Bicep Module Documentation

Module kubernetes-services

managedCluster

Property Value Description
general (required) general
skuTier (required) 'Free' | 'Premium' | 'Standard' The managed cluster SKU. (default: Free)
identity identity
diagnosticSettings diagnosticSetting[]
aadProfile managedClusterAADProfile The Azure Active Directory configuration.
addonProfiles object The profile of managed cluster add-on.
agentPoolProfiles managedClusterAgentPoolProfile[] The agent pool properties.
apiServerAccessProfile managedClusterAPIServerAccessProfile The access profile for managed cluster API server.
autoScalerProfile managedClusterPropertiesAutoScalerProfile Parameters to be applied to the cluster-autoscaler when enabled.
autoUpgradeProfile managedClusterAutoUpgradeProfile The auto upgrade configuration.
azureMonitorProfile managedClusterAzureMonitorProfile Prometheus addon profile for the container service cluster.
creationDataResourceId string CreationData to be used to specify the source Snapshot ID if the cluster will be created/upgraded using a snapshot.
disableLocalAccounts (required) bool If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. For more details see disable local accounts.
diskEncryptionSetID string This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/diskEncryptionSets/{encryptionSetName}
dnsPrefix (required) string This cannot be updated once the Managed Cluster has been created.
enableNamespaceResources bool The default value is false. It can be enabled/disabled on creation and updating of the managed cluster. See https://aka.ms/NamespaceARMResource for more details on Namespace as an ARM Resource.
enableRBAC (required) bool Whether to enable Kubernetes Role-Based Access Control.
fqdnSubdomain string This cannot be updated once the Managed Cluster has been created.
guardrailsProfile guardrailsProfile The guardrails profile holds all the guardrails information for a given cluster.
httpProxyConfig managedClusterHttpProxyConfig Configurations for provisioning the cluster with HTTP proxy servers.
identityProfile object Identities associated with the cluster.
ingressProfile managedClusterIngressProfile Ingress profile for the managed cluster.
kubernetesVersion (required) string When you upgrade a supported AKS cluster, Kubernetes minor versions cannot be skipped. All upgrades must be performed sequentially by major version number. For example, upgrades between 1.14.x -> 1.15.x or 1.15.x -> 1.16.x are allowed, however 1.14.x -> 1.16.x is not allowed. See upgrading an AKS cluster for more details.
linuxProfile containerServiceLinuxProfile The profile for Linux VMs in the Managed Cluster.
metricsProfileCostAnalysisEnabled bool Optional cluster metrics configuration.
networkProfile containerServiceNetworkProfile The network configuration profile.
nodeResourceGroup (required) string The name of the resource group containing agent pool nodes.
nodeResourceGroupProfileRestrictionLevel 'ReadOnly' | 'Unrestricted' The node resource group configuration profile.
oidcIssuerProfileEnabled bool The OIDC issuer profile of the Managed Cluster.
podIdentityProfile managedClusterPodIdentityProfile See use AAD pod identity for more details on AAD pod identity integration.
privateLinkResources managedClusterPrivateLinkResources[] Private link resources associated with the cluster.
publicNetworkAccess 'Disabled' | 'Enabled' | 'SecuredByPerimeter' Allow or deny public network access for AKS. (default: Disabled)
securityProfile managedClusterSecurityProfile Security profile for the managed cluster.
serviceMeshProfile serviceMeshProfile Service mesh profile for a managed cluster.
servicePrincipalProfile servicePrincipalProfile Information about a service principal identity for the cluster to use for manipulating Azure APIs.
storageProfile storageProfile Storage profile for the managed cluster.
supportPlan 'AKSLongTermSupport' | 'KubernetesOfficial' The support plan for the Managed Cluster. If unspecified, the default is KubernetesOfficial.
upgradeSettings upgradeSettings
windowsProfile managedClusterWindowsProfile The profile for Windows VMs in the Managed Cluster.
workloadAutoScalerProfile managedClusterWorkloadAutoScalerProfile Workload Auto-scaler profile for the managed cluster.
privateLink privateLink Settings for the private endpoint and private link for this resource, only available for private clusters.
nodePools managedClusterAgentPoolProfile[] Use this parameter to add node pools. Node pools specified in the agentPoolProfiles parameter cannot be changed after initial deployment.

identity

Property Value Description
clientId (required) string The client ID of the user assigned identity.
objectId (required) string The object ID of the user assigned identity.
resourceId (required) string The resource ID of the user assigned identity.

servicePrincipalProfile

Property Value Description
clientId (required) string The ID for the service principal.
secret string The secret password associated with the service principal in plain text.

storageProfile

Property Value Description
blobCSIDriverEnabled bool AzureBlob CSI Driver settings for the storage profile.
diskCSIDriverEnabled bool AzureDisk CSI Driver settings for the storage profile.
fileCSIDriverEnabled bool AzureFile CSI Driver settings for the storage profile.
snapshotControllerEnabled bool Snapshot Controller settings for the storage profile.

overrideSettings

Property Value Description
forceUpgrade (required) bool Whether to force upgrade the cluster. Note that this option instructs the upgrade operation to bypass upgrade protections such as checking for deprecated API usage. Enable this option only with caution.
until string Until when the overrides are effective. Note that this only matches the start time of an upgrade, and the effectiveness won't change once an upgrade starts even if the until expires as the upgrade proceeds. This field is not set by default. It must be set for the overrides to take effect.

upgradeSettings

Property Value Description
drainTimeoutInMinutes (required) int The amount of time (in minutes) to wait on eviction of pods and graceful termination per node. This eviction wait time honors waiting on pod disruption budgets. If this time is exceeded, the upgrade fails. If not specified, the default is 30 minutes.
maxSurge string This can either be set to an integer (e.g. 5) or a percentage (e.g. 50%). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 1. For more information, including best practices, see: https://docs.microsoft.com/azure/aks/upgrade-cluster#customize-node-surge-upgrade

managedClusterAADProfile

Property Value Description
adminGroupObjectIDs (required) string[] The list of AAD group object IDs that will have admin role of the cluster.
enableAzureRBAC (required) bool Whether to enable Azure RBAC for Kubernetes authorization.
managed (required) bool Whether to enable managed AAD.
tenantID (required) string The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription.

managedClusterAgentPoolProfile

Property Value Description
availabilityZones string[] The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is VirtualMachineScaleSets.
capacityReservationGroupID string AKS will associate the specified agent pool with the Capacity Reservation Group.
count int Number of agents (VMs) to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1.
enableAutoScaling bool Whether to enable the auto-scaler.
enableEncryptionAtHost bool This is only supported on certain VM sizes and in certain Azure regions. For more information, see: https://docs.microsoft.com/azure/aks/enable-host-encryption
enableFIPS bool See Add a FIPS-enabled node pool for more details.
enableNodePublicIP bool Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node. The default is false.
enableUltraSSD bool Whether to enable UltraSSD.
gpuInstanceProfile 'MIG1g' | 'MIG2g' | 'MIG3g' | 'MIG4g' | 'MIG7g' GPUInstanceProfile to be used to specify the GPU MIG instance profile for supported GPU VM SKUs.
hostGroupID string This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/hostGroups/{hostGroupName}. For more information see Azure dedicated hosts.
kubeletConfig kubeletConfig The Kubelet configuration on the agent pool nodes.
kubeletDiskType 'OS' | 'Temporary' Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage.
linuxOSConfig linuxOSConfig The OS configuration of Linux agent nodes.
maxCount int The maximum number of nodes for auto-scaling.
maxPods (required) int The maximum number of pods that can run on a node.
messageOfTheDay string A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of the message of the day for Linux nodes. It must not be specified for Windows nodes. It must be a static string (i.e., will be printed raw and not be executed as a script).
minCount int The minimum number of nodes for auto-scaling.
mode 'System' | 'User' A cluster must have at least one System Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: https://docs.microsoft.com/azure/aks/use-system-pools
name (required) string Windows agent pool names must be 6 characters or less.
networkProfile agentPoolNetworkProfile Network-related settings of an agent pool.
nodeLabels object The node labels to be persisted across all nodes in agent pool.
nodePublicIPPrefixID string This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPPrefixes/{publicIPPrefixName}
nodeTaints string[] The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule.
orchestratorVersion string Both patch version {major.minor.patch} and {major.minor} are supported. When {major.minor} is specified, the latest supported patch version is chosen automatically. Updating the agent pool with the same {major.minor} once it has been created will not trigger an upgrade, even if a newer patch version is available. As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool.
osDiskSizeGB int OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified.
osDiskType 'Ephemeral' | 'Managed' The default is Ephemeral if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to Managed. May not be changed after creation. For more information see Ephemeral OS.
osSKU 'AzureLinux' | 'CBLMariner' | 'Mariner' | 'Ubuntu' | 'Windows2019' | 'Windows2022' Specifies the OS SKU used by the agent pool. If not specified, the default is Ubuntu if OSType=Linux or Windows2019 if OSType=Windows. The default Windows OSSKU will change to Windows2022 after Windows2019 is deprecated.
osType 'Linux' | 'Windows' The operating system type. The default is Linux.
podSubnetID string If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}
proximityPlacementGroupID string The ID for Proximity Placement Group.
scaleDownMode 'Deallocate' | 'Delete' This also affects the cluster autoscaler behavior. If not specified, it defaults to Delete.
scaleSetEvictionPolicy 'Deallocate' | 'Delete' This cannot be specified unless the scaleSetPriority is Spot. If not specified, the default is Delete.
scaleSetPriority 'Regular' | 'Spot' The Virtual Machine Scale Set priority. If not specified, the default is Regular.
spotMaxPrice int Possible values are any decimal value greater than zero or -1, which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing. To specify a decimal value, use the json() function.
tags object The tags to be persisted on the agent pool virtual machine scale set.
type (required) 'AvailabilitySet' | 'VirtualMachineScaleSets' The type of Agent Pool.
upgradeSettings upgradeSettings Settings for upgrading the agent pool.
vmSize (required) string VM size availability varies by region. If a node contains insufficient compute resources (memory, CPU, etc.), pods might fail to run correctly. For more details on restricted VM sizes, see: https://docs.microsoft.com/azure/aks/quotas-skus-regions
vnetSubnetID string If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}
workloadRuntime 'KataMshvVmIsolation' | 'OCIContainer' | 'WasmWasi' Determines the type of workload a node can run.

kubeletConfig

Property Value Description
allowedUnsafeSysctls string[] Allowed list of unsafe sysctls or unsafe sysctl patterns (ending in *).
containerLogMaxFiles int The maximum number of container log files that can be present for a container. The number must be ≥ 2.
containerLogMaxSizeMB int The maximum size (e.g. 10Mi) of container log file before it is rotated.
cpuCfsQuota bool The default is true.
cpuCfsQuotaPeriod string The default is 100ms. Valid values are a sequence of decimal numbers with an optional fraction and a unit suffix. For example: 300ms, 2h45m. Supported units are ns, us, ms, s, m, and h.
cpuManagerPolicy 'none' | 'static' The default is none. See Kubernetes CPU management policies for more information. Allowed values are none and static.
failSwapOn bool If set to true, it will make the Kubelet fail to start if swap is enabled on the node.
imageGcHighThreshold int To disable image garbage collection, set to 100. The default is 85%.
imageGcLowThreshold int This cannot be set higher than imageGcHighThreshold. The default is 80%.
podMaxPids int The maximum number of processes per pod.
topologyManagerPolicy 'best-effort' | 'none' | 'restricted' | 'single-numa-node' For more information see Kubernetes Topology Manager. The default is none. Allowed values are none, best-effort, restricted, and single-numa-node.

linuxOSConfig

Property Value Description
swapFileSizeMB int The size in MB of a swap file that will be created on each node.
sysctls sysctls Sysctl settings for Linux agent nodes.
transparentHugePageDefrag 'always' | 'defer' | 'defer+madvise' | 'madvise' | 'never' Valid values are always, defer, defer+madvise, madvise and never. The default is madvise. For more information see Transparent Hugepages.
transparentHugePageEnabled 'always' | 'madvise' | 'never' Valid values are always, madvise, and never. The default is always. For more information see Transparent Hugepages.

sysctls

Property Value Description
fsAioMaxNr (required) int Sysctl setting fs.aio-max-nr.
fsFileMax (required) int Sysctl setting fs.file-max.
fsInotifyMaxUserWatches (required) int Sysctl setting fs.inotify.max_user_watches.
fsNrOpen (required) int Sysctl setting fs.nr_open.
kernelThreadsMax (required) int Sysctl setting kernel.threads-max.
netCoreNetdevMaxBacklog (required) int Sysctl setting net.core.netdev_max_backlog.
netCoreOptmemMax (required) int Sysctl setting net.core.optmem_max.
netCoreRmemDefault (required) int Sysctl setting net.core.rmem_default.
netCoreRmemMax (required) int Sysctl setting net.core.rmem_max.
netCoreSomaxconn (required) int Sysctl setting net.core.somaxconn.
netCoreWmemDefault (required) int Sysctl setting net.core.wmem_default.
netCoreWmemMax (required) int Sysctl setting net.core.wmem_max.
netIpv4IpLocalPortRange (required) string Sysctl setting net.ipv4.ip_local_port_range.
netIpv4NeighDefaultGcThresh1 (required) int Sysctl setting net.ipv4.neigh.default.gc_thresh1.
netIpv4NeighDefaultGcThresh2 (required) int Sysctl setting net.ipv4.neigh.default.gc_thresh2.
netIpv4NeighDefaultGcThresh3 (required) int Sysctl setting net.ipv4.neigh.default.gc_thresh3.
netIpv4TcpFinTimeout (required) int Sysctl setting net.ipv4.tcp_fin_timeout.
netIpv4TcpkeepaliveIntvl (required) int Sysctl setting net.ipv4.tcp_keepalive_intvl.
netIpv4TcpKeepaliveProbes (required) int Sysctl setting net.ipv4.tcp_keepalive_probes.
netIpv4TcpKeepaliveTime (required) int Sysctl setting net.ipv4.tcp_keepalive_time.
netIpv4TcpMaxSynBacklog (required) int Sysctl setting net.ipv4.tcp_max_syn_backlog.
netIpv4TcpMaxTwBuckets (required) int Sysctl setting net.ipv4.tcp_max_tw_buckets.
netIpv4TcpTwReuse (required) bool Sysctl setting net.ipv4.tcp_tw_reuse.
netNetfilterNfConntrackBuckets (required) int Sysctl setting net.netfilter.nf_conntrack_buckets.
netNetfilterNfConntrackMax (required) int Sysctl setting net.netfilter.nf_conntrack_max.
vmMaxMapCount (required) int Sysctl setting vm.max_map_count.
vmSwappiness (required) int Sysctl setting vm.swappiness.
vmVfsCachePressure (required) int Sysctl setting vm.vfs_cache_pressure.

agentPoolNetworkProfile

Property Value Description
allowedHostPorts (required) portRange[] The port ranges that are allowed to be accessed. The specified ranges are allowed to overlap.
applicationSecurityGroups string[] The IDs of the application security groups which agent pool will associate when created.
nodePublicIPTags iPTag[] IPTags of instance-level public IPs.

portRange

Property Value Description
portEnd (required) int The maximum port that is included in the range. It must be in the range 1 to 65535 and be greater than or equal to portStart.
portStart (required) int The minimum port that is included in the range. It must be in the range 1 to 65535 and be less than or equal to portEnd.
protocol (required) 'TCP' | 'UDP' The network protocol of the port.

iPTag

Property Value Description
ipTagType (required) string The IP tag type. Example: RoutingPreference
tag (required) string The value of the IP tag associated with the public IP. Example: Internet.

managedClusterAPIServerAccessProfile

Property Value Description
authorizedIPRanges string[] IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. For more information see API server authorized IP ranges.
disableRunCommand bool Whether to disable run command for the cluster or not.
enablePrivateCluster (required) bool For more details, see Creating a private AKS cluster.
enablePrivateClusterPublicFQDN (required) bool Whether to create additional public FQDN for private cluster or not.
enableVnetIntegration bool Whether to enable apiserver vnet integration for the cluster or not.
privateDNSZone 'none' | 'system' The default is System. For more details see configure private DNS zone. Allowed values are system and none.
subnetId string The subnet to be used when apiserver vnet integration is enabled. It is required when: 1. creating a new cluster with BYO Vnet; 2. updating an existing cluster to enable apiserver vnet integration.

managedClusterPropertiesAutoScalerProfile

Property Value Description
balanceSimilarNodeGroups (required) 'false' | 'true' Valid values are true and false.
expander 'least-waste' | 'most-pods' | 'priority' | 'random' If not specified, the default is random. See expanders for more information.
maxEmptyBulkDelete int The default is 10.
maxGracefulTerminationSec int The default is 600.
maxNodeProvisionTime string The default is 15m. Values must be an integer followed by an m. No unit of time other than minutes (m) is supported.
maxTotalUnreadyPercentage int The default is 45. The maximum is 100 and the minimum is 0.
newPodScaleUpDelay string For scenarios like burst/batch scale where you don't want CA to act before the Kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. The default is 0s. Values must be an integer followed by a unit (s for seconds, m for minutes, h for hours, etc.).
okTotalUnreadyCount int This must be an integer. The default is 3.
scaleDownDelayAfterAdd string The default is 10m. Values must be an integer followed by an m. No unit of time other than minutes (m) is supported.
scaleDownDelayAfterDelete string The default is the scan-interval. Values must be an integer followed by an m. No unit of time other than minutes (m) is supported.
scaleDownDelayAfterFailure string The default is 3m. Values must be an integer followed by an m. No unit of time other than minutes (m) is supported.
scaleDownUnneededTime string The default is 10m. Values must be an integer followed by an m. No unit of time other than minutes (m) is supported.
scaleDownUnreadyTime string The default is 20m. Values must be an integer followed by an m. No unit of time other than minutes (m) is supported.
scaleDownUtilizationThreshold string The default is 0.5.
scanInterval int The default is 10. Values must be an integer number of seconds.
skipNodesWithLocalStorage 'false' | 'true' The default is true.
skipNodesWithSystemPods 'false' | 'true' The default is true.

managedClusterAutoUpgradeProfile

Property Value Description
nodeOSUpgradeChannel 'NodeImage' | 'None' | 'SecurityPatch' | 'Unmanaged' The default is Unmanaged, but may change to either NodeImage or SecurityPatch at GA.
upgradeChannel (required) 'node-image' | 'none' | 'patch' | 'rapid' | 'stable' For more information see setting the AKS cluster auto-upgrade channel.

managedClusterAzureMonitorProfile

Property Value Description
metrics (required) metrics Metrics profile for the Prometheus service addon.

kubeStateMetrics

Property Value Description
metricAnnotationsAllowList string Comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric.
metricLabelsAllowlist string Comma-separated list of Kubernetes annotation keys that will be used in the resource's labels metric.

metrics

Property Value Description
enabled (required) bool Whether to enable the Prometheus collector.
kubeStateMetrics (required) kubeStateMetrics Kube State Metrics for the Prometheus addon profile for the container service cluster.

managedClusterAzureMonitorProfileLogs

Property Value Description
appMonitoringEnabled bool Application Monitoring Profile for Kubernetes Application Container. Collects application logs, metrics and traces through auto-instrumentation of the application using Azure Monitor OpenTelemetry based SDKs. See aka.ms/AzureMonitorApplicationMonitoring for an overview.
containerInsights managedClusterAzureMonitorProfileContainerInsights Azure Monitor Container Insights Profile for Kubernetes Events, Inventory and Container stdout & stderr logs etc. See aka.ms/AzureMonitorContainerInsights for an overview.

managedClusterAzureMonitorProfileContainerInsights

Property Value Description
enabled (required) bool Indicates if Azure Monitor Container Insights Logs Addon is enabled or not.
logAnalyticsWorkspaceResourceId (required) string Fully Qualified ARM Resource Id of Azure Log Analytics Workspace for storing Azure Monitor Container Insights Logs.
windowsHostLogsEnabled (required) bool Windows Host Logs Profile for Kubernetes Windows Nodes Log Collection. Collects ETW, Event Logs and Text logs etc. See aka.ms/AzureMonitorContainerInsights for an overview.

guardrailsProfile

Property Value Description
excludedNamespaces string[] List of namespaces excluded from guardrails checks.
level (required) 'Enforcement' | 'Off' | 'Warning' The guardrails level to be used. By default, Guardrails is enabled for all namespaces except those that AKS excludes via systemExcludedNamespaces.
version string The version of constraints to use.

managedClusterHttpProxyConfig

Property Value Description
httpProxy (required) string The HTTP proxy server endpoint to use.
httpsProxy (required) string The HTTPS proxy server endpoint to use.
noProxy (required) string[] The endpoints that should not go through proxy.
trustedCa (required) string Alternative CA cert to use for connecting to proxy servers.

managedClusterIngressProfile

Property Value Description
webAppRouting (required) webAppRouting Web App Routing settings for the ingress profile.

webAppRouting

Property Value Description
dnsZoneResourceIds (required) string[] Resource IDs of the public DNS zones to be associated with the Web App Routing add-on. Used only when Web App Routing is enabled. All public DNS zones must be in the same resource group.
enabled (required) bool Whether to enable Web App Routing.

containerServiceLinuxProfile

Property Value Description
adminUsername (required) string The administrator username to use for Linux VMs.
ssh (required) ssh The SSH configuration for Linux-based VMs running on Azure.

ssh

Property Value Description
publicKeys (required) containerServiceSshPublicKey[] The list of SSH public keys used to authenticate with Linux-based VMs. A maximum of 1 key may be specified.

containerServiceSshPublicKey

Property Value Description
keyData (required) string Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers.

containerServiceNetworkProfile

Property Value Description
dnsServiceIP string An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr.
ipFamilies Array containing any of: 'IPv4' | 'IPv6' IP families are used to determine single-stack or dual-stack clusters. For single-stack, the expected value is IPv4. For dual-stack, the expected values are IPv4 and IPv6.
kubeProxyConfig containerServiceNetworkProfileKubeProxyConfig Holds configuration customizations for kube-proxy. Any values not defined will use the kube-proxy defaulting behavior. See https://v{version}.docs.kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/ where {version} is represented by a {major version}-{minor version} string. Kubernetes version 1.23 would be 1-23.
loadBalancerProfile managedClusterLoadBalancerProfile Profile of the cluster load balancer.
loadBalancerSku 'Basic' | 'Standard' The default is standard. See Azure Load Balancer SKUs for more information about the differences between load balancer SKUs.
monitoringEnabled bool This addon can be used to configure network monitoring and generate network monitoring data in Prometheus format.
natGatewayProfile managedClusterNATGatewayProfile Profile of the cluster NAT gateway.
networkDataplane 'azure' | 'cilium' Network dataplane used in the Kubernetes cluster.
networkMode 'bridge' | 'transparent' This cannot be specified if networkPlugin is anything other than azure.
networkPlugin 'azure' | 'kubenet' | 'none' Network plugin used for building the Kubernetes network.
networkPluginMode 'overlay' Network plugin mode used for building the Kubernetes network.
networkPolicy 'azure' | 'calico' | 'cilium' Network policy used for building the Kubernetes network.
outboundType 'loadBalancer' | 'managedNATGateway' | 'userAssignedNATGateway' | 'userDefinedRouting' This can only be set at cluster creation time and cannot be changed later. For more information see egress outbound type.
podCidr string A CIDR notation IP range from which to assign pod IPs when kubenet is used.
podCidrs string[] One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking.
serviceCidr string A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges.
serviceCidrs string[] One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking. They must not overlap with any Subnet IP ranges.

containerServiceNetworkProfileKubeProxyConfig

Property Value Description
enabled bool Whether to enable kube-proxy on the cluster (if no kubeProxyConfig exists, kube-proxy is enabled in AKS by default without these customizations).
ipvsConfig containerServiceNetworkProfileKubeProxyConfigIpvsConfig Holds configuration customizations for IPVS. May only be specified if mode is set to IPVS.
mode (required) 'IPTABLES' | 'IPVS' Specify which proxy mode to use (IPTABLES or IPVS).

containerServiceNetworkProfileKubeProxyConfigIpvsConfig

Property Value Description
scheduler (required) 'LeastConnection' | 'RoundRobin' IPVS scheduler; for more information please see http://www.linuxvirtualserver.org/docs/scheduling.html.
tcpFinTimeoutSeconds (required) int The timeout value used for IPVS TCP sessions after receiving a FIN in seconds. Must be a positive integer value.
tcpTimeoutSeconds (required) int The timeout value used for idle IPVS TCP sessions in seconds. Must be a positive integer value.
udpTimeoutSeconds (required) int The timeout value used for IPVS UDP packets in seconds. Must be a positive integer value.

managedClusterLoadBalancerProfile

Property Value Description
allocatedOutboundPorts int The desired number of allocated SNAT ports per VM. Allowed values are in the range of 0 to 64000 (inclusive). The default value is 0 which results in Azure dynamically allocating ports.
backendPoolType (required) 'nodeIP' | 'nodeIPConfiguration' The type of the managed inbound Load Balancer BackendPool.
enableMultipleStandardLoadBalancers bool Enable multiple standard load balancers per AKS cluster or not.
idleTimeoutInMinutes int Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 30 minutes.
managedOutboundIPs managedOutboundIPs Desired managed outbound IPs for the cluster load balancer.
outboundIPPrefixes outboundIPPrefixes Desired outbound IP Prefix resources for the cluster load balancer.
outboundIPs outboundIPs Desired outbound IP resources for the cluster load balancer.

managedOutboundIPs

Property Value Description
count int The desired number of IPv4 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1.
countIPv6 int The desired number of IPv6 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack.

publicIPPrefixes

Property Value Description
id (required) string Resource ID.

outboundIPPrefixes

Property Value Description
publicIPPrefixes (required) publicIPPrefixes[] A list of public IP prefix resources.

publicIPs

Property Value Description
id (required) string Resource ID.

outboundIPs

Property Value Description
publicIPs (required) publicIPs[] A list of public IP resources.

managedClusterNATGatewayProfile

Property Value Description
idleTimeoutInMinutes int Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 4 minutes.
managedOutboundIPProfile (required) managedOutboundIPProfile Profile of the managed outbound IP resources of the cluster NAT gateway.

managedOutboundIPProfile

Property Value Description
count int The desired number of outbound IPs created/managed by Azure. Allowed values must be in the range of 1 to 16 (inclusive). The default value is 1.

managedClusterPodIdentityProfile

Property Value Description
allowNetworkPluginKubenet (required) bool Running in Kubenet is disabled by default due to the security-related nature of AAD Pod Identity and the risks of IP spoofing. See using Kubenet network plugin with AAD Pod Identity for more information.
enabled (required) bool Whether the pod identity addon is enabled.
userAssignedIdentities (required) managedClusterPodIdentity[] The pod identities to use in the cluster.
userAssignedIdentityExceptions (required) managedClusterPodIdentityException[] The pod identity exceptions to allow.

managedClusterPodIdentity

Property Value Description
bindingSelector (required) string The binding selector to use for the AzureIdentityBinding resource.
identity (required) identity The user assigned identity details.
name (required) string The name of the pod identity.
namespace (required) string The namespace of the pod identity.

managedClusterPodIdentityException

Property Value Description
name (required) string The name of the pod identity exception.
namespace (required) string The namespace of the pod identity exception.
podLabels (required) object The pod labels to match.

managedClusterSecurityProfile

Property Value Description
azureKeyVaultKms azureKeyVaultKms Azure Key Vault key management service settings for the security profile.
customCATrustCertificates string[] A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the Custom CA Trust feature enabled. For more information see Custom CA Trust Certificates.
defender defender Microsoft Defender settings for the security profile.
imageCleaner imageCleaner Image Cleaner settings for the security profile.
workloadIdentity workloadIdentity Workload identity settings for the security profile. Workload identity enables Kubernetes applications to access Azure cloud resources securely with Azure AD. See https://aka.ms/aks/wi for more details.

azureKeyVaultKms

Property Value Description
enabled bool Whether to enable Azure Key Vault key management service. The default is false.
keyId string Identifier of Azure Key Vault key. See key identifier format for more details. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier. When Azure Key Vault key management service is disabled, leave the field empty.
keyVaultNetworkAccess 'Private'
'Public'
Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public.
keyVaultResourceId string Resource ID of key vault. When keyVaultNetworkAccess is Private, this field is required and must be a valid resource ID. When keyVaultNetworkAccess is Public, leave the field empty.

securityMonitoring

Property Value Description
enabled (required) bool Whether to enable Defender threat detection.

defender

Property Value Description
logAnalyticsWorkspaceResourceId (required) string Resource ID of the Log Analytics workspace to be associated with Microsoft Defender. When Microsoft Defender is enabled, this field is required and must be a valid workspace resource ID. When Microsoft Defender is disabled, leave the field empty.
securityMonitoring securityMonitoring Microsoft Defender threat detection for Cloud settings for the security profile.

imageCleaner

Property Value Description
enabled (required) bool Whether to enable Image Cleaner on AKS cluster.
intervalHours int Image Cleaner scanning interval in hours.

workloadIdentity

Property Value Description
enabled (required) bool Whether to enable workload identity.
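
The security profile tables above carry several cross-field rules: keyId is required only while KMS is enabled, keyVaultResourceId only while keyVaultNetworkAccess is Private, customCATrustCertificates holds at most 10 base64-encoded CAs, and the Defender workspace ID is required only while securityMonitoring is enabled. The following Python check is added here as an example and is not part of this module; it applies those rules to a parameter object before deployment. The sample profiles, subscription, vault and workspace IDs, and the stand-in CA blob are constructed. Treating the key version as optional and checking vault IDs against Microsoft.KeyVault/vaults are assumptions, not rules stated on this page.

```python
"""Pre-deployment checks for a managedClusterSecurityProfile object.

Added example (not the module's own code): it applies the cross-field rules
stated in the property tables to a parameter object before deployment.
All sample profiles and resource IDs below are constructed, not real.
"""
import base64
import binascii
import re

# ARM resource ID: /subscriptions/{sub}/resourceGroups/{rg}/providers/{ns}/{type}/{name}
_RESOURCE_ID = re.compile(
    r"^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+"
    r"/providers/(?P<type>[^/]+/[^/]+)/[^/]+$"
)
# Key Vault key identifier: https://{vault}.vault.azure.net/keys/{key}/{version}
# The 32-hex-char version is accepted but not required here (assumption).
_KEY_ID = re.compile(
    r"^https://[a-z0-9-]+\.vault\.[a-z0-9.]+/keys/[A-Za-z0-9-]+(/[0-9a-f]{32})?$"
)


def _is_resource_id(value: str, resource_type: str) -> bool:
    """True if value is an ARM resource ID of the given provider/type (case-insensitive)."""
    m = _RESOURCE_ID.match(value or "")
    return bool(m) and m.group("type").lower() == resource_type.lower()


def _is_base64(value: str) -> bool:
    """True if value is non-empty, correctly padded standard base64."""
    if not value:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def validate_security_profile(profile: dict) -> list[str]:
    """Return a list of findings; an empty list means the documented rules hold."""
    findings: list[str] = []

    kms = profile.get("azureKeyVaultKms") or {}
    if kms.get("enabled"):
        if not _KEY_ID.match(kms.get("keyId") or ""):
            findings.append("azureKeyVaultKms.keyId: required and must be a valid key identifier when KMS is enabled")
        access = kms.get("keyVaultNetworkAccess", "Public")
        vault_id = kms.get("keyVaultResourceId") or ""
        if access not in ("Public", "Private"):
            findings.append(f"azureKeyVaultKms.keyVaultNetworkAccess: {access!r} is not Public or Private")
        elif access == "Private" and not _is_resource_id(vault_id, "Microsoft.KeyVault/vaults"):
            findings.append("azureKeyVaultKms.keyVaultResourceId: required and must be a Key Vault resource ID when keyVaultNetworkAccess is Private")
        elif access == "Public" and vault_id:
            findings.append("azureKeyVaultKms.keyVaultResourceId: leave empty when keyVaultNetworkAccess is Public")
    elif kms.get("keyId"):
        findings.append("azureKeyVaultKms.keyId: leave empty when KMS is disabled")

    cas = profile.get("customCATrustCertificates") or []
    if len(cas) > 10:
        findings.append(f"customCATrustCertificates: {len(cas)} entries, the limit is 10")
    for i, ca in enumerate(cas):
        if not _is_base64(ca):
            findings.append(f"customCATrustCertificates[{i}]: not base64 encoded")

    defender = profile.get("defender") or {}
    monitoring_on = bool((defender.get("securityMonitoring") or {}).get("enabled"))
    workspace = defender.get("logAnalyticsWorkspaceResourceId") or ""
    if monitoring_on and not _is_resource_id(workspace, "Microsoft.OperationalInsights/workspaces"):
        findings.append("defender.logAnalyticsWorkspaceResourceId: required and must be a Log Analytics workspace resource ID when Defender is enabled")
    elif not monitoring_on and workspace:
        findings.append("defender.logAnalyticsWorkspaceResourceId: leave empty when Defender is disabled")

    return findings


# Constructed samples: the subscription ID, vault and workspace names are placeholders.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-aks-prd"
# Stand-in for a base64-encoded PEM CA; the bytes are not a real certificate.
_FAKE_CA_B64 = base64.b64encode(b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n").decode()

HARDENED_PROFILE = {
    "azureKeyVaultKms": {
        "enabled": True,
        "keyId": "https://kv-aks-kms.vault.azure.net/keys/aks-etcd/0123456789abcdef0123456789abcdef",
        "keyVaultNetworkAccess": "Private",
        "keyVaultResourceId": f"{_SUB}/providers/Microsoft.KeyVault/vaults/kv-aks-kms",
    },
    "customCATrustCertificates": [_FAKE_CA_B64],
    "defender": {
        "logAnalyticsWorkspaceResourceId": f"{_SUB}/providers/Microsoft.OperationalInsights/workspaces/law-sec",
        "securityMonitoring": {"enabled": True},
    },
    "imageCleaner": {"enabled": True, "intervalHours": 24},
    "workloadIdentity": {"enabled": True},
}

WEAK_PROFILE = {
    "azureKeyVaultKms": {"enabled": True, "keyVaultNetworkAccess": "Private"},  # no keyId, no vault ID
    "customCATrustCertificates": ["-----BEGIN CERTIFICATE-----"],             # raw PEM, not base64
    "defender": {"logAnalyticsWorkspaceResourceId": "", "securityMonitoring": {"enabled": True}},
    "imageCleaner": {"enabled": False},
    "workloadIdentity": {"enabled": False},
}

if __name__ == "__main__":
    for label, profile in (("hardened", HARDENED_PROFILE), ("weak", WEAK_PROFILE)):
        print(f"{label}: {validate_security_profile(profile) or ['ok']}")
```

Run the file directly to see the hardened profile pass and the weak one produce four findings, or import validate_security_profile into a pipeline step that reads the parameters file and fails the job when the list is non-empty.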

serviceMeshProfile

Property Value Description
istio (required) istio Istio service mesh configuration.
mode (required) 'Disabled'
'Istio'
Mode of the service mesh.

plugin

Property Value Description
certChainObjectName (required) string Certificate chain object name in Azure Key Vault.
certObjectName (required) string Intermediate certificate object name in Azure Key Vault.
keyObjectName (required) string Intermediate certificate private key object name in Azure Key Vault.
keyVaultId (required) string The resource ID of the Key Vault.
rootCertObjectName (required) string Root certificate object name in Azure Key Vault.

certificateAuthority

Property Value Description
plugin (required) plugin Plugin certificates information for Service Mesh.

components

Property Value Description
ingressGateways (required) istioIngressGateway[] Istio ingress gateways.

istio

Property Value Description
certificateAuthority (required) certificateAuthority Istio Service Mesh Certificate Authority (CA) configuration. For now, we only support plugin certificates as described here https://aka.ms/asm-plugin-ca
components (required) components Istio components configuration.
revisions (required) string[] The list of revisions of the Istio control plane. When an upgrade is not in progress, this holds one value. When canary upgrade is in progress, this can only hold two consecutive values. For more information, see: https://learn.microsoft.com/azure/aks/istio-upgrade

istioIngressGateway

Property Value Description
enabled (required) bool Whether to enable the ingress gateway.
mode (required) 'External'
'Internal'
Mode of an ingress gateway.

managedClusterWindowsProfile

Property Value Description
adminPassword (required) string Specifies the password of the administrator account.
adminUsername (required) string Specifies the name of the administrator account.
enableCSIProxy (required) bool For more details on CSI proxy, see the CSI proxy GitHub repo.
gmsaProfile gmsaProfile The Windows gMSA Profile in the Managed Cluster.
licenseType (required) 'None'
'Windows_Server'
The license type to use for Windows VMs. See Azure Hybrid User Benefits for more details.

gmsaProfile

Property Value Description
dnsServer string Specifies the DNS server for Windows gMSA. Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster.
enabled bool Specifies whether to enable Windows gMSA in the managed cluster.
rootDomainName string Specifies the root domain name for Windows gMSA. Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster.

managedClusterWorkloadAutoScalerProfile

Property Value Description
kedaEnabled bool Whether to enable KEDA (Kubernetes Event-driven Autoscaling) in the workload auto-scaler profile.
verticalPodAutoscalerEnabled bool Whether to enable the Vertical Pod Autoscaler (VPA). The default value is false.

managedClusterPrivateLinkResources

Property Value Description
groupId (required) string The group ID of the resource.
id (required) string The ID of the private link resource.
name string The name of the private link resource.
requiredMembers string[] The RequiredMembers of the resource
type string The resource type.

diagnosticLogSettings

Set the resourceType property to specify the type of object.

For Custom, use:

Property Value Description
resourceType (required) 'Custom'
category string Name of a Diagnostic Log category for a resource type this setting is applied to. To obtain the list of Diagnostic Log categories for a resource, first perform a GET diagnostic settings operation.
categoryGroup string Name of a Diagnostic Log category group for a resource type this setting is applied to. To obtain the list of Diagnostic Log categories for a resource, first perform a GET diagnostic settings operation.
enabled bool a value indicating whether this log is enabled. (default: Enabled)
retentionPolicy retentionPolicy the retention policy for this log.

Set the resourceType property to specify the type of object.

For App Service Plan, use:

Property Value Description
resourceType (required) 'App Service Plan'

Set the resourceType property to specify the type of object.

For Azure Firewall, use:

Property Value Description
resourceType (required) 'Azure Firewall'
category 'AZFWApplicationRule'
'AZFWApplicationRuleAggregation'
'AZFWDnsQuery'
'AZFWFatFlow'
'AZFWFlowTrace'
'AZFWFqdnResolveFailure'
'AZFWIdpsSignature'
'AZFWNatRule'
'AZFWNatRuleAggregation'
'AZFWNetworkRule'
'AZFWNetworkRuleAggregation'
'AZFWThreatIntel'
'AzureFirewallApplicationRule'
'AzureFirewallDnsProxy'
'AzureFirewallNetworkRule'
Name of a Diagnostic Log category for a resource type this setting is applied to. To obtain the list of Diagnostic Log categories for a resource, first perform a GET diagnostic settings operation.
categoryGroup string Name of a Diagnostic Log category group for a resource type this setting is applied to. To obtain the list of Diagnostic Log categories for a resource, first perform a GET diagnostic settings operation.
enabled bool a value indicating whether this log is enabled. (default: Enabled)
retentionPolicy retentionPolicy the retention policy for this log.

Set the resourceType property to specify the type of object.

For Application Gateway, use:

Property Value Description
resourceType (required) 'Application Gateway'
category 'ApplicationGatewayAccessLog'
'ApplicationGatewayFirewallLog'
'ApplicationGatewayPerformanceLog'
Name of a Diagnostic Log category for a resource type this setting is applied to. To obtain the list of Diagnostic Log categories for a resource, first perform a GET diagnostic settings operation.
categoryGroup string Name of a Diagnostic Log category group for a resource type this setting is applied to. To obtain the list of Diagnostic Log categories for a resource, first perform a GET diagnostic settings operation.
enabled bool a value indicating whether this log is enabled. (default: Enabled)
retentionPolicy retentionPolicy the retention policy for this log.

retentionPolicy

Property Value Description
days (required) int The number of days to retain the events. A value of 0 will retain the events indefinitely.
enabled (required) bool a value indicating whether the retention policy is enabled.

diagnosticMetricSettings

Set the resourceType property to specify the type of object.

For Custom, use:

Property Value Description
resourceType (required) 'Custom'
category string Name of a Diagnostic Metric category for a resource type this setting is applied to. To obtain the list of Diagnostic metric categories for a resource, first perform a GET diagnostic settings operation.
enabled (required) bool a value indicating whether this category is enabled. (default: Enabled)
retentionPolicy retentionPolicy the retention policy for this category.
timeGrain string the timegrain of the metric in ISO8601 format.

Set the resourceType property to specify the type of object.

For App Service Plan, use:

Property Value Description
resourceType (required) 'App Service Plan'
category (required) 'AllMetrics' Name of a Diagnostic Metric category for a resource type this setting is applied to. To obtain the list of Diagnostic metric categories for a resource, first perform a GET diagnostic settings operation.
enabled bool a value indicating whether this category is enabled. (default: Enabled)
retentionPolicy retentionPolicy the retention policy for this category.
timeGrain string the timegrain of the metric in ISO8601 format.

Set the resourceType property to specify the type of object.

For Azure Firewall, use:

Property Value Description
resourceType (required) 'Azure Firewall'
category (required) 'AllMetrics' Name of a Diagnostic Metric category for a resource type this setting is applied to. To obtain the list of Diagnostic metric categories for a resource, first perform a GET diagnostic settings operation.
enabled bool a value indicating whether this category is enabled. (default: Enabled)
retentionPolicy retentionPolicy the retention policy for this category.
timeGrain string the timegrain of the metric in ISO8601 format.

Set the resourceType property to specify the type of object.

For Application Gateway, use:

Property Value Description
resourceType (required) 'Application Gateway'
category (required) 'AllMetrics' Name of a Diagnostic Metric category for a resource type this setting is applied to. To obtain the list of Diagnostic metric categories for a resource, first perform a GET diagnostic settings operation.
enabled bool a value indicating whether this category is enabled. (default: Enabled)
retentionPolicy retentionPolicy the retention policy for this category.
timeGrain string the timegrain of the metric in ISO8601 format.

naming

Property Value Description
forceFunctionAsFullName bool Use the function value as the full name of the resource
abbreviation string Override the abbreviation of this resource with this parameter
environment string The resource environment (for example: dev, tst, acc, prd)
location string The resource location (for example: weu, we, westeurope)
customer string The name of the customer
delimiter string The delimiter between resources (default: -)
nameFormat Array containing any of:
'abbreviation'
'customer'
'environment'
'function'
'location'
'param1'
'param2'
'param3'
'useCaseName'
The order of the array defines the order of elements in the naming scheme
param1 string Extra parameter self defined
param2 string Extra parameter self defined
param3 string Extra parameter self defined
function (required) string Function of the resource [can be app, db, security,...]
useCaseName string Name of the use case [can be hub, spoke,...]
suffix string Suffix for the resource. If empty, none will be appended; otherwise it is added to the end [can be index, ...]
forceDefaultNaming bool Force the CAF naming instead of default company naming
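
The naming table above describes how a name is composed: the elements listed in nameFormat are joined in that order with the delimiter (default -), suffix is appended last, abbreviation overrides the resource's default abbreviation, and forceFunctionAsFullName makes the function value the whole name. The Python function below is an added example that follows those stated semantics; it is not the module's implementation. Two things the page does not specify are assumptions here: the default element order (DEFAULT_NAME_FORMAT) and the per-resource default abbreviation, which the caller passes in. Empty elements are skipped and the suffix is joined with the same delimiter (both assumptions), and forceDefaultNaming is not modeled because the page does not define the CAF scheme it selects. The sample naming objects are constructed.

```python
"""Compose a resource name from a `naming` object.

Added example (not the module's implementation): it follows the semantics the
naming table gives (nameFormat order, delimiter default '-', suffix appended
last, forceFunctionAsFullName). The default element order and the default
abbreviation are assumptions; forceDefaultNaming (CAF naming) is not modeled.
"""

# Assumed default order; the module's real default is not documented on this page.
DEFAULT_NAME_FORMAT = ["abbreviation", "customer", "environment", "location", "function", "useCaseName"]

# The element names nameFormat may contain, as listed in the naming table.
KNOWN_ELEMENTS = {"abbreviation", "customer", "environment", "function", "location",
                  "param1", "param2", "param3", "useCaseName"}


def build_name(naming: dict, default_abbreviation: str) -> str:
    """Return the resource name described by `naming`.

    default_abbreviation stands in for the module's built-in abbreviation of the
    resource type (assumption); `abbreviation` in the naming object overrides it.
    """
    function = naming.get("function")
    if not function:
        raise ValueError("naming.function is required")
    if naming.get("forceFunctionAsFullName"):
        # The function value is the full name, so no other element or suffix is added.
        return function

    delimiter = naming.get("delimiter") or "-"
    order = naming.get("nameFormat") or DEFAULT_NAME_FORMAT
    unknown = [e for e in order if e not in KNOWN_ELEMENTS]
    if unknown:
        raise ValueError(f"nameFormat contains unknown elements: {unknown}")

    values = {
        "abbreviation": naming.get("abbreviation") or default_abbreviation,
        "customer": naming.get("customer"),
        "environment": naming.get("environment"),
        "function": function,
        "location": naming.get("location"),
        "param1": naming.get("param1"),
        "param2": naming.get("param2"),
        "param3": naming.get("param3"),
        "useCaseName": naming.get("useCaseName"),
    }
    # Unset or empty elements are skipped rather than producing a doubled delimiter (assumption).
    parts = [values[e] for e in order if values[e]]
    name = delimiter.join(parts)

    suffix = naming.get("suffix")
    if suffix:
        name = f"{name}{delimiter}{suffix}"  # suffix joined with the same delimiter (assumption)
    return name


# Constructed sample naming objects.
COMPANY_NAMING = {
    "customer": "contoso",
    "environment": "prd",
    "location": "weu",
    "function": "app",
    "useCaseName": "spoke",
}
INDEXED_NAMING = {
    "nameFormat": ["abbreviation", "function", "environment", "location"],
    "delimiter": "_",
    "environment": "dev",
    "location": "we",
    "function": "api",
    "suffix": "001",
}
FULL_NAME_NAMING = {"forceFunctionAsFullName": True, "function": "legacy-cluster-01", "suffix": "zzz"}

if __name__ == "__main__":
    for n in (COMPANY_NAMING, INDEXED_NAMING, FULL_NAME_NAMING):
        print(build_name(n, default_abbreviation="aks"))
```

Running the file prints aks-contoso-prd-weu-app-spoke, aks_api_dev_we_001 and legacy-cluster-01, which makes the effect of nameFormat, delimiter, suffix and forceFunctionAsFullName visible before a deployment creates resources under names that cannot be changed afterwards.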

resourceLock

Property Value Description
name string Character limit: 1-90. Valid characters: Alphanumerics, periods, underscores, hyphens, and parenthesis. Can't end in period.
level (required) 'CanNotDelete'
'ReadOnly'
The level of the lock. Possible values are: CanNotDelete and ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can't modify or delete it. Read-Only locks must be commented out to be able to deploy again.
notes string Notes about the lock. Maximum of 512 characters.
owners resourceLockOwner[] The owners of the lock

resourceLockOwner

Property Value Description
applicationId (required) string The application ID of the lock owner.

roleAssignment

Property Value Description
principalId (required) string The principal ID
roleDefinitionId (required) string The role definition ID; a data file can be used for this
condition string Condition on the role assignment
conditionVersion string Version of the condition. Currently the only accepted value is "2.0"
delegatedManagedIdentityResourceId string Id of the delegated managed identity resource
description string Description of role assignment

diagnosticSetting

Property Value Description
name (required) string The resource name
eventHubAuthorizationRuleId string The resource Id for the event hub authorization rule.
eventHubName string The name of the event hub. If none is specified, the default event hub will be selected.
logAnalyticsDestinationType string A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type constructed as follows: {normalized service identity}_{normalized category name}. Possible values are: Dedicated and null (null is default.)
logs diagnosticLogSettings[] The list of logs settings.
marketplacePartnerId string The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
metrics diagnosticMetricSettings[] The list of metric settings.
serviceBusRuleId string The service bus rule Id of the diagnostic setting. This is here to maintain backwards compatibility.
storageAccountId string The resource ID of the storage account to which you would like to send Diagnostic Logs.
workspaceId string The full ARM resource ID of the Log Analytics workspace to which you would like to send Diagnostic Logs. Example: /subscriptions/4b9e8510-67ab-4e9a-95a9-e2f1e570ea9c/resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/viruela2

general

Property Value Description
tags object Tags of the resource [hashtable]
location (required) string Location of the resource
naming (required) naming Naming module of the resource
resourceGroupName (required) string Name of the resource group where the resource should be located
sharedNaming (required) naming Reference to the default naming
roleAssignments roleAssignment[] Role assignments on the resource
resourceLocks resourceLock[] Resource Locks on the resource
Property Value Description
pepNaming naming Name of the private endpoint
nicNaming naming Name of the network interface of the private endpoint
privateLinkNaming naming Name of the private link connection
subnets (required) subnets[] Id of the subnets and optionally the name of the resourcegroup in which the private endpoint should be created
dnsZoneIds (required) string[] List of DNS zone ids that need to be linked

subnets

Property Value Description
resourceGroupName string Resource group of the subnet. Resolution order: the resource group defined here, then the resource group of the private endpoint resource, then the resource group of the subnet
id (required) string Id of the subnet
location string Location if Vnet is in different location

Changelog

7.3.0 (2025-11-19)

Features

  • add parameter nodePools to allow pool creation after initial deployment of cluster

7.2.0 (2025-10-20)

Features

  • add diagnostic log settings

7.1.0 (2025-10-07)

Features

  • update resource api version

7.0.1 (2025-09-24)

Bug Fixes

  • remove deployment name + cleanup

7.0.0 (2025-09-24)

⚠ BREAKING CHANGES

  • remove deprecated outputs

Bug Fixes

  • remove deprecated outputs

6.0.1 (2025-07-24)

Bug Fixes

  • add missing properties in API Server Access Profile

6.0.0 (2025-05-05)

⚠ BREAKING CHANGES

  • update api version and fix type inaccuracies

Features

  • update api version and fix type inaccuracies

5.1.1 (2025-04-11)

Bug Fixes

  • naming connected resources when forceFunctionAsFullName or forceDefaultNaming is true

5.1.0 (2025-03-26)

Features

  • add resourceName output

5.0.0 (2025-03-17)

⚠ BREAKING CHANGES

  • remove role-assignment principalType parameter

Features

  • remove role-assignment principalType parameter

4.0.0 (2025-01-03)

⚠ BREAKING CHANGES

  • use new toObject function for UserAssignedIdentities. Only breaking when using managed identities.

Features

  • use new toObject function for UserAssignedIdentities. Only breaking when using managed identities.

3.2.2 (2024-12-03)

Bug Fixes

  • test release-please fix simulation