.
| Name | Type | Description |
|---|---|---|
| certificateAuthority |
Istio Service Mesh Certificate Authority (CA) configuration. For now, we only support plugin certificates as described here https://aka.ms/asm-plugin-ca |
|
| components |
Istio components configuration. |
|
| revisions |
string[] |
The list of revisions of the Istio control plane. When an upgrade is not in progress, this holds one value. When canary upgrade is in progress, this can only hold two consecutive values. For more information, see: https://learn.microsoft.com/en-us/azure/aks/istio-upgrade |
KeyVaultNetworkAccessTypes
Network access of the key vault. Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public.
| Value | Description |
|---|---|
| Public | |
| Private |
KubeletConfig
Kubelet configurations of agent nodes. See AKS custom node configuration for more details.
| Name | Type | Description |
|---|---|---|
| allowedUnsafeSysctls |
string[] |
Allowed list of unsafe sysctls or unsafe sysctl patterns (ending in |
| containerLogMaxFiles |
integer (int32) minimum: 2 |
The maximum number of container log files that can be present for a container. The number must be ≥ 2. |
| containerLogMaxSizeMB |
integer (int32) |
The maximum size (e.g. 10Mi) of container log file before it is rotated. |
| cpuCfsQuota |
boolean |
If CPU CFS quota enforcement is enabled for containers that specify CPU limits. The default is true. |
| cpuCfsQuotaPeriod |
string |
The CPU CFS quota period value. The default is '100ms.' Valid values are a sequence of decimal numbers with an optional fraction and a unit suffix. For example: '300ms', '2h45m'. Supported units are 'ns', 'us', 'ms', 's', 'm', and 'h'. |
| cpuManagerPolicy |
string |
The CPU Manager policy to use. The default is 'none'. See Kubernetes CPU management policies for more information. Allowed values are 'none' and 'static'. |
| failSwapOn |
boolean |
If set to true it will make the Kubelet fail to start if swap is enabled on the node. |
| imageGcHighThreshold |
integer (int32) |
The percent of disk usage after which image garbage collection is always run. To disable image garbage collection, set to 100. The default is 85% |
| imageGcLowThreshold |
integer (int32) |
The percent of disk usage before which image garbage collection is never run. This cannot be set higher than imageGcHighThreshold. The default is 80% |
| podMaxPids |
integer (int32) |
The maximum number of processes per pod. |
| topologyManagerPolicy |
string |
The Topology Manager policy to use. For more information see Kubernetes Topology Manager. The default is 'none'. Allowed values are 'none', 'best-effort', 'restricted', and 'single-numa-node'. |
KubeletDiskType
Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage.
| Value | Description |
|---|---|
| OS |
Kubelet will use the OS disk for its data. |
| Temporary |
Kubelet will use the temporary disk for its data. |
KubernetesSupportPlan
Different support tiers for AKS managed clusters
| Value | Description |
|---|---|
| KubernetesOfficial |
Support for the version is the same as for the open source Kubernetes offering. Official Kubernetes open source community support versions for 1 year after release. |
| AKSLongTermSupport |
Support for the version extended past the KubernetesOfficial support of 1 year. AKS continues to patch CVEs for another 1 year, for a total of 2 years of support. |
licenseType
The license type to use for Windows VMs. See Azure Hybrid User Benefits for more details.
| Value | Description |
|---|---|
| None |
No additional licensing is applied. |
| Windows_Server |
Enables Azure Hybrid User Benefits for Windows VMs. |
LinuxOSConfig
OS configurations of Linux agent nodes. See AKS custom node configuration for more details.
| Name | Type | Description |
|---|---|---|
| swapFileSizeMB |
integer (int32) |
The size in MB of a swap file that will be created on each node. |
| sysctls |
Sysctl settings for Linux agent nodes. |
|
| transparentHugePageDefrag |
string |
Whether the kernel should make aggressive use of memory compaction to make more hugepages available. Valid values are 'always', 'defer', 'defer+madvise', 'madvise' and 'never'. The default is 'madvise'. For more information see Transparent Hugepages. |
| transparentHugePageEnabled |
string |
Whether transparent hugepages are enabled. Valid values are 'always', 'madvise', and 'never'. The default is 'always'. For more information see Transparent Hugepages. |
loadBalancerSku
The load balancer sku for the managed cluster. The default is 'standard'. See Azure Load Balancer SKUs for more information about the differences between load balancer SKUs.
| Value | Description |
|---|---|
| standard |
Use a a standard Load Balancer. This is the recommended Load Balancer SKU. For more information about on working with the load balancer in the managed cluster, see the standard Load Balancer article. |
| basic |
Use a basic Load Balancer with limited functionality. |
ManagedCluster
Managed cluster.
| Name | Type | Description |
|---|---|---|
| eTag |
string |
Unique read-only string used to implement optimistic concurrency. The eTag value will change when the resource is updated. Specify an if-match or if-none-match header with the eTag value for a subsequent request to enable optimistic concurrency per the normal etag convention. |
| extendedLocation |
The extended location of the Virtual Machine. |
|
| id |
string (arm-id) |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
| identity |
The identity of the managed cluster, if configured. |
|
| location |
string |
The geo-location where the resource lives |
| name |
string |
The name of the resource |
| properties.aadProfile |
The Azure Active Directory configuration. |
|
| properties.addonProfiles |
<string,
Managed |
The profile of managed cluster add-on. |
| properties.agentPoolProfiles |
The agent pool properties. |
|
| properties.aiToolchainOperatorProfile |
AI toolchain operator settings that apply to the whole cluster. |
|
| properties.apiServerAccessProfile |
The access profile for managed cluster API server. |
|
| properties.autoScalerProfile |
Parameters to be applied to the cluster-autoscaler when enabled |
|
| properties.autoUpgradeProfile |
The auto upgrade configuration. |
|
| properties.azureMonitorProfile |
Azure Monitor addon profiles for monitoring the managed cluster. |
|
| properties.azurePortalFQDN |
string |
The special FQDN used by the Azure Portal to access the Managed Cluster. This FQDN is for use only by the Azure Portal and should not be used by other clients. The Azure Portal requires certain Cross-Origin Resource Sharing (CORS) headers to be sent in some responses, which Kubernetes APIServer doesn't handle by default. This special FQDN supports CORS, allowing the Azure Portal to function properly. |
| properties.bootstrapProfile |
Profile of the cluster bootstrap configuration. |
|
| properties.currentKubernetesVersion |
string |
The version of Kubernetes the Managed Cluster is running. If kubernetesVersion was a fully specified version <major.minor.patch>, this field will be exactly equal to it. If kubernetesVersion was <major.minor>, this field will contain the full <major.minor.patch> version being used. |
| properties.disableLocalAccounts |
boolean |
If local accounts should be disabled on the Managed Cluster. If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. For more details see disable local accounts. |
| properties.diskEncryptionSetID |
string (arm-id) |
The Resource ID of the disk encryption set to use for enabling encryption at rest. This is of the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/diskEncryptionSets/{encryptionSetName}' |
| properties.dnsPrefix |
string |
The DNS prefix of the Managed Cluster. This cannot be updated once the Managed Cluster has been created. |
| properties.enableRBAC |
boolean |
Whether to enable Kubernetes Role-Based Access Control. |
| properties.fqdn |
string |
The FQDN of the master pool. |
| properties.fqdnSubdomain |
string |
The FQDN subdomain of the private cluster with custom private dns zone. This cannot be updated once the Managed Cluster has been created. |
| properties.httpProxyConfig |
Configurations for provisioning the cluster with HTTP proxy servers. |
|
| properties.identityProfile |
<string,
User |
The user identity associated with the managed cluster. This identity will be used by the kubelet. Only one user assigned identity is allowed. The only accepted key is "kubeletidentity", with value of "resourceId": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}". |
| properties.ingressProfile |
Ingress profile for the managed cluster. |
|
| properties.kubernetesVersion |
string |
The version of Kubernetes specified by the user. Both patch version <major.minor.patch> (e.g. 1.20.13) and <major.minor> (e.g. 1.20) are supported. When <major.minor> is specified, the latest supported GA patch version is chosen automatically. Updating the cluster with the same <major.minor> once it has been created (e.g. 1.14.x -> 1.14) will not trigger an upgrade, even if a newer patch version is available. When you upgrade a supported AKS cluster, Kubernetes minor versions cannot be skipped. All upgrades must be performed sequentially by major version number. For example, upgrades between 1.14.x -> 1.15.x or 1.15.x -> 1.16.x are allowed, however 1.14.x -> 1.16.x is not allowed. See upgrading an AKS cluster for more details. |
| properties.linuxProfile |
The profile for Linux VMs in the Managed Cluster. |
|
| properties.maxAgentPools |
integer (int32) |
The max number of agent pools for the managed cluster. |
| properties.metricsProfile |
Optional cluster metrics configuration. |
|
| properties.networkProfile |
The network configuration profile. |
|
| properties.nodeProvisioningProfile |
Node provisioning settings that apply to the whole cluster. |
|
| properties.nodeResourceGroup |
string |
The name of the resource group containing agent pool nodes. |
| properties.nodeResourceGroupProfile |
Profile of the node resource group configuration. |
|
| properties.oidcIssuerProfile |
The OIDC issuer profile of the Managed Cluster. |
|
| properties.podIdentityProfile |
The pod identity profile of the Managed Cluster. See use AAD pod identity for more details on AAD pod identity integration. |
|
| properties.powerState |
The Power State of the cluster. |
|
| properties.privateFQDN |
string |
The FQDN of private cluster. |
| properties.privateLinkResources |
Private link resources associated with the cluster. |
|
| properties.provisioningState |
string |
The current provisioning state. |
| properties.publicNetworkAccess |
PublicNetworkAccess of the managedCluster. Allow or deny public network access for AKS |
|
| properties.resourceUID |
string |
The resourceUID uniquely identifies ManagedClusters that reuse ARM ResourceIds (i.e: create, delete, create sequence) |
| properties.securityProfile |
Security profile for the managed cluster. |
|
| properties.serviceMeshProfile |
Service mesh profile for a managed cluster. |
|
| properties.servicePrincipalProfile |
Information about a service principal identity for the cluster to use for manipulating Azure APIs. |
|
| properties.status |
Contains read-only information about the Managed Cluster. |
|
| properties.storageProfile |
Storage profile for the managed cluster. |
|
| properties.supportPlan |
The support plan for the Managed Cluster. If unspecified, the default is 'KubernetesOfficial'. |
|
| properties.upgradeSettings |
Settings for upgrading a cluster. |
|
| properties.windowsProfile |
The profile for Windows VMs in the Managed Cluster. |
|
| properties.workloadAutoScalerProfile |
Workload Auto-scaler profile for the managed cluster. |
|
| sku |
The managed cluster SKU. |
|
| systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
| tags |
object |
Resource tags. |
| type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
ManagedClusterAADProfile
AADProfile specifies attributes for Azure Active Directory integration. For more details see managed AAD on AKS.
| Name | Type | Description |
|---|---|---|
| adminGroupObjectIDs |
string[] |
The list of AAD group object IDs that will have admin role of the cluster. |
| clientAppID |
string |
(DEPRECATED) The client AAD application ID. Learn more at https://aka.ms/aks/aad-legacy. |
| enableAzureRBAC |
boolean |
Whether to enable Azure RBAC for Kubernetes authorization. |
| managed |
boolean |
Whether to enable managed AAD. |
| serverAppID |
string |
(DEPRECATED) The server AAD application ID. Learn more at https://aka.ms/aks/aad-legacy. |
| serverAppSecret |
string |
(DEPRECATED) The server AAD application secret. Learn more at https://aka.ms/aks/aad-legacy. |
| tenantID |
string |
The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription. |
ManagedClusterAddonProfile
A Kubernetes add-on profile for a managed cluster.
| Name | Type | Description |
|---|---|---|
| config |
object |
Key-value pairs for configuring an add-on. |
| enabled |
boolean |
Whether the add-on is enabled or not. |
| identity |
Information of user assigned identity used by this add-on. |
ManagedClusterAgentPoolProfile
Profile for the container service agent pool.
| Name | Type | Default value | Description |
|---|---|---|---|
| availabilityZones |
string[] |
The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is 'VirtualMachineScaleSets'. |
|
| capacityReservationGroupID |
string (arm-id) |
AKS will associate the specified agent pool with the Capacity Reservation Group. |
|
| count |
integer (int32) |
Number of agents (VMs) to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1. |
|
| creationData |
CreationData to be used to specify the source Snapshot ID if the node pool will be created/upgraded using a snapshot. |
||
| currentOrchestratorVersion |
string |
The version of Kubernetes the Agent Pool is running. If orchestratorVersion is a fully specified version <major.minor.patch>, this field will be exactly equal to it. If orchestratorVersion is <major.minor>, this field will contain the full <major.minor.patch> version being used. |
|
| eTag |
string |
Unique read-only string used to implement optimistic concurrency. The eTag value will change when the resource is updated. Specify an if-match or if-none-match header with the eTag value for a subsequent request to enable optimistic concurrency per the normal etag convention. |
|
| enableAutoScaling |
boolean |
Whether to enable auto-scaler |
|
| enableEncryptionAtHost |
boolean |
Whether to enable host based OS and data drive encryption. This is only supported on certain VM sizes and in certain Azure regions. For more information, see: https://docs.microsoft.com/azure/aks/enable-host-encryption |
|
| enableFIPS |
boolean |
Whether to use a FIPS-enabled OS. See Add a FIPS-enabled node pool for more details. |
|
| enableNodePublicIP |
boolean |
Whether each node is allocated its own public IP. Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node. The default is false. |
|
| enableUltraSSD |
boolean |
Whether to enable UltraSSD |
|
| gatewayProfile |
Profile specific to a managed agent pool in Gateway mode. This field cannot be set if agent pool mode is not Gateway. |
||
| gpuInstanceProfile |
GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. |
||
| gpuProfile |
GPU settings for the Agent Pool. |
||
| hostGroupID |
string (arm-id) |
The fully qualified resource ID of the Dedicated Host Group to provision virtual machines from, used only in creation scenario and not allowed to changed once set. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/hostGroups/{hostGroupName}. For more information see Azure dedicated hosts. |
|
| kubeletConfig |
The Kubelet configuration on the agent pool nodes. |
||
| kubeletDiskType |
Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. |
||
| linuxOSConfig |
The OS configuration of Linux agent nodes. |
||
| maxCount |
integer (int32) |
The maximum number of nodes for auto-scaling |
|
| maxPods |
integer (int32) |
The maximum number of pods that can run on a node. |
|
| messageOfTheDay |
string |
Message of the day for Linux nodes, base64-encoded. A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of the message of the day for Linux nodes. It must not be specified for Windows nodes. It must be a static string (i.e., will be printed raw and not be executed as a script). |
|
| minCount |
integer (int32) |
The minimum number of nodes for auto-scaling |
|
| mode |
The mode of an agent pool. A cluster must have at least one 'System' Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: https://docs.microsoft.com/azure/aks/use-system-pools |
||
| name |
string pattern: ^[a-z][a-z0-9]{0,11}$ |
Unique name of the agent pool profile in the context of the subscription and resource group. Windows agent pool names must be 6 characters or less. |
|
| networkProfile |
Network-related settings of an agent pool. |
||
| nodeImageVersion |
string |
The version of node image |
|
| nodeLabels |
object |
The node labels to be persisted across all nodes in agent pool. |
|
| nodePublicIPPrefixID |
string (arm-id) |
The public IP prefix ID which VM nodes should use IPs from. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPPrefixes/{publicIPPrefixName} |
|
| nodeTaints |
string[] |
The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. |
|
| orchestratorVersion |
string |
The version of Kubernetes specified by the user. Both patch version <major.minor.patch> (e.g. 1.20.13) and <major.minor> (e.g. 1.20) are supported. When <major.minor> is specified, the latest supported GA patch version is chosen automatically. Updating the cluster with the same <major.minor> once it has been created (e.g. 1.14.x -> 1.14) will not trigger an upgrade, even if a newer patch version is available. As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool. |
|
| osDiskSizeGB |
integer (int32) minimum: 0maximum: 2048 |
OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. |
|
| osDiskType |
The OS disk type to be used for machines in the agent pool. The default is 'Ephemeral' if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. For more information see Ephemeral OS. |
||
| osSKU |
Specifies the OS SKU used by the agent pool. The default is Ubuntu if OSType is Linux. The default is Windows2019 when Kubernetes <= 1.24 or Windows2022 when Kubernetes >= 1.25 if OSType is Windows. |
||
| osType | Linux |
The operating system type. The default is Linux. |
|
| podIPAllocationMode |
Pod IP Allocation Mode. The IP allocation mode for pods in the agent pool. Must be used with podSubnetId. The default is 'DynamicIndividual'. |
||
| podSubnetID |
string (arm-id) |
The ID of the subnet which pods will join when launched. If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} |
|
| powerState |
Whether the Agent Pool is running or stopped. When an Agent Pool is first created it is initially Running. The Agent Pool can be stopped by setting this field to Stopped. A stopped Agent Pool stops all of its VMs and does not accrue billing charges. An Agent Pool can only be stopped if it is Running and provisioning state is Succeeded |
||
| provisioningState |
string |
The current deployment or provisioning state. |
|
| proximityPlacementGroupID |
string (arm-id) |
The ID for Proximity Placement Group. |
|
| scaleDownMode |
The scale down mode to use when scaling the Agent Pool. This also effects the cluster autoscaler behavior. If not specified, it defaults to Delete. |
||
| scaleSetEvictionPolicy | Delete |
The Virtual Machine Scale Set eviction policy to use. This cannot be specified unless the scaleSetPriority is 'Spot'. If not specified, the default is 'Delete'. |
|
| scaleSetPriority | Regular |
The Virtual Machine Scale Set priority. If not specified, the default is 'Regular'. |
|
| securityProfile |
The security settings of an agent pool. |
||
| spotMaxPrice |
number |
-1 |
The max price (in US Dollars) you are willing to pay for spot instances. Possible values are any decimal value greater than zero or -1 which indicates default price to be up-to on-demand. Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing |
| status |
Contains read-only information about the Agent Pool. |
||
| tags |
object |
The tags to be persisted on the agent pool virtual machine scale set. |
|
| type |
The type of Agent Pool. |
||
| upgradeSettings |
Settings for upgrading the agentpool |
||
| virtualMachineNodesStatus |
The status of nodes in a VirtualMachines agent pool. |
||
| virtualMachinesProfile |
Specifications on VirtualMachines agent pool. |
||
| vmSize |
string |
The size of the agent pool VMs. VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: https://docs.microsoft.com/azure/aks/quotas-skus-regions |
|
| vnetSubnetID |
string (arm-id) |
The ID of the subnet which agent pool nodes and optionally pods will join on startup. If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} |
|
| windowsProfile |
The Windows agent pool's specific profile. |
||
| workloadRuntime |
Determines the type of workload a node can run. |
ManagedClusterAIToolchainOperatorProfile
When enabling the operator, a set of AKS managed CRDs and controllers will be installed in the cluster. The operator automates the deployment of OSS models for inference and/or training purposes. It provides a set of preset models and enables distributed inference against them.
| Name | Type | Description |
|---|---|---|
| enabled |
boolean |
Whether to enable AI toolchain operator to the cluster. Indicates if AI toolchain operator enabled or not. |
ManagedClusterAPIServerAccessProfile
Access profile for managed cluster API server.
| Name | Type | Description |
|---|---|---|
| authorizedIPRanges |
string[] |
The IP ranges authorized to access the Kubernetes API server. IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. For more information see API server authorized IP ranges. |
| disableRunCommand |
boolean |
Whether to disable run command for the cluster or not. |
| enablePrivateCluster |
boolean |
Whether to create the cluster as a private cluster or not. For more details, see Creating a private AKS cluster. |
| enablePrivateClusterPublicFQDN |
boolean |
Whether to create additional public FQDN for private cluster or not. |
| enableVnetIntegration |
boolean |
Whether to enable apiserver vnet integration for the cluster or not. See aka.ms/AksVnetIntegration for more details. |
| privateDNSZone |
string |
The private DNS zone mode for the cluster. The default is System. For more details see configure private DNS zone. Allowed values are 'system' and 'none'. |
| subnetId |
string (arm-id) |
The subnet to be used when apiserver vnet integration is enabled. It is required when creating a new cluster with BYO Vnet, or when updating an existing cluster to enable apiserver vnet integration. |
ManagedClusterAutoUpgradeProfile
Auto upgrade profile for a managed cluster.
| Name | Type | Description |
|---|---|---|
| nodeOSUpgradeChannel |
Node OS Upgrade Channel. Manner in which the OS on your nodes is updated. The default is NodeImage. |
|
| upgradeChannel |
The upgrade channel for auto upgrade. The default is 'none'. For more information see setting the AKS cluster auto-upgrade channel. |
ManagedClusterAzureMonitorProfile
Azure Monitor addon profiles for monitoring the managed cluster.
| Name | Type | Description |
|---|---|---|
| metrics |
Metrics profile for the Azure Monitor managed service for Prometheus addon. Collect out-of-the-box Kubernetes infrastructure metrics to send to an Azure Monitor Workspace and configure additional scraping for custom targets. See aka.ms/AzureManagedPrometheus for an overview. |
ManagedClusterAzureMonitorProfileKubeStateMetrics
Kube State Metrics profile for the Azure Managed Prometheus addon. These optional settings are for the kube-state-metrics pod that is deployed with the addon. See aka.ms/AzureManagedPrometheus-optional-parameters for details.
| Name | Type | Description |
|---|---|---|
| metricAnnotationsAllowList |
string |
Comma-separated list of Kubernetes annotation keys that will be used in the resource's labels metric (Example: 'namespaces=[kubernetes.io/team,...],pods=[kubernetes.io/team],...'). By default the metric contains only resource name and namespace labels. |
| metricLabelsAllowlist |
string |
Comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric (Example: 'namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...'). By default the metric contains only resource name and namespace labels. |
ManagedClusterAzureMonitorProfileMetrics
Metrics profile for the Azure Monitor managed service for Prometheus addon. Collect out-of-the-box Kubernetes infrastructure metrics to send to an Azure Monitor Workspace and configure additional scraping for custom targets. See aka.ms/AzureManagedPrometheus for an overview.
| Name | Type | Description |
|---|---|---|
| enabled |
boolean |
Whether to enable or disable the Azure Managed Prometheus addon for Prometheus monitoring. See aka.ms/AzureManagedPrometheus-aks-enable for details on enabling and disabling. |
| kubeStateMetrics |
Kube State Metrics profile for the Azure Managed Prometheus addon. These optional settings are for the kube-state-metrics pod that is deployed with the addon. See aka.ms/AzureManagedPrometheus-optional-parameters for details. |
ManagedClusterBootstrapProfile
The bootstrap profile.
| Name | Type | Default value | Description |
|---|---|---|---|
| artifactSource | Direct |
The artifact source. The source where the artifacts are downloaded from. |
|
| containerRegistryId |
string (arm-id) |
The resource Id of Azure Container Registry. The registry must have private network access, premium SKU and zone redundancy. |
ManagedClusterCostAnalysis
The cost analysis configuration for the cluster
| Name | Type | Description |
|---|---|---|
| enabled |
boolean |
Whether to enable cost analysis. The Managed Cluster sku.tier must be set to 'Standard' or 'Premium' to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. If not specified, the default is false. For more information see aka.ms/aks/docs/cost-analysis. |
ManagedClusterHTTPProxyConfig
Cluster HTTP proxy configuration.
| Name | Type | Description |
|---|---|---|
| httpProxy |
string |
The HTTP proxy server endpoint to use. |
| httpsProxy |
string |
The HTTPS proxy server endpoint to use. |
| noProxy |
string[] |
The endpoints that should not go through proxy. |
| trustedCa |
string |
Alternative CA cert to use for connecting to proxy servers. |
ManagedClusterIdentity
Identity for the managed cluster.
| Name | Type | Description |
|---|---|---|
| delegatedResources |
<string,
Delegated |
The delegated identity resources assigned to this managed cluster. This can only be set by another Azure Resource Provider, and managed cluster only accept one delegated identity resource. Internal use only. |
| principalId |
string |
The principal id of the system assigned identity which is used by master components. |
| tenantId |
string |
The tenant id of the system assigned identity which is used by master components. |
| type |
The type of identity used for the managed cluster. For more information see use managed identities in AKS. |
|
| userAssignedIdentities |
The user identity associated with the managed cluster. This identity will be used in control plane. Only one user assigned identity is allowed. The keys must be ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. |
ManagedClusterIngressProfile
Ingress profile for the container service cluster.
| Name | Type | Description |
|---|---|---|
| webAppRouting |
App Routing settings for the ingress profile. You can find an overview and onboarding guide for this feature at https://learn.microsoft.com/en-us/azure/aks/app-routing?tabs=default%2Cdeploy-app-default. |
ManagedClusterIngressProfileNginx
| Name | Type | Description |
|---|---|---|
| defaultIngressControllerType |
Ingress type for the default NginxIngressController custom resource |
ManagedClusterIngressProfileWebAppRouting
Application Routing add-on settings for the ingress profile.
| Name | Type | Description |
|---|---|---|
| dnsZoneResourceIds |
string[] (arm-id) |
Resource IDs of the DNS zones to be associated with the Application Routing add-on. Used only when Application Routing add-on is enabled. Public and private DNS zones can be in different resource groups, but all public DNS zones must be in the same resource group and all private DNS zones must be in the same resource group. |
| enabled |
boolean |
Whether to enable the Application Routing add-on. |
| identity |
Managed identity of the Application Routing add-on. This is the identity that should be granted permissions, for example, to manage the associated Azure DNS resource and get certificates from Azure Key Vault. See this overview of the add-on for more instructions. |
|
| nginx |
Configuration for the default NginxIngressController. See more at https://learn.microsoft.com/en-us/azure/aks/app-routing-nginx-configuration#the-default-nginx-ingress-controller. |
ManagedClusterLoadBalancerProfile
Profile of the managed cluster load balancer.
| Name | Type | Default value | Description |
|---|---|---|---|
| allocatedOutboundPorts |
integer (int32) minimum: 0maximum: 64000 |
0 |
The desired number of allocated SNAT ports per VM. Allowed values are in the range of 0 to 64000 (inclusive). The default value is 0 which results in Azure dynamically allocating ports. |
| backendPoolType | NodeIPConfiguration |
The type of the managed inbound Load Balancer BackendPool. |
|
| effectiveOutboundIPs |
The effective outbound IP resources of the cluster load balancer. |
||
| enableMultipleStandardLoadBalancers |
boolean |
Enable multiple standard load balancers per AKS cluster or not. |
|
| idleTimeoutInMinutes |
integer (int32) minimum: 4maximum: 120 |
30 |
Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 30 minutes. |
| managedOutboundIPs |
Desired managed outbound IPs for the cluster load balancer. |
||
| outboundIPPrefixes |
Desired outbound IP Prefix resources for the cluster load balancer. |
||
| outboundIPs |
Desired outbound IP resources for the cluster load balancer. |
ManagedClusterManagedOutboundIPProfile
Profile of the managed outbound IP resources of the managed cluster.
| Name | Type | Default value | Description |
|---|---|---|---|
| count |
integer (int32) minimum: 1maximum: 16 |
1 |
The desired number of outbound IPs created/managed by Azure. Allowed values must be in the range of 1 to 16 (inclusive). The default value is 1. |
ManagedClusterMetricsProfile
The metrics profile for the ManagedCluster.
| Name | Type | Description |
|---|---|---|
| costAnalysis |
The configuration for detailed per-Kubernetes resource cost analysis. |
ManagedClusterNATGatewayProfile
Profile of the managed cluster NAT gateway.
| Name | Type | Default value | Description |
|---|---|---|---|
| effectiveOutboundIPs |
The effective outbound IP resources of the cluster NAT gateway. |
||
| idleTimeoutInMinutes |
integer (int32) minimum: 4maximum: 120 |
4 |
Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 4 minutes. |
| managedOutboundIPProfile |
Profile of the managed outbound IP resources of the cluster NAT gateway. |
ManagedClusterNodeProvisioningProfile
| Name | Type | Default value | Description |
|---|---|---|---|
| defaultNodePools | Auto |
The set of default Karpenter NodePools (CRDs) configured for node provisioning. This field has no effect unless mode is 'Auto'. Warning: Changing this from Auto to None on an existing cluster will cause the default Karpenter NodePools to be deleted, which will drain and delete the nodes associated with those pools. It is strongly recommended to not do this unless there are idle nodes ready to take the pods evicted by that action. If not specified, the default is Auto. For more information see aka.ms/aks/nap#node-pools. |
|
| mode |
The node provisioning mode. If not specified, the default is Manual. |
ManagedClusterNodeResourceGroupProfile
Node resource group lockdown profile for a managed cluster.
| Name | Type | Description |
|---|---|---|
| restrictionLevel |
The restriction level applied to the cluster's node resource group. If not specified, the default is 'Unrestricted' |
ManagedClusterOIDCIssuerProfile
The OIDC issuer profile of the Managed Cluster.
| Name | Type | Description |
|---|---|---|
| enabled |
boolean |
Whether the OIDC issuer is enabled. |
| issuerURL |
string |
The OIDC issuer url of the Managed Cluster. |
ManagedClusterPodIdentity
Details about the pod identity assigned to the Managed Cluster.
| Name | Type | Description |
|---|---|---|
| bindingSelector |
string |
The binding selector to use for the AzureIdentityBinding resource. |
| identity |
The user assigned identity details. |
|
| name |
string |
The name of the pod identity. |
| namespace |
string |
The namespace of the pod identity. |
| provisioningInfo | ||
| provisioningState |
The current provisioning state of the pod identity. |
ManagedClusterPodIdentityException
A pod identity exception, which allows pods with certain labels to access the Azure Instance Metadata Service (IMDS) endpoint without being intercepted by the node-managed identity (NMI) server. See disable AAD Pod Identity for a specific Pod/Application for more details.
| Name | Type | Description |
|---|---|---|
| name |
string |
The name of the pod identity exception. |
| namespace |
string |
The namespace of the pod identity exception. |
| podLabels |
object |
The pod labels to match. |
ManagedClusterPodIdentityProfile
The pod identity profile of the Managed Cluster. See use AAD pod identity for more details on pod identity integration.
| Name | Type | Description |
|---|---|---|
| allowNetworkPluginKubenet |
boolean |
Whether pod identity is allowed to run on clusters with Kubenet networking. Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing. See using Kubenet network plugin with AAD Pod Identity for more information. |
| enabled |
boolean |
Whether the pod identity addon is enabled. |
| userAssignedIdentities |
The pod identities to use in the cluster. |
|
| userAssignedIdentityExceptions |
The pod identity exceptions to allow. |
ManagedClusterPodIdentityProvisioningError
An error response from the pod identity provisioning.
| Name | Type | Description |
|---|---|---|
| error |
Details about the error. |
ManagedClusterPodIdentityProvisioningErrorBody
An error response from the pod identity provisioning.
| Name | Type | Description |
|---|---|---|
| code |
string |
An identifier for the error. Codes are invariant and are intended to be consumed programmatically. |
| details |
A list of additional details about the error. |
|
| message |
string |
A message describing the error, intended to be suitable for display in a user interface. |
| target |
string |
The target of the particular error. For example, the name of the property in error. |
ManagedClusterPodIdentityProvisioningState
The current provisioning state of the pod identity.
| Value | Description |
|---|---|
| Assigned | |
| Canceled | |
| Deleting | |
| Failed | |
| Succeeded | |
| Updating |
ManagedClusterSecurityProfile
Security profile for the container service cluster.
| Name | Type | Description |
|---|---|---|
| azureKeyVaultKms |
Azure Key Vault key management service settings for the security profile. |
|
| customCATrustCertificates |
string[] (byte) |
A list of up to 10 base64 encoded CAs that will be added to the trust store on all nodes in the cluster. For more information see Custom CA Trust Certificates. |
| defender |
Microsoft Defender settings for the security profile. |
|
| imageCleaner |
Image Cleaner settings for the security profile. |
|
| workloadIdentity |
Workload identity settings for the security profile. Workload identity enables Kubernetes applications to access Azure cloud resources securely with Azure AD. See https://aka.ms/aks/wi for more details. |
ManagedClusterSecurityProfileDefender
Microsoft Defender settings for the security profile.
| Name | Type | Description |
|---|---|---|
| logAnalyticsWorkspaceResourceId |
string (arm-id) |
Resource ID of the Log Analytics workspace to be associated with Microsoft Defender. When Microsoft Defender is enabled, this field is required and must be a valid workspace resource ID. When Microsoft Defender is disabled, leave the field empty. |
| securityMonitoring |
Microsoft Defender threat detection for Cloud settings for the security profile. |
ManagedClusterSecurityProfileDefenderSecurityMonitoring
Microsoft Defender settings for the security profile threat detection.
| Name | Type | Description |
|---|---|---|
| enabled |
boolean |
Whether to enable Defender threat detection |
ManagedClusterSecurityProfileImageCleaner
Image Cleaner removes unused images from nodes, freeing up disk space and helping to reduce attack surface area. Here are settings for the security profile.
| Name | Type | Description |
|---|---|---|
| enabled |
boolean |
Whether to enable Image Cleaner on AKS cluster. |
| intervalHours |
integer (int32) |
Image Cleaner scanning interval in hours. |
ManagedClusterSecurityProfileWorkloadIdentity
Workload identity settings for the security profile.
| Name | Type | Description |
|---|---|---|
| enabled |
boolean |
Whether to enable workload identity. |
ManagedClusterServicePrincipalProfile
Information about a service principal identity for the cluster to use for manipulating Azure APIs.
| Name | Type | Description |
|---|---|---|
| clientId |
string |
The ID for the service principal. |
| secret |
string |
The secret password associated with the service principal in plain text. |
ManagedClusterSKU
The SKU of a Managed Cluster.
| Name | Type | Description |
|---|---|---|
| name |
The name of a managed cluster SKU. |
|
| tier |
The tier of a managed cluster SKU. If not specified, the default is 'Free'. See AKS Pricing Tier for more details. |
ManagedClusterSKUName
The name of a managed cluster SKU.
| Value | Description |
|---|---|
| Base |
Base option for the AKS control plane. |
ManagedClusterSKUTier
The tier of a managed cluster SKU. If not specified, the default is 'Free'. See AKS Pricing Tier for more details.
| Value | Description |
|---|---|
| Standard |
Recommended for mission-critical and production workloads. Includes Kubernetes control plane autoscaling, workload-intensive testing, and up to 5,000 nodes per cluster. Guarantees 99.95% availability of the Kubernetes API server endpoint for clusters that use Availability Zones and 99.9% of availability for clusters that don't use Availability Zones. |
| Free |
The cluster management is free, but charged for VM, storage, and networking usage. Best for experimenting, learning, simple testing, or workloads with fewer than 10 nodes. Not recommended for production use cases. |
| Premium |
Cluster has premium capabilities in addition to all of the capabilities included in 'Standard'. Premium enables selection of LongTermSupport (aka.ms/aks/lts) for certain Kubernetes versions. |
ManagedClusterStaticEgressGatewayProfile
The Static Egress Gateway addon configuration for the cluster.
| Name | Type | Description |
|---|---|---|
| enabled |
boolean |
Enable Static Egress Gateway addon. Indicates if Static Egress Gateway addon is enabled or not. |
ManagedClusterStatus
Contains read-only information about the Managed Cluster.
| Name | Type | Description |
|---|---|---|
| provisioningError |
The error details information of the managed cluster. Preserves the detailed info of failure. If there was no error, this field is omitted. |
ManagedClusterStorageProfile
Storage profile for the container service cluster.
| Name | Type | Description |
|---|---|---|
| blobCSIDriver |
AzureBlob CSI Driver settings for the storage profile. |
|
| diskCSIDriver |
AzureDisk CSI Driver settings for the storage profile. |
|
| fileCSIDriver |
AzureFile CSI Driver settings for the storage profile. |
|
| snapshotController |
Snapshot Controller settings for the storage profile. |
ManagedClusterStorageProfileBlobCSIDriver
AzureBlob CSI Driver settings for the storage profile.
| Name | Type | Description |
|---|---|---|
| enabled |
boolean |
Whether to enable AzureBlob CSI Driver. The default value is false. |
ManagedClusterStorageProfileDiskCSIDriver
AzureDisk CSI Driver settings for the storage profile.
| Name | Type | Description |
|---|---|---|
| enabled |
boolean |
Whether to enable AzureDisk CSI Driver. The default value is true. |
ManagedClusterStorageProfileFileCSIDriver
AzureFile CSI Driver settings for the storage profile.
| Name | Type | Description |
|---|---|---|
| enabled |
boolean |
Whether to enable AzureFile CSI Driver. The default value is true. |
ManagedClusterStorageProfileSnapshotController
Snapshot Controller settings for the storage profile.
| Name | Type | Description |
|---|---|---|
| enabled |
boolean |
Whether to enable Snapshot Controller. The default value is true. |
ManagedClusterWindowsProfile
Profile for Windows VMs in the managed cluster.
| Name | Type | Description |
|---|---|---|
| adminPassword |
string |
Specifies the password of the administrator account. |
| adminUsername |
string |
Specifies the name of the administrator account. |
| enableCSIProxy |
boolean |
Whether to enable CSI proxy. For more details on CSI proxy, see the CSI proxy GitHub repo. |
| gmsaProfile |
The Windows gMSA Profile in the Managed Cluster. |
|
| licenseType |
The license type to use for Windows VMs. See Azure Hybrid User Benefits for more details. |
ManagedClusterWorkloadAutoScalerProfile
Workload Auto-scaler profile for the managed cluster.
| Name | Type | Description |
|---|---|---|
| keda |
KEDA (Kubernetes Event-driven Autoscaling) settings for the workload auto-scaler profile. |
|
| verticalPodAutoscaler |
Managed |
VPA (Vertical Pod Autoscaler) settings for the workload auto-scaler profile. |
ManagedClusterWorkloadAutoScalerProfileKeda
KEDA (Kubernetes Event-driven Autoscaling) settings for the workload auto-scaler profile.
| Name | Type | Description |
|---|---|---|
| enabled |
boolean |
Whether to enable KEDA. |
ManagedClusterWorkloadAutoScalerProfileVerticalPodAutoscaler
VPA (Vertical Pod Autoscaler) settings for the workload auto-scaler profile.
| Name | Type | Default value | Description |
|---|---|---|---|
| enabled |
boolean |
False |
Whether to enable VPA. Default value is false. |
ManagedOutboundIPs
Desired managed outbound IPs for the cluster load balancer.
| Name | Type | Default value | Description |
|---|---|---|---|
| count |
integer (int32) minimum: 1maximum: 100 |
1 |
The desired number of IPv4 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1. |
| countIPv6 |
integer (int32) minimum: 0maximum: 100 |
0 |
The desired number of IPv6 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack. |
ManualScaleProfile
Specifications on number of machines.
| Name | Type | Description |
|---|---|---|
| count |
integer (int32) |
Number of nodes. |
| size |
string |
VM size that AKS will use when creating and scaling e.g. 'Standard_E4s_v3', 'Standard_E16s_v3' or 'Standard_D16s_v5'. |
networkDataplane
Network dataplane used in the Kubernetes cluster.
| Value | Description |
|---|---|
| azure |
Use Azure network dataplane. |
| cilium |
Use Cilium network dataplane. See Azure CNI Powered by Cilium for more information. |
networkMode
The network mode Azure CNI is configured with. This cannot be specified if networkPlugin is anything other than 'azure'.
| Value | Description |
|---|---|
| transparent |
No bridge is created. Intra-VM Pod to Pod communication is through IP routes created by Azure CNI. See Transparent Mode for more information. |
| bridge |
This is no longer supported |
NetworkPlugin
Network plugin used for building the Kubernetes network.
| Value | Description |
|---|---|
| azure |
Use the Azure CNI network plugin. See Azure CNI (advanced) networking for more information. |
| kubenet |
Use the Kubenet network plugin. See Kubenet (basic) networking for more information. |
| none |
No CNI plugin is pre-installed. See BYO CNI for more information. |
NetworkPluginMode
The mode the network plugin should use.
| Value | Description |
|---|---|
| overlay |
Used with networkPlugin=azure, pods are given IPs from the PodCIDR address space but use Azure Routing Domains rather than Kubenet's method of route tables. For more information visit https://aka.ms/aks/azure-cni-overlay. |
NetworkPolicy
Network policy used for building the Kubernetes network.
| Value | Description |
|---|---|
| none |
Network policies will not be enforced. This is the default value when NetworkPolicy is not specified. |
| calico |
Use Calico network policies. See differences between Azure and Calico policies for more information. |
| azure |
Use Azure network policies. See differences between Azure and Calico policies for more information. |
| cilium |
Use Cilium to enforce network policies. This requires networkDataplane to be 'cilium'. |
NginxIngressControllerType
Ingress type for the default NginxIngressController custom resource
| Value | Description |
|---|---|
| AnnotationControlled |
The default NginxIngressController will be created. Users can edit the default NginxIngressController Custom Resource to configure load balancer annotations. |
| External |
The default NginxIngressController will be created and the operator will provision an external loadbalancer with it. Any annotation to make the default loadbalancer internal will be overwritten. |
| Internal |
The default NginxIngressController will be created and the operator will provision an internal loadbalancer with it. Any annotation to make the default loadbalancer external will be overwritten. |
| None |
The default Ingress Controller will not be created. It will not be deleted by the system if it exists. Users should delete the default NginxIngressController Custom Resource manually if desired. |
nodeOSUpgradeChannel
Node OS Upgrade Channel. Manner in which the OS on your nodes is updated. The default is NodeImage.
| Value | Description |
|---|---|
| Unmanaged |
OS updates will be applied automatically through the OS built-in patching infrastructure. Newly scaled in machines will be unpatched initially and will be patched at some point by the OS's infrastructure. Behavior of this option depends on the OS in question. Ubuntu and Mariner apply security patches through unattended upgrade roughly once a day around 06:00 UTC. Windows does not apply security patches automatically and so for them this option is equivalent to None till further notice |
| None |
No attempt to update your machines OS will be made either by OS or by rolling VHDs. This means you are responsible for your security updates |
| NodeImage |
AKS will update the nodes with a newly patched VHD containing security fixes and bugfixes on a weekly cadence. With the VHD update machines will be rolling reimaged to that VHD following maintenance windows and surge settings. No extra VHD cost is incurred when choosing this option as AKS hosts the images. |
| SecurityPatch |
AKS downloads and updates the nodes with tested security updates. These updates honor the maintenance window settings and produce a new VHD that is used on new nodes. On some occasions it's not possible to apply the updates in place, in such cases the existing nodes will also be re-imaged to the newly produced VHD in order to apply the changes. This option incurs an extra cost of hosting the new Security Patch VHDs in your resource group for just in time consumption. |
NodeProvisioningDefaultNodePools
The set of default Karpenter NodePools (CRDs) configured for node provisioning. This field has no effect unless mode is 'Auto'. Warning: Changing this from Auto to None on an existing cluster will cause the default Karpenter NodePools to be deleted, which will drain and delete the nodes associated with those pools. It is strongly recommended to not do this unless there are idle nodes ready to take the pods evicted by that action. If not specified, the default is Auto. For more information see aka.ms/aks/nap#node-pools.
| Value | Description |
|---|---|
| None |
No Karpenter NodePools are provisioned automatically. Automatic scaling will not happen unless the user creates one or more NodePool CRD instances. |
| Auto |
A standard set of Karpenter NodePools are provisioned |
NodeProvisioningMode
The node provisioning mode. If not specified, the default is Manual.
| Value | Description |
|---|---|
| Manual |
Nodes are provisioned manually by the user |
| Auto |
Nodes are provisioned automatically by AKS using Karpenter (See aka.ms/aks/nap for more details). Fixed size Node Pools can still be created, but autoscaling Node Pools cannot be. (See aka.ms/aks/nap for more details). |
OSDiskType
The OS disk type to be used for machines in the agent pool. The default is 'Ephemeral' if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. For more information see Ephemeral OS.
| Value | Description |
|---|---|
| Managed |
Azure replicates the operating system disk for a virtual machine to Azure storage to avoid data loss should the VM need to be relocated to another host. Since containers aren't designed to have local state persisted, this behavior offers limited value while providing some drawbacks, including slower node provisioning and higher read/write latency. |
| Ephemeral |
Ephemeral OS disks are stored only on the host machine, just like a temporary disk. This provides lower read/write latency, along with faster node scaling and cluster upgrades. |
OSSKU
Specifies the OS SKU used by the agent pool. The default is Ubuntu if OSType is Linux. The default is Windows2019 when Kubernetes <= 1.24 or Windows2022 when Kubernetes >= 1.25 if OSType is Windows.
| Value | Description |
|---|---|
| Ubuntu |
Use Ubuntu as the OS for node images. |
| CBLMariner |
Deprecated OSSKU. Microsoft recommends that new deployments choose 'AzureLinux' instead. |
| AzureLinux |
Use AzureLinux as the OS for node images. Azure Linux is a container-optimized Linux distro built by Microsoft, visit https://aka.ms/azurelinux for more information. |
| Windows2019 |
Use Windows2019 as the OS for node images. Unsupported for system node pools. Windows2019 only supports Windows2019 containers; it cannot run Windows2022 containers and vice versa. |
| Windows2022 |
Use Windows2022 as the OS for node images. Unsupported for system node pools. Windows2022 only supports Windows2022 containers; it cannot run Windows2019 containers and vice versa. |
| Ubuntu2204 |
Use Ubuntu2204 as the OS for node images, however, Ubuntu 22.04 may not be supported for all nodepools. For limitations and supported kubernetes versions, see see https://aka.ms/aks/supported-ubuntu-versions |
OSType
The operating system type. The default is Linux.
| Value | Description |
|---|---|
| Linux |
Use Linux. |
| Windows |
Use Windows. |
OutboundIPPrefixes
Desired outbound IP Prefix resources for the cluster load balancer.
| Name | Type | Description |
|---|---|---|
| publicIPPrefixes |
A list of public IP prefix resources. |
OutboundIPs
Desired outbound IP resources for the cluster load balancer.
| Name | Type | Description |
|---|---|---|
| publicIPs |
A list of public IP resources. |
outboundType
The outbound (egress) routing method. This can only be set at cluster creation time and cannot be changed later. For more information see egress outbound type.
| Value | Description |
|---|---|
| loadBalancer |
The load balancer is used for egress through an AKS assigned public IP. This supports Kubernetes services of type 'loadBalancer'. For more information see outbound type loadbalancer. |
| userDefinedRouting |
Egress paths must be defined by the user. This is an advanced scenario and requires proper network configuration. For more information see outbound type userDefinedRouting. |
| managedNATGateway |
The AKS-managed NAT gateway is used for egress. |
| userAssignedNATGateway |
The user-assigned NAT gateway associated to the cluster subnet is used for egress. This is an advanced scenario and requires proper network configuration. |
| none |
The AKS cluster is not set with any outbound-type. All AKS nodes follows Azure VM default outbound behavior. Please refer to https://azure.microsoft.com/en-us/updates/default-outbound-access-for-vms-in-azure-will-be-retired-transition-to-a-new-method-of-internet-access/ |
PodIPAllocationMode
Pod IP Allocation Mode. The IP allocation mode for pods in the agent pool. Must be used with podSubnetId. The default is 'DynamicIndividual'.
| Value | Description |
|---|---|
| DynamicIndividual |
Each node gets allocated with a non-contiguous list of IP addresses assignable to pods. This is better for maximizing a small to medium subnet of size /16 or smaller. The Azure CNI cluster with dynamic IP allocation defaults to this mode if the customer does not explicitly specify a podIPAllocationMode |
| StaticBlock |
Each node is statically allocated CIDR block(s) of size /28 = 16 IPs per block to satisfy the maxPods per node. Number of CIDR blocks >= (maxPods / 16). The block, rather than a single IP, counts against the Azure Vnet Private IP limit of 65K. Therefore block mode is suitable for running larger workloads with more than the current limit of 65K pods in a cluster. This mode is better suited to scale with larger subnets of /15 or bigger |
PortRange
The port range.
| Name | Type | Description |
|---|---|---|
| portEnd |
integer (int32) minimum: 1maximum: 65535 |
The maximum port that is included in the range. It should be ranged from 1 to 65535, and be greater than or equal to portStart. |
| portStart |
integer (int32) minimum: 1maximum: 65535 |
The minimum port that is included in the range. It should be ranged from 1 to 65535, and be less than or equal to portEnd. |
| protocol |
The network protocol of the port. |
PowerState
Describes the Power State of the cluster
| Name | Type | Description |
|---|---|---|
| code |
Tells whether the cluster is Running or Stopped |
PrivateLinkResource
A private link resource
| Name | Type | Description |
|---|---|---|
| groupId |
string |
The group ID of the resource. |
| id |
string |
The ID of the private link resource. |
| name |
string |
The name of the private link resource. |
| privateLinkServiceID |
string (arm-id) |
The private link service ID of the resource, this field is exposed only to NRP internally. |
| requiredMembers |
string[] |
The RequiredMembers of the resource |
| type |
string |
The resource type. |
Protocol
The network protocol of the port.
| Value | Description |
|---|---|
| TCP |
TCP protocol. |
| UDP |
UDP protocol. |
ProvisioningInfo
| Name | Type | Description |
|---|---|---|
| error |
Pod identity assignment error (if any). |
PublicNetworkAccess
PublicNetworkAccess of the managedCluster. Allow or deny public network access for AKS
| Value | Description |
|---|---|
| Enabled | |
| Disabled |
ResourceIdentityType
The type of identity used for the managed cluster. For more information see use managed identities in AKS.
| Value | Description |
|---|---|
| SystemAssigned |
Use an implicitly created system assigned managed identity to manage cluster resources. Master components in the control plane such as kube-controller-manager will use the system assigned managed identity to manipulate Azure resources. |
| UserAssigned |
Use a user-specified identity to manage cluster resources. Master components in the control plane such as kube-controller-manager will use the specified user assigned managed identity to manipulate Azure resources. |
| None |
Do not use a managed identity for the Managed Cluster, service principal will be used instead. |
ResourceReference
A reference to an Azure resource.
| Name | Type | Description |
|---|---|---|
| id |
string (arm-id) |
The fully qualified Azure resource id. |
RestrictionLevel
The restriction level applied to the cluster's node resource group. If not specified, the default is 'Unrestricted'
| Value | Description |
|---|---|
| Unrestricted |
All RBAC permissions are allowed on the managed node resource group |
| ReadOnly |
Only */read RBAC permissions allowed on the managed node resource group |
ScaleDownMode
Describes how VMs are added to or removed from Agent Pools. See billing states.
| Value | Description |
|---|---|
| Delete |
Create new instances during scale up and remove instances during scale down. |
| Deallocate |
Attempt to start deallocated instances (if they exist) during scale up and deallocate instances during scale down. |
ScaleProfile
Specifications on how to scale a VirtualMachines agent pool.
| Name | Type | Description |
|---|---|---|
| manual |
Specifications on how to scale the VirtualMachines agent pool to a fixed size. |
ScaleSetEvictionPolicy
The Virtual Machine Scale Set eviction policy. The eviction policy specifies what to do with the VM when it is evicted. The default is Delete. For more information about eviction see spot VMs
| Value | Description |
|---|---|
| Delete |
Nodes in the underlying Scale Set of the node pool are deleted when they're evicted. |
| Deallocate |
Nodes in the underlying Scale Set of the node pool are set to the stopped-deallocated state upon eviction. Nodes in the stopped-deallocated state count against your compute quota and can cause issues with cluster scaling or upgrading. |
ScaleSetPriority
The Virtual Machine Scale Set priority.
| Value | Description |
|---|---|
| Spot |
Spot priority VMs will be used. There is no SLA for spot nodes. See spot on AKS for more information. |
| Regular |
Regular VMs will be used. |
ServiceMeshMode
Mode of the service mesh.
| Value | Description |
|---|---|
| Istio |
Istio deployed as an AKS addon. |
| Disabled |
Mesh is disabled. |
ServiceMeshProfile
Service mesh profile for a managed cluster.
| Name | Type | Description |
|---|---|---|
| istio |
Istio service mesh configuration. |
|
| mode |
Mode of the service mesh. |
SysctlConfig
Sysctl settings for Linux agent nodes.
| Name | Type | Description |
|---|---|---|
| fsAioMaxNr |
integer (int32) |
Sysctl setting fs.aio-max-nr. |
| fsFileMax |
integer (int32) |
Sysctl setting fs.file-max. |
| fsInotifyMaxUserWatches |
integer (int32) |
Sysctl setting fs.inotify.max_user_watches. |
| fsNrOpen |
integer (int32) |
Sysctl setting fs.nr_open. |
| kernelThreadsMax |
integer (int32) |
Sysctl setting kernel.threads-max. |
| netCoreNetdevMaxBacklog |
integer (int32) |
Sysctl setting net.core.netdev_max_backlog. |
| netCoreOptmemMax |
integer (int32) |
Sysctl setting net.core.optmem_max. |
| netCoreRmemDefault |
integer (int32) |
Sysctl setting net.core.rmem_default. |
| netCoreRmemMax |
integer (int32) |
Sysctl setting net.core.rmem_max. |
| netCoreSomaxconn |
integer (int32) |
Sysctl setting net.core.somaxconn. |
| netCoreWmemDefault |
integer (int32) |
Sysctl setting net.core.wmem_default. |
| netCoreWmemMax |
integer (int32) |
Sysctl setting net.core.wmem_max. |
| netIpv4IpLocalPortRange |
string |
Sysctl setting net.ipv4.ip_local_port_range. |
| netIpv4NeighDefaultGcThresh1 |
integer (int32) |
Sysctl setting net.ipv4.neigh.default.gc_thresh1. |
| netIpv4NeighDefaultGcThresh2 |
integer (int32) |
Sysctl setting net.ipv4.neigh.default.gc_thresh2. |
| netIpv4NeighDefaultGcThresh3 |
integer (int32) |
Sysctl setting net.ipv4.neigh.default.gc_thresh3. |
| netIpv4TcpFinTimeout |
integer (int32) |
Sysctl setting net.ipv4.tcp_fin_timeout. |
| netIpv4TcpKeepaliveProbes |
integer (int32) |
Sysctl setting net.ipv4.tcp_keepalive_probes. |
| netIpv4TcpKeepaliveTime |
integer (int32) |
Sysctl setting net.ipv4.tcp_keepalive_time. |
| netIpv4TcpMaxSynBacklog |
integer (int32) |
Sysctl setting net.ipv4.tcp_max_syn_backlog. |
| netIpv4TcpMaxTwBuckets |
integer (int32) |
Sysctl setting net.ipv4.tcp_max_tw_buckets. |
| netIpv4TcpTwReuse |
boolean |
Sysctl setting net.ipv4.tcp_tw_reuse. |
| netIpv4TcpkeepaliveIntvl |
integer (int32) minimum: 10maximum: 90 |
Sysctl setting net.ipv4.tcp_keepalive_intvl. |
| netNetfilterNfConntrackBuckets |
integer (int32) minimum: 65536maximum: 524288 |
Sysctl setting net.netfilter.nf_conntrack_buckets. |
| netNetfilterNfConntrackMax |
integer (int32) minimum: 131072maximum: 2097152 |
Sysctl setting net.netfilter.nf_conntrack_max. |
| vmMaxMapCount |
integer (int32) |
Sysctl setting vm.max_map_count. |
| vmSwappiness |
integer (int32) |
Sysctl setting vm.swappiness. |
| vmVfsCachePressure |
integer (int32) |
Sysctl setting vm.vfs_cache_pressure. |
systemData
Metadata pertaining to creation and last modification of the resource.
| Name | Type | Description |
|---|---|---|
| createdAt |
string (date-time) |
The timestamp of resource creation (UTC). |
| createdBy |
string |
The identity that created the resource. |
| createdByType |
The type of identity that created the resource. |
|
| lastModifiedAt |
string (date-time) |
The timestamp of resource last modification (UTC) |
| lastModifiedBy |
string |
The identity that last modified the resource. |
| lastModifiedByType |
The type of identity that last modified the resource. |
UndrainableNodeBehavior
Defines the behavior for undrainable nodes during upgrade. The most common cause of undrainable nodes is Pod Disruption Budgets (PDBs), but other issues, such as pod termination grace period is exceeding the remaining per-node drain timeout or pod is still being in a running state, can also cause undrainable nodes.
| Value | Description |
|---|---|
| Schedule |
AKS will mark the blocked nodes schedulable, but the blocked nodes are not upgraded. A best-effort attempt will be made to delete all surge nodes. The upgrade operation and the managed cluster will be in failed state if there are any blocked nodes. |
| Cordon |
AKS will cordon the blocked nodes and replace them with surge nodes during upgrade. The blocked nodes will be cordoned and replaced by surge nodes. The blocked nodes will have label 'kubernetes.azure.com/upgrade-status:Quarantined'. A surge node will be retained for each blocked node. A best-effort attempt will be made to delete all other surge nodes. If there are enough surge nodes to replace blocked nodes, then the upgrade operation and the managed cluster will be in failed state. Otherwise, the upgrade operation and the managed cluster will be in canceled state. |
upgradeChannel
The upgrade channel for auto upgrade. The default is 'none'. For more information see setting the AKS cluster auto-upgrade channel.
| Value | Description |
|---|---|
| rapid |
Automatically upgrade the cluster to the latest supported patch release on the latest supported minor version. In cases where the cluster is at a version of Kubernetes that is at an N-2 minor version where N is the latest supported minor version, the cluster first upgrades to the latest supported patch version on N-1 minor version. For example, if a cluster is running version 1.17.7 and versions 1.17.9, 1.18.4, 1.18.6, and 1.19.1 are available, your cluster first is upgraded to 1.18.6, then is upgraded to 1.19.1. |
| stable |
Automatically upgrade the cluster to the latest supported patch release on minor version N-1, where N is the latest supported minor version. For example, if a cluster is running version 1.17.7 and versions 1.17.9, 1.18.4, 1.18.6, and 1.19.1 are available, your cluster is upgraded to 1.18.6. |
| patch |
Automatically upgrade the cluster to the latest supported patch version when it becomes available while keeping the minor version the same. For example, if a cluster is running version 1.17.7 and versions 1.17.9, 1.18.4, 1.18.6, and 1.19.1 are available, your cluster is upgraded to 1.17.9. |
| node-image |
Automatically upgrade the node image to the latest version available. Consider using nodeOSUpgradeChannel instead as that allows you to configure node OS patching separate from Kubernetes version patching |
| none |
Disables auto-upgrades and keeps the cluster at its current version of Kubernetes. |
UpgradeOverrideSettings
Settings for overrides when upgrading a cluster.
| Name | Type | Description |
|---|---|---|
| forceUpgrade |
boolean |
Whether to force upgrade the cluster. Note that this option instructs upgrade operation to bypass upgrade protections such as checking for deprecated API usage. Enable this option only with caution. |
| until |
string (date-time) |
Until when the overrides are effective. Note that this only matches the start time of an upgrade, and the effectiveness won't change once an upgrade starts even if the |
UserAssignedIdentities
The user identity associated with the managed cluster. This identity will be used in control plane. Only one user assigned identity is allowed. The keys must be ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.
| Name | Type | Description |
|---|---|---|
|
|
UserAssignedIdentity
Details about a user assigned identity.
| Name | Type | Description |
|---|---|---|
| clientId |
string |
The client ID of the user assigned identity. |
| objectId |
string |
The object ID of the user assigned identity. |
| resourceId |
string (arm-id) |
The resource ID of the user assigned identity. |
VirtualMachineNodes
Current status on a group of nodes of the same vm size.
| Name | Type | Description |
|---|---|---|
| count |
integer (int32) |
Number of nodes. |
| size |
string |
The VM size of the agents used to host this group of nodes. |
VirtualMachinesProfile
Specifications on VirtualMachines agent pool.
| Name | Type | Description |
|---|---|---|
| scale |
Specifications on how to scale a VirtualMachines agent pool. |
WindowsGmsaProfile
Windows gMSA Profile in the managed cluster.
| Name | Type | Description |
|---|---|---|
| dnsServer |
string |
Specifies the DNS server for Windows gMSA. |
| enabled |
boolean |
Whether to enable Windows gMSA. Specifies whether to enable Windows gMSA in the managed cluster. |
| rootDomainName |
string |
Specifies the root domain name for Windows gMSA. |
WorkloadRuntime
Determines the type of workload a node can run.
| Value | Description |
|---|---|
| OCIContainer |
Nodes will use Kubelet to run standard OCI container workloads. |
| WasmWasi |
Nodes will use Krustlet to run WASM workloads using the WASI provider (Preview). |