containerservice.azure.com/v1api20240901

"2024-09-01"

DayOfMonth: The date of the month.

IntervalMonths: Specifies the number of months between each set of occurrences.

DayOfMonth: The date of the month.

IntervalMonths: Specifies the number of months between each set of occurrences.

Enabled: Indicates the enablement of Advanced Networking functionalities of observability and security on AKS clusters. When this is set to true, all observability and security features will be set to enabled unless explicitly disabled. If not specified, the default is false.

Observability: Observability profile to enable advanced network metrics and flow logs with historical contexts.

Security: Security profile to enable security features on cilium based cluster.

Enabled: Indicates the enablement of Advanced Networking observability functionalities on clusters.

Enabled: Indicates the enablement of Advanced Networking observability functionalities on clusters.

Enabled: This feature allows user to configure network policy based on DNS (FQDN) names. It can be enabled only on cilium based clusters. If not specified, the default is false.

Enabled: This feature allows user to configure network policy based on DNS (FQDN) names. It can be enabled only on cilium based clusters. If not specified, the default is false.

Enabled: Indicates the enablement of Advanced Networking functionalities of observability and security on AKS clusters. When this is set to true, all observability and security features will be set to enabled unless explicitly disabled. If not specified, the default is false.

Observability: Observability profile to enable advanced network metrics and flow logs with historical contexts.

Security: Security profile to enable security features on cilium based cluster.

"System"

"User"

"System"

"User"

AllowedHostPorts: The port ranges that are allowed to access. The specified ranges are allowed to overlap.

ApplicationSecurityGroupsReferences: The IDs of the application security groups which agent pool will associate when created.

NodePublicIPTags: IPTags of instance-level public IPs.

AllowedHostPorts: The port ranges that are allowed to access. The specified ranges are allowed to overlap.

ApplicationSecurityGroups: The IDs of the application security groups which agent pool will associate when created.

NodePublicIPTags: IPTags of instance-level public IPs.

EnableSecureBoot: Secure Boot is a feature of Trusted Launch which ensures that only signed operating systems and drivers can boot. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false.

EnableVTPM: vTPM is a Trusted Launch feature for configuring a dedicated secure vault for keys and measurements held locally on the node. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false.

EnableSecureBoot: Secure Boot is a feature of Trusted Launch which ensures that only signed operating systems and drivers can boot. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false.

EnableVTPM: vTPM is a Trusted Launch feature for configuring a dedicated secure vault for keys and measurements held locally on the node. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false.

"AvailabilitySet"

"VirtualMachineScaleSets"

"AvailabilitySet"

"VirtualMachineScaleSets"

DrainTimeoutInMinutes: The amount of time (in minutes) to wait on eviction of pods and graceful termination per node. This eviction wait time honors waiting on pod disruption budgets. If this time is exceeded, the upgrade fails. If not specified, the default is 30 minutes.

MaxSurge: This can either be set to an integer (e.g. ‘5’) or a percentage (e.g. ‘50%’). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 1. For more information, including best practices, see: https://docs.microsoft.com/azure/aks/upgrade-cluster#customize-node-surge-upgrade

NodeSoakDurationInMinutes: The amount of time (in minutes) to wait after draining a node and before reimaging it and moving on to next node. If not specified, the default is 0 minutes.

DrainTimeoutInMinutes: The amount of time (in minutes) to wait on eviction of pods and graceful termination per node. This eviction wait time honors waiting on pod disruption budgets. If this time is exceeded, the upgrade fails. If not specified, the default is 30 minutes.

MaxSurge: This can either be set to an integer (e.g. ‘5’) or a percentage (e.g. ‘50%’). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 1. For more information, including best practices, see: https://docs.microsoft.com/azure/aks/upgrade-cluster#customize-node-surge-upgrade

NodeSoakDurationInMinutes: The amount of time (in minutes) to wait after draining a node and before reimaging it and moving on to next node. If not specified, the default is 0 minutes.

DisableOutboundNat: The default value is false. Outbound NAT can only be disabled if the cluster outboundType is NAT Gateway and the Windows agent pool does not have node public IP enabled.

DisableOutboundNat: The default value is false. Outbound NAT can only be disabled if the cluster outboundType is NAT Gateway and the Windows agent pool does not have node public IP enabled.

Enabled: Whether to enable Azure Key Vault key management service. The default is false.

KeyId: Identifier of Azure Key Vault key. See key identifier format for more details. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier. When Azure Key Vault key management service is disabled, leave the field empty.

KeyVaultNetworkAccess: Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public.

KeyVaultResourceReference: Resource ID of key vault. When keyVaultNetworkAccess is Private, this field is required and must be a valid resource ID. When keyVaultNetworkAccess is Public, leave the field empty.

"Private"

"Public"

"Private"

"Public"

Enabled: Whether to enable Azure Key Vault key management service. The default is false.

KeyId: Identifier of Azure Key Vault key. See key identifier format for more details. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier. When Azure Key Vault key management service is disabled, leave the field empty.

KeyVaultNetworkAccess: Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public.

KeyVaultResourceId: Resource ID of key vault. When keyVaultNetworkAccess is Private, this field is required and must be a valid resource ID. When keyVaultNetworkAccess is Public, leave the field empty.

OverrideSettings: Settings for overrides.

OverrideSettings: Settings for overrides.

AdminUsername: The administrator username to use for Linux VMs.

Ssh: The SSH configuration for Linux-based VMs running on Azure.

AdminUsername: The administrator username to use for Linux VMs.

Ssh: The SSH configuration for Linux-based VMs running on Azure.

AdvancedNetworking: Advanced Networking profile for enabling observability and security feature suite on a cluster. For more information see aka.ms/aksadvancednetworking.

DnsServiceIP: An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr.

IpFamilies: IP families are used to determine single-stack or dual-stack clusters. For single-stack, the expected value is IPv4. For dual-stack, the expected values are IPv4 and IPv6.

LoadBalancerProfile: Profile of the cluster load balancer.

LoadBalancerSku: The default is ‘standard’. See Azure Load Balancer SKUs for more information about the differences between load balancer SKUs.

NatGatewayProfile: Profile of the cluster NAT gateway.

NetworkDataplane: Network dataplane used in the Kubernetes cluster.

NetworkMode: This cannot be specified if networkPlugin is anything other than ‘azure’.

NetworkPlugin: Network plugin used for building the Kubernetes network.

NetworkPluginMode: The mode the network plugin should use.

NetworkPolicy: Network policy used for building the Kubernetes network.

OutboundType: This can only be set at cluster creation time and cannot be changed later. For more information see egress outbound type.

PodCidr: A CIDR notation IP range from which to assign pod IPs when kubenet is used.

PodCidrs: One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking.

ServiceCidr: A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges.

ServiceCidrs: One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking. They must not overlap with any Subnet IP ranges.

"IPv4"

"IPv6"

"IPv4"

"IPv6"

"basic"

"standard"

"basic"

"standard"

"azure"

"cilium"

"azure"

"cilium"

"bridge"

"transparent"

"bridge"

"transparent"

"azure"

"kubenet"

"none"

"overlay"

"overlay"

"azure"

"kubenet"

"none"

"azure"

"calico"

"cilium"

"none"

"azure"

"calico"

"cilium"

"none"

"loadBalancer"

"managedNATGateway"

"userAssignedNATGateway"

"userDefinedRouting"

"loadBalancer"

"managedNATGateway"

"userAssignedNATGateway"

"userDefinedRouting"

AdvancedNetworking: Advanced Networking profile for enabling observability and security feature suite on a cluster. For more information see aka.ms/aksadvancednetworking.

DnsServiceIP: An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr.

IpFamilies: IP families are used to determine single-stack or dual-stack clusters. For single-stack, the expected value is IPv4. For dual-stack, the expected values are IPv4 and IPv6.

LoadBalancerProfile: Profile of the cluster load balancer.

LoadBalancerSku: The default is ‘standard’. See Azure Load Balancer SKUs for more information about the differences between load balancer SKUs.

NatGatewayProfile: Profile of the cluster NAT gateway.

NetworkDataplane: Network dataplane used in the Kubernetes cluster.

NetworkMode: This cannot be specified if networkPlugin is anything other than ‘azure’.

NetworkPlugin: Network plugin used for building the Kubernetes network.

NetworkPluginMode: The mode the network plugin should use.

NetworkPolicy: Network policy used for building the Kubernetes network.

OutboundType: This can only be set at cluster creation time and cannot be changed later. For more information see egress outbound type.

PodCidr: A CIDR notation IP range from which to assign pod IPs when kubenet is used.

PodCidrs: One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking.

ServiceCidr: A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges.

ServiceCidrs: One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking. They must not overlap with any Subnet IP ranges.

PublicKeys: The list of SSH public keys used to authenticate with Linux-based VMs. A maximum of 1 key may be specified.

PublicKeys: The list of SSH public keys used to authenticate with Linux-based VMs. A maximum of 1 key may be specified.

KeyData: Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers.

KeyData: Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers.

SourceResourceReference: This is the ARM ID of the source object to be used to create the target object.

SourceResourceId: This is the ARM ID of the source object to be used to create the target object.

IntervalDays: Specifies the number of days between each set of occurrences.

IntervalDays: Specifies the number of days between each set of occurrences.

End: The end date of the date span.

Start: The start date of the date span.

End: The end date of the date span.

Start: The start date of the date span.

Location: The source resource location - internal use only.

ReferralResource: The delegation id of the referral delegation (optional) - internal use only.

ResourceReference: The ARM resource id of the delegated resource - internal use only.

TenantId: The tenant id of the delegated resource - internal use only.

Location: The source resource location - internal use only.

ReferralResource: The delegation id of the referral delegation (optional) - internal use only.

ResourceId: The ARM resource id of the delegated resource - internal use only.

TenantId: The tenant id of the delegated resource - internal use only.

Name: The name of the extended location.

Type: The type of the extended location.

"EdgeZone"

"EdgeZone"

Name: The name of the extended location.

Type: The type of the extended location.

"MIG1g"

"MIG2g"

"MIG3g"

"MIG4g"

"MIG7g"

"MIG1g"

"MIG2g"

"MIG3g"

"MIG4g"

"MIG7g"

IpTagType: The IP tag type. Example: RoutingPreference.

Tag: The value of the IP tag associated with the public IP. Example: Internet.

IpTagType: The IP tag type. Example: RoutingPreference.

Tag: The value of the IP tag associated with the public IP. Example: Internet.

Plugin: Plugin certificates information for Service Mesh.

Plugin: Plugin certificates information for Service Mesh.

EgressGateways: Istio egress gateways.

IngressGateways: Istio ingress gateways.

EgressGateways: Istio egress gateways.

IngressGateways: Istio ingress gateways.

Enabled: Whether to enable the egress gateway.

Enabled: Whether to enable the egress gateway.

Enabled: Whether to enable the ingress gateway.

Mode: Mode of an ingress gateway.

"External"

"Internal"

"External"

"Internal"

Enabled: Whether to enable the ingress gateway.

Mode: Mode of an ingress gateway.

CertChainObjectName: Certificate chain object name in Azure Key Vault.

CertObjectName: Intermediate certificate object name in Azure Key Vault.

KeyObjectName: Intermediate certificate private key object name in Azure Key Vault.

KeyVaultReference: The resource ID of the Key Vault.

RootCertObjectName: Root certificate object name in Azure Key Vault.

CertChainObjectName: Certificate chain object name in Azure Key Vault.

CertObjectName: Intermediate certificate object name in Azure Key Vault.

KeyObjectName: Intermediate certificate private key object name in Azure Key Vault.

KeyVaultId: The resource ID of the Key Vault.

RootCertObjectName: Root certificate object name in Azure Key Vault.

CertificateAuthority: Istio Service Mesh Certificate Authority (CA) configuration. For now, we only support plugin certificates as described here https://aka.ms/asm-plugin-ca

Components: Istio components configuration.

Revisions: The list of revisions of the Istio control plane. When an upgrade is not in progress, this holds one value. When canary upgrade is in progress, this can only hold two consecutive values. For more information, see: https://learn.microsoft.com/en-us/azure/aks/istio-upgrade

CertificateAuthority: Istio Service Mesh Certificate Authority (CA) configuration. For now, we only support plugin certificates as described here https://aka.ms/asm-plugin-ca

Components: Istio components configuration.

Revisions: The list of revisions of the Istio control plane. When an upgrade is not in progress, this holds one value. When canary upgrade is in progress, this can only hold two consecutive values. For more information, see: https://learn.microsoft.com/en-us/azure/aks/istio-upgrade

AllowedUnsafeSysctls: Allowed list of unsafe sysctls or unsafe sysctl patterns (ending in *).

ContainerLogMaxFiles: The maximum number of container log files that can be present for a container. The number must be ≥ 2.

ContainerLogMaxSizeMB: The maximum size (e.g. 10Mi) of container log file before it is rotated.

CpuCfsQuota: The default is true.

CpuCfsQuotaPeriod: The default is ‘100ms.’ Valid values are a sequence of decimal numbers with an optional fraction and a unit suffix. For example: ‘300ms’, ‘2h45m’. Supported units are ‘ns’, ‘us’, ‘ms’, ’s’, ’m’, and ‘h’.

CpuManagerPolicy: The default is ‘none’. See Kubernetes CPU management policies for more information. Allowed values are ‘none’ and ‘static’.

FailSwapOn: If set to true it will make the Kubelet fail to start if swap is enabled on the node.

ImageGcHighThreshold: To disable image garbage collection, set to 100. The default is 85%

ImageGcLowThreshold: This cannot be set higher than imageGcHighThreshold. The default is 80%

PodMaxPids: The maximum number of processes per pod.

TopologyManagerPolicy: For more information see Kubernetes Topology Manager. The default is ‘none’. Allowed values are ‘none’, ‘best-effort’, ‘restricted’, and ‘single-numa-node’.

AllowedUnsafeSysctls: Allowed list of unsafe sysctls or unsafe sysctl patterns (ending in *).

ContainerLogMaxFiles: The maximum number of container log files that can be present for a container. The number must be ≥ 2.

ContainerLogMaxSizeMB: The maximum size (e.g. 10Mi) of container log file before it is rotated.

CpuCfsQuota: The default is true.

CpuCfsQuotaPeriod: The default is ‘100ms.’ Valid values are a sequence of decimal numbers with an optional fraction and a unit suffix. For example: ‘300ms’, ‘2h45m’. Supported units are ‘ns’, ‘us’, ‘ms’, ’s’, ’m’, and ‘h’.

CpuManagerPolicy: The default is ‘none’. See Kubernetes CPU management policies for more information. Allowed values are ‘none’ and ‘static’.

FailSwapOn: If set to true it will make the Kubelet fail to start if swap is enabled on the node.

ImageGcHighThreshold: To disable image garbage collection, set to 100. The default is 85%

ImageGcLowThreshold: This cannot be set higher than imageGcHighThreshold. The default is 80%

PodMaxPids: The maximum number of processes per pod.

TopologyManagerPolicy: For more information see Kubernetes Topology Manager. The default is ‘none’. Allowed values are ‘none’, ‘best-effort’, ‘restricted’, and ‘single-numa-node’.

"OS"

"Temporary"

"OS"

"Temporary"

"AKSLongTermSupport"

"KubernetesOfficial"

"AKSLongTermSupport"

"KubernetesOfficial"

SwapFileSizeMB: The size in MB of a swap file that will be created on each node.

Sysctls: Sysctl settings for Linux agent nodes.

TransparentHugePageDefrag: Valid values are ‘always’, ‘defer’, ‘defer+madvise’, ‘madvise’ and ‘never’. The default is ‘madvise’. For more information see Transparent Hugepages.

TransparentHugePageEnabled: Valid values are ‘always’, ‘madvise’, and ‘never’. The default is ‘always’. For more information see Transparent Hugepages.

SwapFileSizeMB: The size in MB of a swap file that will be created on each node.

Sysctls: Sysctl settings for Linux agent nodes.

TransparentHugePageDefrag: Valid values are ‘always’, ‘defer’, ‘defer+madvise’, ‘madvise’ and ‘never’. The default is ‘madvise’. For more information see Transparent Hugepages.

TransparentHugePageEnabled: Valid values are ‘always’, ‘madvise’, and ‘never’. The default is ‘always’. For more information see Transparent Hugepages.

ConfigMapExpressions: configures where to place operator written dynamic ConfigMaps (created with CEL expressions).

SecretExpressions: configures where to place operator written dynamic secrets (created with CEL expressions).

Conditions: The observed state of the resource

Id: Resource ID.

MaintenanceWindow: Maintenance window for the maintenance configuration.

Name: The name of the resource that is unique within a resource group. This name can be used to access the resource.

NotAllowedTime: Time slots on which upgrade is not allowed.

SystemData: The system metadata relating to this resource.

TimeInWeek: If two array entries specify the same day of the week, the applied configuration is the union of times in both entries.

Type: Resource type

AzureName: The name of the resource in Azure. This is often the same as the name of the resource in Kubernetes but it doesn’t have to be.

MaintenanceWindow: Maintenance window for the maintenance configuration.

NotAllowedTime: Time slots on which upgrade is not allowed.

OperatorSpec: The specification for configuring operator behavior. This field is interpreted by the operator and not passed directly to Azure

Owner: The owner of the resource. The owner controls where the resource goes when it is deployed. The owner also controls the resources lifecycle. When the owner is deleted the resource will also be deleted. Owner is expected to be a reference to a containerservice.azure.com/ManagedCluster resource

TimeInWeek: If two array entries specify the same day of the week, the applied configuration is the union of times in both entries.

DurationHours: Length of maintenance window range from 4 to 24 hours.

NotAllowedDates: Date ranges on which upgrade is not allowed. ‘utcOffset’ applies to this field. For example, with ‘utcOffset: +02:00’ and ‘dateSpan’ being ‘2022-12-23’ to ‘2023-01-03’, maintenance will be blocked from ‘2022-12-22 22:00’ to ‘2023-01-03 22:00’ in UTC time.

Schedule: Recurrence schedule for the maintenance window.

StartDate: The date the maintenance window activates. If the current date is before this date, the maintenance window is inactive and will not be used for upgrades. If not specified, the maintenance window will be active right away.

StartTime: The start time of the maintenance window. Accepted values are from ‘00:00’ to ‘23:59’. ‘utcOffset’ applies to this field. For example: ‘02:00’ with ‘utcOffset: +02:00’ means UTC time ‘00:00’.

UtcOffset: The UTC offset in format +/-HH:mm. For example, ‘+05:30’ for IST and ‘-07:00’ for PST. If not specified, the default is ‘+00:00’.

DurationHours: Length of maintenance window range from 4 to 24 hours.

NotAllowedDates: Date ranges on which upgrade is not allowed. ‘utcOffset’ applies to this field. For example, with ‘utcOffset: +02:00’ and ‘dateSpan’ being ‘2022-12-23’ to ‘2023-01-03’, maintenance will be blocked from ‘2022-12-22 22:00’ to ‘2023-01-03 22:00’ in UTC time.

Schedule: Recurrence schedule for the maintenance window.

StartDate: The date the maintenance window activates. If the current date is before this date, the maintenance window is inactive and will not be used for upgrades. If not specified, the maintenance window will be active right away.

StartTime: The start time of the maintenance window. Accepted values are from ‘00:00’ to ‘23:59’. ‘utcOffset’ applies to this field. For example: ‘02:00’ with ‘utcOffset: +02:00’ means UTC time ‘00:00’.

UtcOffset: The UTC offset in format +/-HH:mm. For example, ‘+05:30’ for IST and ‘-07:00’ for PST. If not specified, the default is ‘+00:00’.

AdminGroupObjectIDs: The list of AAD group object IDs that will have admin role of the cluster.

ClientAppID: (DEPRECATED) The client AAD application ID. Learn more at https://aka.ms/aks/aad-legacy.

EnableAzureRBAC: Whether to enable Azure RBAC for Kubernetes authorization.

Managed: Whether to enable managed AAD.

ServerAppID: (DEPRECATED) The server AAD application ID. Learn more at https://aka.ms/aks/aad-legacy.

ServerAppSecret: (DEPRECATED) The server AAD application secret. Learn more at https://aka.ms/aks/aad-legacy.

TenantID: The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription.

AdminGroupObjectIDs: The list of AAD group object IDs that will have admin role of the cluster.

ClientAppID: (DEPRECATED) The client AAD application ID. Learn more at https://aka.ms/aks/aad-legacy.

EnableAzureRBAC: Whether to enable Azure RBAC for Kubernetes authorization.

Managed: Whether to enable managed AAD.

ServerAppID: (DEPRECATED) The server AAD application ID. Learn more at https://aka.ms/aks/aad-legacy.

ServerAppSecret: (DEPRECATED) The server AAD application secret. Learn more at https://aka.ms/aks/aad-legacy.

TenantID: The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription.

AuthorizedIPRanges: IP ranges are specified in CIDR format, e.g. 137.117.106.⁸⁸⁄₂₉. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. For more information see API server authorized IP ranges.

DisableRunCommand: Whether to disable run command for the cluster or not.

EnablePrivateCluster: For more details, see Creating a private AKS cluster.

EnablePrivateClusterPublicFQDN: Whether to create additional public FQDN for private cluster or not.

PrivateDNSZone: The default is System. For more details see configure private DNS zone. Allowed values are ‘system’ and ‘none’.

AuthorizedIPRanges: IP ranges are specified in CIDR format, e.g. 137.117.106.⁸⁸⁄₂₉. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. For more information see API server authorized IP ranges.

DisableRunCommand: Whether to disable run command for the cluster or not.

EnablePrivateCluster: For more details, see Creating a private AKS cluster.

EnablePrivateClusterPublicFQDN: Whether to create additional public FQDN for private cluster or not.

PrivateDNSZone: The default is System. For more details see configure private DNS zone. Allowed values are ‘system’ and ‘none’.

Config: Key-value pairs for configuring an add-on.

Enabled: Whether the add-on is enabled or not.

Config: Key-value pairs for configuring an add-on.

Enabled: Whether the add-on is enabled or not.

Identity: Information of user assigned identity used by this add-on.

AvailabilityZones: The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is ‘VirtualMachineScaleSets’.

CapacityReservationGroupReference: AKS will associate the specified agent pool with the Capacity Reservation Group.

Count: Number of agents (VMs) to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1.

CreationData: CreationData to be used to specify the source Snapshot ID if the node pool will be created/upgraded using a snapshot.

EnableAutoScaling: Whether to enable auto-scaler

EnableEncryptionAtHost: This is only supported on certain VM sizes and in certain Azure regions. For more information, see: https://docs.microsoft.com/azure/aks/enable-host-encryption

EnableFIPS: See Add a FIPS-enabled node pool for more details.

EnableNodePublicIP: Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node. The default is false.

EnableUltraSSD: Whether to enable UltraSSD

GpuInstanceProfile: GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU.

HostGroupReference: This is of the form: /​subscriptions/​{subscriptionId}/​resourceGroups/​{resourceGroupName}/​providers/​Microsoft.Compute/​hostGroups/​{hostGroupName}. For more information see Azure dedicated hosts.

KubeletConfig: The Kubelet configuration on the agent pool nodes.

KubeletDiskType: Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage.

LinuxOSConfig: The OS configuration of Linux agent nodes.

MaxCount: The maximum number of nodes for auto-scaling

MaxPods: The maximum number of pods that can run on a node.

MinCount: The minimum number of nodes for auto-scaling

Mode: A cluster must have at least one ‘System’ Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: https://docs.microsoft.com/azure/aks/use-system-pools

Name: Windows agent pool names must be 6 characters or less.

NetworkProfile: Network-related settings of an agent pool.

NodeLabels: The node labels to be persisted across all nodes in agent pool.

NodePublicIPPrefixReference: This is of the form: /​subscriptions/​{subscriptionId}/​resourceGroups/​{resourceGroupName}/​providers/​Microsoft.Network/​publicIPPrefixes/​{publicIPPrefixName}

NodeTaints: The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule.

OrchestratorVersion: Both patch version (e.g. 1.20.13) and (e.g. 1.20) are supported. When is specified, the latest supported GA patch version is chosen automatically. Updating the cluster with the same once it has been created (e.g. 1.14.x -> 1.14) will not trigger an upgrade, even if a newer patch version is available. As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool.

OsDiskType: The default is ‘Ephemeral’ if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to ‘Managed’. May not be changed after creation. For more information see Ephemeral OS.

OsSKU: Specifies the OS SKU used by the agent pool. The default is Ubuntu if OSType is Linux. The default is Windows2019 when Kubernetes <= 1.24 or Windows2022 when Kubernetes >= 1.25 if OSType is Windows.

OsType: The operating system type. The default is Linux.

PodSubnetReference: If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /​subscriptions/​{subscriptionId}/​resourceGroups/​{resourceGroupName}/​providers/​Microsoft.Network/​virtualNetworks/​{virtualNetworkName}/​subnets/​{subnetName}

PowerState: When an Agent Pool is first created it is initially Running. The Agent Pool can be stopped by setting this field to Stopped. A stopped Agent Pool stops all of its VMs and does not accrue billing charges. An Agent Pool can only be stopped if it is Running and provisioning state is Succeeded

ProximityPlacementGroupReference: The ID for Proximity Placement Group.

ScaleDownMode: This also effects the cluster autoscaler behavior. If not specified, it defaults to Delete.

ScaleSetEvictionPolicy: This cannot be specified unless the scaleSetPriority is ‘Spot’. If not specified, the default is ‘Delete’.

ScaleSetPriority: The Virtual Machine Scale Set priority. If not specified, the default is ‘Regular’.

SecurityProfile: The security settings of an agent pool.

SpotMaxPrice: Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing

Tags: The tags to be persisted on the agent pool virtual machine scale set.

Type: The type of Agent Pool.

UpgradeSettings: Settings for upgrading the agentpool

VmSize: VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: https://docs.microsoft.com/azure/aks/quotas-skus-regions

VnetSubnetReference: If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /​subscriptions/​{subscriptionId}/​resourceGroups/​{resourceGroupName}/​providers/​Microsoft.Network/​virtualNetworks/​{virtualNetworkName}/​subnets/​{subnetName}

WindowsProfile: The Windows agent pool’s specific profile.

WorkloadRuntime: Determines the type of workload a node can run.

AvailabilityZones: The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is ‘VirtualMachineScaleSets’.

CapacityReservationGroupID: AKS will associate the specified agent pool with the Capacity Reservation Group.

Count: Number of agents (VMs) to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1.

CreationData: CreationData to be used to specify the source Snapshot ID if the node pool will be created/upgraded using a snapshot.

CurrentOrchestratorVersion: If orchestratorVersion is a fully specified version , this field will be exactly equal to it. If orchestratorVersion is , this field will contain the full version being used.

ETag: Unique read-only string used to implement optimistic concurrency. The eTag value will change when the resource is updated. Specify an if-match or if-none-match header with the eTag value for a subsequent request to enable optimistic concurrency per the normal etag convention.

EnableAutoScaling: Whether to enable auto-scaler

EnableEncryptionAtHost: This is only supported on certain VM sizes and in certain Azure regions. For more information, see: https://docs.microsoft.com/azure/aks/enable-host-encryption

EnableFIPS: See Add a FIPS-enabled node pool for more details.

EnableNodePublicIP: Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node. The default is false.

EnableUltraSSD: Whether to enable UltraSSD

GpuInstanceProfile: GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU.

HostGroupID: This is of the form: /​subscriptions/​{subscriptionId}/​resourceGroups/​{resourceGroupName}/​providers/​Microsoft.Compute/​hostGroups/​{hostGroupName}. For more information see Azure dedicated hosts.

KubeletConfig: The Kubelet configuration on the agent pool nodes.

KubeletDiskType: Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage.

LinuxOSConfig: The OS configuration of Linux agent nodes.

MaxCount: The maximum number of nodes for auto-scaling

MaxPods: The maximum number of pods that can run on a node.

MinCount: The minimum number of nodes for auto-scaling

Mode: A cluster must have at least one ‘System’ Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: https://docs.microsoft.com/azure/aks/use-system-pools

Name: Windows agent pool names must be 6 characters or less.

NetworkProfile: Network-related settings of an agent pool.

NodeImageVersion: The version of node image

NodeLabels: The node labels to be persisted across all nodes in agent pool.

NodePublicIPPrefixID: This is of the form: /​subscriptions/​{subscriptionId}/​resourceGroups/​{resourceGroupName}/​providers/​Microsoft.Network/​publicIPPrefixes/​{publicIPPrefixName}

NodeTaints: The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule.

OrchestratorVersion: Both patch version (e.g. 1.20.13) and (e.g. 1.20) are supported. When is specified, the latest supported GA patch version is chosen automatically. Updating the cluster with the same once it has been created (e.g. 1.14.x -> 1.14) will not trigger an upgrade, even if a newer patch version is available. As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool.

OsDiskType: The default is ‘Ephemeral’ if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to ‘Managed’. May not be changed after creation. For more information see Ephemeral OS.

OsSKU: Specifies the OS SKU used by the agent pool. The default is Ubuntu if OSType is Linux. The default is Windows2019 when Kubernetes <= 1.24 or Windows2022 when Kubernetes >= 1.25 if OSType is Windows.

OsType: The operating system type. The default is Linux.

PodSubnetID: If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /​subscriptions/​{subscriptionId}/​resourceGroups/​{resourceGroupName}/​providers/​Microsoft.Network/​virtualNetworks/​{virtualNetworkName}/​subnets/​{subnetName}

PowerState: When an Agent Pool is first created it is initially Running. The Agent Pool can be stopped by setting this field to Stopped. A stopped Agent Pool stops all of its VMs and does not accrue billing charges. An Agent Pool can only be stopped if it is Running and provisioning state is Succeeded

ProvisioningState: The current deployment or provisioning state.

ProximityPlacementGroupID: The ID for Proximity Placement Group.

ScaleDownMode: This also effects the cluster autoscaler behavior. If not specified, it defaults to Delete.

ScaleSetEvictionPolicy: This cannot be specified unless the scaleSetPriority is ‘Spot’. If not specified, the default is ‘Delete’.

ScaleSetPriority: The Virtual Machine Scale Set priority. If not specified, the default is ‘Regular’.

SecurityProfile: The security settings of an agent pool.

SpotMaxPrice: Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing

Tags: The tags to be persisted on the agent pool virtual machine scale set.

Type: The type of Agent Pool.

UpgradeSettings: Settings for upgrading the agentpool

VmSize: VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: https://docs.microsoft.com/azure/aks/quotas-skus-regions

VnetSubnetID: If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /​subscriptions/​{subscriptionId}/​resourceGroups/​{resourceGroupName}/​providers/​Microsoft.Network/​virtualNetworks/​{virtualNetworkName}/​subnets/​{subnetName}

WindowsProfile: The Windows agent pool’s specific profile.

WorkloadRuntime: Determines the type of workload a node can run.

NodeOSUpgradeChannel: Manner in which the OS on your nodes is updated. The default is NodeImage.

UpgradeChannel: For more information see setting the AKS cluster auto-upgrade channel.

"NodeImage"

"None"

"SecurityPatch"

"Unmanaged"

"NodeImage"

"None"

"SecurityPatch"

"Unmanaged"

NodeOSUpgradeChannel: Manner in which the OS on your nodes is updated. The default is NodeImage.

UpgradeChannel: For more information see setting the AKS cluster auto-upgrade channel.

"node-image"

"none"

"patch"

"rapid"

"stable"

"node-image"

"none"

"patch"

"rapid"

"stable"

Metrics: Metrics profile for the Azure Monitor managed service for Prometheus addon. Collect out-of-the-box Kubernetes infrastructure metrics to send to an Azure Monitor Workspace and configure additional scraping for custom targets. See aka.ms/AzureManagedPrometheus for an overview.

MetricAnnotationsAllowList: Comma-separated list of Kubernetes annotation keys that will be used in the resource’s labels metric (Example: ‘namespaces=[kubernetes.io/team,…],pods=[kubernetes.io/team],…’). By default the metric contains only resource name and namespace labels.

MetricLabelsAllowlist: Comma-separated list of additional Kubernetes label keys that will be used in the resource’s labels metric (Example: ‘namespaces=[k8s-label-1,k8s-label-n,…],pods=[app],…’). By default the metric contains only resource name and namespace labels.

MetricAnnotationsAllowList: Comma-separated list of Kubernetes annotation keys that will be used in the resource’s labels metric (Example: ‘namespaces=[kubernetes.io/team,…],pods=[kubernetes.io/team],…’). By default the metric contains only resource name and namespace labels.

MetricLabelsAllowlist: Comma-separated list of additional Kubernetes label keys that will be used in the resource’s labels metric (Example: ‘namespaces=[k8s-label-1,k8s-label-n,…],pods=[app],…’). By default the metric contains only resource name and namespace labels.

Enabled: Whether to enable or disable the Azure Managed Prometheus addon for Prometheus monitoring. See aka.ms/AzureManagedPrometheus-aks-enable for details on enabling and disabling.

KubeStateMetrics: Kube State Metrics profile for the Azure Managed Prometheus addon. These optional settings are for the kube-state-metrics pod that is deployed with the addon. See aka.ms/AzureManagedPrometheus-optional-parameters for details.

Enabled: Whether to enable or disable the Azure Managed Prometheus addon for Prometheus monitoring. See aka.ms/AzureManagedPrometheus-aks-enable for details on enabling and disabling.

KubeStateMetrics: Kube State Metrics profile for the Azure Managed Prometheus addon. These optional settings are for the kube-state-metrics pod that is deployed with the addon. See aka.ms/AzureManagedPrometheus-optional-parameters for details.

Metrics: Metrics profile for the Azure Monitor managed service for Prometheus addon. Collect out-of-the-box Kubernetes infrastructure metrics to send to an Azure Monitor Workspace and configure additional scraping for custom targets. See aka.ms/AzureManagedPrometheus for an overview.

Enabled: The Managed Cluster sku.tier must be set to ‘Standard’ or ‘Premium’ to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. If not specified, the default is false. For more information see aka.ms/aks/docs/cost-analysis.

Enabled: The Managed Cluster sku.tier must be set to ‘Standard’ or ‘Premium’ to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. If not specified, the default is false. For more information see aka.ms/aks/docs/cost-analysis.

HttpProxy: The HTTP proxy server endpoint to use.

HttpsProxy: The HTTPS proxy server endpoint to use.

NoProxy: The endpoints that should not go through proxy.

TrustedCa: Alternative CA cert to use for connecting to proxy servers.

HttpProxy: The HTTP proxy server endpoint to use.

HttpsProxy: The HTTPS proxy server endpoint to use.

NoProxy: The endpoints that should not go through proxy.

TrustedCa: Alternative CA cert to use for connecting to proxy servers.

DelegatedResources: The delegated identity resources assigned to this managed cluster. This can only be set by another Azure Resource Provider, and managed cluster only accept one delegated identity resource. Internal use only.

Type: For more information see use managed identities in AKS.

UserAssignedIdentities: The keys must be ARM resource IDs in the form: ‘/​subscriptions/​{subscriptionId}/​resourceGroups/​{resourceGroupName}/​providers/​Microsoft.ManagedIdentity/​userAssignedIdentities/​{identityName}’.

DelegatedResources: The delegated identity resources assigned to this managed cluster. This can only be set by another Azure Resource Provider, and managed cluster only accept one delegated identity resource. Internal use only.

PrincipalId: The principal id of the system assigned identity which is used by master components.

TenantId: The tenant id of the system assigned identity which is used by master components.

Type: For more information see use managed identities in AKS.

UserAssignedIdentities: The keys must be ARM resource IDs in the form: ‘/​subscriptions/​{subscriptionId}/​resourceGroups/​{resourceGroupName}/​providers/​Microsoft.ManagedIdentity/​userAssignedIdentities/​{identityName}’.

"None"

"SystemAssigned"

"UserAssigned"

"None"

"SystemAssigned"

"UserAssigned"

ClientId: The client id of user assigned identity.

PrincipalId: The principal id of user assigned identity.

WebAppRouting: App Routing settings for the ingress profile. You can find an overview and onboarding guide for this feature at https://learn.microsoft.com/en-us/azure/aks/app-routing?tabs=default%2Cdeploy-app-default.

DnsZoneResourceReferences: Resource IDs of the DNS zones to be associated with the Application Routing add-on. Used only when Application Routing add-on is enabled. Public and private DNS zones can be in different resource groups, but all public DNS zones must be in the same resource group and all private DNS zones must be in the same resource group.

Enabled: Whether to enable the Application Routing add-on.

DnsZoneResourceIds: Resource IDs of the DNS zones to be associated with the Application Routing add-on. Used only when Application Routing add-on is enabled. Public and private DNS zones can be in different resource groups, but all public DNS zones must be in the same resource group and all private DNS zones must be in the same resource group.

Enabled: Whether to enable the Application Routing add-on.

Identity: Managed identity of the Application Routing add-on. This is the identity that should be granted permissions, for example, to manage the associated Azure DNS resource and get certificates from Azure Key Vault. See this overview of the add-on for more instructions.

WebAppRouting: App Routing settings for the ingress profile. You can find an overview and onboarding guide for this feature at https://learn.microsoft.com/en-us/azure/aks/app-routing?tabs=default%2Cdeploy-app-default.

AllocatedOutboundPorts: The desired number of allocated SNAT ports per VM. Allowed values are in the range of 0 to 64000 (inclusive). The default value is 0 which results in Azure dynamically allocating ports.

BackendPoolType: The type of the managed inbound Load Balancer BackendPool.

EffectiveOutboundIPs: The effective outbound IP resources of the cluster load balancer.

EnableMultipleStandardLoadBalancers: Enable multiple standard load balancers per AKS cluster or not.

IdleTimeoutInMinutes: Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 30 minutes.

ManagedOutboundIPs: Desired managed outbound IPs for the cluster load balancer.

OutboundIPPrefixes: Desired outbound IP Prefix resources for the cluster load balancer.

OutboundIPs: Desired outbound IP resources for the cluster load balancer.

"NodeIP"

"NodeIPConfiguration"

"NodeIP"

"NodeIPConfiguration"

Count: The desired number of IPv4 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1.

CountIPv6: The desired number of IPv6 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack.

Count: The desired number of IPv4 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1.

CountIPv6: The desired number of IPv6 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack.

PublicIPPrefixes: A list of public IP prefix resources.

PublicIPPrefixes: A list of public IP prefix resources.

PublicIPs: A list of public IP resources.

PublicIPs: A list of public IP resources.

AllocatedOutboundPorts: The desired number of allocated SNAT ports per VM. Allowed values are in the range of 0 to 64000 (inclusive). The default value is 0 which results in Azure dynamically allocating ports.

BackendPoolType: The type of the managed inbound Load Balancer BackendPool.

EffectiveOutboundIPs: The effective outbound IP resources of the cluster load balancer.

EnableMultipleStandardLoadBalancers: Enable multiple standard load balancers per AKS cluster or not.

IdleTimeoutInMinutes: Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 30 minutes.

ManagedOutboundIPs: Desired managed outbound IPs for the cluster load balancer.

OutboundIPPrefixes: Desired outbound IP Prefix resources for the cluster load balancer.

OutboundIPs: Desired outbound IP resources for the cluster load balancer.

Count: The desired number of outbound IPs created/managed by Azure. Allowed values must be in the range of 1 to 16 (inclusive). The default value is 1.

Count: The desired number of outbound IPs created/managed by Azure. Allowed values must be in the range of 1 to 16 (inclusive). The default value is 1.

CostAnalysis: The cost analysis configuration for the cluster

CostAnalysis: The cost analysis configuration for the cluster

EffectiveOutboundIPs: The effective outbound IP resources of the cluster NAT gateway.

IdleTimeoutInMinutes: Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 4 minutes.

ManagedOutboundIPProfile: Profile of the managed outbound IP resources of the cluster NAT gateway.

EffectiveOutboundIPs: The effective outbound IP resources of the cluster NAT gateway.

IdleTimeoutInMinutes: Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 4 minutes.

ManagedOutboundIPProfile: Profile of the managed outbound IP resources of the cluster NAT gateway.

RestrictionLevel: The restriction level applied to the cluster’s node resource group. If not specified, the default is ‘Unrestricted’

"ReadOnly"

"Unrestricted"

"ReadOnly"

"Unrestricted"

RestrictionLevel: The restriction level applied to the cluster’s node resource group. If not specified, the default is ‘Unrestricted’

Enabled: Whether the OIDC issuer is enabled.

Enabled: Whether the OIDC issuer is enabled.

IssuerURL: The OIDC issuer url of the Managed Cluster.

OIDCIssuerProfile: indicates where the OIDCIssuerProfile config map should be placed. If omitted, no config map will be created.

AdminCredentials: indicates where the AdminCredentials secret should be placed. If omitted, the secret will not be retrieved from Azure.

UserCredentials: indicates where the UserCredentials secret should be placed. If omitted, the secret will not be retrieved from Azure.

ConfigMapExpressions: configures where to place operator written dynamic ConfigMaps (created with CEL expressions).

ConfigMaps: configures where to place operator written ConfigMaps.

SecretExpressions: configures where to place operator written dynamic secrets (created with CEL expressions).

Secrets: configures where to place Azure generated secrets.

BindingSelector: The binding selector to use for the AzureIdentityBinding resource.

Identity: The user assigned identity details.

Name: The name of the pod identity.

Namespace: The namespace of the pod identity.

Name: The name of the pod identity exception.

Namespace: The namespace of the pod identity exception.

PodLabels: The pod labels to match.

Name: The name of the pod identity exception.

Namespace: The namespace of the pod identity exception.

PodLabels: The pod labels to match.

AllowNetworkPluginKubenet: Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing. See using Kubenet network plugin with AAD Pod Identity for more information.

Enabled: Whether the pod identity addon is enabled.

UserAssignedIdentities: The pod identities to use in the cluster.

UserAssignedIdentityExceptions: The pod identity exceptions to allow.

AllowNetworkPluginKubenet: Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing. See using Kubenet network plugin with AAD Pod Identity for more information.

Enabled: Whether the pod identity addon is enabled.

UserAssignedIdentities: The pod identities to use in the cluster.

UserAssignedIdentityExceptions: The pod identity exceptions to allow.

Code: An identifier for the error. Codes are invariant and are intended to be consumed programmatically.

Details: A list of additional details about the error.

Message: A message describing the error, intended to be suitable for display in a user interface.

Target: The target of the particular error. For example, the name of the property in error.

Code: An identifier for the error. Codes are invariant and are intended to be consumed programmatically.

Message: A message describing the error, intended to be suitable for display in a user interface.

Target: The target of the particular error. For example, the name of the property in error.

Error: Details about the error.

Error: Pod identity assignment error (if any).

"Assigned"

"Canceled"

"Deleting"

"Failed"

"Succeeded"

"Updating"

BindingSelector: The binding selector to use for the AzureIdentityBinding resource.

Identity: The user assigned identity details.

Name: The name of the pod identity.

Namespace: The namespace of the pod identity.

ProvisioningState: The current provisioning state of the pod identity.

BalanceSimilarNodeGroups: Valid values are ‘true’ and ‘false’

DaemonsetEvictionForEmptyNodes: If set to true, all daemonset pods on empty nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted.

DaemonsetEvictionForOccupiedNodes: If set to true, all daemonset pods on occupied nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted.

Expander: If not specified, the default is ‘random’. See expanders for more information.

IgnoreDaemonsetsUtilization: If set to true, the resources used by daemonset will be taken into account when making scaling down decisions.

MaxEmptyBulkDelete: The default is 10.

MaxGracefulTerminationSec: The default is 600.

MaxNodeProvisionTime: The default is ‘15m’. Values must be an integer followed by an ’m’. No unit of time other than minutes (m) is supported.

MaxTotalUnreadyPercentage: The default is 45. The maximum is 100 and the minimum is 0.

NewPodScaleUpDelay: For scenarios like burst/batch scale where you don’t want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they’re a certain age. The default is ‘0s’. Values must be an integer followed by a unit (’s’ for seconds, ’m’ for minutes, ‘h’ for hours, etc).

OkTotalUnreadyCount: This must be an integer. The default is 3.

ScaleDownDelayAfterAdd: The default is ‘10m’. Values must be an integer followed by an ’m’. No unit of time other than minutes (m) is supported.

ScaleDownDelayAfterDelete: The default is the scan-interval. Values must be an integer followed by an ’m’. No unit of time other than minutes (m) is supported.

ScaleDownDelayAfterFailure: The default is ‘3m’. Values must be an integer followed by an ’m’. No unit of time other than minutes (m) is supported.

ScaleDownUnneededTime: The default is ‘10m’. Values must be an integer followed by an ’m’. No unit of time other than minutes (m) is supported.

ScaleDownUnreadyTime: The default is ‘20m’. Values must be an integer followed by an ’m’. No unit of time other than minutes (m) is supported.

ScaleDownUtilizationThreshold: The default is ‘0.5’.

ScanInterval: The default is ‘10’. Values must be an integer number of seconds.

SkipNodesWithLocalStorage: The default is true.

SkipNodesWithSystemPods: The default is true.

"least-waste"

"most-pods"

"priority"

"random"

"least-waste"

"most-pods"

"priority"

"random"

BalanceSimilarNodeGroups: Valid values are ‘true’ and ‘false’

DaemonsetEvictionForEmptyNodes: If set to true, all daemonset pods on empty nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted.

DaemonsetEvictionForOccupiedNodes: If set to true, all daemonset pods on occupied nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted.

Expander: If not specified, the default is ‘random’. See expanders for more information.

IgnoreDaemonsetsUtilization: If set to true, the resources used by daemonset will be taken into account when making scaling down decisions.

MaxEmptyBulkDelete: The default is 10.

MaxGracefulTerminationSec: The default is 600.

MaxNodeProvisionTime: The default is ‘15m’. Values must be an integer followed by an ’m’. No unit of time other than minutes (m) is supported.

MaxTotalUnreadyPercentage: The default is 45. The maximum is 100 and the minimum is 0.

NewPodScaleUpDelay: For scenarios like burst/batch scale where you don’t want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they’re a certain age. The default is ‘0s’. Values must be an integer followed by a unit (’s’ for seconds, ’m’ for minutes, ‘h’ for hours, etc).

OkTotalUnreadyCount: This must be an integer. The default is 3.

ScaleDownDelayAfterAdd: The default is ‘10m’. Values must be an integer followed by an ’m’. No unit of time other than minutes (m) is supported.

ScaleDownDelayAfterDelete: The default is the scan-interval. Values must be an integer followed by an ’m’. No unit of time other than minutes (m) is supported.

ScaleDownDelayAfterFailure: The default is ‘3m’. Values must be an integer followed by an ’m’. No unit of time other than minutes (m) is supported.

ScaleDownUnneededTime: The default is ‘10m’. Values must be an integer followed by an ’m’. No unit of time other than minutes (m) is supported.

ScaleDownUnreadyTime: The default is ‘20m’. Values must be an integer followed by an ’m’. No unit of time other than minutes (m) is supported.

ScaleDownUtilizationThreshold: The default is ‘0.5’.

ScanInterval: The default is ‘10’. Values must be an integer number of seconds.

SkipNodesWithLocalStorage: The default is true.

SkipNodesWithSystemPods: The default is true.

"Disabled"

"Enabled"

"Disabled"

"Enabled"

Name: The name of a managed cluster SKU.

Tier: If not specified, the default is ‘Free’. See AKS Pricing Tier for more details.

"Base"

"Base"

Name: The name of a managed cluster SKU.

Tier: If not specified, the default is ‘Free’. See AKS Pricing Tier for more details.

"Free"

"Premium"

"Standard"

"Free"

"Premium"

"Standard"

AzureKeyVaultKms: Azure Key Vault key management service settings for the security profile.

Defender: Microsoft Defender settings for the security profile.

ImageCleaner: Image Cleaner settings for the security profile.

WorkloadIdentity: Workload identity settings for the security profile. Workload identity enables Kubernetes applications to access Azure cloud resources securely with Azure AD. See https://aka.ms/aks/wi for more details.

LogAnalyticsWorkspaceResourceReference: Resource ID of the Log Analytics workspace to be associated with Microsoft Defender. When Microsoft Defender is enabled, this field is required and must be a valid workspace resource ID. When Microsoft Defender is disabled, leave the field empty.

SecurityMonitoring: Microsoft Defender threat detection for Cloud settings for the security profile.

Enabled: Whether to enable Defender threat detection

Enabled: Whether to enable Defender threat detection

LogAnalyticsWorkspaceResourceId: Resource ID of the Log Analytics workspace to be associated with Microsoft Defender. When Microsoft Defender is enabled, this field is required and must be a valid workspace resource ID. When Microsoft Defender is disabled, leave the field empty.

SecurityMonitoring: Microsoft Defender threat detection for Cloud settings for the security profile.

Enabled: Whether to enable Image Cleaner on AKS cluster.

IntervalHours: Image Cleaner scanning interval in hours.

Enabled: Whether to enable Image Cleaner on AKS cluster.

IntervalHours: Image Cleaner scanning interval in hours.

Enabled: Whether to enable workload identity.

Enabled: Whether to enable workload identity.

AzureKeyVaultKms: Azure Key Vault key management service settings for the security profile.

Defender: Microsoft Defender settings for the security profile.

ImageCleaner: Image Cleaner settings for the security profile.

WorkloadIdentity: Workload identity settings for the security profile. Workload identity enables Kubernetes applications to access Azure cloud resources securely with Azure AD. See https://aka.ms/aks/wi for more details.

ClientId: The ID for the service principal.

Secret: The secret password associated with the service principal in plain text.

ClientId: The ID for the service principal.

BlobCSIDriver: AzureBlob CSI Driver settings for the storage profile.

DiskCSIDriver: AzureDisk CSI Driver settings for the storage profile.

FileCSIDriver: AzureFile CSI Driver settings for the storage profile.

SnapshotController: Snapshot Controller settings for the storage profile.

Enabled: Whether to enable AzureBlob CSI Driver. The default value is false.

Enabled: Whether to enable AzureBlob CSI Driver. The default value is false.

Enabled: Whether to enable AzureDisk CSI Driver. The default value is true.

Enabled: Whether to enable AzureDisk CSI Driver. The default value is true.

Enabled: Whether to enable AzureFile CSI Driver. The default value is true.

Enabled: Whether to enable AzureFile CSI Driver. The default value is true.

Enabled: Whether to enable Snapshot Controller. The default value is true.

Enabled: Whether to enable Snapshot Controller. The default value is true.

BlobCSIDriver: AzureBlob CSI Driver settings for the storage profile.

DiskCSIDriver: AzureDisk CSI Driver settings for the storage profile.

FileCSIDriver: AzureFile CSI Driver settings for the storage profile.

SnapshotController: Snapshot Controller settings for the storage profile.

AdminPassword: Specifies the password of the administrator account. Minimum-length: 8 characters Max-length: 123 characters Complexity requirements: 3 out of 4 conditions below need to be fulfilled Has lower characters Has upper characters Has a digit Has a special character (Regex match [\W_]) Disallowed values: “abc@123”, “P@$$w0rd”, “P@ssw0rd”, “P@ssword123”, “Pa$$word”, “pass@word1”, “Password!”, “Password1”, “Password22”, “iloveyou!”

AdminUsername: Specifies the name of the administrator account. Restriction: Cannot end in “.” Disallowed values: “administrator”, “admin”, “user”, “user1”, “test”, “user2”, “test1”, “user3”, “admin1”, “1”, “123”, “a”, “actuser”, “adm”, “admin2”, “aspnet”, “backup”, “console”, “david”, “guest”, “john”, “owner”, “root”, “server”, “sql”, “support”, “support_388945a0”, “sys”, “test2”, “test3”, “user4”, “user5”. Minimum-length: 1 character Max-length: 20 characters

EnableCSIProxy: For more details on CSI proxy, see the CSI proxy GitHub repo.

GmsaProfile: The Windows gMSA Profile in the Managed Cluster.

LicenseType: The license type to use for Windows VMs. See Azure Hybrid User Benefits for more details.

"None"

"Windows_Server"

"None"

"Windows_Server"

AdminUsername: Specifies the name of the administrator account. Restriction: Cannot end in “.” Disallowed values: “administrator”, “admin”, “user”, “user1”, “test”, “user2”, “test1”, “user3”, “admin1”, “1”, “123”, “a”, “actuser”, “adm”, “admin2”, “aspnet”, “backup”, “console”, “david”, “guest”, “john”, “owner”, “root”, “server”, “sql”, “support”, “support_388945a0”, “sys”, “test2”, “test3”, “user4”, “user5”. Minimum-length: 1 character Max-length: 20 characters

EnableCSIProxy: For more details on CSI proxy, see the CSI proxy GitHub repo.

GmsaProfile: The Windows gMSA Profile in the Managed Cluster.

LicenseType: The license type to use for Windows VMs. See Azure Hybrid User Benefits for more details.

Keda: KEDA (Kubernetes Event-driven Autoscaling) settings for the workload auto-scaler profile.

VerticalPodAutoscaler: VPA (Vertical Pod Autoscaler) settings for the workload auto-scaler profile.

Enabled: Whether to enable KEDA.

Enabled: Whether to enable KEDA.

Enabled: Whether to enable VPA. Default value is false.

Enabled: Whether to enable VPA. Default value is false.

Keda: KEDA (Kubernetes Event-driven Autoscaling) settings for the workload auto-scaler profile.

VerticalPodAutoscaler: VPA (Vertical Pod Autoscaler) settings for the workload auto-scaler profile.

AadProfile: The Azure Active Directory configuration.

AddonProfiles: The profile of managed cluster add-on.

AgentPoolProfiles: The agent pool properties.

ApiServerAccessProfile: The access profile for managed cluster API server.

AutoScalerProfile: Parameters to be applied to the cluster-autoscaler when enabled

AutoUpgradeProfile: The auto upgrade configuration.

AzureMonitorProfile: Azure Monitor addon profiles for monitoring the managed cluster.

AzurePortalFQDN: The Azure Portal requires certain Cross-Origin Resource Sharing (CORS) headers to be sent in some responses, which Kubernetes APIServer doesn’t handle by default. This special FQDN supports CORS, allowing the Azure Portal to function properly.

Conditions: The observed state of the resource

CurrentKubernetesVersion: If kubernetesVersion was a fully specified version , this field will be exactly equal to it. If kubernetesVersion was , this field will contain the full version being used.

DisableLocalAccounts: If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. For more details see disable local accounts.

DiskEncryptionSetID: This is of the form: ‘/​subscriptions/​{subscriptionId}/​resourceGroups/​{resourceGroupName}/​providers/​Microsoft.Compute/​diskEncryptionSets/​{encryptionSetName}’

DnsPrefix: This cannot be updated once the Managed Cluster has been created.

ETag: Unique read-only string used to implement optimistic concurrency. The eTag value will change when the resource is updated. Specify an if-match or if-none-match header with the eTag value for a subsequent request to enable optimistic concurrency per the normal etag convention.

EnablePodSecurityPolicy: (DEPRECATED) Whether to enable Kubernetes pod security policy (preview). PodSecurityPolicy was deprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25. Learn more at https://aka.ms/k8s/psp and https://aka.ms/aks/psp.

EnableRBAC: Whether to enable Kubernetes Role-Based Access Control.

ExtendedLocation: The extended location of the Virtual Machine.

Fqdn: The FQDN of the master pool.

FqdnSubdomain: This cannot be updated once the Managed Cluster has been created.

HttpProxyConfig: Configurations for provisioning the cluster with HTTP proxy servers.

Id: Fully qualified resource ID for the resource. E.g. “/​subscriptions/​{subscriptionId}/​resourceGroups/​{resourceGroupName}/​providers/​{resourceProviderNamespace}/​{resourceType}/​{resourceName}”

Identity: The identity of the managed cluster, if configured.

IdentityProfile: The user identity associated with the managed cluster. This identity will be used by the kubelet. Only one user assigned identity is allowed. The only accepted key is “kubeletidentity”, with value of “resourceId”: “/​subscriptions/​{subscriptionId}/​resourceGroups/​{resourceGroupName}/​providers/​Microsoft.ManagedIdentity/​userAssignedIdentities/​{identityName}”.

IngressProfile: Ingress profile for the managed cluster.

KubernetesVersion: Both patch version (e.g. 1.20.13) and (e.g. 1.20) are supported. When is specified, the latest supported GA patch version is chosen automatically. Updating the cluster with the same once it has been created (e.g. 1.14.x -> 1.14) will not trigger an upgrade, even if a newer patch version is available. When you upgrade a supported AKS cluster, Kubernetes minor versions cannot be skipped. All upgrades must be performed sequentially by major version number. For example, upgrades between 1.14.x -> 1.15.x or 1.15.x -> 1.16.x are allowed, however 1.14.x -> 1.16.x is not allowed. See upgrading an AKS cluster for more details.

LinuxProfile: The profile for Linux VMs in the Managed Cluster.

Location: The geo-location where the resource lives

MaxAgentPools: The max number of agent pools for the managed cluster.

MetricsProfile: Optional cluster metrics configuration.

Name: The name of the resource

NetworkProfile: The network configuration profile.

NodeResourceGroup: The name of the resource group containing agent pool nodes.

NodeResourceGroupProfile: Profile of the node resource group configuration.

OidcIssuerProfile: The OIDC issuer profile of the Managed Cluster.

PodIdentityProfile: See use AAD pod identity for more details on AAD pod identity integration.

PowerState: The Power State of the cluster.

PrivateFQDN: The FQDN of private cluster.

PrivateLinkResources: Private link resources associated with the cluster.

ProvisioningState: The current provisioning state.

PublicNetworkAccess: Allow or deny public network access for AKS

ResourceUID: The resourceUID uniquely identifies ManagedClusters that reuse ARM ResourceIds (i.e: create, delete, create sequence)

SecurityProfile: Security profile for the managed cluster.

ServiceMeshProfile: Service mesh profile for a managed cluster.

ServicePrincipalProfile: Information about a service principal identity for the cluster to use for manipulating Azure APIs.

Sku: The managed cluster SKU.

StorageProfile: Storage profile for the managed cluster.

SupportPlan: The support plan for the Managed Cluster. If unspecified, the default is ‘KubernetesOfficial’.

SystemData: Azure Resource Manager metadata containing createdBy and modifiedBy information.

Tags: Resource tags.

Type: The type of the resource. E.g. “Microsoft.Compute/virtualMachines” or “Microsoft.Storage/storageAccounts”

UpgradeSettings: Settings for upgrading a cluster.

WindowsProfile: The profile for Windows VMs in the Managed Cluster.