In this article, you learn about the managed system node pools (preview) feature for Azure Kubernetes Service (AKS) Automatic clusters. With this feature, AKS automatically manages system node pools in your cluster, including configuration, scaling, and maintenance.
To create an AKS Automatic cluster with managed system node pools, see the Create an Azure Kubernetes Service (AKS) Automatic cluster with managed system node pools (preview) quickstart.
Important
AKS preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available," and they're excluded from the service-level agreements and limited warranty. AKS previews are partially covered by customer support on a best-effort basis. As such, these features aren't meant for production use. For more information, see the following support articles:
Key features and benefits
The managed system node pools feature allows you to focus on your applications while AKS Automatic ensures that the underlying infrastructure is optimized for performance and reliability. Key features and benefits include:
- No operational overhead: AKS provisions, upgrades, and scales the system node pools automatically, eliminating the need for manual intervention.
- Simplified cluster creation: You don't need to track or allocate compute quotas for system node pools, as AKS handles this for you.
- Cost efficiency: Virtual machines (VMs) running on system node pools aren't charged to customer subscriptions, allowing you to optimize costs while maintaining high performance.
- Enhanced performance: Isolating system workloads from customer applications improves reliability and ensures consistent performance backed by Service Level Agreements (SLAs).
Components of managed system node pools
The following table outlines the components managed by AKS in managed system node pools. AKS handles the creation, upgrading, and scaling of the system nodes where these components run.
| Component | Namespace | Deployment(s) |
|---|---|---|
| Azure Monitor | kube-system | ama-logs, ama-metrics, ama-metrics-ksm, ama-metrics-operator-targets |
| Workload identity | kube-system | azure-wi-webhook-controller-manager |
| CoreDNS | kube-system | coredns, coredns-autoscaler |
| Eraser | kube-system | eraser-controller-manager |
| Kubernetes Event-driven Autoscaling (KEDA) | kube-system | keda-admission-webhooks, keda-operator, keda-operator-metrics-apiserver |
| Konnectivity | kube-system | konnectivity-agent, konnectivity-agent-autoscaler |
| Metrics Server | kube-system | metrics-server |
| Vertical Pod Autoscaling (VPA) | kube-system | vpa-admission-controller, vpa-recommender, vpa-updater |
Other add-ons and extensions run on an aks-system-surge node, with scaling handled by node auto-provisioning (NAP). DaemonSets run on both managed system node pools and nodes in your subscription, including the aks-system-surge nodes.
Security restrictions for managed system node pools
Since AKS manages the system node pool on your behalf, AKS applies multiple layers of security restrictions through built-in policies, baseline pod security standards, and admission time policies. These restrictions help protect managed system components and preserve the boundary between customer workloads and AKS-managed infrastructure.
| Restriction | What AKS prevents | Why it matters |
|---|---|---|
| Managed system resource changes | Creating, updating, or deleting resources in AKS-managed system namespaces. | Helps protect AKS-managed components from customer-initiated changes. |
| Interactive access to system pods | Using pod exec, attach, or port-forward against AKS-managed system pods. | Helps prevent direct access to system workloads running on managed system node pools. |
| Managed system node changes | Modifying managed system nodes or labeling regular nodes as managed system nodes. | Helps maintain the boundary between customer-managed nodes and AKS-managed system nodes. |
| Workload placement on managed system nodes | Scheduling or running customer workloads on AKS-managed system nodes, including workloads with reserved tolerations, broad wildcard tolerations, or custom schedulers. | Helps prevent customer workloads from running on dedicated system nodes. |
| Privileged cluster access paths | Granting access to sensitive node proxy permissions. | Reduces paths that could bypass normal controls or escalate access to cluster resources. |
| Protected identity impersonation | Impersonating protected AKS, Kubernetes, or system service account identities. | Helps prevent callers from assuming identities used by trusted system components. |
| AKS-managed security control changes | Modifying AKS-managed security policies and admission controls. | Helps prevent weakening or disabling the controls that protect managed system node pools. |
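The workload placement row above says admission rejects pods that carry broad wildcard tolerations, reserved tolerations, or a custom scheduler. The following pre-flight lint, added here as an example and not AKS's own admission logic, flags those three patterns in pod manifests before they are submitted; the reserved taint key and the sample manifests are constructed placeholders, since the page does not name the actual reserved taints.

```python
"""Pre-flight lint for pod manifests against the managed system node placement
restriction: wildcard tolerations, reserved-taint tolerations, custom schedulers.
Added example; the reserved taint key below is a placeholder, not AKS's real one."""
import json

DEFAULT_SCHEDULER = "default-scheduler"

# Placeholder: callers substitute the taint keys reserved in their environment.
RESERVED_TAINT_KEYS = frozenset({"example.com/reserved-system-taint"})


def is_wildcard_toleration(tol: dict) -> bool:
    """operator Exists with no key tolerates every taint (effect or not)."""
    return tol.get("operator") == "Exists" and not tol.get("key")


def find_placement_violations(pod: dict, reserved_keys=RESERVED_TAINT_KEYS) -> list:
    """Return human-readable findings for one Pod manifest (already parsed)."""
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for tol in spec.get("tolerations", []):
        if is_wildcard_toleration(tol):
            findings.append(f"{name}: broad wildcard toleration {tol}")
        elif tol.get("key") in reserved_keys:
            findings.append(f"{name}: toleration for reserved taint key {tol['key']!r}")
    scheduler = spec.get("schedulerName", DEFAULT_SCHEDULER)
    if scheduler != DEFAULT_SCHEDULER:
        findings.append(f"{name}: custom scheduler {scheduler!r}")
    return findings


def lint_all(pods, reserved_keys=RESERVED_TAINT_KEYS) -> list:
    """Lint a list of Pod manifests; an empty result means nothing was flagged."""
    return [f for pod in pods for f in find_placement_violations(pod, reserved_keys)]


# Constructed sample manifests: one clean pod, one with two violations, one with one.
SAMPLE_PODS = json.loads("""[
 {"metadata": {"name": "web"}, "spec": {"tolerations": [
   {"key": "app", "operator": "Equal", "value": "x", "effect": "NoSchedule"}]}},
 {"metadata": {"name": "ops-tools"}, "spec": {"tolerations": [{"operator": "Exists"}],
   "schedulerName": "my-scheduler"}},
 {"metadata": {"name": "reserved"}, "spec": {"tolerations": [
   {"key": "example.com/reserved-system-taint", "operator": "Exists"}]}}
]""")

if __name__ == "__main__":
    for finding in lint_all(SAMPLE_PODS):
        print(finding)
```

Feed it the output of `kubectl get pods -o json` (the `items` array) or rendered manifests to catch rejections before they hit the admission policies.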
Unsupported AKS API operations
The following AKS API operations are unsupported:
- Upgrading a managed system node pool.
- Deleting a managed system node pool.
- Stopping a cluster with a managed system node pool.
- Listing agent pools on a cluster doesn't include managed system node pools.