az connectedk8s
Note
This reference is part of the connectedk8s extension for the Azure CLI (version 2.64.0 or higher). The extension will automatically install the first time you run an az connectedk8s command. Learn more about extensions.
Commands to manage connected kubernetes clusters.
Commands
Name | Description | Type | Status |
---|---|---|---|
az connectedk8s connect |
Onboard a connected kubernetes cluster to azure. |
Extension | GA |
az connectedk8s delete |
Delete a connected kubernetes cluster along with connected cluster agents. |
Extension | GA |
az connectedk8s disable-features |
Disables the selective features on the connected cluster. |
Extension | Preview |
az connectedk8s enable-features |
Enables the selective features on the connected cluster. |
Extension | Preview |
az connectedk8s list |
List connected kubernetes clusters. |
Extension | GA |
az connectedk8s proxy |
Get access to a connected kubernetes cluster. |
Extension | GA |
az connectedk8s show |
Show details of a connected kubernetes cluster. |
Extension | GA |
az connectedk8s troubleshoot |
Perform diagnostic checks on an Arc enabled Kubernetes cluster. |
Extension | Preview |
az connectedk8s update |
Update properties of the arc onboarded kubernetes cluster. |
Extension | GA |
az connectedk8s upgrade |
Atomically upgrade onboarded agents to the specific version or default to the latest version. |
Extension | GA |
az connectedk8s connect
Onboard a connected kubernetes cluster to azure.
az connectedk8s connect --name
--resource-group
[--azure-hybrid-benefit {False, NotApplicable, True}]
[--config]
[--config-protected]
[--container-log-path]
[--correlation-id]
[--custom-ca-cert]
[--custom-locations-oid]
[--disable-auto-upgrade]
[--distribution {aks, aks_edge_k3s, aks_edge_k8s, aks_engine, aks_management, aks_workload, canonical, capz, eks, generic, gke, k3s, karbon, kind, minikube, openshift, rancher_rke, tkg}]
[--distribution-version]
[--enable-oidc-issuer {false, true}]
[--enable-private-link {false, true}]
[--enable-wi {false, true}]
[--gateway-resource-id]
[--infrastructure {LTSCWindows 10 Enterprise LTSC, Windows 10 Enterprise, Windows 10 Enterprise LTSC 2019, Windows 10 Enterprise LTSC 2021, Windows 10 Enterprise N, Windows 10 Enterprise N LTSC 2019, Windows 10 Enterprise N LTSC 2021, Windows 10 IoT Enterprise, Windows 10 IoT Enterprise LTSC 2019, Windows 10 IoT Enterprise LTSC 2021, Windows 10 Pro, Windows 11 Enterprise, Windows 11 Enterprise N, Windows 11 IoT Enterprise, Windows 11 Pro, Windows Server 2019, Windows Server 2019 Datacenter, Windows Server 2019 Standard, Windows Server 2022, Windows Server 2022 Datacenter, Windows Server 2022 Standard, aws, azure, azure_stack_edge, azure_stack_hci, azure_stack_hub, gcp, generic, vsphere, windows_server}]
[--kube-config]
[--kube-context]
[--location]
[--no-wait]
[--onboarding-timeout]
[--pls-arm-id]
[--proxy-http]
[--proxy-https]
[--proxy-skip-range]
[--self-hosted-issuer]
[--skip-ssl-verification]
[--tags]
[--yes]
Examples
Onboard a connected kubernetes cluster with default kube config and kube context.
az connectedk8s connect -g resourceGroupName -n connectedClusterName
Onboard a connected kubernetes cluster with default kube config and kube context and disabling auto upgrade of arc agents.
az connectedk8s connect -g resourceGroupName -n connectedClusterName --disable-auto-upgrade
Onboard a connected kubernetes cluster by specifying the kubeconfig and kubecontext.
az connectedk8s connect -g resourceGroupName -n connectedClusterName --kube-config /path/to/kubeconfig --kube-context kubeContextName
Onboard a connected kubernetes cluster by specifying the https proxy, http proxy, no proxy settings.
az connectedk8s connect -g resourceGroupName -n connectedClusterName --proxy-https https://proxy-url --proxy-http http://proxy-url --proxy-skip-range excludedIP,excludedCIDR,exampleCIDRfollowed,10.0.0.0/24
Onboard a connected kubernetes cluster by specifying the https proxy, http proxy, no proxy with cert settings.
az connectedk8s connect -g resourceGroupName -n connectedClusterName --proxy-cert /path/to/crt --proxy-https https://proxy-url --proxy-http http://proxy-url --proxy-skip-range excludedIP,excludedCIDR,exampleCIDRfollowed,10.0.0.0/24
Onboard a connected kubernetes cluster with private link feature enabled by specifying private link parameters.
az connectedk8s connect -g resourceGroupName -n connectedClusterName --enable-private-link true --private-link-scope-resource-id pls/resource/arm/id
Onboard a connected kubernetes cluster with custom onboarding timeout.
az connectedk8s connect -g resourceGroupName -n connectedClusterName --onboarding-timeout 600
Onboard a connected kubernetes cluster with oidc issuer and the workload identity webhook enabled.
az connectedk8s connect -g resourceGroupName -n connectedClusterName --enable-oidc-issuer --enable-workload-identity
Onboard a connected kubernetes cluster with oidc issuer enabled using a self hosted issuer url for public cloud cluster.
az connectedk8s connect -g resourceGroupName -n connectedClusterName --enable-oidc-issuer --self-hosted-issuer aksissuerurl
Onboard a connected kubernetes cluster with azure gateway feature enabled.
az connectedk8s connect -g resourceGroupName -n connectedClusterName --gateway-resource-id gatewayResourceId
Required Parameters
The name of the connected cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Flag to enable/disable Azure Hybrid Benefit feature.
Configuration Settings as key=value pair. Repeat parameter for each setting. Do not use this for secrets, as this value is returned in response.
Configuration Protected Settings as key=value pair. Repeat parameter for each setting. Only the key is returned in response, the value is not.
Override the default container log path to enable fluent-bit logging.
A guid that is used to internally track the source of cluster onboarding. Please do not modify it unless advised.
Path to the certificate file for proxy or custom Certificate Authority.
OID of 'custom-locations' app.
Flag to disable auto upgrade of arc agents.
The Kubernetes distribution which will be running on this connected cluster.
The Kubernetes distribution version of the connected cluster.
Enable creation of OIDC issuer url used for workload identity federation.
Flag to enable/disable private link support on a connected cluster resource. Allowed values: false, true.
Enable workload identity webhook.
ArmID of the Arc Gateway resource.
The infrastructure on which the Kubernetes cluster represented by this connected cluster will be running on.
Path to the kube config file.
Kubconfig context from current machine.
Location. Values from: az account list-locations
. You can configure the default location using az configure --defaults location=<location>
.
Do not wait for the long-running operation to finish.
Time required (in seconds) for the arc-agent pods to be installed on the kubernetes cluster. Override this value if the hardware/network constraints on your cluster requires more time for installing the arc-agent pods.
ARM resource id of the private link scope resource to which this connected cluster is associated.
Http proxy URL to be used.
Https proxy URL to be used.
List of URLs/CIDRs for which proxy should not to be used.
Self hosted issuer url for public cloud clusters - AKS, GKE, EKS.
Skip SSL verification for any cluster connection.
Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.
Do not prompt for confirmation.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az connectedk8s delete
Delete a connected kubernetes cluster along with connected cluster agents.
az connectedk8s delete [--force]
[--ids]
[--kube-config]
[--kube-context]
[--name]
[--no-wait]
[--resource-group]
[--skip-ssl-verification]
[--subscription]
[--yes]
Examples
Delete a connected kubernetes cluster and connected cluster agents with default kubeconfig and kubecontext.
az connectedk8s delete -g resourceGroupName -n connectedClusterName
Delete a connected kubernetes cluster by specifying the kubeconfig and kubecontext for connected cluster agents deletion.
az connectedk8s delete -g resourceGroupName -n connectedClusterName --kube-config /path/to/kubeconfig --kube-context kubeContextName
Optional Parameters
Force delete to remove all azure-arc resources from the cluster.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Path to the kube config file.
Kubconfig context from current machine.
The name of the connected cluster.
Do not wait for the long-running operation to finish.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Skip SSL verification for any cluster connection.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Do not prompt for confirmation.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az connectedk8s disable-features
This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Disables the selective features on the connected cluster.
az connectedk8s disable-features --features {azure-rbac, cluster-connect, custom-locations}
[--ids]
[--kube-config]
[--kube-context]
[--name]
[--resource-group]
[--skip-ssl-verification]
[--subscription]
[--yes]
Examples
Disables the azure-rbac feature.
az connectedk8s disable-features -n clusterName -g resourceGroupName --features azure-rbac
Disable multiple features.
az connectedk8s disable-features -n clusterName -g resourceGroupName --features custom-locations azure-rbac
Required Parameters
Space-separated list of features you want to disable.
Optional Parameters
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Path to the kube config file.
Kubconfig context from current machine.
The name of the connected cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Skip SSL verification for any cluster connection.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Do not prompt for confirmation.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az connectedk8s enable-features
This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Enables the selective features on the connected cluster.
az connectedk8s enable-features --features {azure-rbac, cluster-connect, custom-locations}
[--app-id]
[--app-secret]
[--custom-locations-oid]
[--ids]
[--kube-config]
[--kube-context]
[--name]
[--resource-group]
[--skip-azure-rbac-list]
[--skip-ssl-verification]
[--subscription]
Examples
Enables the Cluster-Connect feature.
az connectedk8s enable-features -n clusterName -g resourceGroupName --features cluster-connect
Enable Azure RBAC feature.
az connectedk8s enable-features -n clusterName -g resourceGroupName --features azure-rbac --skip-azure-rbac-list "user1@domain.com,spn_oid"
Enable multiple features.
az connectedk8s enable-features -n clusterName -g resourceGroupName --features cluster-connect custom-locations
Required Parameters
Space-separated list of features you want to enable.
Optional Parameters
Argument 'azrbac_client_id' has been deprecated and will be removed in a future release.
Application ID for enabling Azure RBAC.
Argument 'azrbac_client_secret' has been deprecated and will be removed in a future release.
Application secret for enabling Azure RBAC.
OID of 'custom-locations' app.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Path to the kube config file.
Kubconfig context from current machine.
The name of the connected cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Comma separated list of names of usernames/email/oid. Azure RBAC will be skipped for these users. Specify when enabling azure-rbac.
Skip SSL verification for any cluster connection.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az connectedk8s list
List connected kubernetes clusters.
az connectedk8s list [--resource-group]
Examples
List all connected kubernetes clusters in a resource group.
az connectedk8s list -g resourceGroupName --subscription subscriptionName
List all connected kubernetes clusters in a subscription.
az connectedk8s list --subscription subscriptionName
Optional Parameters
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az connectedk8s proxy
Get access to a connected kubernetes cluster.
az connectedk8s proxy [--file]
[--ids]
[--kube-context]
[--name]
[--port]
[--resource-group]
[--subscription]
[--token]
Examples
Get access to a connected kubernetes cluster.
az connectedk8s proxy -n clusterName -g resourceGroupName
Get access to a connected kubernetes cluster with custom port
az connectedk8s proxy -n clusterName -g resourceGroupName --port portValue
Get access to a connected kubernetes cluster with service account token
az connectedk8s proxy -n clusterName -g resourceGroupName --token tokenValue
Get access to a connected kubernetes cluster by specifying custom kubeconfig location
az connectedk8s proxy -n clusterName -g resourceGroupName -f path/to/kubeconfig
Get access to a connected kubernetes cluster by specifying custom context
az connectedk8s proxy -n clusterName -g resourceGroupName --kube-context contextName
Optional Parameters
Kubernetes configuration file to update. If not provided, updates the file '~/.kube/config'. Use '-' to print YAML to stdout instead.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
If specified, overwrite the default context name.
The name of the connected cluster.
Port used for accessing connected cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Service account token to use to authenticate to the kubernetes cluster.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az connectedk8s show
Show details of a connected kubernetes cluster.
az connectedk8s show [--ids]
[--name]
[--resource-group]
[--subscription]
Examples
Show the details for a connected kubernetes cluster
az connectedk8s show -g resourceGroupName -n connectedClusterName
Optional Parameters
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
The name of the connected cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az connectedk8s troubleshoot
This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Perform diagnostic checks on an Arc enabled Kubernetes cluster.
az connectedk8s troubleshoot --name
--resource-group
[--kube-config]
[--kube-context]
[--skip-ssl-verification]
[--tags]
Examples
Perform diagnostic checks on an Arc enabled Kubernetes cluster.
az connectedk8s troubleshoot -n clusterName -g resourceGroupName
Required Parameters
The name of the connected cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Path to the kube config file.
Kubeconfig context from current machine.
Skip SSL verification for any cluster connection.
Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az connectedk8s update
Update properties of the arc onboarded kubernetes cluster.
az connectedk8s update [--auto-upgrade {false, true}]
[--azure-hybrid-benefit {False, NotApplicable, True}]
[--config]
[--config-protected]
[--container-log-path]
[--custom-ca-cert]
[--disable-gateway {false, true}]
[--disable-proxy]
[--disable-wi {false, true}]
[--distribution {aks, aks_edge_k3s, aks_edge_k8s, aks_engine, aks_management, aks_workload, canonical, capz, eks, generic, gke, k3s, karbon, kind, minikube, openshift, rancher_rke, tkg}]
[--distribution-version]
[--enable-oidc-issuer {false, true}]
[--enable-wi {false, true}]
[--gateway-resource-id]
[--ids]
[--kube-config]
[--kube-context]
[--name]
[--proxy-http]
[--proxy-https]
[--proxy-skip-range]
[--resource-group]
[--self-hosted-issuer]
[--skip-ssl-verification]
[--subscription]
[--tags]
[--yes]
Examples
Update proxy values for the agents
az connectedk8s update -g resourceGroupName -n connectedClusterName --proxy-cert /path/to/crt --proxy-https https://proxy-url --proxy-http http://proxy-url --proxy-skip-range excludedIP,excludedCIDR,exampleCIDRfollowed,10.0.0.0/24
Disable proxy settings for agents
az connectedk8s update -g resourceGroupName -n connectedClusterName --disable-proxy
Disable auto-upgrade of agents
az connectedk8s update -g resourceGroupName -n connectedClusterName --auto-upgrade false
Update a connected kubernetes cluster with oidc issuer and the workload identity webhook enabled.
az connectedk8s update -g resourceGroupName -n connectedClusterName --enable-oidc-issuer --enable-workload-identity
Update a connected kubernetes cluster with oidc issuer enabled using a self hosted issuer url for public cloud cluster.
az connectedk8s update -g resourceGroupName -n connectedClusterName --enable-oidc-issuer --self-hosted-issuer aksissuerurl
Disable the workload identity webhook on a connected kubernetes cluster.
az connectedk8s update -g resourceGroupName -n connectedClusterName --disable-workload-identity
Update a connected kubernetes cluster with azure gateway feature enabled.
az connectedk8s update -g resourceGroupName -n connectedClusterName --gateway-resource-id gatewayResourceId
Disable the azure gateway feature on a connected kubernetes cluster.
az connectedk8s update -g resourceGroupName -n connectedClusterName --disable-gateway
Optional Parameters
Flag to enable/disable auto upgrade of arc agents. By default, auto upgrade of agents is enabled.
Flag to enable/disable Azure Hybrid Benefit feature.
Configuration Settings as key=value pair. Repeat parameter for each setting. Do not use this for secrets, as this value is returned in response.
Configuration Protected Settings as key=value pair. Repeat parameter for each setting. Only the key is returned in response, the value is not.
Override the default container log path to enable fluent-bit logging.
Path to the certificate file for proxy or custom Certificate Authority.
Flag to disable Arc Gateway.
Disables proxy settings for agents.
Disable workload identity webhook.
The Kubernetes distribution which will be running on this connected cluster.
The Kubernetes distribution version of the connected cluster.
Enable creation of OIDC issuer url used for workload identity federation.
Enable workload identity webhook.
ArmID of the Arc Gateway resource.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Path to the kube config file.
Kubconfig context from current machine.
The name of the connected cluster.
Http proxy URL to be used.
Https proxy URL to be used.
List of URLs/CIDRs for which proxy should not to be used.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Self hosted issuer url for public cloud clusters - AKS, GKE, EKS.
Skip SSL verification for any cluster connection.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.
Do not prompt for confirmation.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az connectedk8s upgrade
Atomically upgrade onboarded agents to the specific version or default to the latest version.
az connectedk8s upgrade [--agent-version]
[--ids]
[--kube-config]
[--kube-context]
[--name]
[--resource-group]
[--skip-ssl-verification]
[--subscription]
[--upgrade-timeout]
Examples
Upgrade the agents to the latest version
az connectedk8s upgrade -g resourceGroupName -n connectedClusterName
Upgrade the agents to a specific version
az connectedk8s upgrade -g resourceGroupName -n connectedClusterName --agent-version 0.2.62
Upgrade the agents with custom upgrade timeout.
az connectedk8s upgrade -g resourceGroupName -n connectedClusterName --upgrade-timeout 600
Optional Parameters
Version of agent to update the helm charts to.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Path to the kube config file.
Kubconfig context from current machine.
The name of the connected cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Skip SSL verification for any cluster connection.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Time required (in seconds) for the arc-agent pods to be upgraded on the kubernetes cluster. Override this value if the hardware/network constraints on your cluster requires more time for upgrading the arc-agent pods.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
Azure CLI