Note: Pulumi recommends the Azure Native provider for new projects; this page documents the classic Azure provider (`@pulumi/azure`).
azure.containerservice.KubernetesCluster
Manages a Managed Kubernetes Cluster (also known as AKS / Azure Kubernetes Service)
Example Usage
This example provisions a basic Managed Kubernetes Cluster with a single node pool and a system-assigned managed identity. It leaves API-server access restrictions, Azure AD RBAC, local accounts and private-cluster settings at the provider defaults (see `api_server_access_profile`, `azure_active_directory_role_based_access_control`, `local_account_disabled` and `private_cluster_enabled` below), so treat it as a starting point rather than a hardened configuration, and note that the exported kubeconfig and client certificate are cluster-admin credentials.
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
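// Resource group that holds the cluster.
const example = new azure.core.ResourceGroup("example", {
    name: "example-resources",
    location: "West Europe",
});

// Minimal AKS cluster: one node pool and a system-assigned managed identity.
// NOTE(review): apiServerAccessProfile, azureActiveDirectoryRoleBasedAccessControl,
// localAccountDisabled and privateClusterEnabled are left unset here; confirm the
// provider defaults are acceptable before reusing this for a cluster tagged Production.
const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
    name: "example-aks1",
    location: example.location,
    resourceGroupName: example.name,
    dnsPrefix: "exampleaks1",
    defaultNodePool: {
        name: "default",
        nodeCount: 1,
        vmSize: "Standard_D2_v2",
    },
    identity: {
        type: "SystemAssigned",
    },
    tags: {
        Environment: "Production",
    },
});

// Both outputs are cluster-admin credentials. Mark them secret explicitly so they are
// encrypted in the stack state and redacted in CLI output, rather than relying on the
// provider schema to do so.
export const clientCertificate = pulumi.secret(
    exampleKubernetesCluster.kubeConfigs.apply(kubeConfigs => kubeConfigs[0].clientCertificate));
export const kubeConfig = pulumi.secret(exampleKubernetesCluster.kubeConfigRaw);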
import pulumi
import pulumi_azure as azure
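# Resource group that holds the cluster.
example = azure.core.ResourceGroup("example",
    name="example-resources",
    location="West Europe")

# Minimal AKS cluster: one node pool and a system-assigned managed identity.
# NOTE(review): api_server_access_profile, azure_active_directory_role_based_access_control,
# local_account_disabled and private_cluster_enabled are left unset here; confirm the
# provider defaults are acceptable before reusing this for a cluster tagged Production.
example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
    name="example-aks1",
    location=example.location,
    resource_group_name=example.name,
    dns_prefix="exampleaks1",
    default_node_pool={
        "name": "default",
        "node_count": 1,
        "vm_size": "Standard_D2_v2",
    },
    identity={
        "type": "SystemAssigned",
    },
    tags={
        "Environment": "Production",
    })

# Both outputs are cluster-admin credentials. Mark them secret explicitly so they are
# encrypted in the stack state and redacted in CLI output, rather than relying on the
# provider schema to do so.
pulumi.export("clientCertificate",
              pulumi.Output.secret(example_kubernetes_cluster.kube_configs[0].client_certificate))
pulumi.export("kubeConfig", pulumi.Output.secret(example_kubernetes_cluster.kube_config_raw))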
package main
import (
	"fmt"

	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/containerservice"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
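func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Resource group that holds the cluster.
		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
			Name:     pulumi.String("example-resources"),
			Location: pulumi.String("West Europe"),
		})
		if err != nil {
			return err
		}
		// Minimal AKS cluster: one node pool and a system-assigned managed identity.
		// NOTE(review): ApiServerAccessProfile, AzureActiveDirectoryRoleBasedAccessControl,
		// LocalAccountDisabled and PrivateClusterEnabled are left unset here; confirm the
		// provider defaults are acceptable before reusing this for a cluster tagged Production.
		exampleKubernetesCluster, err := containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
			Name:              pulumi.String("example-aks1"),
			Location:          example.Location,
			ResourceGroupName: example.Name,
			DnsPrefix:         pulumi.String("exampleaks1"),
			DefaultNodePool: &containerservice.KubernetesClusterDefaultNodePoolArgs{
				Name:      pulumi.String("default"),
				NodeCount: pulumi.Int(1),
				VmSize:    pulumi.String("Standard_D2_v2"),
			},
			Identity: &containerservice.KubernetesClusterIdentityArgs{
				Type: pulumi.String("SystemAssigned"),
			},
			Tags: pulumi.StringMap{
				"Environment": pulumi.String("Production"),
			},
		})
		if err != nil {
			return err
		}
		// Guard the index: an empty KubeConfigs slice would otherwise panic inside the apply
		// instead of surfacing as a deployment error.
		clientCertificate := exampleKubernetesCluster.KubeConfigs.ApplyT(func(kubeConfigs []containerservice.KubernetesClusterKubeConfig) (*string, error) {
			if len(kubeConfigs) == 0 {
				return nil, fmt.Errorf("cluster %q returned no kube configs", "example-aks1")
			}
			return &kubeConfigs[0].ClientCertificate, nil
		}).(pulumi.StringPtrOutput)
		// Both outputs are cluster-admin credentials. Mark them secret explicitly so they are
		// encrypted in the stack state and redacted in CLI output.
		ctx.Export("clientCertificate", pulumi.ToSecret(clientCertificate))
		ctx.Export("kubeConfig", pulumi.ToSecret(exampleKubernetesCluster.KubeConfigRaw))
		return nil
	})
}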
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
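return await Deployment.RunAsync(() =>
{
    // Resource group that holds the cluster.
    var example = new Azure.Core.ResourceGroup("example", new()
    {
        Name = "example-resources",
        Location = "West Europe",
    });

    // Minimal AKS cluster: one node pool and a system-assigned managed identity.
    // NOTE(review): ApiServerAccessProfile, AzureActiveDirectoryRoleBasedAccessControl,
    // LocalAccountDisabled and PrivateClusterEnabled are left unset here; confirm the
    // provider defaults are acceptable before reusing this for a cluster tagged Production.
    var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
    {
        Name = "example-aks1",
        Location = example.Location,
        ResourceGroupName = example.Name,
        DnsPrefix = "exampleaks1",
        DefaultNodePool = new Azure.ContainerService.Inputs.KubernetesClusterDefaultNodePoolArgs
        {
            Name = "default",
            NodeCount = 1,
            VmSize = "Standard_D2_v2",
        },
        Identity = new Azure.ContainerService.Inputs.KubernetesClusterIdentityArgs
        {
            Type = "SystemAssigned",
        },
        Tags =
        {
            { "Environment", "Production" },
        },
    });

    // Both outputs are cluster-admin credentials. Mark them secret explicitly so they are
    // encrypted in the stack state and redacted in CLI output.
    return new Dictionary<string, object?>
    {
        ["clientCertificate"] = Output.CreateSecret(
            exampleKubernetesCluster.KubeConfigs.Apply(kubeConfigs => kubeConfigs[0].ClientCertificate)),
        ["kubeConfig"] = Output.CreateSecret(exampleKubernetesCluster.KubeConfigRaw),
    };
});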
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.containerservice.KubernetesCluster;
import com.pulumi.azure.containerservice.KubernetesClusterArgs;
import com.pulumi.azure.containerservice.inputs.KubernetesClusterDefaultNodePoolArgs;
import com.pulumi.azure.containerservice.inputs.KubernetesClusterIdentityArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
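/** Pulumi program that provisions a minimal AKS cluster and exports its admin credentials. */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the resource group and cluster, then exports the kubeconfig and client certificate.
     *
     * @param ctx the Pulumi deployment context used to register outputs
     */
    public static void stack(Context ctx) {
        // Resource group that holds the cluster.
        var example = new ResourceGroup("example", ResourceGroupArgs.builder()
            .name("example-resources")
            .location("West Europe")
            .build());

        // Minimal AKS cluster: one node pool and a system-assigned managed identity.
        // NOTE(review): apiServerAccessProfile, azureActiveDirectoryRoleBasedAccessControl,
        // localAccountDisabled and privateClusterEnabled are left unset here; confirm the
        // provider defaults are acceptable before reusing this for a cluster tagged Production.
        var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
            .name("example-aks1")
            .location(example.location())
            .resourceGroupName(example.name())
            .dnsPrefix("exampleaks1")
            .defaultNodePool(KubernetesClusterDefaultNodePoolArgs.builder()
                .name("default")
                .nodeCount(1)
                .vmSize("Standard_D2_v2")
                .build())
            .identity(KubernetesClusterIdentityArgs.builder()
                .type("SystemAssigned")
                .build())
            .tags(Map.of("Environment", "Production"))
            .build());

        // Both outputs are cluster-admin credentials. Mark them secret explicitly so they are
        // encrypted in the stack state and redacted in CLI output.
        // kubeConfigs() yields a List, which Java cannot index with []; use get(0).
        ctx.export("clientCertificate", exampleKubernetesCluster.kubeConfigs()
            .applyValue(kubeConfigs -> kubeConfigs.get(0).clientCertificate())
            .asSecret());
        ctx.export("kubeConfig", exampleKubernetesCluster.kubeConfigRaw().asSecret());
    }
}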
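resources:
  # Resource group that holds the cluster.
  example:
    type: azure:core:ResourceGroup
    properties:
      name: example-resources
      location: West Europe
  # Minimal AKS cluster: one node pool and a system-assigned managed identity.
  # NOTE(review): apiServerAccessProfile, azureActiveDirectoryRoleBasedAccessControl,
  # localAccountDisabled and privateClusterEnabled are left unset here; confirm the
  # provider defaults are acceptable before reusing this for a cluster tagged Production.
  exampleKubernetesCluster:
    type: azure:containerservice:KubernetesCluster
    name: example
    properties:
      name: example-aks1
      location: ${example.location}
      resourceGroupName: ${example.name}
      dnsPrefix: exampleaks1
      defaultNodePool:
        name: default
        nodeCount: 1
        vmSize: Standard_D2_v2
      identity:
        type: SystemAssigned
      tags:
        Environment: Production
outputs:
  # Both outputs are cluster-admin credentials. Mark them secret explicitly so they are
  # encrypted in the stack state and redacted in CLI output.
  clientCertificate:
    fn::secret: ${exampleKubernetesCluster.kubeConfigs[0].clientCertificate}
  kubeConfig:
    fn::secret: ${exampleKubernetesCluster.kubeConfigRaw}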
Create KubernetesCluster Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new KubernetesCluster(name: string, args: KubernetesClusterArgs, opts?: CustomResourceOptions);
@overload
def KubernetesCluster(resource_name: str,
args: KubernetesClusterArgs,
opts: Optional[ResourceOptions] = None)
@overload
def KubernetesCluster(resource_name: str,
opts: Optional[ResourceOptions] = None,
default_node_pool: Optional[KubernetesClusterDefaultNodePoolArgs] = None,
resource_group_name: Optional[str] = None,
aci_connector_linux: Optional[KubernetesClusterAciConnectorLinuxArgs] = None,
api_server_access_profile: Optional[KubernetesClusterApiServerAccessProfileArgs] = None,
auto_scaler_profile: Optional[KubernetesClusterAutoScalerProfileArgs] = None,
automatic_upgrade_channel: Optional[str] = None,
azure_active_directory_role_based_access_control: Optional[KubernetesClusterAzureActiveDirectoryRoleBasedAccessControlArgs] = None,
azure_policy_enabled: Optional[bool] = None,
confidential_computing: Optional[KubernetesClusterConfidentialComputingArgs] = None,
cost_analysis_enabled: Optional[bool] = None,
disk_encryption_set_id: Optional[str] = None,
dns_prefix: Optional[str] = None,
dns_prefix_private_cluster: Optional[str] = None,
edge_zone: Optional[str] = None,
http_application_routing_enabled: Optional[bool] = None,
http_proxy_config: Optional[KubernetesClusterHttpProxyConfigArgs] = None,
identity: Optional[KubernetesClusterIdentityArgs] = None,
image_cleaner_enabled: Optional[bool] = None,
image_cleaner_interval_hours: Optional[int] = None,
ingress_application_gateway: Optional[KubernetesClusterIngressApplicationGatewayArgs] = None,
key_management_service: Optional[KubernetesClusterKeyManagementServiceArgs] = None,
key_vault_secrets_provider: Optional[KubernetesClusterKeyVaultSecretsProviderArgs] = None,
kubelet_identity: Optional[KubernetesClusterKubeletIdentityArgs] = None,
kubernetes_version: Optional[str] = None,
linux_profile: Optional[KubernetesClusterLinuxProfileArgs] = None,
local_account_disabled: Optional[bool] = None,
location: Optional[str] = None,
maintenance_window: Optional[KubernetesClusterMaintenanceWindowArgs] = None,
maintenance_window_auto_upgrade: Optional[KubernetesClusterMaintenanceWindowAutoUpgradeArgs] = None,
maintenance_window_node_os: Optional[KubernetesClusterMaintenanceWindowNodeOsArgs] = None,
microsoft_defender: Optional[KubernetesClusterMicrosoftDefenderArgs] = None,
monitor_metrics: Optional[KubernetesClusterMonitorMetricsArgs] = None,
name: Optional[str] = None,
network_profile: Optional[KubernetesClusterNetworkProfileArgs] = None,
node_os_upgrade_channel: Optional[str] = None,
node_resource_group: Optional[str] = None,
oidc_issuer_enabled: Optional[bool] = None,
oms_agent: Optional[KubernetesClusterOmsAgentArgs] = None,
open_service_mesh_enabled: Optional[bool] = None,
private_cluster_enabled: Optional[bool] = None,
private_cluster_public_fqdn_enabled: Optional[bool] = None,
private_dns_zone_id: Optional[str] = None,
role_based_access_control_enabled: Optional[bool] = None,
run_command_enabled: Optional[bool] = None,
service_mesh_profile: Optional[KubernetesClusterServiceMeshProfileArgs] = None,
service_principal: Optional[KubernetesClusterServicePrincipalArgs] = None,
sku_tier: Optional[str] = None,
storage_profile: Optional[KubernetesClusterStorageProfileArgs] = None,
support_plan: Optional[str] = None,
tags: Optional[Mapping[str, str]] = None,
web_app_routing: Optional[KubernetesClusterWebAppRoutingArgs] = None,
windows_profile: Optional[KubernetesClusterWindowsProfileArgs] = None,
workload_autoscaler_profile: Optional[KubernetesClusterWorkloadAutoscalerProfileArgs] = None,
workload_identity_enabled: Optional[bool] = None)
func NewKubernetesCluster(ctx *Context, name string, args KubernetesClusterArgs, opts ...ResourceOption) (*KubernetesCluster, error)
public KubernetesCluster(string name, KubernetesClusterArgs args, CustomResourceOptions? opts = null)
public KubernetesCluster(String name, KubernetesClusterArgs args)
public KubernetesCluster(String name, KubernetesClusterArgs args, CustomResourceOptions options)
type: azure:containerservice:KubernetesCluster
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args KubernetesClusterArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args KubernetesClusterArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args KubernetesClusterArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args KubernetesClusterArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args KubernetesClusterArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference listing: every input property of KubernetesCluster with a placeholder value.
// NOTE(review): the placeholders are not valid inputs. The comments below mark the properties
// a security review normally looks at first; semantics are inferred from the property names and
// should be confirmed against the provider documentation.
var kubernetesClusterResource = new Azure.ContainerService.KubernetesCluster("kubernetesClusterResource", new()
{
    DefaultNodePool = new Azure.ContainerService.Inputs.KubernetesClusterDefaultNodePoolArgs
    {
        Name = "string",
        VmSize = "string",
        OnlyCriticalAddonsEnabled = false,
        MaxCount = 0,
        // NOTE(review): presumably encryption-at-host for node VM disks — confirm; worth enabling for regulated workloads.
        HostEncryptionEnabled = false,
        HostGroupId = "string",
        AutoScalingEnabled = false,
        KubeletDiskType = "string",
        LinuxOsConfig = new Azure.ContainerService.Inputs.KubernetesClusterDefaultNodePoolLinuxOsConfigArgs
        {
            SwapFileSizeMb = 0,
            SysctlConfig = new Azure.ContainerService.Inputs.KubernetesClusterDefaultNodePoolLinuxOsConfigSysctlConfigArgs
            {
                FsAioMaxNr = 0,
                FsFileMax = 0,
                FsInotifyMaxUserWatches = 0,
                FsNrOpen = 0,
                KernelThreadsMax = 0,
                NetCoreNetdevMaxBacklog = 0,
                NetCoreOptmemMax = 0,
                NetCoreRmemDefault = 0,
                NetCoreRmemMax = 0,
                NetCoreSomaxconn = 0,
                NetCoreWmemDefault = 0,
                NetCoreWmemMax = 0,
                NetIpv4IpLocalPortRangeMax = 0,
                NetIpv4IpLocalPortRangeMin = 0,
                NetIpv4NeighDefaultGcThresh1 = 0,
                NetIpv4NeighDefaultGcThresh2 = 0,
                NetIpv4NeighDefaultGcThresh3 = 0,
                NetIpv4TcpFinTimeout = 0,
                NetIpv4TcpKeepaliveIntvl = 0,
                NetIpv4TcpKeepaliveProbes = 0,
                NetIpv4TcpKeepaliveTime = 0,
                NetIpv4TcpMaxSynBacklog = 0,
                NetIpv4TcpMaxTwBuckets = 0,
                NetIpv4TcpTwReuse = false,
                NetNetfilterNfConntrackBuckets = 0,
                NetNetfilterNfConntrackMax = 0,
                VmMaxMapCount = 0,
                VmSwappiness = 0,
                VmVfsCachePressure = 0,
            },
            TransparentHugePageDefrag = "string",
            TransparentHugePageEnabled = "string",
        },
        OrchestratorVersion = "string",
        MaxPods = 0,
        OsDiskSizeGb = 0,
        // NOTE(review): FIPS-validated node image — some compliance baselines require this to be true.
        FipsEnabled = false,
        NodeCount = 0,
        NodeLabels =
        {
            { "string", "string" },
        },
        NodeNetworkProfile = new Azure.ContainerService.Inputs.KubernetesClusterDefaultNodePoolNodeNetworkProfileArgs
        {
            // NOTE(review): host ports opened on the node; keep this list minimal.
            AllowedHostPorts = new[]
            {
                new Azure.ContainerService.Inputs.KubernetesClusterDefaultNodePoolNodeNetworkProfileAllowedHostPortArgs
                {
                    PortEnd = 0,
                    PortStart = 0,
                    Protocol = "string",
                },
            },
            ApplicationSecurityGroupIds = new[]
            {
                "string",
            },
            NodePublicIpTags =
            {
                { "string", "string" },
            },
        },
        // NOTE(review): gives every node a public IP; keep false unless nodes must be directly reachable.
        NodePublicIpEnabled = false,
        NodePublicIpPrefixId = "string",
        KubeletConfig = new Azure.ContainerService.Inputs.KubernetesClusterDefaultNodePoolKubeletConfigArgs
        {
            // NOTE(review): widens the sysctls pods may set on the node; leave empty unless a workload needs one.
            AllowedUnsafeSysctls = new[]
            {
                "string",
            },
            ContainerLogMaxLine = 0,
            ContainerLogMaxSizeMb = 0,
            CpuCfsQuotaEnabled = false,
            CpuCfsQuotaPeriod = "string",
            CpuManagerPolicy = "string",
            ImageGcHighThreshold = 0,
            ImageGcLowThreshold = 0,
            PodMaxPid = 0,
            TopologyManagerPolicy = "string",
        },
        GpuInstance = "string",
        MinCount = 0,
        OsDiskType = "string",
        OsSku = "string",
        PodSubnetId = "string",
        ProximityPlacementGroupId = "string",
        ScaleDownMode = "string",
        SnapshotId = "string",
        Tags =
        {
            { "string", "string" },
        },
        TemporaryNameForRotation = "string",
        Type = "string",
        UltraSsdEnabled = false,
        UpgradeSettings = new Azure.ContainerService.Inputs.KubernetesClusterDefaultNodePoolUpgradeSettingsArgs
        {
            MaxSurge = "string",
            DrainTimeoutInMinutes = 0,
            NodeSoakDurationInMinutes = 0,
        },
        CapacityReservationGroupId = "string",
        VnetSubnetId = "string",
        WorkloadRuntime = "string",
        Zones = new[]
        {
            "string",
        },
    },
    ResourceGroupName = "string",
    AciConnectorLinux = new Azure.ContainerService.Inputs.KubernetesClusterAciConnectorLinuxArgs
    {
        SubnetName = "string",
        ConnectorIdentities = new[]
        {
            new Azure.ContainerService.Inputs.KubernetesClusterAciConnectorLinuxConnectorIdentityArgs
            {
                ClientId = "string",
                ObjectId = "string",
                UserAssignedIdentityId = "string",
            },
        },
    },
    ApiServerAccessProfile = new Azure.ContainerService.Inputs.KubernetesClusterApiServerAccessProfileArgs
    {
        // NOTE(review): source CIDRs permitted to reach the API server; restrict to known egress
        // ranges (or use PrivateClusterEnabled below) for anything beyond a sandbox.
        AuthorizedIpRanges = new[]
        {
            "string",
        },
    },
    AutoScalerProfile = new Azure.ContainerService.Inputs.KubernetesClusterAutoScalerProfileArgs
    {
        BalanceSimilarNodeGroups = false,
        DaemonsetEvictionForEmptyNodesEnabled = false,
        DaemonsetEvictionForOccupiedNodesEnabled = false,
        EmptyBulkDeleteMax = "string",
        Expander = "string",
        IgnoreDaemonsetsUtilizationEnabled = false,
        MaxGracefulTerminationSec = "string",
        MaxNodeProvisioningTime = "string",
        MaxUnreadyNodes = 0,
        MaxUnreadyPercentage = 0,
        NewPodScaleUpDelay = "string",
        ScaleDownDelayAfterAdd = "string",
        ScaleDownDelayAfterDelete = "string",
        ScaleDownDelayAfterFailure = "string",
        ScaleDownUnneeded = "string",
        ScaleDownUnready = "string",
        ScaleDownUtilizationThreshold = "string",
        ScanInterval = "string",
        SkipNodesWithLocalStorage = false,
        SkipNodesWithSystemPods = false,
    },
    AutomaticUpgradeChannel = "string",
    // NOTE(review): Azure AD integration for the Kubernetes API. Admin group object IDs are
    // cluster-admin; keep the list short and audited. AzureRbacEnabled moves authorization to
    // Azure RBAC — pair with LocalAccountDisabled = true to retire the static admin kubeconfig.
    AzureActiveDirectoryRoleBasedAccessControl = new Azure.ContainerService.Inputs.KubernetesClusterAzureActiveDirectoryRoleBasedAccessControlArgs
    {
        AdminGroupObjectIds = new[]
        {
            "string",
        },
        AzureRbacEnabled = false,
        TenantId = "string",
    },
    // NOTE(review): Azure Policy add-on (admission-time policy enforcement); usually wanted in production.
    AzurePolicyEnabled = false,
    ConfidentialComputing = new Azure.ContainerService.Inputs.KubernetesClusterConfidentialComputingArgs
    {
        SgxQuoteHelperEnabled = false,
    },
    CostAnalysisEnabled = false,
    // NOTE(review): customer-managed key for OS/data disks; set when platform-managed keys are not acceptable.
    DiskEncryptionSetId = "string",
    DnsPrefix = "string",
    DnsPrefixPrivateCluster = "string",
    EdgeZone = "string",
    // NOTE(review): the HTTP application routing add-on is generally not intended for production ingress — confirm before enabling.
    HttpApplicationRoutingEnabled = false,
    HttpProxyConfig = new Azure.ContainerService.Inputs.KubernetesClusterHttpProxyConfigArgs
    {
        HttpProxy = "string",
        HttpsProxy = "string",
        NoProxies = new[]
        {
            "string",
        },
        // NOTE(review): extra CA trusted by the nodes for proxy TLS; anyone holding this CA's key can intercept egress.
        TrustedCa = "string",
    },
    // NOTE(review): prefer a managed identity (SystemAssigned/UserAssigned) over ServicePrincipal below — no secret to rotate.
    Identity = new Azure.ContainerService.Inputs.KubernetesClusterIdentityArgs
    {
        Type = "string",
        IdentityIds = new[]
        {
            "string",
        },
        PrincipalId = "string",
        TenantId = "string",
    },
    ImageCleanerEnabled = false,
    ImageCleanerIntervalHours = 0,
    IngressApplicationGateway = new Azure.ContainerService.Inputs.KubernetesClusterIngressApplicationGatewayArgs
    {
        EffectiveGatewayId = "string",
        GatewayId = "string",
        GatewayName = "string",
        IngressApplicationGatewayIdentities = new[]
        {
            new Azure.ContainerService.Inputs.KubernetesClusterIngressApplicationGatewayIngressApplicationGatewayIdentityArgs
            {
                ClientId = "string",
                ObjectId = "string",
                UserAssignedIdentityId = "string",
            },
        },
        SubnetCidr = "string",
        SubnetId = "string",
    },
    // NOTE(review): presumably Key Vault-backed KMS encryption of secrets at rest in etcd — confirm; recommended for sensitive clusters.
    KeyManagementService = new Azure.ContainerService.Inputs.KubernetesClusterKeyManagementServiceArgs
    {
        KeyVaultKeyId = "string",
        KeyVaultNetworkAccess = "string",
    },
    KeyVaultSecretsProvider = new Azure.ContainerService.Inputs.KubernetesClusterKeyVaultSecretsProviderArgs
    {
        SecretIdentities = new[]
        {
            new Azure.ContainerService.Inputs.KubernetesClusterKeyVaultSecretsProviderSecretIdentityArgs
            {
                ClientId = "string",
                ObjectId = "string",
                UserAssignedIdentityId = "string",
            },
        },
        SecretRotationEnabled = false,
        SecretRotationInterval = "string",
    },
    KubeletIdentity = new Azure.ContainerService.Inputs.KubernetesClusterKubeletIdentityArgs
    {
        ClientId = "string",
        ObjectId = "string",
        UserAssignedIdentityId = "string",
    },
    KubernetesVersion = "string",
    LinuxProfile = new Azure.ContainerService.Inputs.KubernetesClusterLinuxProfileArgs
    {
        AdminUsername = "string",
        // NOTE(review): node SSH *public* key. Never place a private key here; treat node SSH as break-glass only.
        SshKey = new Azure.ContainerService.Inputs.KubernetesClusterLinuxProfileSshKeyArgs
        {
            KeyData = "string",
        },
    },
    // NOTE(review): true disables the local (non-AAD) admin account; requires AAD RBAC to be configured.
    LocalAccountDisabled = false,
    Location = "string",
    MaintenanceWindow = new Azure.ContainerService.Inputs.KubernetesClusterMaintenanceWindowArgs
    {
        Alloweds = new[]
        {
            new Azure.ContainerService.Inputs.KubernetesClusterMaintenanceWindowAllowedArgs
            {
                Day = "string",
                Hours = new[]
                {
                    0,
                },
            },
        },
        NotAlloweds = new[]
        {
            new Azure.ContainerService.Inputs.KubernetesClusterMaintenanceWindowNotAllowedArgs
            {
                End = "string",
                Start = "string",
            },
        },
    },
    MaintenanceWindowAutoUpgrade = new Azure.ContainerService.Inputs.KubernetesClusterMaintenanceWindowAutoUpgradeArgs
    {
        Duration = 0,
        Frequency = "string",
        Interval = 0,
        DayOfMonth = 0,
        DayOfWeek = "string",
        NotAlloweds = new[]
        {
            new Azure.ContainerService.Inputs.KubernetesClusterMaintenanceWindowAutoUpgradeNotAllowedArgs
            {
                End = "string",
                Start = "string",
            },
        },
        StartDate = "string",
        StartTime = "string",
        UtcOffset = "string",
        WeekIndex = "string",
    },
    MaintenanceWindowNodeOs = new Azure.ContainerService.Inputs.KubernetesClusterMaintenanceWindowNodeOsArgs
    {
        Duration = 0,
        Frequency = "string",
        Interval = 0,
        DayOfMonth = 0,
        DayOfWeek = "string",
        NotAlloweds = new[]
        {
            new Azure.ContainerService.Inputs.KubernetesClusterMaintenanceWindowNodeOsNotAllowedArgs
            {
                End = "string",
                Start = "string",
            },
        },
        StartDate = "string",
        StartTime = "string",
        UtcOffset = "string",
        WeekIndex = "string",
    },
    // NOTE(review): Defender for Containers — runtime threat detection shipped to the given workspace.
    MicrosoftDefender = new Azure.ContainerService.Inputs.KubernetesClusterMicrosoftDefenderArgs
    {
        LogAnalyticsWorkspaceId = "string",
    },
    MonitorMetrics = new Azure.ContainerService.Inputs.KubernetesClusterMonitorMetricsArgs
    {
        AnnotationsAllowed = "string",
        LabelsAllowed = "string",
    },
    Name = "string",
    NetworkProfile = new Azure.ContainerService.Inputs.KubernetesClusterNetworkProfileArgs
    {
        NetworkPlugin = "string",
        NetworkMode = "string",
        NetworkPluginMode = "string",
        LoadBalancerSku = "string",
        NatGatewayProfile = new Azure.ContainerService.Inputs.KubernetesClusterNetworkProfileNatGatewayProfileArgs
        {
            EffectiveOutboundIps = new[]
            {
                "string",
            },
            IdleTimeoutInMinutes = 0,
            ManagedOutboundIpCount = 0,
        },
        NetworkDataPlane = "string",
        DnsServiceIp = "string",
        IpVersions = new[]
        {
            "string",
        },
        LoadBalancerProfile = new Azure.ContainerService.Inputs.KubernetesClusterNetworkProfileLoadBalancerProfileArgs
        {
            BackendPoolType = "string",
            EffectiveOutboundIps = new[]
            {
                "string",
            },
            IdleTimeoutInMinutes = 0,
            ManagedOutboundIpCount = 0,
            ManagedOutboundIpv6Count = 0,
            OutboundIpAddressIds = new[]
            {
                "string",
            },
            OutboundIpPrefixIds = new[]
            {
                "string",
            },
            OutboundPortsAllocated = 0,
        },
        // NOTE(review): without a network policy engine, Kubernetes NetworkPolicy objects are not enforced — confirm default.
        NetworkPolicy = "string",
        OutboundType = "string",
        PodCidr = "string",
        PodCidrs = new[]
        {
            "string",
        },
        ServiceCidr = "string",
        ServiceCidrs = new[]
        {
            "string",
        },
    },
    NodeOsUpgradeChannel = "string",
    NodeResourceGroup = "string",
    // NOTE(review): OidcIssuerEnabled + WorkloadIdentityEnabled (bottom) enable federated workload identity,
    // which replaces long-lived credentials mounted into pods.
    OidcIssuerEnabled = false,
    OmsAgent = new Azure.ContainerService.Inputs.KubernetesClusterOmsAgentArgs
    {
        LogAnalyticsWorkspaceId = "string",
        MsiAuthForMonitoringEnabled = false,
        OmsAgentIdentities = new[]
        {
            new Azure.ContainerService.Inputs.KubernetesClusterOmsAgentOmsAgentIdentityArgs
            {
                ClientId = "string",
                ObjectId = "string",
                UserAssignedIdentityId = "string",
            },
        },
    },
    OpenServiceMeshEnabled = false,
    // NOTE(review): private API-server endpoint; the strongest option for limiting control-plane exposure.
    PrivateClusterEnabled = false,
    PrivateClusterPublicFqdnEnabled = false,
    PrivateDnsZoneId = "string",
    // NOTE(review): keep true; a cluster without RBAC grants every authenticated principal full access.
    RoleBasedAccessControlEnabled = false,
    // NOTE(review): presumably the `az aks command invoke` path (remote command execution on the cluster) — confirm; disable if unused.
    RunCommandEnabled = false,
    ServiceMeshProfile = new Azure.ContainerService.Inputs.KubernetesClusterServiceMeshProfileArgs
    {
        Mode = "string",
        Revisions = new[]
        {
            "string",
        },
        CertificateAuthority = new Azure.ContainerService.Inputs.KubernetesClusterServiceMeshProfileCertificateAuthorityArgs
        {
            CertChainObjectName = "string",
            CertObjectName = "string",
            KeyObjectName = "string",
            KeyVaultId = "string",
            RootCertObjectName = "string",
        },
        ExternalIngressGatewayEnabled = false,
        InternalIngressGatewayEnabled = false,
    },
    // NOTE(review): ClientSecret is a credential. Supply it from an encrypted config value or a
    // secret Output, never as a literal in source; prefer Identity above so no secret exists at all.
    ServicePrincipal = new Azure.ContainerService.Inputs.KubernetesClusterServicePrincipalArgs
    {
        ClientId = "string",
        ClientSecret = "string",
    },
    SkuTier = "string",
    StorageProfile = new Azure.ContainerService.Inputs.KubernetesClusterStorageProfileArgs
    {
        BlobDriverEnabled = false,
        DiskDriverEnabled = false,
        FileDriverEnabled = false,
        SnapshotControllerEnabled = false,
    },
    SupportPlan = "string",
    Tags =
    {
        { "string", "string" },
    },
    WebAppRouting = new Azure.ContainerService.Inputs.KubernetesClusterWebAppRoutingArgs
    {
        DnsZoneIds = new[]
        {
            "string",
        },
        WebAppRoutingIdentities = new[]
        {
            new Azure.ContainerService.Inputs.KubernetesClusterWebAppRoutingWebAppRoutingIdentityArgs
            {
                ClientId = "string",
                ObjectId = "string",
                UserAssignedIdentityId = "string",
            },
        },
    },
    WindowsProfile = new Azure.ContainerService.Inputs.KubernetesClusterWindowsProfileArgs
    {
        // NOTE(review): AdminPassword is a credential — source it from an encrypted config value, not a literal.
        AdminPassword = "string",
        AdminUsername = "string",
        Gmsa = new Azure.ContainerService.Inputs.KubernetesClusterWindowsProfileGmsaArgs
        {
            DnsServer = "string",
            RootDomain = "string",
        },
        License = "string",
    },
    WorkloadAutoscalerProfile = new Azure.ContainerService.Inputs.KubernetesClusterWorkloadAutoscalerProfileArgs
    {
        KedaEnabled = false,
        VerticalPodAutoscalerEnabled = false,
    },
    // NOTE(review): see OidcIssuerEnabled above; both are needed for workload identity federation.
    WorkloadIdentityEnabled = false,
});
example, err := containerservice.NewKubernetesCluster(ctx, "kubernetesClusterResource", &containerservice.KubernetesClusterArgs{
DefaultNodePool: &containerservice.KubernetesClusterDefaultNodePoolArgs{
Name: pulumi.String("string"),
VmSize: pulumi.String("string"),
OnlyCriticalAddonsEnabled: pulumi.Bool(false),
MaxCount: pulumi.Int(0),
HostEncryptionEnabled: pulumi.Bool(false),
HostGroupId: pulumi.String("string"),
AutoScalingEnabled: pulumi.Bool(false),
KubeletDiskType: pulumi.String("string"),
LinuxOsConfig: &containerservice.KubernetesClusterDefaultNodePoolLinuxOsConfigArgs{
SwapFileSizeMb: pulumi.Int(0),
SysctlConfig: &containerservice.KubernetesClusterDefaultNodePoolLinuxOsConfigSysctlConfigArgs{
FsAioMaxNr: pulumi.Int(0),
FsFileMax: pulumi.Int(0),
FsInotifyMaxUserWatches: pulumi.Int(0),
FsNrOpen: pulumi.Int(0),
KernelThreadsMax: pulumi.Int(0),
NetCoreNetdevMaxBacklog: pulumi.Int(0),
NetCoreOptmemMax: pulumi.Int(0),
NetCoreRmemDefault: pulumi.Int(0),
NetCoreRmemMax: pulumi.Int(0),
NetCoreSomaxconn: pulumi.Int(0),
NetCoreWmemDefault: pulumi.Int(0),
NetCoreWmemMax: pulumi.Int(0),
NetIpv4IpLocalPortRangeMax: pulumi.Int(0),
NetIpv4IpLocalPortRangeMin: pulumi.Int(0),
NetIpv4NeighDefaultGcThresh1: pulumi.Int(0),
NetIpv4NeighDefaultGcThresh2: pulumi.Int(0),
NetIpv4NeighDefaultGcThresh3: pulumi.Int(0),
NetIpv4TcpFinTimeout: pulumi.Int(0),
NetIpv4TcpKeepaliveIntvl: pulumi.Int(0),
NetIpv4TcpKeepaliveProbes: pulumi.Int(0),
NetIpv4TcpKeepaliveTime: pulumi.Int(0),
NetIpv4TcpMaxSynBacklog: pulumi.Int(0),
NetIpv4TcpMaxTwBuckets: pulumi.Int(0),
NetIpv4TcpTwReuse: pulumi.Bool(false),
NetNetfilterNfConntrackBuckets: pulumi.Int(0),
NetNetfilterNfConntrackMax: pulumi.Int(0),
VmMaxMapCount: pulumi.Int(0),
VmSwappiness: pulumi.Int(0),
VmVfsCachePressure: pulumi.Int(0),
},
TransparentHugePageDefrag: pulumi.String("string"),
TransparentHugePageEnabled: pulumi.String("string"),
},
OrchestratorVersion: pulumi.String("string"),
MaxPods: pulumi.Int(0),
OsDiskSizeGb: pulumi.Int(0),
FipsEnabled: pulumi.Bool(false),
NodeCount: pulumi.Int(0),
NodeLabels: pulumi.StringMap{
"string": pulumi.String("string"),
},
NodeNetworkProfile: &containerservice.KubernetesClusterDefaultNodePoolNodeNetworkProfileArgs{
AllowedHostPorts: containerservice.KubernetesClusterDefaultNodePoolNodeNetworkProfileAllowedHostPortArray{
&containerservice.KubernetesClusterDefaultNodePoolNodeNetworkProfileAllowedHostPortArgs{
PortEnd: pulumi.Int(0),
PortStart: pulumi.Int(0),
Protocol: pulumi.String("string"),
},
},
ApplicationSecurityGroupIds: pulumi.StringArray{
pulumi.String("string"),
},
NodePublicIpTags: pulumi.StringMap{
"string": pulumi.String("string"),
},
},
NodePublicIpEnabled: pulumi.Bool(false),
NodePublicIpPrefixId: pulumi.String("string"),
KubeletConfig: &containerservice.KubernetesClusterDefaultNodePoolKubeletConfigArgs{
AllowedUnsafeSysctls: pulumi.StringArray{
pulumi.String("string"),
},
ContainerLogMaxLine: pulumi.Int(0),
ContainerLogMaxSizeMb: pulumi.Int(0),
CpuCfsQuotaEnabled: pulumi.Bool(false),
CpuCfsQuotaPeriod: pulumi.String("string"),
CpuManagerPolicy: pulumi.String("string"),
ImageGcHighThreshold: pulumi.Int(0),
ImageGcLowThreshold: pulumi.Int(0),
PodMaxPid: pulumi.Int(0),
TopologyManagerPolicy: pulumi.String("string"),
},
GpuInstance: pulumi.String("string"),
MinCount: pulumi.Int(0),
OsDiskType: pulumi.String("string"),
OsSku: pulumi.String("string"),
PodSubnetId: pulumi.String("string"),
ProximityPlacementGroupId: pulumi.String("string"),
ScaleDownMode: pulumi.String("string"),
SnapshotId: pulumi.String("string"),
Tags: pulumi.StringMap{
"string": pulumi.String("string"),
},
TemporaryNameForRotation: pulumi.String("string"),
Type: pulumi.String("string"),
UltraSsdEnabled: pulumi.Bool(false),
UpgradeSettings: &containerservice.KubernetesClusterDefaultNodePoolUpgradeSettingsArgs{
MaxSurge: pulumi.String("string"),
DrainTimeoutInMinutes: pulumi.Int(0),
NodeSoakDurationInMinutes: pulumi.Int(0),
},
CapacityReservationGroupId: pulumi.String("string"),
VnetSubnetId: pulumi.String("string"),
WorkloadRuntime: pulumi.String("string"),
Zones: pulumi.StringArray{
pulumi.String("string"),
},
},
ResourceGroupName: pulumi.String("string"),
AciConnectorLinux: &containerservice.KubernetesClusterAciConnectorLinuxArgs{
SubnetName: pulumi.String("string"),
ConnectorIdentities: containerservice.KubernetesClusterAciConnectorLinuxConnectorIdentityArray{
&containerservice.KubernetesClusterAciConnectorLinuxConnectorIdentityArgs{
ClientId: pulumi.String("string"),
ObjectId: pulumi.String("string"),
UserAssignedIdentityId: pulumi.String("string"),
},
},
},
ApiServerAccessProfile: &containerservice.KubernetesClusterApiServerAccessProfileArgs{
AuthorizedIpRanges: pulumi.StringArray{
pulumi.String("string"),
},
},
AutoScalerProfile: &containerservice.KubernetesClusterAutoScalerProfileArgs{
BalanceSimilarNodeGroups: pulumi.Bool(false),
DaemonsetEvictionForEmptyNodesEnabled: pulumi.Bool(false),
DaemonsetEvictionForOccupiedNodesEnabled: pulumi.Bool(false),
EmptyBulkDeleteMax: pulumi.String("string"),
Expander: pulumi.String("string"),
IgnoreDaemonsetsUtilizationEnabled: pulumi.Bool(false),
MaxGracefulTerminationSec: pulumi.String("string"),
MaxNodeProvisioningTime: pulumi.String("string"),
MaxUnreadyNodes: pulumi.Int(0),
MaxUnreadyPercentage: pulumi.Float64(0),
NewPodScaleUpDelay: pulumi.String("string"),
ScaleDownDelayAfterAdd: pulumi.String("string"),
ScaleDownDelayAfterDelete: pulumi.String("string"),
ScaleDownDelayAfterFailure: pulumi.String("string"),
ScaleDownUnneeded: pulumi.String("string"),
ScaleDownUnready: pulumi.String("string"),
ScaleDownUtilizationThreshold: pulumi.String("string"),
ScanInterval: pulumi.String("string"),
SkipNodesWithLocalStorage: pulumi.Bool(false),
SkipNodesWithSystemPods: pulumi.Bool(false),
},
AutomaticUpgradeChannel: pulumi.String("string"),
AzureActiveDirectoryRoleBasedAccessControl: &containerservice.KubernetesClusterAzureActiveDirectoryRoleBasedAccessControlArgs{
AdminGroupObjectIds: pulumi.StringArray{
pulumi.String("string"),
},
AzureRbacEnabled: pulumi.Bool(false),
TenantId: pulumi.String("string"),
},
AzurePolicyEnabled: pulumi.Bool(false),
ConfidentialComputing: &containerservice.KubernetesClusterConfidentialComputingArgs{
SgxQuoteHelperEnabled: pulumi.Bool(false),
},
CostAnalysisEnabled: pulumi.Bool(false),
DiskEncryptionSetId: pulumi.String("string"),
DnsPrefix: pulumi.String("string"),
DnsPrefixPrivateCluster: pulumi.String("string"),
EdgeZone: pulumi.String("string"),
HttpApplicationRoutingEnabled: pulumi.Bool(false),
HttpProxyConfig: &containerservice.KubernetesClusterHttpProxyConfigArgs{
HttpProxy: pulumi.String("string"),
HttpsProxy: pulumi.String("string"),
NoProxies: pulumi.StringArray{
pulumi.String("string"),
},
TrustedCa: pulumi.String("string"),
},
Identity: &containerservice.KubernetesClusterIdentityArgs{
Type: pulumi.String("string"),
IdentityIds: pulumi.StringArray{
pulumi.String("string"),
},
PrincipalId: pulumi.String("string"),
TenantId: pulumi.String("string"),
},
ImageCleanerEnabled: pulumi.Bool(false),
ImageCleanerIntervalHours: pulumi.Int(0),
IngressApplicationGateway: &containerservice.KubernetesClusterIngressApplicationGatewayArgs{
EffectiveGatewayId: pulumi.String("string"),
GatewayId: pulumi.String("string"),
GatewayName: pulumi.String("string"),
IngressApplicationGatewayIdentities: containerservice.KubernetesClusterIngressApplicationGatewayIngressApplicationGatewayIdentityArray{
&containerservice.KubernetesClusterIngressApplicationGatewayIngressApplicationGatewayIdentityArgs{
ClientId: pulumi.String("string"),
ObjectId: pulumi.String("string"),
UserAssignedIdentityId: pulumi.String("string"),
},
},
SubnetCidr: pulumi.String("string"),
SubnetId: pulumi.String("string"),
},
KeyManagementService: &containerservice.KubernetesClusterKeyManagementServiceArgs{
KeyVaultKeyId: pulumi.String("string"),
KeyVaultNetworkAccess: pulumi.String("string"),
},
KeyVaultSecretsProvider: &containerservice.KubernetesClusterKeyVaultSecretsProviderArgs{
SecretIdentities: containerservice.KubernetesClusterKeyVaultSecretsProviderSecretIdentityArray{
&containerservice.KubernetesClusterKeyVaultSecretsProviderSecretIdentityArgs{
ClientId: pulumi.String("string"),
ObjectId: pulumi.String("string"),
UserAssignedIdentityId: pulumi.String("string"),
},
},
SecretRotationEnabled: pulumi.Bool(false),
SecretRotationInterval: pulumi.String("string"),
},
KubeletIdentity: &containerservice.KubernetesClusterKubeletIdentityArgs{
ClientId: pulumi.String("string"),
ObjectId: pulumi.String("string"),
UserAssignedIdentityId: pulumi.String("string"),
},
KubernetesVersion: pulumi.String("string"),
LinuxProfile: &containerservice.KubernetesClusterLinuxProfileArgs{
AdminUsername: pulumi.String("string"),
SshKey: &containerservice.KubernetesClusterLinuxProfileSshKeyArgs{
KeyData: pulumi.String("string"),
},
},
LocalAccountDisabled: pulumi.Bool(false),
Location: pulumi.String("string"),
MaintenanceWindow: &containerservice.KubernetesClusterMaintenanceWindowArgs{
Alloweds: containerservice.KubernetesClusterMaintenanceWindowAllowedArray{
&containerservice.KubernetesClusterMaintenanceWindowAllowedArgs{
Day: pulumi.String("string"),
Hours: pulumi.IntArray{
pulumi.Int(0),
},
},
},
NotAlloweds: containerservice.KubernetesClusterMaintenanceWindowNotAllowedArray{
&containerservice.KubernetesClusterMaintenanceWindowNotAllowedArgs{
End: pulumi.String("string"),
Start: pulumi.String("string"),
},
},
},
MaintenanceWindowAutoUpgrade: &containerservice.KubernetesClusterMaintenanceWindowAutoUpgradeArgs{
Duration: pulumi.Int(0),
Frequency: pulumi.String("string"),
Interval: pulumi.Int(0),
DayOfMonth: pulumi.Int(0),
DayOfWeek: pulumi.String("string"),
NotAlloweds: containerservice.KubernetesClusterMaintenanceWindowAutoUpgradeNotAllowedArray{
&containerservice.KubernetesClusterMaintenanceWindowAutoUpgradeNotAllowedArgs{
End: pulumi.String("string"),
Start: pulumi.String("string"),
},
},
StartDate: pulumi.String("string"),
StartTime: pulumi.String("string"),
UtcOffset: pulumi.String("string"),
WeekIndex: pulumi.String("string"),
},
MaintenanceWindowNodeOs: &containerservice.KubernetesClusterMaintenanceWindowNodeOsArgs{
Duration: pulumi.Int(0),
Frequency: pulumi.String("string"),
Interval: pulumi.Int(0),
DayOfMonth: pulumi.Int(0),
DayOfWeek: pulumi.String("string"),
NotAlloweds: containerservice.KubernetesClusterMaintenanceWindowNodeOsNotAllowedArray{
&containerservice.KubernetesClusterMaintenanceWindowNodeOsNotAllowedArgs{
End: pulumi.String("string"),
Start: pulumi.String("string"),
},
},
StartDate: pulumi.String("string"),
StartTime: pulumi.String("string"),
UtcOffset: pulumi.String("string"),
WeekIndex: pulumi.String("string"),
},
MicrosoftDefender: &containerservice.KubernetesClusterMicrosoftDefenderArgs{
LogAnalyticsWorkspaceId: pulumi.String("string"),
},
MonitorMetrics: &containerservice.KubernetesClusterMonitorMetricsArgs{
AnnotationsAllowed: pulumi.String("string"),
LabelsAllowed: pulumi.String("string"),
},
Name: pulumi.String("string"),
NetworkProfile: &containerservice.KubernetesClusterNetworkProfileArgs{
NetworkPlugin: pulumi.String("string"),
NetworkMode: pulumi.String("string"),
NetworkPluginMode: pulumi.String("string"),
LoadBalancerSku: pulumi.String("string"),
NatGatewayProfile: &containerservice.KubernetesClusterNetworkProfileNatGatewayProfileArgs{
EffectiveOutboundIps: pulumi.StringArray{
pulumi.String("string"),
},
IdleTimeoutInMinutes: pulumi.Int(0),
ManagedOutboundIpCount: pulumi.Int(0),
},
NetworkDataPlane: pulumi.String("string"),
DnsServiceIp: pulumi.String("string"),
IpVersions: pulumi.StringArray{
pulumi.String("string"),
},
LoadBalancerProfile: &containerservice.KubernetesClusterNetworkProfileLoadBalancerProfileArgs{
BackendPoolType: pulumi.String("string"),
EffectiveOutboundIps: pulumi.StringArray{
pulumi.String("string"),
},
IdleTimeoutInMinutes: pulumi.Int(0),
ManagedOutboundIpCount: pulumi.Int(0),
ManagedOutboundIpv6Count: pulumi.Int(0),
OutboundIpAddressIds: pulumi.StringArray{
pulumi.String("string"),
},
OutboundIpPrefixIds: pulumi.StringArray{
pulumi.String("string"),
},
OutboundPortsAllocated: pulumi.Int(0),
},
NetworkPolicy: pulumi.String("string"),
OutboundType: pulumi.String("string"),
PodCidr: pulumi.String("string"),
PodCidrs: pulumi.StringArray{
pulumi.String("string"),
},
ServiceCidr: pulumi.String("string"),
ServiceCidrs: pulumi.StringArray{
pulumi.String("string"),
},
},
NodeOsUpgradeChannel: pulumi.String("string"),
NodeResourceGroup: pulumi.String("string"),
OidcIssuerEnabled: pulumi.Bool(false),
OmsAgent: &containerservice.KubernetesClusterOmsAgentArgs{
LogAnalyticsWorkspaceId: pulumi.String("string"),
MsiAuthForMonitoringEnabled: pulumi.Bool(false),
OmsAgentIdentities: containerservice.KubernetesClusterOmsAgentOmsAgentIdentityArray{
&containerservice.KubernetesClusterOmsAgentOmsAgentIdentityArgs{
ClientId: pulumi.String("string"),
ObjectId: pulumi.String("string"),
UserAssignedIdentityId: pulumi.String("string"),
},
},
},
OpenServiceMeshEnabled: pulumi.Bool(false),
PrivateClusterEnabled: pulumi.Bool(false),
PrivateClusterPublicFqdnEnabled: pulumi.Bool(false),
PrivateDnsZoneId: pulumi.String("string"),
RoleBasedAccessControlEnabled: pulumi.Bool(false),
RunCommandEnabled: pulumi.Bool(false),
ServiceMeshProfile: &containerservice.KubernetesClusterServiceMeshProfileArgs{
Mode: pulumi.String("string"),
Revisions: pulumi.StringArray{
pulumi.String("string"),
},
CertificateAuthority: &containerservice.KubernetesClusterServiceMeshProfileCertificateAuthorityArgs{
CertChainObjectName: pulumi.String("string"),
CertObjectName: pulumi.String("string"),
KeyObjectName: pulumi.String("string"),
KeyVaultId: pulumi.String("string"),
RootCertObjectName: pulumi.String("string"),
},
ExternalIngressGatewayEnabled: pulumi.Bool(false),
InternalIngressGatewayEnabled: pulumi.Bool(false),
},
ServicePrincipal: &containerservice.KubernetesClusterServicePrincipalArgs{
ClientId: pulumi.String("string"),
ClientSecret: pulumi.String("string"),
},
SkuTier: pulumi.String("string"),
StorageProfile: &containerservice.KubernetesClusterStorageProfileArgs{
BlobDriverEnabled: pulumi.Bool(false),
DiskDriverEnabled: pulumi.Bool(false),
FileDriverEnabled: pulumi.Bool(false),
SnapshotControllerEnabled: pulumi.Bool(false),
},
SupportPlan: pulumi.String("string"),
Tags: pulumi.StringMap{
"string": pulumi.String("string"),
},
WebAppRouting: &containerservice.KubernetesClusterWebAppRoutingArgs{
DnsZoneIds: pulumi.StringArray{
pulumi.String("string"),
},
WebAppRoutingIdentities: containerservice.KubernetesClusterWebAppRoutingWebAppRoutingIdentityArray{
&containerservice.KubernetesClusterWebAppRoutingWebAppRoutingIdentityArgs{
ClientId: pulumi.String("string"),
ObjectId: pulumi.String("string"),
UserAssignedIdentityId: pulumi.String("string"),
},
},
},
WindowsProfile: &containerservice.KubernetesClusterWindowsProfileArgs{
AdminPassword: pulumi.String("string"),
AdminUsername: pulumi.String("string"),
Gmsa: &containerservice.KubernetesClusterWindowsProfileGmsaArgs{
DnsServer: pulumi.String("string"),
RootDomain: pulumi.String("string"),
},
License: pulumi.String("string"),
},
WorkloadAutoscalerProfile: &containerservice.KubernetesClusterWorkloadAutoscalerProfileArgs{
KedaEnabled: pulumi.Bool(false),
VerticalPodAutoscalerEnabled: pulumi.Bool(false),
},
WorkloadIdentityEnabled: pulumi.Bool(false),
})
// Constructor syntax: every supported input of azure.containerservice.KubernetesCluster,
// with type placeholders ("string", 0, false) rather than working values. The placeholders
// are NOT recommended settings -- several of the `false` values below switch off security
// controls. The review notes mark the inputs that decide cluster exposure, identity and
// encryption; the basic example at the top of the page shows a minimal working set.
var kubernetesClusterResource = new KubernetesCluster("kubernetesClusterResource", KubernetesClusterArgs.builder()
    .defaultNodePool(KubernetesClusterDefaultNodePoolArgs.builder()
        .name("string")
        .vmSize("string")
        .onlyCriticalAddonsEnabled(false)
        .maxCount(0)
        // Host-based encryption of the node's OS/temp disks and caches; complements diskEncryptionSetId below.
        .hostEncryptionEnabled(false)
        .hostGroupId("string")
        .autoScalingEnabled(false)
        .kubeletDiskType("string")
        .linuxOsConfig(KubernetesClusterDefaultNodePoolLinuxOsConfigArgs.builder()
            .swapFileSizeMb(0)
            // Node-level kernel tuning; these are applied to the shared host kernel, not per pod.
            .sysctlConfig(KubernetesClusterDefaultNodePoolLinuxOsConfigSysctlConfigArgs.builder()
                .fsAioMaxNr(0)
                .fsFileMax(0)
                .fsInotifyMaxUserWatches(0)
                .fsNrOpen(0)
                .kernelThreadsMax(0)
                .netCoreNetdevMaxBacklog(0)
                .netCoreOptmemMax(0)
                .netCoreRmemDefault(0)
                .netCoreRmemMax(0)
                .netCoreSomaxconn(0)
                .netCoreWmemDefault(0)
                .netCoreWmemMax(0)
                .netIpv4IpLocalPortRangeMax(0)
                .netIpv4IpLocalPortRangeMin(0)
                .netIpv4NeighDefaultGcThresh1(0)
                .netIpv4NeighDefaultGcThresh2(0)
                .netIpv4NeighDefaultGcThresh3(0)
                .netIpv4TcpFinTimeout(0)
                .netIpv4TcpKeepaliveIntvl(0)
                .netIpv4TcpKeepaliveProbes(0)
                .netIpv4TcpKeepaliveTime(0)
                .netIpv4TcpMaxSynBacklog(0)
                .netIpv4TcpMaxTwBuckets(0)
                .netIpv4TcpTwReuse(false)
                .netNetfilterNfConntrackBuckets(0)
                .netNetfilterNfConntrackMax(0)
                .vmMaxMapCount(0)
                .vmSwappiness(0)
                .vmVfsCachePressure(0)
                .build())
            .transparentHugePageDefrag("string")
            .transparentHugePageEnabled("string")
            .build())
        .orchestratorVersion("string")
        .maxPods(0)
        .osDiskSizeGb(0)
        // FIPS-enabled node OS image; affects the nodes only, not the workload binaries they run.
        .fipsEnabled(false)
        .nodeCount(0)
        .nodeLabels(Map.of("string", "string"))
        .nodeNetworkProfile(KubernetesClusterDefaultNodePoolNodeNetworkProfileArgs.builder()
            // Host port ranges opened on the nodes; keep this list minimal.
            .allowedHostPorts(KubernetesClusterDefaultNodePoolNodeNetworkProfileAllowedHostPortArgs.builder()
                .portEnd(0)
                .portStart(0)
                .protocol("string")
                .build())
            .applicationSecurityGroupIds("string")
            .nodePublicIpTags(Map.of("string", "string"))
            .build())
        // true gives every node its own public IP, exposing the nodes directly instead of via the load balancer.
        .nodePublicIpEnabled(false)
        .nodePublicIpPrefixId("string")
        .kubeletConfig(KubernetesClusterDefaultNodePoolKubeletConfigArgs.builder()
            // Each entry lets pods set an "unsafe" sysctl on the shared node kernel; leave empty unless a workload needs it.
            .allowedUnsafeSysctls("string")
            .containerLogMaxLine(0)
            .containerLogMaxSizeMb(0)
            .cpuCfsQuotaEnabled(false)
            .cpuCfsQuotaPeriod("string")
            .cpuManagerPolicy("string")
            .imageGcHighThreshold(0)
            .imageGcLowThreshold(0)
            // Per-pod PID cap; bounds fork-bomb style resource exhaustion on a node.
            .podMaxPid(0)
            .topologyManagerPolicy("string")
            .build())
        .gpuInstance("string")
        .minCount(0)
        .osDiskType("string")
        .osSku("string")
        .podSubnetId("string")
        .proximityPlacementGroupId("string")
        .scaleDownMode("string")
        .snapshotId("string")
        .tags(Map.of("string", "string"))
        .temporaryNameForRotation("string")
        .type("string")
        .ultraSsdEnabled(false)
        .upgradeSettings(KubernetesClusterDefaultNodePoolUpgradeSettingsArgs.builder()
            .maxSurge("string")
            .drainTimeoutInMinutes(0)
            .nodeSoakDurationInMinutes(0)
            .build())
        .capacityReservationGroupId("string")
        .vnetSubnetId("string")
        .workloadRuntime("string")
        .zones("string")
        .build())
    .resourceGroupName("string")
    .aciConnectorLinux(KubernetesClusterAciConnectorLinuxArgs.builder()
        .subnetName("string")
        .connectorIdentities(KubernetesClusterAciConnectorLinuxConnectorIdentityArgs.builder()
            .clientId("string")
            .objectId("string")
            .userAssignedIdentityId("string")
            .build())
        .build())
    .apiServerAccessProfile(KubernetesClusterApiServerAccessProfileArgs.builder()
        // CIDRs allowed to reach a public API server endpoint; without it the endpoint answers to any source IP.
        .authorizedIpRanges("string")
        .build())
    .autoScalerProfile(KubernetesClusterAutoScalerProfileArgs.builder()
        .balanceSimilarNodeGroups(false)
        .daemonsetEvictionForEmptyNodesEnabled(false)
        .daemonsetEvictionForOccupiedNodesEnabled(false)
        .emptyBulkDeleteMax("string")
        .expander("string")
        .ignoreDaemonsetsUtilizationEnabled(false)
        .maxGracefulTerminationSec("string")
        .maxNodeProvisioningTime("string")
        .maxUnreadyNodes(0)
        .maxUnreadyPercentage(0)
        .newPodScaleUpDelay("string")
        .scaleDownDelayAfterAdd("string")
        .scaleDownDelayAfterDelete("string")
        .scaleDownDelayAfterFailure("string")
        .scaleDownUnneeded("string")
        .scaleDownUnready("string")
        .scaleDownUtilizationThreshold("string")
        .scanInterval("string")
        .skipNodesWithLocalStorage(false)
        .skipNodesWithSystemPods(false)
        .build())
    // Control-plane patch cadence; pair with maintenanceWindowAutoUpgrade to bound when upgrades land.
    .automaticUpgradeChannel("string")
    .azureActiveDirectoryRoleBasedAccessControl(KubernetesClusterAzureActiveDirectoryRoleBasedAccessControlArgs.builder()
        // Members of these groups get cluster-admin; keep membership small and reviewed.
        .adminGroupObjectIds("string")
        // true moves Kubernetes authorization to Azure RBAC role assignments instead of in-cluster RoleBindings.
        .azureRbacEnabled(false)
        .tenantId("string")
        .build())
    // Azure Policy add-on (Gatekeeper admission control) for enforcing pod security rules at admission time.
    .azurePolicyEnabled(false)
    .confidentialComputing(KubernetesClusterConfidentialComputingArgs.builder()
        // Quote helper used by SGX attestation flows on confidential node pools; presumably only meaningful with such pools -- confirm.
        .sgxQuoteHelperEnabled(false)
        .build())
    .costAnalysisEnabled(false)
    // Customer-managed key (Disk Encryption Set) for node OS/data disks at rest.
    .diskEncryptionSetId("string")
    .dnsPrefix("string")
    .dnsPrefixPrivateCluster("string")
    .edgeZone("string")
    // Legacy HTTP application routing add-on; Azure documents it as not for production use -- prefer webAppRouting below.
    .httpApplicationRoutingEnabled(false)
    .httpProxyConfig(KubernetesClusterHttpProxyConfigArgs.builder()
        .httpProxy("string")
        .httpsProxy("string")
        .noProxies("string")
        // CA that nodes will trust for proxied TLS; adding one extends trust cluster-wide, so scope it to the proxy's CA only.
        .trustedCa("string")
        .build())
    // Managed identity for the cluster control plane; the alternative to servicePrincipal below and the one that avoids a stored secret.
    .identity(KubernetesClusterIdentityArgs.builder()
        .type("string")
        .identityIds("string")
        .principalId("string")
        .tenantId("string")
        .build())
    // Removes unused images from nodes so stale, possibly vulnerable layers do not linger.
    .imageCleanerEnabled(false)
    .imageCleanerIntervalHours(0)
    .ingressApplicationGateway(KubernetesClusterIngressApplicationGatewayArgs.builder()
        .effectiveGatewayId("string")
        .gatewayId("string")
        .gatewayName("string")
        .ingressApplicationGatewayIdentities(KubernetesClusterIngressApplicationGatewayIngressApplicationGatewayIdentityArgs.builder()
            .clientId("string")
            .objectId("string")
            .userAssignedIdentityId("string")
            .build())
        .subnetCidr("string")
        .subnetId("string")
        .build())
    // KMS envelope encryption of Kubernetes Secrets in etcd with a Key Vault key; without it secrets rest in etcd under platform encryption only.
    .keyManagementService(KubernetesClusterKeyManagementServiceArgs.builder()
        .keyVaultKeyId("string")
        .keyVaultNetworkAccess("string")
        .build())
    // Secrets Store CSI driver: mounts Key Vault secrets into pods instead of copying them into Kubernetes Secrets.
    .keyVaultSecretsProvider(KubernetesClusterKeyVaultSecretsProviderArgs.builder()
        .secretIdentities(KubernetesClusterKeyVaultSecretsProviderSecretIdentityArgs.builder()
            .clientId("string")
            .objectId("string")
            .userAssignedIdentityId("string")
            .build())
        .secretRotationEnabled(false)
        .secretRotationInterval("string")
        .build())
    // Identity the kubelets run as (image pulls, disk attach); grant it only the narrow roles it needs (e.g. AcrPull).
    .kubeletIdentity(KubernetesClusterKubeletIdentityArgs.builder()
        .clientId("string")
        .objectId("string")
        .userAssignedIdentityId("string")
        .build())
    .kubernetesVersion("string")
    .linuxProfile(KubernetesClusterLinuxProfileArgs.builder()
        .adminUsername("string")
        // SSH public key installed on every Linux node; whoever holds the private key has node-level access.
        .sshKey(KubernetesClusterLinuxProfileSshKeyArgs.builder()
            .keyData("string")
            .build())
        .build())
    // true disables the static local cluster-admin credentials so all access goes through Entra ID; needs the AAD block above.
    .localAccountDisabled(false)
    .location("string")
    .maintenanceWindow(KubernetesClusterMaintenanceWindowArgs.builder()
        .alloweds(KubernetesClusterMaintenanceWindowAllowedArgs.builder()
            .day("string")
            .hours(0)
            .build())
        .notAlloweds(KubernetesClusterMaintenanceWindowNotAllowedArgs.builder()
            .end("string")
            .start("string")
            .build())
        .build())
    .maintenanceWindowAutoUpgrade(KubernetesClusterMaintenanceWindowAutoUpgradeArgs.builder()
        .duration(0)
        .frequency("string")
        .interval(0)
        .dayOfMonth(0)
        .dayOfWeek("string")
        .notAlloweds(KubernetesClusterMaintenanceWindowAutoUpgradeNotAllowedArgs.builder()
            .end("string")
            .start("string")
            .build())
        .startDate("string")
        .startTime("string")
        .utcOffset("string")
        .weekIndex("string")
        .build())
    .maintenanceWindowNodeOs(KubernetesClusterMaintenanceWindowNodeOsArgs.builder()
        .duration(0)
        .frequency("string")
        .interval(0)
        .dayOfMonth(0)
        .dayOfWeek("string")
        .notAlloweds(KubernetesClusterMaintenanceWindowNodeOsNotAllowedArgs.builder()
            .end("string")
            .start("string")
            .build())
        .startDate("string")
        .startTime("string")
        .utcOffset("string")
        .weekIndex("string")
        .build())
    // Defender for Containers runtime threat detection; findings land in the given Log Analytics workspace.
    .microsoftDefender(KubernetesClusterMicrosoftDefenderArgs.builder()
        .logAnalyticsWorkspaceId("string")
        .build())
    .monitorMetrics(KubernetesClusterMonitorMetricsArgs.builder()
        .annotationsAllowed("string")
        .labelsAllowed("string")
        .build())
    .name("string")
    .networkProfile(KubernetesClusterNetworkProfileArgs.builder()
        .networkPlugin("string")
        .networkMode("string")
        .networkPluginMode("string")
        .loadBalancerSku("string")
        .natGatewayProfile(KubernetesClusterNetworkProfileNatGatewayProfileArgs.builder()
            .effectiveOutboundIps("string")
            .idleTimeoutInMinutes(0)
            .managedOutboundIpCount(0)
            .build())
        .networkDataPlane("string")
        .dnsServiceIp("string")
        .ipVersions("string")
        .loadBalancerProfile(KubernetesClusterNetworkProfileLoadBalancerProfileArgs.builder()
            .backendPoolType("string")
            .effectiveOutboundIps("string")
            .idleTimeoutInMinutes(0)
            .managedOutboundIpCount(0)
            .managedOutboundIpv6Count(0)
            .outboundIpAddressIds("string")
            .outboundIpPrefixIds("string")
            .outboundPortsAllocated(0)
            .build())
        // Enables NetworkPolicy enforcement (azure/calico/cilium); without a policy engine, pod-to-pod traffic is unrestricted.
        .networkPolicy("string")
        // Egress path (load balancer, NAT gateway or user-defined routing); UDR is how egress gets forced through a firewall.
        .outboundType("string")
        .podCidr("string")
        .podCidrs("string")
        .serviceCidr("string")
        .serviceCidrs("string")
        .build())
    // Node OS patch cadence; the node-image channel is where kernel/CVE fixes arrive.
    .nodeOsUpgradeChannel("string")
    .nodeResourceGroup("string")
    // Publishes an OIDC issuer URL for the cluster; required for workloadIdentityEnabled below.
    .oidcIssuerEnabled(false)
    .omsAgent(KubernetesClusterOmsAgentArgs.builder()
        .logAnalyticsWorkspaceId("string")
        .msiAuthForMonitoringEnabled(false)
        .omsAgentIdentities(KubernetesClusterOmsAgentOmsAgentIdentityArgs.builder()
            .clientId("string")
            .objectId("string")
            .userAssignedIdentityId("string")
            .build())
        .build())
    .openServiceMeshEnabled(false)
    // true puts the API server behind a private endpoint; privateClusterPublicFqdnEnabled controls whether a public DNS name still resolves to it.
    .privateClusterEnabled(false)
    .privateClusterPublicFqdnEnabled(false)
    .privateDnsZoneId("string")
    // false removes Kubernetes RBAC authorization from the API server entirely; production clusters keep this true.
    .roleBasedAccessControlEnabled(false)
    // Allows `az aks command invoke` to run commands inside the cluster from the ARM plane; disable when not needed.
    .runCommandEnabled(false)
    .serviceMeshProfile(KubernetesClusterServiceMeshProfileArgs.builder()
        .mode("string")
        .revisions("string")
        // Plug-in mesh CA: certificate chain and private key referenced from Key Vault rather than inlined here.
        .certificateAuthority(KubernetesClusterServiceMeshProfileCertificateAuthorityArgs.builder()
            .certChainObjectName("string")
            .certObjectName("string")
            .keyObjectName("string")
            .keyVaultId("string")
            .rootCertObjectName("string")
            .build())
        .externalIngressGatewayEnabled(false)
        .internalIngressGatewayEnabled(false)
        .build())
    // Legacy alternative to identity: a long-lived app credential. Never commit the literal secret;
    // source it from Pulumi config secrets / Key Vault so it is encrypted in state, and plan rotation.
    .servicePrincipal(KubernetesClusterServicePrincipalArgs.builder()
        .clientId("string")
        .clientSecret("string")
        .build())
    .skuTier("string")
    .storageProfile(KubernetesClusterStorageProfileArgs.builder()
        .blobDriverEnabled(false)
        .diskDriverEnabled(false)
        .fileDriverEnabled(false)
        .snapshotControllerEnabled(false)
        .build())
    .supportPlan("string")
    .tags(Map.of("string", "string"))
    .webAppRouting(KubernetesClusterWebAppRoutingArgs.builder()
        .dnsZoneIds("string")
        .webAppRoutingIdentities(KubernetesClusterWebAppRoutingWebAppRoutingIdentityArgs.builder()
            .clientId("string")
            .objectId("string")
            .userAssignedIdentityId("string")
            .build())
        .build())
    .windowsProfile(KubernetesClusterWindowsProfileArgs.builder()
        // Local administrator password for Windows nodes; treat like any credential -- config secret, not a literal.
        .adminPassword("string")
        .adminUsername("string")
        .gmsa(KubernetesClusterWindowsProfileGmsaArgs.builder()
            .dnsServer("string")
            .rootDomain("string")
            .build())
        .license("string")
        .build())
    .workloadAutoscalerProfile(KubernetesClusterWorkloadAutoscalerProfileArgs.builder()
        .kedaEnabled(false)
        .verticalPodAutoscalerEnabled(false)
        .build())
    // Federated workload identity for pods (no secrets in pods); requires oidcIssuerEnabled above.
    .workloadIdentityEnabled(false)
    .build());
# Constructor syntax: every supported input of azure.containerservice.KubernetesCluster,
# with type placeholders ("string", 0, False) rather than working values. The placeholders
# are NOT recommended settings -- several of the `False` values below switch off security
# controls. The review notes mark the inputs that decide cluster exposure, identity and
# encryption; the basic example at the top of the page shows a minimal working set.
kubernetes_cluster_resource = azure.containerservice.KubernetesCluster("kubernetesClusterResource",
    default_node_pool={
        "name": "string",
        "vm_size": "string",
        "only_critical_addons_enabled": False,
        "max_count": 0,
        # Host-based encryption of the node's OS/temp disks and caches; complements disk_encryption_set_id below.
        "host_encryption_enabled": False,
        "host_group_id": "string",
        "auto_scaling_enabled": False,
        "kubelet_disk_type": "string",
        "linux_os_config": {
            "swap_file_size_mb": 0,
            # Node-level kernel tuning; applied to the shared host kernel, not per pod.
            "sysctl_config": {
                "fs_aio_max_nr": 0,
                "fs_file_max": 0,
                "fs_inotify_max_user_watches": 0,
                "fs_nr_open": 0,
                "kernel_threads_max": 0,
                "net_core_netdev_max_backlog": 0,
                "net_core_optmem_max": 0,
                "net_core_rmem_default": 0,
                "net_core_rmem_max": 0,
                "net_core_somaxconn": 0,
                "net_core_wmem_default": 0,
                "net_core_wmem_max": 0,
                "net_ipv4_ip_local_port_range_max": 0,
                "net_ipv4_ip_local_port_range_min": 0,
                "net_ipv4_neigh_default_gc_thresh1": 0,
                "net_ipv4_neigh_default_gc_thresh2": 0,
                "net_ipv4_neigh_default_gc_thresh3": 0,
                "net_ipv4_tcp_fin_timeout": 0,
                "net_ipv4_tcp_keepalive_intvl": 0,
                "net_ipv4_tcp_keepalive_probes": 0,
                "net_ipv4_tcp_keepalive_time": 0,
                "net_ipv4_tcp_max_syn_backlog": 0,
                "net_ipv4_tcp_max_tw_buckets": 0,
                "net_ipv4_tcp_tw_reuse": False,
                "net_netfilter_nf_conntrack_buckets": 0,
                "net_netfilter_nf_conntrack_max": 0,
                "vm_max_map_count": 0,
                "vm_swappiness": 0,
                "vm_vfs_cache_pressure": 0,
            },
            "transparent_huge_page_defrag": "string",
            "transparent_huge_page_enabled": "string",
        },
        "orchestrator_version": "string",
        "max_pods": 0,
        "os_disk_size_gb": 0,
        # FIPS-enabled node OS image; affects the nodes only, not the workload binaries they run.
        "fips_enabled": False,
        "node_count": 0,
        "node_labels": {
            "string": "string",
        },
        "node_network_profile": {
            # Host port ranges opened on the nodes; keep this list minimal.
            "allowed_host_ports": [{
                "port_end": 0,
                "port_start": 0,
                "protocol": "string",
            }],
            "application_security_group_ids": ["string"],
            "node_public_ip_tags": {
                "string": "string",
            },
        },
        # True gives every node its own public IP, exposing the nodes directly instead of via the load balancer.
        "node_public_ip_enabled": False,
        "node_public_ip_prefix_id": "string",
        "kubelet_config": {
            # Each entry lets pods set an "unsafe" sysctl on the shared node kernel; leave empty unless a workload needs it.
            "allowed_unsafe_sysctls": ["string"],
            "container_log_max_line": 0,
            "container_log_max_size_mb": 0,
            "cpu_cfs_quota_enabled": False,
            "cpu_cfs_quota_period": "string",
            "cpu_manager_policy": "string",
            "image_gc_high_threshold": 0,
            "image_gc_low_threshold": 0,
            # Per-pod PID cap; bounds fork-bomb style resource exhaustion on a node.
            "pod_max_pid": 0,
            "topology_manager_policy": "string",
        },
        "gpu_instance": "string",
        "min_count": 0,
        "os_disk_type": "string",
        "os_sku": "string",
        "pod_subnet_id": "string",
        "proximity_placement_group_id": "string",
        "scale_down_mode": "string",
        "snapshot_id": "string",
        "tags": {
            "string": "string",
        },
        "temporary_name_for_rotation": "string",
        "type": "string",
        "ultra_ssd_enabled": False,
        "upgrade_settings": {
            "max_surge": "string",
            "drain_timeout_in_minutes": 0,
            "node_soak_duration_in_minutes": 0,
        },
        "capacity_reservation_group_id": "string",
        "vnet_subnet_id": "string",
        "workload_runtime": "string",
        "zones": ["string"],
    },
    resource_group_name="string",
    aci_connector_linux={
        "subnet_name": "string",
        "connector_identities": [{
            "client_id": "string",
            "object_id": "string",
            "user_assigned_identity_id": "string",
        }],
    },
    api_server_access_profile={
        # CIDRs allowed to reach a public API server endpoint; without it the endpoint answers to any source IP.
        "authorized_ip_ranges": ["string"],
    },
    auto_scaler_profile={
        "balance_similar_node_groups": False,
        "daemonset_eviction_for_empty_nodes_enabled": False,
        "daemonset_eviction_for_occupied_nodes_enabled": False,
        "empty_bulk_delete_max": "string",
        "expander": "string",
        "ignore_daemonsets_utilization_enabled": False,
        "max_graceful_termination_sec": "string",
        "max_node_provisioning_time": "string",
        "max_unready_nodes": 0,
        "max_unready_percentage": 0,
        "new_pod_scale_up_delay": "string",
        "scale_down_delay_after_add": "string",
        "scale_down_delay_after_delete": "string",
        "scale_down_delay_after_failure": "string",
        "scale_down_unneeded": "string",
        "scale_down_unready": "string",
        "scale_down_utilization_threshold": "string",
        "scan_interval": "string",
        "skip_nodes_with_local_storage": False,
        "skip_nodes_with_system_pods": False,
    },
    # Control-plane patch cadence; pair with maintenance_window_auto_upgrade to bound when upgrades land.
    automatic_upgrade_channel="string",
    azure_active_directory_role_based_access_control={
        # Members of these groups get cluster-admin; keep membership small and reviewed.
        "admin_group_object_ids": ["string"],
        # True moves Kubernetes authorization to Azure RBAC role assignments instead of in-cluster RoleBindings.
        "azure_rbac_enabled": False,
        "tenant_id": "string",
    },
    # Azure Policy add-on (Gatekeeper admission control) for enforcing pod security rules at admission time.
    azure_policy_enabled=False,
    confidential_computing={
        # Quote helper used by SGX attestation flows on confidential node pools; presumably only meaningful with such pools -- confirm.
        "sgx_quote_helper_enabled": False,
    },
    cost_analysis_enabled=False,
    # Customer-managed key (Disk Encryption Set) for node OS/data disks at rest.
    disk_encryption_set_id="string",
    dns_prefix="string",
    dns_prefix_private_cluster="string",
    edge_zone="string",
    # Legacy HTTP application routing add-on; Azure documents it as not for production use -- prefer web_app_routing below.
    http_application_routing_enabled=False,
    http_proxy_config={
        "http_proxy": "string",
        "https_proxy": "string",
        "no_proxies": ["string"],
        # CA that nodes will trust for proxied TLS; adding one extends trust cluster-wide, so scope it to the proxy's CA only.
        "trusted_ca": "string",
    },
    # Managed identity for the cluster control plane; the alternative to service_principal below and the one that avoids a stored secret.
    identity={
        "type": "string",
        "identity_ids": ["string"],
        "principal_id": "string",
        "tenant_id": "string",
    },
    # Removes unused images from nodes so stale, possibly vulnerable layers do not linger.
    image_cleaner_enabled=False,
    image_cleaner_interval_hours=0,
    ingress_application_gateway={
        "effective_gateway_id": "string",
        "gateway_id": "string",
        "gateway_name": "string",
        "ingress_application_gateway_identities": [{
            "client_id": "string",
            "object_id": "string",
            "user_assigned_identity_id": "string",
        }],
        "subnet_cidr": "string",
        "subnet_id": "string",
    },
    # KMS envelope encryption of Kubernetes Secrets in etcd with a Key Vault key; without it secrets rest in etcd under platform encryption only.
    key_management_service={
        "key_vault_key_id": "string",
        "key_vault_network_access": "string",
    },
    # Secrets Store CSI driver: mounts Key Vault secrets into pods instead of copying them into Kubernetes Secrets.
    key_vault_secrets_provider={
        "secret_identities": [{
            "client_id": "string",
            "object_id": "string",
            "user_assigned_identity_id": "string",
        }],
        "secret_rotation_enabled": False,
        "secret_rotation_interval": "string",
    },
    # Identity the kubelets run as (image pulls, disk attach); grant it only the narrow roles it needs (e.g. AcrPull).
    kubelet_identity={
        "client_id": "string",
        "object_id": "string",
        "user_assigned_identity_id": "string",
    },
    kubernetes_version="string",
    linux_profile={
        "admin_username": "string",
        # SSH public key installed on every Linux node; whoever holds the private key has node-level access.
        "ssh_key": {
            "key_data": "string",
        },
    },
    # True disables the static local cluster-admin credentials so all access goes through Entra ID; needs the AAD block above.
    local_account_disabled=False,
    location="string",
    maintenance_window={
        "alloweds": [{
            "day": "string",
            "hours": [0],
        }],
        "not_alloweds": [{
            "end": "string",
            "start": "string",
        }],
    },
    maintenance_window_auto_upgrade={
        "duration": 0,
        "frequency": "string",
        "interval": 0,
        "day_of_month": 0,
        "day_of_week": "string",
        "not_alloweds": [{
            "end": "string",
            "start": "string",
        }],
        "start_date": "string",
        "start_time": "string",
        "utc_offset": "string",
        "week_index": "string",
    },
    maintenance_window_node_os={
        "duration": 0,
        "frequency": "string",
        "interval": 0,
        "day_of_month": 0,
        "day_of_week": "string",
        "not_alloweds": [{
            "end": "string",
            "start": "string",
        }],
        "start_date": "string",
        "start_time": "string",
        "utc_offset": "string",
        "week_index": "string",
    },
    # Defender for Containers runtime threat detection; findings land in the given Log Analytics workspace.
    microsoft_defender={
        "log_analytics_workspace_id": "string",
    },
    monitor_metrics={
        "annotations_allowed": "string",
        "labels_allowed": "string",
    },
    name="string",
    network_profile={
        "network_plugin": "string",
        "network_mode": "string",
        "network_plugin_mode": "string",
        "load_balancer_sku": "string",
        "nat_gateway_profile": {
            "effective_outbound_ips": ["string"],
            "idle_timeout_in_minutes": 0,
            "managed_outbound_ip_count": 0,
        },
        "network_data_plane": "string",
        "dns_service_ip": "string",
        "ip_versions": ["string"],
        "load_balancer_profile": {
            "backend_pool_type": "string",
            "effective_outbound_ips": ["string"],
            "idle_timeout_in_minutes": 0,
            "managed_outbound_ip_count": 0,
            "managed_outbound_ipv6_count": 0,
            "outbound_ip_address_ids": ["string"],
            "outbound_ip_prefix_ids": ["string"],
            "outbound_ports_allocated": 0,
        },
        # Enables NetworkPolicy enforcement (azure/calico/cilium); without a policy engine, pod-to-pod traffic is unrestricted.
        "network_policy": "string",
        # Egress path (load balancer, NAT gateway or user-defined routing); UDR is how egress gets forced through a firewall.
        "outbound_type": "string",
        "pod_cidr": "string",
        "pod_cidrs": ["string"],
        "service_cidr": "string",
        "service_cidrs": ["string"],
    },
    # Node OS patch cadence; the node-image channel is where kernel/CVE fixes arrive.
    node_os_upgrade_channel="string",
    node_resource_group="string",
    # Publishes an OIDC issuer URL for the cluster; required for workload_identity_enabled below.
    oidc_issuer_enabled=False,
    oms_agent={
        "log_analytics_workspace_id": "string",
        "msi_auth_for_monitoring_enabled": False,
        "oms_agent_identities": [{
            "client_id": "string",
            "object_id": "string",
            "user_assigned_identity_id": "string",
        }],
    },
    open_service_mesh_enabled=False,
    # True puts the API server behind a private endpoint; private_cluster_public_fqdn_enabled controls whether a public DNS name still resolves to it.
    private_cluster_enabled=False,
    private_cluster_public_fqdn_enabled=False,
    private_dns_zone_id="string",
    # False removes Kubernetes RBAC authorization from the API server entirely; production clusters keep this True.
    role_based_access_control_enabled=False,
    # Allows `az aks command invoke` to run commands inside the cluster from the ARM plane; disable when not needed.
    run_command_enabled=False,
    service_mesh_profile={
        "mode": "string",
        "revisions": ["string"],
        # Plug-in mesh CA: certificate chain and private key referenced from Key Vault rather than inlined here.
        "certificate_authority": {
            "cert_chain_object_name": "string",
            "cert_object_name": "string",
            "key_object_name": "string",
            "key_vault_id": "string",
            "root_cert_object_name": "string",
        },
        "external_ingress_gateway_enabled": False,
        "internal_ingress_gateway_enabled": False,
    },
    # Legacy alternative to identity: a long-lived app credential. Never commit the literal secret;
    # source it from Pulumi config secrets / Key Vault so it is encrypted in state, and plan rotation.
    service_principal={
        "client_id": "string",
        "client_secret": "string",
    },
    sku_tier="string",
    storage_profile={
        "blob_driver_enabled": False,
        "disk_driver_enabled": False,
        "file_driver_enabled": False,
        "snapshot_controller_enabled": False,
    },
    support_plan="string",
    tags={
        "string": "string",
    },
    web_app_routing={
        "dns_zone_ids": ["string"],
        "web_app_routing_identities": [{
            "client_id": "string",
            "object_id": "string",
            "user_assigned_identity_id": "string",
        }],
    },
    windows_profile={
        # Local administrator password for Windows nodes; treat like any credential -- config secret, not a literal.
        "admin_password": "string",
        "admin_username": "string",
        "gmsa": {
            "dns_server": "string",
            "root_domain": "string",
        },
        "license": "string",
    },
    workload_autoscaler_profile={
        "keda_enabled": False,
        "vertical_pod_autoscaler_enabled": False,
    },
    # Federated workload identity for pods (no secrets in pods); requires oidc_issuer_enabled above.
    workload_identity_enabled=False)
// Constructor syntax: every supported input of azure.containerservice.KubernetesCluster,
// with type placeholders ("string", 0, false) rather than working values. The placeholders
// are NOT recommended settings -- several of the `false` values below switch off security
// controls. The review notes mark the inputs that decide cluster exposure, identity and
// encryption; the basic example at the top of the page shows a minimal working set.
const kubernetesClusterResource = new azure.containerservice.KubernetesCluster("kubernetesClusterResource", {
    defaultNodePool: {
        name: "string",
        vmSize: "string",
        onlyCriticalAddonsEnabled: false,
        maxCount: 0,
        // Host-based encryption of the node's OS/temp disks and caches; complements diskEncryptionSetId below.
        hostEncryptionEnabled: false,
        hostGroupId: "string",
        autoScalingEnabled: false,
        kubeletDiskType: "string",
        linuxOsConfig: {
            swapFileSizeMb: 0,
            // Node-level kernel tuning; applied to the shared host kernel, not per pod.
            sysctlConfig: {
                fsAioMaxNr: 0,
                fsFileMax: 0,
                fsInotifyMaxUserWatches: 0,
                fsNrOpen: 0,
                kernelThreadsMax: 0,
                netCoreNetdevMaxBacklog: 0,
                netCoreOptmemMax: 0,
                netCoreRmemDefault: 0,
                netCoreRmemMax: 0,
                netCoreSomaxconn: 0,
                netCoreWmemDefault: 0,
                netCoreWmemMax: 0,
                netIpv4IpLocalPortRangeMax: 0,
                netIpv4IpLocalPortRangeMin: 0,
                netIpv4NeighDefaultGcThresh1: 0,
                netIpv4NeighDefaultGcThresh2: 0,
                netIpv4NeighDefaultGcThresh3: 0,
                netIpv4TcpFinTimeout: 0,
                netIpv4TcpKeepaliveIntvl: 0,
                netIpv4TcpKeepaliveProbes: 0,
                netIpv4TcpKeepaliveTime: 0,
                netIpv4TcpMaxSynBacklog: 0,
                netIpv4TcpMaxTwBuckets: 0,
                netIpv4TcpTwReuse: false,
                netNetfilterNfConntrackBuckets: 0,
                netNetfilterNfConntrackMax: 0,
                vmMaxMapCount: 0,
                vmSwappiness: 0,
                vmVfsCachePressure: 0,
            },
            transparentHugePageDefrag: "string",
            transparentHugePageEnabled: "string",
        },
        orchestratorVersion: "string",
        maxPods: 0,
        osDiskSizeGb: 0,
        // FIPS-enabled node OS image; affects the nodes only, not the workload binaries they run.
        fipsEnabled: false,
        nodeCount: 0,
        nodeLabels: {
            string: "string",
        },
        nodeNetworkProfile: {
            // Host port ranges opened on the nodes; keep this list minimal.
            allowedHostPorts: [{
                portEnd: 0,
                portStart: 0,
                protocol: "string",
            }],
            applicationSecurityGroupIds: ["string"],
            nodePublicIpTags: {
                string: "string",
            },
        },
        // true gives every node its own public IP, exposing the nodes directly instead of via the load balancer.
        nodePublicIpEnabled: false,
        nodePublicIpPrefixId: "string",
        kubeletConfig: {
            // Each entry lets pods set an "unsafe" sysctl on the shared node kernel; leave empty unless a workload needs it.
            allowedUnsafeSysctls: ["string"],
            containerLogMaxLine: 0,
            containerLogMaxSizeMb: 0,
            cpuCfsQuotaEnabled: false,
            cpuCfsQuotaPeriod: "string",
            cpuManagerPolicy: "string",
            imageGcHighThreshold: 0,
            imageGcLowThreshold: 0,
            // Per-pod PID cap; bounds fork-bomb style resource exhaustion on a node.
            podMaxPid: 0,
            topologyManagerPolicy: "string",
        },
        gpuInstance: "string",
        minCount: 0,
        osDiskType: "string",
        osSku: "string",
        podSubnetId: "string",
        proximityPlacementGroupId: "string",
        scaleDownMode: "string",
        snapshotId: "string",
        tags: {
            string: "string",
        },
        temporaryNameForRotation: "string",
        type: "string",
        ultraSsdEnabled: false,
        upgradeSettings: {
            maxSurge: "string",
            drainTimeoutInMinutes: 0,
            nodeSoakDurationInMinutes: 0,
        },
        capacityReservationGroupId: "string",
        vnetSubnetId: "string",
        workloadRuntime: "string",
        zones: ["string"],
    },
    resourceGroupName: "string",
    aciConnectorLinux: {
        subnetName: "string",
        connectorIdentities: [{
            clientId: "string",
            objectId: "string",
            userAssignedIdentityId: "string",
        }],
    },
    apiServerAccessProfile: {
        // CIDRs allowed to reach a public API server endpoint; without it the endpoint answers to any source IP.
        authorizedIpRanges: ["string"],
    },
    autoScalerProfile: {
        balanceSimilarNodeGroups: false,
        daemonsetEvictionForEmptyNodesEnabled: false,
        daemonsetEvictionForOccupiedNodesEnabled: false,
        emptyBulkDeleteMax: "string",
        expander: "string",
        ignoreDaemonsetsUtilizationEnabled: false,
        maxGracefulTerminationSec: "string",
        maxNodeProvisioningTime: "string",
        maxUnreadyNodes: 0,
        maxUnreadyPercentage: 0,
        newPodScaleUpDelay: "string",
        scaleDownDelayAfterAdd: "string",
        scaleDownDelayAfterDelete: "string",
        scaleDownDelayAfterFailure: "string",
        scaleDownUnneeded: "string",
        scaleDownUnready: "string",
        scaleDownUtilizationThreshold: "string",
        scanInterval: "string",
        skipNodesWithLocalStorage: false,
        skipNodesWithSystemPods: false,
    },
    // Control-plane patch cadence; pair with maintenanceWindowAutoUpgrade to bound when upgrades land.
    automaticUpgradeChannel: "string",
    azureActiveDirectoryRoleBasedAccessControl: {
        // Members of these groups get cluster-admin; keep membership small and reviewed.
        adminGroupObjectIds: ["string"],
        // true moves Kubernetes authorization to Azure RBAC role assignments instead of in-cluster RoleBindings.
        azureRbacEnabled: false,
        tenantId: "string",
    },
    // Azure Policy add-on (Gatekeeper admission control) for enforcing pod security rules at admission time.
    azurePolicyEnabled: false,
    confidentialComputing: {
        // Quote helper used by SGX attestation flows on confidential node pools; presumably only meaningful with such pools -- confirm.
        sgxQuoteHelperEnabled: false,
    },
    costAnalysisEnabled: false,
    // Customer-managed key (Disk Encryption Set) for node OS/data disks at rest.
    diskEncryptionSetId: "string",
    dnsPrefix: "string",
    dnsPrefixPrivateCluster: "string",
    edgeZone: "string",
    // Legacy HTTP application routing add-on; Azure documents it as not for production use -- prefer webAppRouting below.
    httpApplicationRoutingEnabled: false,
    httpProxyConfig: {
        httpProxy: "string",
        httpsProxy: "string",
        noProxies: ["string"],
        // CA that nodes will trust for proxied TLS; adding one extends trust cluster-wide, so scope it to the proxy's CA only.
        trustedCa: "string",
    },
    // Managed identity for the cluster control plane; the alternative to servicePrincipal below and the one that avoids a stored secret.
    identity: {
        type: "string",
        identityIds: ["string"],
        principalId: "string",
        tenantId: "string",
    },
    // Removes unused images from nodes so stale, possibly vulnerable layers do not linger.
    imageCleanerEnabled: false,
    imageCleanerIntervalHours: 0,
    ingressApplicationGateway: {
        effectiveGatewayId: "string",
        gatewayId: "string",
        gatewayName: "string",
        ingressApplicationGatewayIdentities: [{
            clientId: "string",
            objectId: "string",
            userAssignedIdentityId: "string",
        }],
        subnetCidr: "string",
        subnetId: "string",
    },
    // KMS envelope encryption of Kubernetes Secrets in etcd with a Key Vault key; without it secrets rest in etcd under platform encryption only.
    keyManagementService: {
        keyVaultKeyId: "string",
        keyVaultNetworkAccess: "string",
    },
    // Secrets Store CSI driver: mounts Key Vault secrets into pods instead of copying them into Kubernetes Secrets.
    keyVaultSecretsProvider: {
        secretIdentities: [{
            clientId: "string",
            objectId: "string",
            userAssignedIdentityId: "string",
        }],
        secretRotationEnabled: false,
        secretRotationInterval: "string",
    },
    // Identity the kubelets run as (image pulls, disk attach); grant it only the narrow roles it needs (e.g. AcrPull).
    kubeletIdentity: {
        clientId: "string",
        objectId: "string",
        userAssignedIdentityId: "string",
    },
    kubernetesVersion: "string",
    linuxProfile: {
        adminUsername: "string",
        // SSH public key installed on every Linux node; whoever holds the private key has node-level access.
        sshKey: {
            keyData: "string",
        },
    },
    // true disables the static local cluster-admin credentials so all access goes through Entra ID; needs the AAD block above.
    localAccountDisabled: false,
    location: "string",
    maintenanceWindow: {
        alloweds: [{
            day: "string",
            hours: [0],
        }],
        notAlloweds: [{
            end: "string",
            start: "string",
        }],
    },
    maintenanceWindowAutoUpgrade: {
        duration: 0,
        frequency: "string",
        interval: 0,
        dayOfMonth: 0,
        dayOfWeek: "string",
        notAlloweds: [{
            end: "string",
            start: "string",
        }],
        startDate: "string",
        startTime: "string",
        utcOffset: "string",
        weekIndex: "string",
    },
    maintenanceWindowNodeOs: {
        duration: 0,
        frequency: "string",
        interval: 0,
        dayOfMonth: 0,
        dayOfWeek: "string",
        notAlloweds: [{
            end: "string",
            start: "string",
        }],
        startDate: "string",
        startTime: "string",
        utcOffset: "string",
        weekIndex: "string",
    },
    // Defender for Containers runtime threat detection; findings land in the given Log Analytics workspace.
    microsoftDefender: {
        logAnalyticsWorkspaceId: "string",
    },
    monitorMetrics: {
        annotationsAllowed: "string",
        labelsAllowed: "string",
    },
    name: "string",
    networkProfile: {
        networkPlugin: "string",
        networkMode: "string",
        networkPluginMode: "string",
        loadBalancerSku: "string",
        natGatewayProfile: {
            effectiveOutboundIps: ["string"],
            idleTimeoutInMinutes: 0,
            managedOutboundIpCount: 0,
        },
        networkDataPlane: "string",
        dnsServiceIp: "string",
        ipVersions: ["string"],
        loadBalancerProfile: {
            backendPoolType: "string",
            effectiveOutboundIps: ["string"],
            idleTimeoutInMinutes: 0,
            managedOutboundIpCount: 0,
            managedOutboundIpv6Count: 0,
            outboundIpAddressIds: ["string"],
            outboundIpPrefixIds: ["string"],
            outboundPortsAllocated: 0,
        },
        // Enables NetworkPolicy enforcement (azure/calico/cilium); without a policy engine, pod-to-pod traffic is unrestricted.
        networkPolicy: "string",
        // Egress path (load balancer, NAT gateway or user-defined routing); UDR is how egress gets forced through a firewall.
        outboundType: "string",
        podCidr: "string",
        podCidrs: ["string"],
        serviceCidr: "string",
        serviceCidrs: ["string"],
    },
    // Node OS patch cadence; the node-image channel is where kernel/CVE fixes arrive.
    nodeOsUpgradeChannel: "string",
    nodeResourceGroup: "string",
    // Publishes an OIDC issuer URL for the cluster; required for workloadIdentityEnabled below.
    oidcIssuerEnabled: false,
    omsAgent: {
        logAnalyticsWorkspaceId: "string",
        msiAuthForMonitoringEnabled: false,
        omsAgentIdentities: [{
            clientId: "string",
            objectId: "string",
            userAssignedIdentityId: "string",
        }],
    },
    openServiceMeshEnabled: false,
    // true puts the API server behind a private endpoint; privateClusterPublicFqdnEnabled controls whether a public DNS name still resolves to it.
    privateClusterEnabled: false,
    privateClusterPublicFqdnEnabled: false,
    privateDnsZoneId: "string",
    // false removes Kubernetes RBAC authorization from the API server entirely; production clusters keep this true.
    roleBasedAccessControlEnabled: false,
    // Allows `az aks command invoke` to run commands inside the cluster from the ARM plane; disable when not needed.
    runCommandEnabled: false,
    serviceMeshProfile: {
        mode: "string",
        revisions: ["string"],
        // Plug-in mesh CA: certificate chain and private key referenced from Key Vault rather than inlined here.
        certificateAuthority: {
            certChainObjectName: "string",
            certObjectName: "string",
            keyObjectName: "string",
            keyVaultId: "string",
            rootCertObjectName: "string",
        },
        externalIngressGatewayEnabled: false,
        internalIngressGatewayEnabled: false,
    },
    // Legacy alternative to identity: a long-lived app credential. Never commit the literal secret;
    // source it from Pulumi config secrets / Key Vault so it is encrypted in state, and plan rotation.
    servicePrincipal: {
        clientId: "string",
        clientSecret: "string",
    },
    skuTier: "string",
    storageProfile: {
        blobDriverEnabled: false,
        diskDriverEnabled: false,
        fileDriverEnabled: false,
        snapshotControllerEnabled: false,
    },
    supportPlan: "string",
    tags: {
        string: "string",
    },
    webAppRouting: {
        dnsZoneIds: ["string"],
        webAppRoutingIdentities: [{
            clientId: "string",
            objectId: "string",
            userAssignedIdentityId: "string",
        }],
    },
    windowsProfile: {
        // Local administrator password for Windows nodes; treat like any credential -- config secret, not a literal.
        adminPassword: "string",
        adminUsername: "string",
        gmsa: {
            dnsServer: "string",
            rootDomain: "string",
        },
        license: "string",
    },
    workloadAutoscalerProfile: {
        kedaEnabled: false,
        verticalPodAutoscalerEnabled: false,
    },
    // Federated workload identity for pods (no secrets in pods); requires oidcIssuerEnabled above.
    workloadIdentityEnabled: false,
});
type: azure:containerservice:KubernetesCluster
properties:
aciConnectorLinux:
connectorIdentities:
- clientId: string
objectId: string
userAssignedIdentityId: string
subnetName: string
apiServerAccessProfile:
authorizedIpRanges:
- string
autoScalerProfile:
balanceSimilarNodeGroups: false
daemonsetEvictionForEmptyNodesEnabled: false
daemonsetEvictionForOccupiedNodesEnabled: false
emptyBulkDeleteMax: string
expander: string
ignoreDaemonsetsUtilizationEnabled: false
maxGracefulTerminationSec: string
maxNodeProvisioningTime: string
maxUnreadyNodes: 0
maxUnreadyPercentage: 0
newPodScaleUpDelay: string
scaleDownDelayAfterAdd: string
scaleDownDelayAfterDelete: string
scaleDownDelayAfterFailure: string
scaleDownUnneeded: string
scaleDownUnready: string
scaleDownUtilizationThreshold: string
scanInterval: string
skipNodesWithLocalStorage: false
skipNodesWithSystemPods: false
automaticUpgradeChannel: string
azureActiveDirectoryRoleBasedAccessControl:
adminGroupObjectIds:
- string
azureRbacEnabled: false
tenantId: string
azurePolicyEnabled: false
confidentialComputing:
sgxQuoteHelperEnabled: false
costAnalysisEnabled: false
defaultNodePool:
autoScalingEnabled: false
capacityReservationGroupId: string
fipsEnabled: false
gpuInstance: string
hostEncryptionEnabled: false
hostGroupId: string
kubeletConfig:
allowedUnsafeSysctls:
- string
containerLogMaxLine: 0
containerLogMaxSizeMb: 0
cpuCfsQuotaEnabled: false
cpuCfsQuotaPeriod: string
cpuManagerPolicy: string
imageGcHighThreshold: 0
imageGcLowThreshold: 0
podMaxPid: 0
topologyManagerPolicy: string
kubeletDiskType: string
linuxOsConfig:
swapFileSizeMb: 0
sysctlConfig:
fsAioMaxNr: 0
fsFileMax: 0
fsInotifyMaxUserWatches: 0
fsNrOpen: 0
kernelThreadsMax: 0
netCoreNetdevMaxBacklog: 0
netCoreOptmemMax: 0
netCoreRmemDefault: 0
netCoreRmemMax: 0
netCoreSomaxconn: 0
netCoreWmemDefault: 0
netCoreWmemMax: 0
netIpv4IpLocalPortRangeMax: 0
netIpv4IpLocalPortRangeMin: 0
netIpv4NeighDefaultGcThresh1: 0
netIpv4NeighDefaultGcThresh2: 0
netIpv4NeighDefaultGcThresh3: 0
netIpv4TcpFinTimeout: 0
netIpv4TcpKeepaliveIntvl: 0
netIpv4TcpKeepaliveProbes: 0
netIpv4TcpKeepaliveTime: 0
netIpv4TcpMaxSynBacklog: 0
netIpv4TcpMaxTwBuckets: 0
netIpv4TcpTwReuse: false
netNetfilterNfConntrackBuckets: 0
netNetfilterNfConntrackMax: 0
vmMaxMapCount: 0
vmSwappiness: 0
vmVfsCachePressure: 0
transparentHugePageDefrag: string
transparentHugePageEnabled: string
maxCount: 0
maxPods: 0
minCount: 0
name: string
nodeCount: 0
nodeLabels:
string: string
nodeNetworkProfile:
allowedHostPorts:
- portEnd: 0
portStart: 0
protocol: string
applicationSecurityGroupIds:
- string
nodePublicIpTags:
string: string
nodePublicIpEnabled: false
nodePublicIpPrefixId: string
onlyCriticalAddonsEnabled: false
orchestratorVersion: string
osDiskSizeGb: 0
osDiskType: string
osSku: string
podSubnetId: string
proximityPlacementGroupId: string
scaleDownMode: string
snapshotId: string
tags:
string: string
temporaryNameForRotation: string
type: string
ultraSsdEnabled: false
upgradeSettings:
drainTimeoutInMinutes: 0
maxSurge: string
nodeSoakDurationInMinutes: 0
vmSize: string
vnetSubnetId: string
workloadRuntime: string
zones:
- string
diskEncryptionSetId: string
dnsPrefix: string
dnsPrefixPrivateCluster: string
edgeZone: string
httpApplicationRoutingEnabled: false
httpProxyConfig:
httpProxy: string
httpsProxy: string
noProxies:
- string
trustedCa: string
identity:
identityIds:
- string
principalId: string
tenantId: string
type: string
imageCleanerEnabled: false
imageCleanerIntervalHours: 0
ingressApplicationGateway:
effectiveGatewayId: string
gatewayId: string
gatewayName: string
ingressApplicationGatewayIdentities:
- clientId: string
objectId: string
userAssignedIdentityId: string
subnetCidr: string
subnetId: string
keyManagementService:
keyVaultKeyId: string
keyVaultNetworkAccess: string
keyVaultSecretsProvider:
secretIdentities:
- clientId: string
objectId: string
userAssignedIdentityId: string
secretRotationEnabled: false
secretRotationInterval: string
kubeletIdentity:
clientId: string
objectId: string
userAssignedIdentityId: string
kubernetesVersion: string
linuxProfile:
adminUsername: string
sshKey:
keyData: string
localAccountDisabled: false
location: string
maintenanceWindow:
alloweds:
- day: string
hours:
- 0
notAlloweds:
- end: string
start: string
maintenanceWindowAutoUpgrade:
dayOfMonth: 0
dayOfWeek: string
duration: 0
frequency: string
interval: 0
notAlloweds:
- end: string
start: string
startDate: string
startTime: string
utcOffset: string
weekIndex: string
maintenanceWindowNodeOs:
dayOfMonth: 0
dayOfWeek: string
duration: 0
frequency: string
interval: 0
notAlloweds:
- end: string
start: string
startDate: string
startTime: string
utcOffset: string
weekIndex: string
microsoftDefender:
logAnalyticsWorkspaceId: string
monitorMetrics:
annotationsAllowed: string
labelsAllowed: string
name: string
networkProfile:
dnsServiceIp: string
ipVersions:
- string
loadBalancerProfile:
backendPoolType: string
effectiveOutboundIps:
- string
idleTimeoutInMinutes: 0
managedOutboundIpCount: 0
managedOutboundIpv6Count: 0
outboundIpAddressIds:
- string
outboundIpPrefixIds:
- string
outboundPortsAllocated: 0
loadBalancerSku: string
natGatewayProfile:
effectiveOutboundIps:
- string
idleTimeoutInMinutes: 0
managedOutboundIpCount: 0
networkDataPlane: string
networkMode: string
networkPlugin: string
networkPluginMode: string
networkPolicy: string
outboundType: string
podCidr: string
podCidrs:
- string
serviceCidr: string
serviceCidrs:
- string
nodeOsUpgradeChannel: string
nodeResourceGroup: string
oidcIssuerEnabled: false
omsAgent:
logAnalyticsWorkspaceId: string
msiAuthForMonitoringEnabled: false
omsAgentIdentities:
- clientId: string
objectId: string
userAssignedIdentityId: string
openServiceMeshEnabled: false
privateClusterEnabled: false
privateClusterPublicFqdnEnabled: false
privateDnsZoneId: string
resourceGroupName: string
roleBasedAccessControlEnabled: false
runCommandEnabled: false
serviceMeshProfile:
certificateAuthority:
certChainObjectName: string
certObjectName: string
keyObjectName: string
keyVaultId: string
rootCertObjectName: string
externalIngressGatewayEnabled: false
internalIngressGatewayEnabled: false
mode: string
revisions:
- string
servicePrincipal:
clientId: string
clientSecret: string
skuTier: string
storageProfile:
blobDriverEnabled: false
diskDriverEnabled: false
fileDriverEnabled: false
snapshotControllerEnabled: false
supportPlan: string
tags:
string: string
webAppRouting:
dnsZoneIds:
- string
webAppRoutingIdentities:
- clientId: string
objectId: string
userAssignedIdentityId: string
windowsProfile:
adminPassword: string
adminUsername: string
gmsa:
dnsServer: string
rootDomain: string
license: string
workloadAutoscalerProfile:
kedaEnabled: false
verticalPodAutoscalerEnabled: false
workloadIdentityEnabled: false
KubernetesCluster Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The KubernetesCluster resource accepts the following input properties:
- Default
Node KubernetesPool Cluster Default Node Pool - Specifies configuration for "System" mode node pool. A
default_node_pool
block as defined below. - Resource
Group stringName - Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
- Aci
Connector KubernetesLinux Cluster Aci Connector Linux - A
aci_connector_linux
block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes. - Api
Server KubernetesAccess Profile Cluster Api Server Access Profile - An
api_server_access_profile
block as defined below. - Auto
Scaler KubernetesProfile Cluster Auto Scaler Profile - A
auto_scaler_profile
block as defined below. - Automatic
Upgrade stringChannel The upgrade channel for this Kubernetes Cluster. Possible values are
patch
,rapid
,node-image
andstable
. Omitting this field sets this value tonone
. Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically; please see the Azure documentation for more information.
Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.
- Azure
Active KubernetesDirectory Role Based Access Control Cluster Azure Active Directory Role Based Access Control - A
azure_active_directory_role_based_access_control
block as defined below. - Azure
Policy boolEnabled - Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
- Confidential
Computing KubernetesCluster Confidential Computing - A
confidential_computing
block as defined below. For more details please see the documentation. - Cost
Analysis boolEnabled - Should cost analysis be enabled for this Kubernetes Cluster? Defaults to
false
. Thesku_tier
must be set toStandard
orPremium
to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. - Disk
Encryption stringSet Id - The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
- Dns
Prefix string - DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
- Dns
Prefix stringPrivate Cluster Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.
Note: You must define either a
dns_prefix
or adns_prefix_private_cluster
field. In addition, one of either
identity
orservice_principal
blocks must be specified.- Edge
Zone string - Specifies the Extended Zone (formerly called Edge Zone) within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
- Http
Application boolRouting Enabled Should HTTP Application Routing be enabled?
Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.
- Http
Proxy KubernetesConfig Cluster Http Proxy Config - A
http_proxy_config
block as defined below. - Identity
Kubernetes
Cluster Identity An
identity
block as defined below. One of eitheridentity
orservice_principal
must be specified. Note: A migration scenario from
service_principal
toidentity
is supported. When upgradingservice_principal
toidentity
, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configuredservice_principal
until you upgrade your Node Pool.- Image
Cleaner boolEnabled - Specifies whether Image Cleaner is enabled.
- Image
Cleaner intInterval Hours - Specifies the interval in hours when images should be cleaned up. Defaults to
0
. - Ingress
Application KubernetesGateway Cluster Ingress Application Gateway A
ingress_application_gateway
block as defined below. Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the
Microsoft.Network/virtualNetworks/subnets/join/action
permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.- Key
Management KubernetesService Cluster Key Management Service - A
key_management_service
block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster. - Key
Vault KubernetesSecrets Provider Cluster Key Vault Secrets Provider - A
key_vault_secrets_provider
block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS. - Kubelet
Identity KubernetesCluster Kubelet Identity - A
kubelet_identity
block as defined below. - Kubernetes
Version string Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as
1.22
are also supported, in which case the minor version's latest GA patch is automatically chosen. More details can be found in the documentation. Note: Upgrading your cluster may take up to 10 minutes per node.
- Linux
Profile KubernetesCluster Linux Profile - A
linux_profile
block as defined below. - Local
Account boolDisabled If
true
local accounts will be disabled. See the documentation for more information.Note: If
local_account_disabled
is set totrue
, Kubernetes RBAC and AKS-managed Azure AD integration must also be enabled. See the documentation for more information. - Location string
- The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
- Maintenance
Window KubernetesCluster Maintenance Window - A
maintenance_window
block as defined below. - Maintenance
Window KubernetesAuto Upgrade Cluster Maintenance Window Auto Upgrade - A
maintenance_window_auto_upgrade
block as defined below. - Maintenance
Window KubernetesNode Os Cluster Maintenance Window Node Os - A
maintenance_window_node_os
block as defined below. - Microsoft
Defender KubernetesCluster Microsoft Defender - A
microsoft_defender
block as defined below. - Monitor
Metrics KubernetesCluster Monitor Metrics Specifies a Prometheus add-on profile for the Kubernetes Cluster. A
monitor_metrics
block as defined below.Note: If deploying Managed Prometheus, the
monitor_metrics
properties are required to configure the cluster for metrics collection. If no value is needed, set properties tonull
.- Name string
- The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
- Network
Profile KubernetesCluster Network Profile A
network_profile
block as defined below. Changing this forces a new resource to be created.Note: If
network_profile
is not defined,kubenet
profile will be used by default.- Node
Os stringUpgrade Channel The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are
Unmanaged
,SecurityPatch
,NodeImage
andNone
. Defaults toNodeImage
.Note:
node_os_upgrade_channel
must be set toNodeImage
ifautomatic_upgrade_channel
has been set to node-image.
- Node
Resource stringGroup The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.
Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.
- Oidc
Issuer boolEnabled - Whether the OIDC issuer URL should be enabled.
- Oms
Agent KubernetesCluster Oms Agent - A
oms_agent
block as defined below. - Open
Service boolMesh Enabled - Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
- Private
Cluster boolEnabled - Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to
false
. Changing this forces a new resource to be created. - Private
Cluster boolPublic Fqdn Enabled Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to
false
.Note: If you use BYO DNS Zone, the AKS cluster should either use a User Assigned Identity or a service principal (which is deprecated) with the
Private DNS Zone Contributor
role and access to this Private DNS Zone. IfUserAssigned
identity is used, the cluster should depend on the role assignment so that resources are not destroyed in the wrong order, as in this example:
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
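// Resource group that holds the zone, the identity and the cluster.
const example = new azure.core.ResourceGroup("example", {
    name: "example",
    location: "West Europe",
});

// Bring-your-own private DNS zone for the private cluster's API server.
const exampleZone = new azure.privatedns.Zone("example", {
    name: "privatelink.eastus2.azmk8s.io",
    resourceGroupName: example.name,
});

// Identity the cluster runs as; it needs rights on the private zone.
const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
    name: "aks-example-identity",
    resourceGroupName: example.name,
    location: example.location,
});

// Grant "Private DNS Zone Contributor" scoped to this zone only (least
// privilege: no broader scope than the zone the cluster must write to).
const exampleAssignment = new azure.authorization.Assignment("example", {
    scope: exampleZone.id,
    roleDefinitionName: "Private DNS Zone Contributor",
    principalId: exampleUserAssignedIdentity.principalId,
});

const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
    name: "aksexamplewithprivatednszone1",
    location: example.location,
    resourceGroupName: example.name,
    dnsPrefix: "aksexamplednsprefix1",
    privateClusterEnabled: true,
    privateDnsZoneId: exampleZone.id,
    // Attach the identity that holds the role assignment above. The cluster
    // requires an identity (or service_principal) block, and without it the
    // role would be granted to an identity the cluster never uses.
    identity: {
        type: "UserAssigned",
        identityIds: [exampleUserAssignedIdentity.id],
    },
}, {
    // Create the cluster only after the role assignment exists, and destroy
    // it before the assignment is removed.
    dependsOn: [exampleAssignment],
});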
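import pulumi
import pulumi_azure as azure

# Resource group that holds the zone, the identity and the cluster.
example = azure.core.ResourceGroup("example",
    name="example",
    location="West Europe")

# Bring-your-own private DNS zone for the private cluster's API server.
example_zone = azure.privatedns.Zone("example",
    name="privatelink.eastus2.azmk8s.io",
    resource_group_name=example.name)

# Identity the cluster runs as; it needs rights on the private zone.
example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example",
    name="aks-example-identity",
    resource_group_name=example.name,
    location=example.location)

# Grant "Private DNS Zone Contributor" scoped to this zone only (least privilege).
example_assignment = azure.authorization.Assignment("example",
    scope=example_zone.id,
    role_definition_name="Private DNS Zone Contributor",
    principal_id=example_user_assigned_identity.principal_id)

example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
    name="aksexamplewithprivatednszone1",
    location=example.location,
    resource_group_name=example.name,
    dns_prefix="aksexamplednsprefix1",
    private_cluster_enabled=True,
    private_dns_zone_id=example_zone.id,
    # Attach the identity that holds the role assignment above. The cluster
    # requires an identity (or service_principal) block, and without it the
    # role would be granted to an identity the cluster never uses.
    identity={
        "type": "UserAssigned",
        "identity_ids": [example_user_assigned_identity.id],
    },
    # Create the cluster only after the role assignment exists, and destroy
    # it before the assignment is removed.
    opts=pulumi.ResourceOptions(depends_on=[example_assignment]))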
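using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;

return await Deployment.RunAsync(() =>
{
    // Resource group that holds the zone, the identity and the cluster.
    var example = new Azure.Core.ResourceGroup("example", new()
    {
        Name = "example",
        Location = "West Europe",
    });

    // Bring-your-own private DNS zone for the private cluster's API server.
    var exampleZone = new Azure.PrivateDns.Zone("example", new()
    {
        Name = "privatelink.eastus2.azmk8s.io",
        ResourceGroupName = example.Name,
    });

    // Identity the cluster runs as; it needs rights on the private zone.
    var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
    {
        Name = "aks-example-identity",
        ResourceGroupName = example.Name,
        Location = example.Location,
    });

    // Grant "Private DNS Zone Contributor" scoped to this zone only (least privilege).
    var exampleAssignment = new Azure.Authorization.Assignment("example", new()
    {
        Scope = exampleZone.Id,
        RoleDefinitionName = "Private DNS Zone Contributor",
        PrincipalId = exampleUserAssignedIdentity.PrincipalId,
    });

    var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
    {
        Name = "aksexamplewithprivatednszone1",
        Location = example.Location,
        ResourceGroupName = example.Name,
        DnsPrefix = "aksexamplednsprefix1",
        PrivateClusterEnabled = true,
        PrivateDnsZoneId = exampleZone.Id,
        // Attach the identity that holds the role assignment above. The cluster
        // requires an identity (or service principal) block, and without it the
        // role would be granted to an identity the cluster never uses.
        Identity = new Azure.ContainerService.Inputs.KubernetesClusterIdentityArgs
        {
            Type = "UserAssigned",
            IdentityIds = new[]
            {
                exampleUserAssignedIdentity.Id,
            },
        },
    }, new CustomResourceOptions
    {
        // Create the cluster only after the role assignment exists, and
        // destroy it before the assignment is removed.
        DependsOn =
        {
            exampleAssignment,
        },
    });
});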
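package main

import (
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/containerservice"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/privatedns"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main provisions a private AKS cluster that uses a bring-your-own private DNS
// zone, with a user-assigned identity that is granted rights on that zone.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Resource group that holds the zone, the identity and the cluster.
		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
			Name:     pulumi.String("example"),
			Location: pulumi.String("West Europe"),
		})
		if err != nil {
			return err
		}
		// Bring-your-own private DNS zone for the private cluster's API server.
		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
			ResourceGroupName: example.Name,
		})
		if err != nil {
			return err
		}
		// Identity the cluster runs as; it needs rights on the private zone.
		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
			Name:              pulumi.String("aks-example-identity"),
			ResourceGroupName: example.Name,
			Location:          example.Location,
		})
		if err != nil {
			return err
		}
		// Grant "Private DNS Zone Contributor" scoped to this zone only (least privilege).
		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
			Scope:              exampleZone.ID(),
			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
		})
		if err != nil {
			return err
		}
		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
			Name:                  pulumi.String("aksexamplewithprivatednszone1"),
			Location:              example.Location,
			ResourceGroupName:     example.Name,
			DnsPrefix:             pulumi.String("aksexamplednsprefix1"),
			PrivateClusterEnabled: pulumi.Bool(true),
			PrivateDnsZoneId:      exampleZone.ID(),
			// Attach the identity that holds the role assignment above. The
			// cluster requires an identity (or service principal) block, and
			// without it the role would be granted to an identity the cluster
			// never uses.
			Identity: &containerservice.KubernetesClusterIdentityArgs{
				Type: pulumi.String("UserAssigned"),
				IdentityIds: pulumi.StringArray{
					exampleUserAssignedIdentity.ID(),
				},
			},
		}, pulumi.DependsOn([]pulumi.Resource{
			// Create the cluster only after the role assignment exists, and
			// destroy it before the assignment is removed.
			exampleAssignment,
		}))
		if err != nil {
			return err
		}
		return nil
	})
}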
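package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.privatedns.Zone;
import com.pulumi.azure.privatedns.ZoneArgs;
import com.pulumi.azure.authorization.UserAssignedIdentity;
import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import com.pulumi.azure.containerservice.KubernetesCluster;
import com.pulumi.azure.containerservice.KubernetesClusterArgs;
import com.pulumi.azure.containerservice.inputs.KubernetesClusterIdentityArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Provisions a private AKS cluster that uses a bring-your-own private DNS zone,
 * with a user-assigned identity that is granted rights on that zone.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the resource group, private DNS zone, identity, role assignment
     * and cluster for the stack.
     *
     * @param ctx the Pulumi context the resources are registered with
     */
    public static void stack(Context ctx) {
        // Resource group that holds the zone, the identity and the cluster.
        var example = new ResourceGroup("example", ResourceGroupArgs.builder()
            .name("example")
            .location("West Europe")
            .build());

        // Bring-your-own private DNS zone for the private cluster's API server.
        var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
            .name("privatelink.eastus2.azmk8s.io")
            .resourceGroupName(example.name())
            .build());

        // Identity the cluster runs as; it needs rights on the private zone.
        var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
            .name("aks-example-identity")
            .resourceGroupName(example.name())
            .location(example.location())
            .build());

        // Grant "Private DNS Zone Contributor" scoped to this zone only (least privilege).
        var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
            .scope(exampleZone.id())
            .roleDefinitionName("Private DNS Zone Contributor")
            .principalId(exampleUserAssignedIdentity.principalId())
            .build());

        var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
            .name("aksexamplewithprivatednszone1")
            .location(example.location())
            .resourceGroupName(example.name())
            .dnsPrefix("aksexamplednsprefix1")
            .privateClusterEnabled(true)
            .privateDnsZoneId(exampleZone.id())
            // Attach the identity that holds the role assignment above. The
            // cluster requires an identity (or service principal) block, and
            // without it the role would be granted to an identity the cluster
            // never uses.
            .identity(KubernetesClusterIdentityArgs.builder()
                .type("UserAssigned")
                .identityIds(exampleUserAssignedIdentity.id().applyValue(id -> List.of(id)))
                .build())
            .build(), CustomResourceOptions.builder()
            // Create the cluster only after the role assignment exists, and
            // destroy it before the assignment is removed.
            .dependsOn(exampleAssignment)
            .build());
    }
}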
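resources:
  # Resource group that holds the zone, the identity and the cluster.
  example:
    type: azure:core:ResourceGroup
    properties:
      name: example
      location: West Europe
  # Bring-your-own private DNS zone for the private cluster's API server.
  exampleZone:
    type: azure:privatedns:Zone
    name: example
    properties:
      name: privatelink.eastus2.azmk8s.io
      resourceGroupName: ${example.name}
  # Identity the cluster runs as; it needs rights on the private zone.
  exampleUserAssignedIdentity:
    type: azure:authorization:UserAssignedIdentity
    name: example
    properties:
      name: aks-example-identity
      resourceGroupName: ${example.name}
      location: ${example.location}
  # Grant "Private DNS Zone Contributor" scoped to this zone only (least privilege).
  exampleAssignment:
    type: azure:authorization:Assignment
    name: example
    properties:
      scope: ${exampleZone.id}
      roleDefinitionName: Private DNS Zone Contributor
      principalId: ${exampleUserAssignedIdentity.principalId}
  exampleKubernetesCluster:
    type: azure:containerservice:KubernetesCluster
    name: example
    properties:
      name: aksexamplewithprivatednszone1
      location: ${example.location}
      resourceGroupName: ${example.name}
      dnsPrefix: aksexamplednsprefix1
      privateClusterEnabled: true
      privateDnsZoneId: ${exampleZone.id}
      # Attach the identity that holds the role assignment above. The cluster
      # requires an identity (or servicePrincipal) block, and without it the
      # role would be granted to an identity the cluster never uses.
      identity:
        type: UserAssigned
        identityIds:
          - ${exampleUserAssignedIdentity.id}
    options:
      # Create the cluster only after the role assignment exists, and destroy
      # it before the assignment is removed.
      dependsOn:
        - ${exampleAssignment}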
- Private
Dns stringZone Id - Either the ID of Private DNS Zone which should be delegated to this Cluster,
System
to have AKS manage this orNone
. In case ofNone
you will need to bring your own DNS server and set up name resolution; otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created. - Role
Based boolAccess Control Enabled - Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to
true
. Changing this forces a new resource to be created. - Run
Command boolEnabled - Whether the run command feature should be enabled for the cluster. Defaults to
true
. - Service
Mesh KubernetesProfile Cluster Service Mesh Profile - A
service_mesh_profile
block as defined below. - Service
Principal KubernetesCluster Service Principal A
service_principal
block as documented below. One of eitheridentity
orservice_principal
must be specified. Note: A migration scenario from
service_principal
toidentity
is supported. When upgradingservice_principal
toidentity
, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configuredservice_principal
until you upgrade your Node Pool.- Sku
Tier string The SKU Tier that should be used for this Kubernetes Cluster. Possible values are
Free
,Standard
(which includes the Uptime SLA) andPremium
. Defaults toFree
.Note: Whilst the AKS API previously supported the
Paid
SKU - the AKS API introduced a breaking change in API Version2023-02-01
(used in v3.51.0 and later) where the valuePaid
must now be set toStandard
.- Storage
Profile KubernetesCluster Storage Profile - A
storage_profile
block as defined below. - Support
Plan string - Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are
KubernetesOfficial
andAKSLongTermSupport
. Defaults toKubernetesOfficial
. - Tags Dictionary<string, string>
- A mapping of tags to assign to the resource.
- Web
App KubernetesRouting Cluster Web App Routing - A
web_app_routing
block as defined below. - Windows
Profile KubernetesCluster Windows Profile - A
windows_profile
block as defined below. - Workload
Autoscaler KubernetesProfile Cluster Workload Autoscaler Profile - A
workload_autoscaler_profile
block as defined below. - Workload
Identity boolEnabled Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to
false
.Note: To enable Azure AD Workload Identity
oidc_issuer_enabled
must be set totrue
.Note: Enabling this option will allocate Workload Identity resources to the
kube-system
namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.
- Default
Node KubernetesPool Cluster Default Node Pool Args - Specifies configuration for "System" mode node pool. A
default_node_pool
block as defined below. - Resource
Group stringName - Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
- Aci
Connector KubernetesLinux Cluster Aci Connector Linux Args - A
aci_connector_linux
block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes. - Api
Server KubernetesAccess Profile Cluster Api Server Access Profile Args - An
api_server_access_profile
block as defined below. - Auto
Scaler KubernetesProfile Cluster Auto Scaler Profile Args - A
auto_scaler_profile
block as defined below. - Automatic
Upgrade stringChannel - The upgrade channel for this Kubernetes Cluster. Possible values are `patch`, `rapid`, `node-image` and `stable`. Omitting this field sets this value to `none`.
!> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.
Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.
- Azure
Active KubernetesDirectory Role Based Access Control Cluster Azure Active Directory Role Based Access Control Args - A
azure_active_directory_role_based_access_control
block as defined below. - Azure
Policy boolEnabled - Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
- Confidential
Computing KubernetesCluster Confidential Computing Args - A
confidential_computing
block as defined below. For more details please see the documentation. - Cost
Analysis boolEnabled - Should cost analysis be enabled for this Kubernetes Cluster? Defaults to
false
. Thesku_tier
must be set toStandard
orPremium
to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. - Disk
Encryption stringSet Id - The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
- Dns
Prefix string - DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
- Dns
Prefix stringPrivate Cluster Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.
Note: You must define either a
dns_prefix
or adns_prefix_private_cluster
field.In addition, one of either
identity
orservice_principal
blocks must be specified.- Edge
Zone string - Specifies the Extended Zone (formerly called Edge Zone) within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
- Http
Application boolRouting Enabled Should HTTP Application Routing be enabled?
Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.
- Http
Proxy KubernetesConfig Cluster Http Proxy Config Args - A
http_proxy_config
block as defined below. - Identity
Kubernetes
Cluster Identity Args An
identity
block as defined below. One of eitheridentity
orservice_principal
must be specified.!> Note: A migration scenario from
service_principal
toidentity
is supported. When upgradingservice_principal
toidentity
, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configuredservice_principal
until you upgrade your Node Pool.- Image
Cleaner boolEnabled - Specifies whether Image Cleaner is enabled.
- Image
Cleaner intInterval Hours - Specifies the interval in hours when images should be cleaned up. Defaults to
0
. - Ingress
Application KubernetesGateway Cluster Ingress Application Gateway Args A
ingress_application_gateway
block as defined below.Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the
Microsoft.Network/virtualNetworks/subnets/join/action
permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.- Key
Management KubernetesService Cluster Key Management Service Args - A
key_management_service
block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster. - Key
Vault KubernetesSecrets Provider Cluster Key Vault Secrets Provider Args - A
key_vault_secrets_provider
block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS. - Kubelet
Identity KubernetesCluster Kubelet Identity Args - A
kubelet_identity
block as defined below. - Kubernetes
Version string - Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as `1.22` are also supported, in which case the minor version's latest GA patch is automatically chosen. More details can be found in the documentation. Note: Upgrading your cluster may take up to 10 minutes per node.
- Linux
Profile KubernetesCluster Linux Profile Args - A
linux_profile
block as defined below. - Local
Account boolDisabled - If `true`, local accounts will be disabled. See the documentation for more information. Note: If `local_account_disabled` is set to `true`, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information. - Location string
- The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
- Maintenance
Window KubernetesCluster Maintenance Window Args - A
maintenance_window
block as defined below. - Maintenance
Window KubernetesAuto Upgrade Cluster Maintenance Window Auto Upgrade Args - A
maintenance_window_auto_upgrade
block as defined below. - Maintenance
Window KubernetesNode Os Cluster Maintenance Window Node Os Args - A
maintenance_window_node_os
block as defined below. - Microsoft
Defender KubernetesCluster Microsoft Defender Args - A
microsoft_defender
block as defined below. - Monitor
Metrics KubernetesCluster Monitor Metrics Args Specifies a Prometheus add-on profile for the Kubernetes Cluster. A
monitor_metrics
block as defined below.Note: If deploying Managed Prometheus, the
monitor_metrics
properties are required to configure the cluster for metrics collection. If no value is needed, set properties tonull
.- Name string
- The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
- Network
Profile KubernetesCluster Network Profile Args A
network_profile
block as defined below. Changing this forces a new resource to be created.Note: If
network_profile
is not defined,kubenet
profile will be used by default.- Node
Os stringUpgrade Channel The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are
Unmanaged
,SecurityPatch
,NodeImage
andNone
. Defaults toNodeImage
. Note: `node_os_upgrade_channel` must be set to `NodeImage` if `automatic_upgrade_channel` has been set to `node-image`.
- Node
Resource stringGroup The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.
Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.
- Oidc
Issuer boolEnabled - Whether the OIDC issuer URL should be enabled for this Kubernetes Cluster.
- Oms
Agent KubernetesCluster Oms Agent Args - A
oms_agent
block as defined below. - Open
Service boolMesh Enabled - Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
- Private
Cluster boolEnabled - Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to
false
. Changing this forces a new resource to be created. - Private
Cluster boolPublic Fqdn Enabled Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to
false
. Note: If you use a BYO DNS Zone, the AKS cluster should use either a User Assigned Identity or a service principal (which is deprecated) that holds the `Private DNS Zone Contributor` role on this Private DNS Zone. If a `UserAssigned`
identity is used - to prevent improper resource order destruction - the cluster should depend on the role assignment, like in this example:import * as pulumi from "@pulumi/pulumi"; import * as azure from "@pulumi/azure";
const example = new azure.core.ResourceGroup("example", { name: "example", location: "West Europe", }); const exampleZone = new azure.privatedns.Zone("example", { name: "privatelink.eastus2.azmk8s.io", resourceGroupName: example.name, }); const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", { name: "aks-example-identity", resourceGroupName: example.name, location: example.location, }); const exampleAssignment = new azure.authorization.Assignment("example", { scope: exampleZone.id, roleDefinitionName: "Private DNS Zone Contributor", principalId: exampleUserAssignedIdentity.principalId, }); const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", { name: "aksexamplewithprivatednszone1", location: example.location, resourceGroupName: example.name, dnsPrefix: "aksexamplednsprefix1", privateClusterEnabled: true, privateDnsZoneId: exampleZone.id, }, { dependsOn: [exampleAssignment], });
import pulumi import pulumi_azure as azure example = azure.core.ResourceGroup("example", name="example", location="West Europe") example_zone = azure.privatedns.Zone("example", name="privatelink.eastus2.azmk8s.io", resource_group_name=example.name) example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example", name="aks-example-identity", resource_group_name=example.name, location=example.location) example_assignment = azure.authorization.Assignment("example", scope=example_zone.id, role_definition_name="Private DNS Zone Contributor", principal_id=example_user_assigned_identity.principal_id) example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example", name="aksexamplewithprivatednszone1", location=example.location, resource_group_name=example.name, dns_prefix="aksexamplednsprefix1", private_cluster_enabled=True, private_dns_zone_id=example_zone.id, opts = pulumi.ResourceOptions(depends_on=[example_assignment]))
using System.Collections.Generic; using System.Linq; using Pulumi; using Azure = Pulumi.Azure; return await Deployment.RunAsync(() => { var example = new Azure.Core.ResourceGroup("example", new() { Name = "example", Location = "West Europe", }); var exampleZone = new Azure.PrivateDns.Zone("example", new() { Name = "privatelink.eastus2.azmk8s.io", ResourceGroupName = example.Name, }); var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new() { Name = "aks-example-identity", ResourceGroupName = example.Name, Location = example.Location, }); var exampleAssignment = new Azure.Authorization.Assignment("example", new() { Scope = exampleZone.Id, RoleDefinitionName = "Private DNS Zone Contributor", PrincipalId = exampleUserAssignedIdentity.PrincipalId, }); var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new() { Name = "aksexamplewithprivatednszone1", Location = example.Location, ResourceGroupName = example.Name, DnsPrefix = "aksexamplednsprefix1", PrivateClusterEnabled = true, PrivateDnsZoneId = exampleZone.Id, }, new CustomResourceOptions { DependsOn = { exampleAssignment, }, }); });
package main import ( "github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization" "github.com/pulumi/pulumi-azure/sdk/v6/go/azure/containerservice" "github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core" "github.com/pulumi/pulumi-azure/sdk/v6/go/azure/privatedns" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{ Name: pulumi.String("example"), Location: pulumi.String("West Europe"), }) if err != nil { return err } exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{ Name: pulumi.String("privatelink.eastus2.azmk8s.io"), ResourceGroupName: example.Name, }) if err != nil { return err } exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{ Name: pulumi.String("aks-example-identity"), ResourceGroupName: example.Name, Location: example.Location, }) if err != nil { return err } exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{ Scope: exampleZone.ID(), RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"), PrincipalId: exampleUserAssignedIdentity.PrincipalId, }) if err != nil { return err } _, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{ Name: pulumi.String("aksexamplewithprivatednszone1"), Location: example.Location, ResourceGroupName: example.Name, DnsPrefix: pulumi.String("aksexamplednsprefix1"), PrivateClusterEnabled: pulumi.Bool(true), PrivateDnsZoneId: exampleZone.ID(), }, pulumi.DependsOn([]pulumi.Resource{ exampleAssignment, })) if err != nil { return err } return nil }) }
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.privatedns.Zone;
import com.pulumi.azure.privatedns.ZoneArgs;
import com.pulumi.azure.authorization.UserAssignedIdentity;
import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import com.pulumi.azure.containerservice.KubernetesCluster;
import com.pulumi.azure.containerservice.KubernetesClusterArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Provisions a private AKS cluster whose private DNS zone is supplied by the program
 * (a "BYO" zone) and resolved through a user-assigned identity.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the resource group, private DNS zone, identity, role assignment and cluster.
     *
     * @param ctx the Pulumi context the resources are registered against
     */
    public static void stack(Context ctx) {
        var example = new ResourceGroup("example", ResourceGroupArgs.builder()
            .name("example")
            .location("West Europe")
            .build());

        var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
            .name("privatelink.eastus2.azmk8s.io")
            .resourceGroupName(example.name())
            .build());

        var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
            .name("aks-example-identity")
            .resourceGroupName(example.name())
            .location(example.location())
            .build());

        // The cluster identity needs this role on the private zone; see the note above.
        var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
            .scope(exampleZone.id())
            .roleDefinitionName("Private DNS Zone Contributor")
            .principalId(exampleUserAssignedIdentity.principalId())
            .build());

        // dependsOn makes the role assignment exist before the cluster is created and
        // keeps it from being destroyed before the cluster on teardown.
        var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
            .name("aksexamplewithprivatednszone1")
            .location(example.location())
            .resourceGroupName(example.name())
            .dnsPrefix("aksexamplednsprefix1")
            .privateClusterEnabled(true)
            .privateDnsZoneId(exampleZone.id())
            .build(), CustomResourceOptions.builder()
            .dependsOn(exampleAssignment)
            .build());
    }
}
resources:
  example:
    type: azure:core:ResourceGroup
    properties:
      name: example
      location: West Europe
  exampleZone:
    type: azure:privatedns:Zone
    name: example
    properties:
      name: privatelink.eastus2.azmk8s.io
      resourceGroupName: ${example.name}
  exampleUserAssignedIdentity:
    type: azure:authorization:UserAssignedIdentity
    name: example
    properties:
      name: aks-example-identity
      resourceGroupName: ${example.name}
      location: ${example.location}
  exampleAssignment:
    type: azure:authorization:Assignment
    name: example
    properties:
      scope: ${exampleZone.id}
      roleDefinitionName: Private DNS Zone Contributor
      principalId: ${exampleUserAssignedIdentity.principalId}
  exampleKubernetesCluster:
    type: azure:containerservice:KubernetesCluster
    name: example
    properties:
      name: aksexamplewithprivatednszone1
      location: ${example.location}
      resourceGroupName: ${example.name}
      dnsPrefix: aksexamplednsprefix1
      privateClusterEnabled: true
      privateDnsZoneId: ${exampleZone.id}
    options:
      dependsOn:
        - ${exampleAssignment}
- Private
Dns stringZone Id - Either the ID of Private DNS Zone which should be delegated to this Cluster,
System
to have AKS manage this orNone
. In the case of `None`, you will need to bring your own DNS server and set up name resolution; otherwise the cluster will have issues after provisioning. Changing this forces a new resource to be created. - Role
Based boolAccess Control Enabled - Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to
true
. Changing this forces a new resource to be created. - Run
Command boolEnabled - Whether to enable run command for the cluster or not. Defaults to
true
. - Service
Mesh KubernetesProfile Cluster Service Mesh Profile Args - A
service_mesh_profile
block as defined below. - Service
Principal KubernetesCluster Service Principal Args A
service_principal
block as documented below. One of eitheridentity
orservice_principal
must be specified.!> Note: A migration scenario from
service_principal
toidentity
is supported. When upgradingservice_principal
toidentity
, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configuredservice_principal
until you upgrade your Node Pool.- Sku
Tier string The SKU Tier that should be used for this Kubernetes Cluster. Possible values are
Free
,Standard
(which includes the Uptime SLA) andPremium
. Defaults toFree
.Note: Whilst the AKS API previously supported the
Paid
SKU - the AKS API introduced a breaking change in API Version2023-02-01
(used in v3.51.0 and later) where the valuePaid
must now be set toStandard
.- Storage
Profile KubernetesCluster Storage Profile Args - A
storage_profile
block as defined below. - Support
Plan string - Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are
KubernetesOfficial
andAKSLongTermSupport
. Defaults toKubernetesOfficial
. - map[string]string
- A mapping of tags to assign to the resource.
- Web
App KubernetesRouting Cluster Web App Routing Args - A
web_app_routing
block as defined below. - Windows
Profile KubernetesCluster Windows Profile Args - A
windows_profile
block as defined below. - Workload
Autoscaler KubernetesProfile Cluster Workload Autoscaler Profile Args - A
workload_autoscaler_profile
block defined below. - Workload
Identity boolEnabled Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to
false
.Note: To enable Azure AD Workload Identity
oidc_issuer_enabled
must be set totrue
.Note: Enabling this option will allocate Workload Identity resources to the
kube-system
namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.
- default
Node KubernetesPool Cluster Default Node Pool - Specifies configuration for "System" mode node pool. A
default_node_pool
block as defined below. - resource
Group StringName - Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
- aci
Connector KubernetesLinux Cluster Aci Connector Linux - A
aci_connector_linux
block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes. - api
Server KubernetesAccess Profile Cluster Api Server Access Profile - An
api_server_access_profile
block as defined below. - auto
Scaler KubernetesProfile Cluster Auto Scaler Profile - A
auto_scaler_profile
block as defined below. - automatic
Upgrade StringChannel - The upgrade channel for this Kubernetes Cluster. Possible values are `patch`, `rapid`, `node-image` and `stable`. Omitting this field sets this value to `none`.
!> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.
Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.
- azure
Active KubernetesDirectory Role Based Access Control Cluster Azure Active Directory Role Based Access Control - A
azure_active_directory_role_based_access_control
block as defined below. - azure
Policy BooleanEnabled - Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
- confidential
Computing KubernetesCluster Confidential Computing - A
confidential_computing
block as defined below. For more details please see the documentation. - cost
Analysis BooleanEnabled - Should cost analysis be enabled for this Kubernetes Cluster? Defaults to
false
. Thesku_tier
must be set toStandard
orPremium
to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. - disk
Encryption StringSet Id - The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
- dns
Prefix String - DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
- dns
Prefix StringPrivate Cluster Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.
Note: You must define either a
dns_prefix
or adns_prefix_private_cluster
field.In addition, one of either
identity
orservice_principal
blocks must be specified.- edge
Zone String - Specifies the Extended Zone (formerly called Edge Zone) within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
- http
Application BooleanRouting Enabled Should HTTP Application Routing be enabled?
Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.
- http
Proxy KubernetesConfig Cluster Http Proxy Config - A
http_proxy_config
block as defined below. - identity
Kubernetes
Cluster Identity An
identity
block as defined below. One of eitheridentity
orservice_principal
must be specified.!> Note: A migration scenario from
service_principal
toidentity
is supported. When upgradingservice_principal
toidentity
, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configuredservice_principal
until you upgrade your Node Pool.- image
Cleaner BooleanEnabled - Specifies whether Image Cleaner is enabled.
- image
Cleaner IntegerInterval Hours - Specifies the interval in hours when images should be cleaned up. Defaults to
0
. - ingress
Application KubernetesGateway Cluster Ingress Application Gateway A
ingress_application_gateway
block as defined below.Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the
Microsoft.Network/virtualNetworks/subnets/join/action
permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.- key
Management KubernetesService Cluster Key Management Service - A
key_management_service
block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster. - key
Vault KubernetesSecrets Provider Cluster Key Vault Secrets Provider - A
key_vault_secrets_provider
block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS. - kubelet
Identity KubernetesCluster Kubelet Identity - A
kubelet_identity
block as defined below. - kubernetes
Version String - Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as `1.22` are also supported, in which case the minor version's latest GA patch is automatically chosen. More details can be found in the documentation. Note: Upgrading your cluster may take up to 10 minutes per node.
- linux
Profile KubernetesCluster Linux Profile - A
linux_profile
block as defined below. - local
Account BooleanDisabled - If `true`, local accounts will be disabled. See the documentation for more information. Note: If `local_account_disabled` is set to `true`, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information. - location String
- The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
- maintenance
Window KubernetesCluster Maintenance Window - A
maintenance_window
block as defined below. - maintenance
Window KubernetesAuto Upgrade Cluster Maintenance Window Auto Upgrade - A
maintenance_window_auto_upgrade
block as defined below. - maintenance
Window KubernetesNode Os Cluster Maintenance Window Node Os - A
maintenance_window_node_os
block as defined below. - microsoft
Defender KubernetesCluster Microsoft Defender - A
microsoft_defender
block as defined below. - monitor
Metrics KubernetesCluster Monitor Metrics Specifies a Prometheus add-on profile for the Kubernetes Cluster. A
monitor_metrics
block as defined below.Note: If deploying Managed Prometheus, the
monitor_metrics
properties are required to configure the cluster for metrics collection. If no value is needed, set properties tonull
.- name String
- The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
- network
Profile KubernetesCluster Network Profile A
network_profile
block as defined below. Changing this forces a new resource to be created.Note: If
network_profile
is not defined,kubenet
profile will be used by default.- node
Os StringUpgrade Channel The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are
Unmanaged
,SecurityPatch
,NodeImage
andNone
. Defaults toNodeImage
. Note: `node_os_upgrade_channel` must be set to `NodeImage` if `automatic_upgrade_channel` has been set to `node-image`.
- node
Resource StringGroup The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.
Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.
- oidc
Issuer BooleanEnabled - Whether the OIDC issuer URL should be enabled for this Kubernetes Cluster.
- oms
Agent KubernetesCluster Oms Agent - A
oms_agent
block as defined below. - open
Service BooleanMesh Enabled - Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
- private
Cluster BooleanEnabled - Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to
false
. Changing this forces a new resource to be created. - private
Cluster BooleanPublic Fqdn Enabled Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to
false
. Note: If you use a BYO DNS Zone, the AKS cluster should use either a User Assigned Identity or a service principal (which is deprecated) that holds the `Private DNS Zone Contributor` role on this Private DNS Zone. If a `UserAssigned`
identity is used - to prevent improper resource order destruction - the cluster should depend on the role assignment, like in this example:import * as pulumi from "@pulumi/pulumi"; import * as azure from "@pulumi/azure";
const example = new azure.core.ResourceGroup("example", { name: "example", location: "West Europe", }); const exampleZone = new azure.privatedns.Zone("example", { name: "privatelink.eastus2.azmk8s.io", resourceGroupName: example.name, }); const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", { name: "aks-example-identity", resourceGroupName: example.name, location: example.location, }); const exampleAssignment = new azure.authorization.Assignment("example", { scope: exampleZone.id, roleDefinitionName: "Private DNS Zone Contributor", principalId: exampleUserAssignedIdentity.principalId, }); const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", { name: "aksexamplewithprivatednszone1", location: example.location, resourceGroupName: example.name, dnsPrefix: "aksexamplednsprefix1", privateClusterEnabled: true, privateDnsZoneId: exampleZone.id, }, { dependsOn: [exampleAssignment], });
import pulumi import pulumi_azure as azure example = azure.core.ResourceGroup("example", name="example", location="West Europe") example_zone = azure.privatedns.Zone("example", name="privatelink.eastus2.azmk8s.io", resource_group_name=example.name) example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example", name="aks-example-identity", resource_group_name=example.name, location=example.location) example_assignment = azure.authorization.Assignment("example", scope=example_zone.id, role_definition_name="Private DNS Zone Contributor", principal_id=example_user_assigned_identity.principal_id) example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example", name="aksexamplewithprivatednszone1", location=example.location, resource_group_name=example.name, dns_prefix="aksexamplednsprefix1", private_cluster_enabled=True, private_dns_zone_id=example_zone.id, opts = pulumi.ResourceOptions(depends_on=[example_assignment]))
using System.Collections.Generic; using System.Linq; using Pulumi; using Azure = Pulumi.Azure; return await Deployment.RunAsync(() => { var example = new Azure.Core.ResourceGroup("example", new() { Name = "example", Location = "West Europe", }); var exampleZone = new Azure.PrivateDns.Zone("example", new() { Name = "privatelink.eastus2.azmk8s.io", ResourceGroupName = example.Name, }); var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new() { Name = "aks-example-identity", ResourceGroupName = example.Name, Location = example.Location, }); var exampleAssignment = new Azure.Authorization.Assignment("example", new() { Scope = exampleZone.Id, RoleDefinitionName = "Private DNS Zone Contributor", PrincipalId = exampleUserAssignedIdentity.PrincipalId, }); var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new() { Name = "aksexamplewithprivatednszone1", Location = example.Location, ResourceGroupName = example.Name, DnsPrefix = "aksexamplednsprefix1", PrivateClusterEnabled = true, PrivateDnsZoneId = exampleZone.Id, }, new CustomResourceOptions { DependsOn = { exampleAssignment, }, }); });
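package main

import (
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/containerservice"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/privatedns"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main provisions a private AKS cluster that delegates its API-server DNS
// records to a bring-your-own Private DNS Zone.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Resource group that holds every resource in this example.
		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
			Name:     pulumi.String("example"),
			Location: pulumi.String("West Europe"),
		})
		if err != nil {
			return err
		}

		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
			ResourceGroupName: example.Name,
		})
		if err != nil {
			return err
		}

		// User-assigned identity the cluster will run as.
		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
			Name:              pulumi.String("aks-example-identity"),
			ResourceGroupName: example.Name,
			Location:          example.Location,
		})
		if err != nil {
			return err
		}

		// Least-privilege grant: only "Private DNS Zone Contributor", scoped to this one zone.
		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
			Scope:              exampleZone.ID(),
			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
		})
		if err != nil {
			return err
		}

		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
			Name:              pulumi.String("aksexamplewithprivatednszone1"),
			Location:          example.Location,
			ResourceGroupName: example.Name,
			DnsPrefix:         pulumi.String("aksexamplednsprefix1"),
			// Required "System" mode node pool.
			DefaultNodePool: &containerservice.KubernetesClusterDefaultNodePoolArgs{
				Name:      pulumi.String("default"),
				NodeCount: pulumi.Int(1),
				VmSize:    pulumi.String("Standard_D2_v2"),
			},
			// Attach the identity that holds the DNS role; without it the role
			// assignment above is never used by the cluster, and one of
			// Identity / ServicePrincipal is required anyway.
			Identity: &containerservice.KubernetesClusterIdentityArgs{
				Type: pulumi.String("UserAssigned"),
				IdentityIds: pulumi.StringArray{
					exampleUserAssignedIdentity.ID(),
				},
			},
			PrivateClusterEnabled: pulumi.Bool(true),
			PrivateDnsZoneId:      exampleZone.ID(),
		}, pulumi.DependsOn([]pulumi.Resource{
			// Create after (and destroy before) the role assignment.
			exampleAssignment,
		}))
		if err != nil {
			return err
		}
		return nil
	})
}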
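package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.privatedns.Zone;
import com.pulumi.azure.privatedns.ZoneArgs;
import com.pulumi.azure.authorization.UserAssignedIdentity;
import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import com.pulumi.azure.containerservice.KubernetesCluster;
import com.pulumi.azure.containerservice.KubernetesClusterArgs;
import com.pulumi.azure.containerservice.inputs.KubernetesClusterDefaultNodePoolArgs;
import com.pulumi.azure.containerservice.inputs.KubernetesClusterIdentityArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Provisions a private AKS cluster that delegates its API-server DNS records to a
 * bring-your-own Private DNS Zone.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Builds the stack: resource group, private DNS zone, user-assigned identity,
     * a zone-scoped role assignment, and the cluster that uses that identity.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        // Resource group that holds every resource in this example.
        var example = new ResourceGroup("example", ResourceGroupArgs.builder()
            .name("example")
            .location("West Europe")
            .build());

        var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
            .name("privatelink.eastus2.azmk8s.io")
            .resourceGroupName(example.name())
            .build());

        // User-assigned identity the cluster will run as.
        var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
            .name("aks-example-identity")
            .resourceGroupName(example.name())
            .location(example.location())
            .build());

        // Least-privilege grant: only "Private DNS Zone Contributor", scoped to this one zone.
        var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
            .scope(exampleZone.id())
            .roleDefinitionName("Private DNS Zone Contributor")
            .principalId(exampleUserAssignedIdentity.principalId())
            .build());

        var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
            .name("aksexamplewithprivatednszone1")
            .location(example.location())
            .resourceGroupName(example.name())
            .dnsPrefix("aksexamplednsprefix1")
            // Required "System" mode node pool.
            .defaultNodePool(KubernetesClusterDefaultNodePoolArgs.builder()
                .name("default")
                .nodeCount(1)
                .vmSize("Standard_D2_v2")
                .build())
            // Attach the identity that holds the DNS role; without it the role
            // assignment above is never used by the cluster, and one of
            // identity / servicePrincipal is required anyway.
            .identity(KubernetesClusterIdentityArgs.builder()
                .type("UserAssigned")
                .identityIds(exampleUserAssignedIdentity.id().applyValue(id -> List.of(id)))
                .build())
            .privateClusterEnabled(true)
            .privateDnsZoneId(exampleZone.id())
            .build(), CustomResourceOptions.builder()
                // Create after (and destroy before) the role assignment.
                .dependsOn(exampleAssignment)
                .build());
    }
}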
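# Private AKS cluster delegating its API-server DNS records to a
# bring-your-own Private DNS Zone.
resources:
  example:
    type: azure:core:ResourceGroup
    properties:
      name: example
      location: West Europe
  exampleZone:
    type: azure:privatedns:Zone
    name: example
    properties:
      name: privatelink.eastus2.azmk8s.io
      resourceGroupName: ${example.name}
  # User-assigned identity the cluster will run as.
  exampleUserAssignedIdentity:
    type: azure:authorization:UserAssignedIdentity
    name: example
    properties:
      name: aks-example-identity
      resourceGroupName: ${example.name}
      location: ${example.location}
  # Least-privilege grant: only "Private DNS Zone Contributor", scoped to this one zone.
  exampleAssignment:
    type: azure:authorization:Assignment
    name: example
    properties:
      scope: ${exampleZone.id}
      roleDefinitionName: Private DNS Zone Contributor
      principalId: ${exampleUserAssignedIdentity.principalId}
  exampleKubernetesCluster:
    type: azure:containerservice:KubernetesCluster
    name: example
    properties:
      name: aksexamplewithprivatednszone1
      location: ${example.location}
      resourceGroupName: ${example.name}
      dnsPrefix: aksexamplednsprefix1
      # Required "System" mode node pool.
      defaultNodePool:
        name: default
        nodeCount: 1
        vmSize: Standard_D2_v2
      # Attach the identity that holds the DNS role; without it the role
      # assignment above is never used by the cluster, and one of
      # identity / servicePrincipal is required anyway.
      identity:
        type: UserAssigned
        identityIds:
          - ${exampleUserAssignedIdentity.id}
      privateClusterEnabled: true
      privateDnsZoneId: ${exampleZone.id}
    options:
      # Create after (and destroy before) the role assignment.
      dependsOn:
        - ${exampleAssignment}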
- privateDnsZoneId String - Either the ID of the Private DNS Zone which should be delegated to this Cluster, `System` to have AKS manage this, or `None`. In case of `None` you will need to bring your own DNS server and set up resolving; otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created. - role
Based BooleanAccess Control Enabled - Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to
true
. Changing this forces a new resource to be created. - run
Command BooleanEnabled - Whether to enable run command for the cluster or not. Defaults to
true
. - service
Mesh KubernetesProfile Cluster Service Mesh Profile - A
service_mesh_profile
block as defined below. - service
Principal KubernetesCluster Service Principal A
service_principal
block as documented below. One of eitheridentity
orservice_principal
must be specified.!> Note: A migration scenario from
service_principal
toidentity
is supported. When upgradingservice_principal
toidentity
, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configuredservice_principal
until you upgrade your Node Pool.- sku
Tier String The SKU Tier that should be used for this Kubernetes Cluster. Possible values are
Free
,Standard
(which includes the Uptime SLA) andPremium
. Defaults toFree
.Note: Whilst the AKS API previously supported the
Paid
SKU - the AKS API introduced a breaking change in API Version2023-02-01
(used in v3.51.0 and later) where the valuePaid
must now be set toStandard
.- storage
Profile KubernetesCluster Storage Profile - A
storage_profile
block as defined below. - support
Plan String - Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are
KubernetesOfficial
andAKSLongTermSupport
. Defaults toKubernetesOfficial
- tags Map<String,String> - A mapping of tags to assign to the resource.
- web
App KubernetesRouting Cluster Web App Routing - A
web_app_routing
block as defined below. - windows
Profile KubernetesCluster Windows Profile - A
windows_profile
block as defined below. - workload
Autoscaler KubernetesProfile Cluster Workload Autoscaler Profile - A
workload_autoscaler_profile
block as defined below. - workload
Identity BooleanEnabled Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to
false
.Note: To enable Azure AD Workload Identity
oidc_issuer_enabled
must be set totrue
.Note: Enabling this option will allocate Workload Identity resources to the
kube-system
namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.
- default
Node KubernetesPool Cluster Default Node Pool - Specifies configuration for "System" mode node pool. A
default_node_pool
block as defined below. - resource
Group stringName - Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
- aci
Connector KubernetesLinux Cluster Aci Connector Linux - A
aci_connector_linux
block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes. - api
Server KubernetesAccess Profile Cluster Api Server Access Profile - An
api_server_access_profile
block as defined below. - auto
Scaler KubernetesProfile Cluster Auto Scaler Profile - A
auto_scaler_profile
block as defined below. - automatic
Upgrade stringChannel The upgrade channel for this Kubernetes Cluster. Possible values are
patch
,rapid
,node-image
andstable
. Omitting this field sets this value tonone
.!> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.
Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.
- azure
Active KubernetesDirectory Role Based Access Control Cluster Azure Active Directory Role Based Access Control - A
azure_active_directory_role_based_access_control
block as defined below. - azure
Policy booleanEnabled - Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
- confidential
Computing KubernetesCluster Confidential Computing - A
confidential_computing
block as defined below. For more details, please see the documentation. - cost
Analysis booleanEnabled - Should cost analysis be enabled for this Kubernetes Cluster? Defaults to
false
. Thesku_tier
must be set toStandard
orPremium
to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. - disk
Encryption stringSet Id - The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
- dns
Prefix string - DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
- dns
Prefix stringPrivate Cluster Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.
Note: You must define either a
dns_prefix
or adns_prefix_private_cluster
field.In addition, one of either
identity
orservice_principal
blocks must be specified.- edge
Zone string - Specifies the Extended Zone (formerly called Edge Zone) within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
- http
Application booleanRouting Enabled Should HTTP Application Routing be enabled?
Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.
- http
Proxy KubernetesConfig Cluster Http Proxy Config - A
http_proxy_config
block as defined below. - identity
Kubernetes
Cluster Identity An
identity
block as defined below. One of eitheridentity
orservice_principal
must be specified.!> Note: A migration scenario from
service_principal
toidentity
is supported. When upgradingservice_principal
toidentity
, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configuredservice_principal
until you upgrade your Node Pool.- image
Cleaner booleanEnabled - Specifies whether Image Cleaner is enabled.
- image
Cleaner numberInterval Hours - Specifies the interval in hours when images should be cleaned up. Defaults to
0
. - ingress
Application KubernetesGateway Cluster Ingress Application Gateway A
ingress_application_gateway
block as defined below.Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the
Microsoft.Network/virtualNetworks/subnets/join/action
permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.- key
Management KubernetesService Cluster Key Management Service - A
key_management_service
block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster. - key
Vault KubernetesSecrets Provider Cluster Key Vault Secrets Provider - A
key_vault_secrets_provider
block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS. - kubelet
Identity KubernetesCluster Kubelet Identity - A
kubelet_identity
block as defined below. - kubernetes
Version string Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified, minor version aliases such as
1.22
are also supported. - The minor version's latest GA patch is automatically chosen in that case. More details can be found in the documentation.Note: Upgrading your cluster may take up to 10 minutes per node.
- linux
Profile KubernetesCluster Linux Profile - A
linux_profile
block as defined below. - localAccountDisabled boolean - If `true`, local accounts will be disabled. See the documentation for more information.
Note: If `local_account_disabled` is set to `true`, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.
- location string
- The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
- maintenance
Window KubernetesCluster Maintenance Window - A
maintenance_window
block as defined below. - maintenance
Window KubernetesAuto Upgrade Cluster Maintenance Window Auto Upgrade - A
maintenance_window_auto_upgrade
block as defined below. - maintenance
Window KubernetesNode Os Cluster Maintenance Window Node Os - A
maintenance_window_node_os
block as defined below. - microsoft
Defender KubernetesCluster Microsoft Defender - A
microsoft_defender
block as defined below. - monitor
Metrics KubernetesCluster Monitor Metrics Specifies a Prometheus add-on profile for the Kubernetes Cluster. A
monitor_metrics
block as defined below.Note: If deploying Managed Prometheus, the
monitor_metrics
properties are required to configure the cluster for metrics collection. If no value is needed, set properties tonull
.- name string
- The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
- network
Profile KubernetesCluster Network Profile A
network_profile
block as defined below. Changing this forces a new resource to be created.Note: If
network_profile
is not defined,kubenet
profile will be used by default.- node
Os stringUpgrade Channel The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are
Unmanaged
,SecurityPatch
,NodeImage
andNone
. Defaults toNodeImage
.Note:
node_os_upgrade_channel
must be set toNodeImage
ifautomatic_upgrade_channel
has been set tonode-image
- node
Resource stringGroup The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.
Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.
- oidcIssuerEnabled boolean - Enable or disable the OIDC issuer URL.
- oms
Agent KubernetesCluster Oms Agent - A
oms_agent
block as defined below. - open
Service booleanMesh Enabled - Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
- privateClusterEnabled boolean - Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to `false`. Changing this forces a new resource to be created.
- privateClusterPublicFqdnEnabled boolean - Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to `false`.
Note: If you use a BYO DNS Zone, the AKS cluster should use either a User Assigned Identity or a service principal (which is deprecated) with the `Private DNS Zone Contributor` role and access to this Private DNS Zone. If `UserAssigned`
identity is used - to prevent improper resource destruction order - the cluster should depend on the role assignment, as in this example:
import * as pulumi from "@pulumi/pulumi"; import * as azure from "@pulumi/azure";
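// Resource group that holds every resource in this example.
const example = new azure.core.ResourceGroup("example", {
    name: "example",
    location: "West Europe",
});

// Bring-your-own Private DNS Zone for the private cluster's API-server name.
const exampleZone = new azure.privatedns.Zone("example", {
    name: "privatelink.eastus2.azmk8s.io",
    resourceGroupName: example.name,
});

// User-assigned identity the cluster will run as.
const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
    name: "aks-example-identity",
    resourceGroupName: example.name,
    location: example.location,
});

// Least-privilege grant: only "Private DNS Zone Contributor", scoped to this one zone.
const exampleAssignment = new azure.authorization.Assignment("example", {
    scope: exampleZone.id,
    roleDefinitionName: "Private DNS Zone Contributor",
    principalId: exampleUserAssignedIdentity.principalId,
});

const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
    name: "aksexamplewithprivatednszone1",
    location: example.location,
    resourceGroupName: example.name,
    dnsPrefix: "aksexamplednsprefix1",
    // Required "System" mode node pool.
    defaultNodePool: {
        name: "default",
        nodeCount: 1,
        vmSize: "Standard_D2_v2",
    },
    // Attach the identity that holds the DNS role; without this block the role
    // assignment above is never used by the cluster, and one of
    // identity / servicePrincipal is required anyway.
    identity: {
        type: "UserAssigned",
        identityIds: [exampleUserAssignedIdentity.id],
    },
    privateClusterEnabled: true,
    privateDnsZoneId: exampleZone.id,
}, {
    // Create after (and destroy before) the role assignment.
    dependsOn: [exampleAssignment],
});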
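import pulumi
import pulumi_azure as azure

# Resource group that holds every resource in this example.
example = azure.core.ResourceGroup("example",
    name="example",
    location="West Europe")

# Bring-your-own Private DNS Zone for the private cluster's API-server name.
example_zone = azure.privatedns.Zone("example",
    name="privatelink.eastus2.azmk8s.io",
    resource_group_name=example.name)

# User-assigned identity the cluster will run as.
example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example",
    name="aks-example-identity",
    resource_group_name=example.name,
    location=example.location)

# Least-privilege grant: only "Private DNS Zone Contributor", scoped to this
# single zone, which is what AKS needs to manage the zone's records.
example_assignment = azure.authorization.Assignment("example",
    scope=example_zone.id,
    role_definition_name="Private DNS Zone Contributor",
    principal_id=example_user_assigned_identity.principal_id)

example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
    name="aksexamplewithprivatednszone1",
    location=example.location,
    resource_group_name=example.name,
    dns_prefix="aksexamplednsprefix1",
    # Required "System" mode node pool.
    default_node_pool={
        "name": "default",
        "node_count": 1,
        "vm_size": "Standard_D2_v2",
    },
    # Attach the identity that holds the DNS role. Without this block the role
    # assignment above is never used by the cluster, and one of identity /
    # service_principal is required anyway.
    identity={
        "type": "UserAssigned",
        "identity_ids": [example_user_assigned_identity.id],
    },
    private_cluster_enabled=True,
    private_dns_zone_id=example_zone.id,
    # Create the cluster only after the role assignment exists, and tear it
    # down before the assignment is removed.
    opts=pulumi.ResourceOptions(depends_on=[example_assignment]))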
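using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;

// Private AKS cluster delegating its API-server DNS records to a
// bring-your-own Private DNS Zone.
return await Deployment.RunAsync(() =>
{
    // Resource group that holds every resource in this example.
    var example = new Azure.Core.ResourceGroup("example", new()
    {
        Name = "example",
        Location = "West Europe",
    });

    var exampleZone = new Azure.PrivateDns.Zone("example", new()
    {
        Name = "privatelink.eastus2.azmk8s.io",
        ResourceGroupName = example.Name,
    });

    // User-assigned identity the cluster will run as.
    var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
    {
        Name = "aks-example-identity",
        ResourceGroupName = example.Name,
        Location = example.Location,
    });

    // Least-privilege grant: only "Private DNS Zone Contributor", scoped to this one zone.
    var exampleAssignment = new Azure.Authorization.Assignment("example", new()
    {
        Scope = exampleZone.Id,
        RoleDefinitionName = "Private DNS Zone Contributor",
        PrincipalId = exampleUserAssignedIdentity.PrincipalId,
    });

    var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
    {
        Name = "aksexamplewithprivatednszone1",
        Location = example.Location,
        ResourceGroupName = example.Name,
        DnsPrefix = "aksexamplednsprefix1",
        // Required "System" mode node pool.
        DefaultNodePool = new Azure.ContainerService.Inputs.KubernetesClusterDefaultNodePoolArgs
        {
            Name = "default",
            NodeCount = 1,
            VmSize = "Standard_D2_v2",
        },
        // Attach the identity that holds the DNS role; without it the role
        // assignment above is never used by the cluster, and one of
        // Identity / ServicePrincipal is required anyway.
        Identity = new Azure.ContainerService.Inputs.KubernetesClusterIdentityArgs
        {
            Type = "UserAssigned",
            IdentityIds = { exampleUserAssignedIdentity.Id },
        },
        PrivateClusterEnabled = true,
        PrivateDnsZoneId = exampleZone.Id,
    }, new CustomResourceOptions
    {
        // Create after (and destroy before) the role assignment.
        DependsOn = { exampleAssignment },
    });
});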
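package main

import (
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/containerservice"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/privatedns"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main provisions a private AKS cluster that delegates its API-server DNS
// records to a bring-your-own Private DNS Zone.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Resource group that holds every resource in this example.
		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
			Name:     pulumi.String("example"),
			Location: pulumi.String("West Europe"),
		})
		if err != nil {
			return err
		}

		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
			ResourceGroupName: example.Name,
		})
		if err != nil {
			return err
		}

		// User-assigned identity the cluster will run as.
		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
			Name:              pulumi.String("aks-example-identity"),
			ResourceGroupName: example.Name,
			Location:          example.Location,
		})
		if err != nil {
			return err
		}

		// Least-privilege grant: only "Private DNS Zone Contributor", scoped to this one zone.
		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
			Scope:              exampleZone.ID(),
			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
		})
		if err != nil {
			return err
		}

		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
			Name:              pulumi.String("aksexamplewithprivatednszone1"),
			Location:          example.Location,
			ResourceGroupName: example.Name,
			DnsPrefix:         pulumi.String("aksexamplednsprefix1"),
			// Required "System" mode node pool.
			DefaultNodePool: &containerservice.KubernetesClusterDefaultNodePoolArgs{
				Name:      pulumi.String("default"),
				NodeCount: pulumi.Int(1),
				VmSize:    pulumi.String("Standard_D2_v2"),
			},
			// Attach the identity that holds the DNS role; without it the role
			// assignment above is never used by the cluster, and one of
			// Identity / ServicePrincipal is required anyway.
			Identity: &containerservice.KubernetesClusterIdentityArgs{
				Type: pulumi.String("UserAssigned"),
				IdentityIds: pulumi.StringArray{
					exampleUserAssignedIdentity.ID(),
				},
			},
			PrivateClusterEnabled: pulumi.Bool(true),
			PrivateDnsZoneId:      exampleZone.ID(),
		}, pulumi.DependsOn([]pulumi.Resource{
			// Create after (and destroy before) the role assignment.
			exampleAssignment,
		}))
		if err != nil {
			return err
		}
		return nil
	})
}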
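package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.privatedns.Zone;
import com.pulumi.azure.privatedns.ZoneArgs;
import com.pulumi.azure.authorization.UserAssignedIdentity;
import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import com.pulumi.azure.containerservice.KubernetesCluster;
import com.pulumi.azure.containerservice.KubernetesClusterArgs;
import com.pulumi.azure.containerservice.inputs.KubernetesClusterDefaultNodePoolArgs;
import com.pulumi.azure.containerservice.inputs.KubernetesClusterIdentityArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Provisions a private AKS cluster that delegates its API-server DNS records to a
 * bring-your-own Private DNS Zone.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Builds the stack: resource group, private DNS zone, user-assigned identity,
     * a zone-scoped role assignment, and the cluster that uses that identity.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        // Resource group that holds every resource in this example.
        var example = new ResourceGroup("example", ResourceGroupArgs.builder()
            .name("example")
            .location("West Europe")
            .build());

        var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
            .name("privatelink.eastus2.azmk8s.io")
            .resourceGroupName(example.name())
            .build());

        // User-assigned identity the cluster will run as.
        var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
            .name("aks-example-identity")
            .resourceGroupName(example.name())
            .location(example.location())
            .build());

        // Least-privilege grant: only "Private DNS Zone Contributor", scoped to this one zone.
        var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
            .scope(exampleZone.id())
            .roleDefinitionName("Private DNS Zone Contributor")
            .principalId(exampleUserAssignedIdentity.principalId())
            .build());

        var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
            .name("aksexamplewithprivatednszone1")
            .location(example.location())
            .resourceGroupName(example.name())
            .dnsPrefix("aksexamplednsprefix1")
            // Required "System" mode node pool.
            .defaultNodePool(KubernetesClusterDefaultNodePoolArgs.builder()
                .name("default")
                .nodeCount(1)
                .vmSize("Standard_D2_v2")
                .build())
            // Attach the identity that holds the DNS role; without it the role
            // assignment above is never used by the cluster, and one of
            // identity / servicePrincipal is required anyway.
            .identity(KubernetesClusterIdentityArgs.builder()
                .type("UserAssigned")
                .identityIds(exampleUserAssignedIdentity.id().applyValue(id -> List.of(id)))
                .build())
            .privateClusterEnabled(true)
            .privateDnsZoneId(exampleZone.id())
            .build(), CustomResourceOptions.builder()
                // Create after (and destroy before) the role assignment.
                .dependsOn(exampleAssignment)
                .build());
    }
}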
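# Private AKS cluster delegating its API-server DNS records to a
# bring-your-own Private DNS Zone.
resources:
  example:
    type: azure:core:ResourceGroup
    properties:
      name: example
      location: West Europe
  exampleZone:
    type: azure:privatedns:Zone
    name: example
    properties:
      name: privatelink.eastus2.azmk8s.io
      resourceGroupName: ${example.name}
  # User-assigned identity the cluster will run as.
  exampleUserAssignedIdentity:
    type: azure:authorization:UserAssignedIdentity
    name: example
    properties:
      name: aks-example-identity
      resourceGroupName: ${example.name}
      location: ${example.location}
  # Least-privilege grant: only "Private DNS Zone Contributor", scoped to this one zone.
  exampleAssignment:
    type: azure:authorization:Assignment
    name: example
    properties:
      scope: ${exampleZone.id}
      roleDefinitionName: Private DNS Zone Contributor
      principalId: ${exampleUserAssignedIdentity.principalId}
  exampleKubernetesCluster:
    type: azure:containerservice:KubernetesCluster
    name: example
    properties:
      name: aksexamplewithprivatednszone1
      location: ${example.location}
      resourceGroupName: ${example.name}
      dnsPrefix: aksexamplednsprefix1
      # Required "System" mode node pool.
      defaultNodePool:
        name: default
        nodeCount: 1
        vmSize: Standard_D2_v2
      # Attach the identity that holds the DNS role; without it the role
      # assignment above is never used by the cluster, and one of
      # identity / servicePrincipal is required anyway.
      identity:
        type: UserAssigned
        identityIds:
          - ${exampleUserAssignedIdentity.id}
      privateClusterEnabled: true
      privateDnsZoneId: ${exampleZone.id}
    options:
      # Create after (and destroy before) the role assignment.
      dependsOn:
        - ${exampleAssignment}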
- privateDnsZoneId string - Either the ID of the Private DNS Zone which should be delegated to this Cluster, `System` to have AKS manage this, or `None`. In case of `None` you will need to bring your own DNS server and set up resolving; otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created. - role
Based booleanAccess Control Enabled - Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to
true
. Changing this forces a new resource to be created. - run
Command booleanEnabled - Whether to enable run command for the cluster or not. Defaults to
true
. - service
Mesh KubernetesProfile Cluster Service Mesh Profile - A
service_mesh_profile
block as defined below. - service
Principal KubernetesCluster Service Principal A
service_principal
block as documented below. One of eitheridentity
orservice_principal
must be specified.!> Note: A migration scenario from
service_principal
toidentity
is supported. When upgradingservice_principal
toidentity
, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configuredservice_principal
until you upgrade your Node Pool.- sku
Tier string The SKU Tier that should be used for this Kubernetes Cluster. Possible values are
Free
,Standard
(which includes the Uptime SLA) andPremium
. Defaults toFree
.Note: Whilst the AKS API previously supported the
Paid
SKU - the AKS API introduced a breaking change in API Version2023-02-01
(used in v3.51.0 and later) where the valuePaid
must now be set toStandard
.- storage
Profile KubernetesCluster Storage Profile - A
storage_profile
block as defined below. - support
Plan string - Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are
KubernetesOfficial
andAKSLongTermSupport
. Defaults toKubernetesOfficial
- tags {[key: string]: string} - A mapping of tags to assign to the resource.
- web
App KubernetesRouting Cluster Web App Routing - A
web_app_routing
block as defined below. - windows
Profile KubernetesCluster Windows Profile - A
windows_profile
block as defined below. - workload
Autoscaler KubernetesProfile Cluster Workload Autoscaler Profile - A
workload_autoscaler_profile
block as defined below. - workload
Identity booleanEnabled Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to
false
.Note: To enable Azure AD Workload Identity
oidc_issuer_enabled
must be set totrue
.Note: Enabling this option will allocate Workload Identity resources to the
kube-system
namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.
- default_
node_ Kubernetespool Cluster Default Node Pool Args - Specifies configuration for "System" mode node pool. A
default_node_pool
block as defined below. - resource_
group_ strname - Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
- aci_
connector_ Kuberneteslinux Cluster Aci Connector Linux Args - A
aci_connector_linux
block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes. - api_
server_ Kubernetesaccess_ profile Cluster Api Server Access Profile Args - An
api_server_access_profile
block as defined below. - auto_
scaler_ Kubernetesprofile Cluster Auto Scaler Profile Args - A
auto_scaler_profile
block as defined below. - automatic_
upgrade_ strchannel The upgrade channel for this Kubernetes Cluster. Possible values are
patch
,rapid
,node-image
andstable
. Omitting this field sets this value tonone
.!> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.
Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.
- azure_
active_ Kubernetesdirectory_ role_ based_ access_ control Cluster Azure Active Directory Role Based Access Control Args - A
azure_active_directory_role_based_access_control
block as defined below. - azure_
policy_ boolenabled - Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
- confidential_
computing KubernetesCluster Confidential Computing Args - A
confidential_computing
block as defined below. For more details, please see the documentation. - cost_
analysis_ boolenabled - Should cost analysis be enabled for this Kubernetes Cluster? Defaults to
false
. Thesku_tier
must be set toStandard
orPremium
to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. - disk_
encryption_ strset_ id - The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
- dns_
prefix str - DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
- dns_
prefix_ strprivate_ cluster Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.
Note: You must define either a
dns_prefix
or adns_prefix_private_cluster
field.In addition, one of either
identity
orservice_principal
blocks must be specified.- edge_
zone str - Specifies the Extended Zone (formerly called Edge Zone) within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
- http_
application_ boolrouting_ enabled Should HTTP Application Routing be enabled?
Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.
- http_
proxy_ Kubernetesconfig Cluster Http Proxy Config Args - A
http_proxy_config
block as defined below. - identity
Kubernetes
Cluster Identity Args An
identity
block as defined below. One of eitheridentity
orservice_principal
must be specified.!> Note: A migration scenario from
service_principal
toidentity
is supported. When upgradingservice_principal
toidentity
, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configuredservice_principal
until you upgrade your Node Pool.- image_
cleaner_ boolenabled - Specifies whether Image Cleaner is enabled.
- image_
cleaner_ intinterval_ hours - Specifies the interval in hours when images should be cleaned up. Defaults to
0
. - ingress_
application_ Kubernetesgateway Cluster Ingress Application Gateway Args A
ingress_application_gateway
block as defined below.Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the
Microsoft.Network/virtualNetworks/subnets/join/action
permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.
- key_management_service KubernetesClusterKeyManagementServiceArgs - A key_management_service block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
- key_vault_secrets_provider KubernetesClusterKeyVaultSecretsProviderArgs - A key_vault_secrets_provider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
- kubelet_identity KubernetesClusterKubeletIdentityArgs - A kubelet_identity block as defined below.
- kubernetes_
version str Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified, minor version aliases such as
1.22
are also supported. - The minor version's latest GA patch is automatically chosen in that case. More details can be found in the documentation.Note: Upgrading your cluster may take up to 10 minutes per node.
- linux_
profile KubernetesCluster Linux Profile Args - A
linux_profile
block as defined below.
- local_account_disabled bool - If true, local accounts will be disabled. See the documentation for more information.
Note: If local_account_disabled is set to true, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.
- location str - The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
- maintenance_
window KubernetesCluster Maintenance Window Args - A
maintenance_window
block as defined below. - maintenance_
window_ Kubernetesauto_ upgrade Cluster Maintenance Window Auto Upgrade Args - A
maintenance_window_auto_upgrade
block as defined below. - maintenance_
window_ Kubernetesnode_ os Cluster Maintenance Window Node Os Args - A
maintenance_window_node_os
block as defined below. - microsoft_
defender KubernetesCluster Microsoft Defender Args - A
microsoft_defender
block as defined below. - monitor_
metrics KubernetesCluster Monitor Metrics Args Specifies a Prometheus add-on profile for the Kubernetes Cluster. A
monitor_metrics
block as defined below.Note: If deploying Managed Prometheus, the
monitor_metrics
properties are required to configure the cluster for metrics collection. If no value is needed, set properties tonull
.- name str
- The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
- network_
profile KubernetesCluster Network Profile Args A
network_profile
block as defined below. Changing this forces a new resource to be created.Note: If
network_profile
is not defined,kubenet
profile will be used by default.
- node_os_upgrade_channel str - The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None. Defaults to NodeImage.
Note: node_os_upgrade_channel must be set to NodeImage if automatic_upgrade_channel has been set to node-image.
- node_resource_group str - The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.
Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.
- oidc_issuer_enabled bool - Enable or Disable the OIDC issuer URL.
- oms_
agent KubernetesCluster Oms Agent Args - A
oms_agent
block as defined below. - open_
service_ boolmesh_ enabled - Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
- private_cluster_enabled bool - Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created.
- private_cluster_public_fqdn_enabled bool - Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.
Note: If you use BYO DNS Zone, the AKS cluster should either use a User Assigned Identity or a service principal (which is deprecated) with the Private DNS Zone Contributor role and access to this Private DNS Zone. If UserAssigned
identity is used - to prevent improper resource order destruction - the cluster should depend on the role assignment, like in this example:import * as pulumi from "@pulumi/pulumi"; import * as azure from "@pulumi/azure";
// Resource group that holds every resource in this example.
const resourceGroup = new azure.core.ResourceGroup("example", {
    name: "example",
    location: "West Europe",
});

// Bring-your-own Private DNS Zone used for the private API server endpoint.
const privateDnsZone = new azure.privatedns.Zone("example", {
    name: "privatelink.eastus2.azmk8s.io",
    resourceGroupName: resourceGroup.name,
});

// User-assigned identity that the note above says the cluster should run with.
const clusterIdentity = new azure.authorization.UserAssignedIdentity("example", {
    name: "aks-example-identity",
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
});

// "Private DNS Zone Contributor" is scoped to this one zone, not to the
// resource group or subscription.
const dnsZoneRoleAssignment = new azure.authorization.Assignment("example", {
    scope: privateDnsZone.id,
    roleDefinitionName: "Private DNS Zone Contributor",
    principalId: clusterIdentity.principalId,
});

// Private cluster: the API server is exposed only on the virtual network.
// NOTE(review): this excerpt omits defaultNodePool and the identity block;
// confirm against the full example before deploying.
const privateCluster = new azure.containerservice.KubernetesCluster("example", {
    name: "aksexamplewithprivatednszone1",
    location: resourceGroup.location,
    resourceGroupName: resourceGroup.name,
    dnsPrefix: "aksexamplednsprefix1",
    privateClusterEnabled: true,
    privateDnsZoneId: privateDnsZone.id,
}, {
    // Explicit dependency so the role assignment is not torn down before the cluster.
    dependsOn: [dnsZoneRoleAssignment],
});
import pulumi
import pulumi_azure as azure

# Resource group that holds every resource in this example.
resource_group = azure.core.ResourceGroup(
    "example",
    name="example",
    location="West Europe",
)

# Bring-your-own Private DNS Zone used for the private API server endpoint.
private_dns_zone = azure.privatedns.Zone(
    "example",
    name="privatelink.eastus2.azmk8s.io",
    resource_group_name=resource_group.name,
)

# User-assigned identity that the note above says the cluster should run with.
cluster_identity = azure.authorization.UserAssignedIdentity(
    "example",
    name="aks-example-identity",
    resource_group_name=resource_group.name,
    location=resource_group.location,
)

# "Private DNS Zone Contributor" is scoped to this one zone, not to the
# resource group or subscription.
dns_zone_role_assignment = azure.authorization.Assignment(
    "example",
    scope=private_dns_zone.id,
    role_definition_name="Private DNS Zone Contributor",
    principal_id=cluster_identity.principal_id,
)

# Private cluster: the API server is exposed only on the virtual network.
# NOTE(review): this excerpt omits default_node_pool and the identity block;
# confirm against the full example before deploying.
private_cluster = azure.containerservice.KubernetesCluster(
    "example",
    name="aksexamplewithprivatednszone1",
    location=resource_group.location,
    resource_group_name=resource_group.name,
    dns_prefix="aksexamplednsprefix1",
    private_cluster_enabled=True,
    private_dns_zone_id=private_dns_zone.id,
    # Explicit dependency so the role assignment is not torn down before the cluster.
    opts=pulumi.ResourceOptions(depends_on=[dns_zone_role_assignment]),
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;

return await Deployment.RunAsync(() =>
{
    // Resource group that holds every resource in this example.
    var resourceGroup = new Azure.Core.ResourceGroup("example", new()
    {
        Name = "example",
        Location = "West Europe",
    });

    // Bring-your-own Private DNS Zone used for the private API server endpoint.
    var privateDnsZone = new Azure.PrivateDns.Zone("example", new()
    {
        Name = "privatelink.eastus2.azmk8s.io",
        ResourceGroupName = resourceGroup.Name,
    });

    // User-assigned identity that the note above says the cluster should run with.
    var clusterIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
    {
        Name = "aks-example-identity",
        ResourceGroupName = resourceGroup.Name,
        Location = resourceGroup.Location,
    });

    // "Private DNS Zone Contributor" is scoped to this one zone, not to the
    // resource group or subscription.
    var dnsZoneRoleAssignment = new Azure.Authorization.Assignment("example", new()
    {
        Scope = privateDnsZone.Id,
        RoleDefinitionName = "Private DNS Zone Contributor",
        PrincipalId = clusterIdentity.PrincipalId,
    });

    // Private cluster: the API server is exposed only on the virtual network.
    // NOTE(review): this excerpt omits DefaultNodePool and the Identity block;
    // confirm against the full example before deploying.
    var privateCluster = new Azure.ContainerService.KubernetesCluster("example", new()
    {
        Name = "aksexamplewithprivatednszone1",
        Location = resourceGroup.Location,
        ResourceGroupName = resourceGroup.Name,
        DnsPrefix = "aksexamplednsprefix1",
        PrivateClusterEnabled = true,
        PrivateDnsZoneId = privateDnsZone.Id,
    }, new CustomResourceOptions
    {
        // Explicit dependency so the role assignment is not torn down before the cluster.
        DependsOn =
        {
            dnsZoneRoleAssignment,
        },
    });
});
package main

import (
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/containerservice"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/privatedns"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main provisions a private AKS cluster backed by a bring-your-own Private DNS Zone.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Resource group that holds every resource in this example.
		resourceGroup, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
			Name:     pulumi.String("example"),
			Location: pulumi.String("West Europe"),
		})
		if err != nil {
			return err
		}

		// Bring-your-own Private DNS Zone used for the private API server endpoint.
		privateDnsZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
			ResourceGroupName: resourceGroup.Name,
		})
		if err != nil {
			return err
		}

		// User-assigned identity that the note above says the cluster should run with.
		clusterIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
			Name:              pulumi.String("aks-example-identity"),
			ResourceGroupName: resourceGroup.Name,
			Location:          resourceGroup.Location,
		})
		if err != nil {
			return err
		}

		// "Private DNS Zone Contributor" is scoped to this one zone, not to the
		// resource group or subscription.
		dnsZoneRoleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
			Scope:              privateDnsZone.ID(),
			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
			PrincipalId:        clusterIdentity.PrincipalId,
		})
		if err != nil {
			return err
		}

		// Private cluster: the API server is exposed only on the virtual network.
		// NOTE(review): this excerpt omits DefaultNodePool and the Identity block;
		// confirm against the full example before deploying.
		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
			Name:                  pulumi.String("aksexamplewithprivatednszone1"),
			Location:              resourceGroup.Location,
			ResourceGroupName:     resourceGroup.Name,
			DnsPrefix:             pulumi.String("aksexamplednsprefix1"),
			PrivateClusterEnabled: pulumi.Bool(true),
			PrivateDnsZoneId:      privateDnsZone.ID(),
		}, pulumi.DependsOn([]pulumi.Resource{
			// Explicit dependency so the role assignment is not torn down before the cluster.
			dnsZoneRoleAssignment,
		}))
		return err
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.privatedns.Zone;
import com.pulumi.azure.privatedns.ZoneArgs;
import com.pulumi.azure.authorization.UserAssignedIdentity;
import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import com.pulumi.azure.containerservice.KubernetesCluster;
import com.pulumi.azure.containerservice.KubernetesClusterArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/** Provisions a private AKS cluster backed by a bring-your-own Private DNS Zone. */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the example resources on the given Pulumi context.
     *
     * @param ctx the Pulumi program context
     */
    public static void stack(Context ctx) {
        // Resource group that holds every resource in this example.
        var resourceGroup = new ResourceGroup("example", ResourceGroupArgs.builder()
            .name("example")
            .location("West Europe")
            .build());

        // Bring-your-own Private DNS Zone used for the private API server endpoint.
        var privateDnsZone = new Zone("exampleZone", ZoneArgs.builder()
            .name("privatelink.eastus2.azmk8s.io")
            .resourceGroupName(resourceGroup.name())
            .build());

        // User-assigned identity that the note above says the cluster should run with.
        var clusterIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
            .name("aks-example-identity")
            .resourceGroupName(resourceGroup.name())
            .location(resourceGroup.location())
            .build());

        // "Private DNS Zone Contributor" is scoped to this one zone, not to the
        // resource group or subscription.
        var dnsZoneRoleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
            .scope(privateDnsZone.id())
            .roleDefinitionName("Private DNS Zone Contributor")
            .principalId(clusterIdentity.principalId())
            .build());

        // Private cluster: the API server is exposed only on the virtual network.
        // NOTE(review): this excerpt omits defaultNodePool and the identity block;
        // confirm against the full example before deploying.
        var privateCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
            .name("aksexamplewithprivatednszone1")
            .location(resourceGroup.location())
            .resourceGroupName(resourceGroup.name())
            .dnsPrefix("aksexamplednsprefix1")
            .privateClusterEnabled(true)
            .privateDnsZoneId(privateDnsZone.id())
            .build(), CustomResourceOptions.builder()
            // Explicit dependency so the role assignment is not torn down before the cluster.
            .dependsOn(dnsZoneRoleAssignment)
            .build());
    }
}
resources:
  # Resource group that holds every resource in this example.
  example:
    type: azure:core:ResourceGroup
    properties:
      name: example
      location: West Europe
  # Bring-your-own Private DNS Zone used for the private API server endpoint.
  exampleZone:
    type: azure:privatedns:Zone
    name: example
    properties:
      name: privatelink.eastus2.azmk8s.io
      resourceGroupName: ${example.name}
  # User-assigned identity that the note above says the cluster should run with.
  exampleUserAssignedIdentity:
    type: azure:authorization:UserAssignedIdentity
    name: example
    properties:
      name: aks-example-identity
      resourceGroupName: ${example.name}
      location: ${example.location}
  # "Private DNS Zone Contributor" is scoped to this one zone, not to the
  # resource group or subscription.
  exampleAssignment:
    type: azure:authorization:Assignment
    name: example
    properties:
      scope: ${exampleZone.id}
      roleDefinitionName: Private DNS Zone Contributor
      principalId: ${exampleUserAssignedIdentity.principalId}
  # Private cluster: the API server is exposed only on the virtual network.
  # NOTE(review): this excerpt omits defaultNodePool and the identity block;
  # confirm against the full example before deploying.
  exampleKubernetesCluster:
    type: azure:containerservice:KubernetesCluster
    name: example
    properties:
      name: aksexamplewithprivatednszone1
      location: ${example.location}
      resourceGroupName: ${example.name}
      dnsPrefix: aksexamplednsprefix1
      privateClusterEnabled: true
      privateDnsZoneId: ${exampleZone.id}
    options:
      # Explicit dependency so the role assignment is not torn down before the cluster.
      dependsOn:
        - ${exampleAssignment}
- private_
dns_ strzone_ id - Either the ID of Private DNS Zone which should be delegated to this Cluster,
System
to have AKS manage this orNone
. In case ofNone
you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
- role_based_access_control_enabled bool - Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.
- run_command_enabled bool - Whether to enable run command for the cluster or not. Defaults to true.
- service_
mesh_ Kubernetesprofile Cluster Service Mesh Profile Args - A
service_mesh_profile
block as defined below. - service_
principal KubernetesCluster Service Principal Args A
service_principal
block as documented below. One of eitheridentity
orservice_principal
must be specified.!> Note: A migration scenario from
service_principal
toidentity
is supported. When upgradingservice_principal
toidentity
, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configuredservice_principal
until you upgrade your Node Pool.- sku_
tier str The SKU Tier that should be used for this Kubernetes Cluster. Possible values are
Free
,Standard
(which includes the Uptime SLA) andPremium
. Defaults toFree
.Note: Whilst the AKS API previously supported the
Paid
SKU - the AKS API introduced a breaking change in API Version2023-02-01
(used in v3.51.0 and later) where the valuePaid
must now be set toStandard
.- storage_
profile KubernetesCluster Storage Profile Args - A
storage_profile
block as defined below. - support_
plan str - Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are
KubernetesOfficial
andAKSLongTermSupport
. Defaults toKubernetesOfficial
- tags Mapping[str, str] - A mapping of tags to assign to the resource.
- web_
app_ Kubernetesrouting Cluster Web App Routing Args - A
web_app_routing
block as defined below. - windows_
profile KubernetesCluster Windows Profile Args - A
windows_profile
block as defined below. - workload_
autoscaler_ Kubernetesprofile Cluster Workload Autoscaler Profile Args - A
workload_autoscaler_profile
block as defined below.
- workload_identity_enabled bool - Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.
Note: To enable Azure AD Workload Identity, oidc_issuer_enabled must be set to true.
Note: Enabling this option will allocate Workload Identity resources to the kube-system namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.
- default
Node Property MapPool - Specifies configuration for "System" mode node pool. A
default_node_pool
block as defined below. - resource
Group StringName - Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
- aciConnectorLinux Property Map - An aci_connector_linux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.
- apiServerAccessProfile Property Map - An api_server_access_profile block as defined below.
- autoScalerProfile Property Map - An auto_scaler_profile block as defined below.
- automaticUpgradeChannel String - The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none.
!> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.
Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.
- azure
Active Property MapDirectory Role Based Access Control - A
azure_active_directory_role_based_access_control
block as defined below.
- azurePolicyEnabled Boolean - Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service.
- confidentialComputing Property Map - A confidential_computing block as defined below. For more details please see the documentation.
- costAnalysisEnabled Boolean - Should cost analysis be enabled for this Kubernetes Cluster? Defaults to false. The sku_tier must be set to Standard or Premium to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal.
- diskEncryptionSetId String - The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
- dns
Prefix String - DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
- dnsPrefixPrivateCluster String - Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.
Note: You must define either a dns_prefix or a dns_prefix_private_cluster field. In addition, one of either identity or service_principal blocks must be specified.
- edgeZone String - Specifies the Extended Zone (formerly called Edge Zone) within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
- http
Application BooleanRouting Enabled Should HTTP Application Routing be enabled?
Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.
- http
Proxy Property MapConfig - A
http_proxy_config
block as defined below. - identity Property Map
An
identity
block as defined below. One of eitheridentity
orservice_principal
must be specified.!> Note: A migration scenario from
service_principal
toidentity
is supported. When upgradingservice_principal
toidentity
, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configuredservice_principal
until you upgrade your Node Pool.- image
Cleaner BooleanEnabled - Specifies whether Image Cleaner is enabled.
- image
Cleaner NumberInterval Hours - Specifies the interval in hours when images should be cleaned up. Defaults to
0
. - ingress
Application Property MapGateway A
ingress_application_gateway
block as defined below.Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the
Microsoft.Network/virtualNetworks/subnets/join/action
permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.- key
Management Property MapService - A
key_management_service
block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster. - key
Vault Property MapSecrets Provider - A
key_vault_secrets_provider
block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS. - kubelet
Identity Property Map - A
kubelet_identity
block as defined below. - kubernetes
Version String Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified, minor version aliases such as
1.22
are also supported. - The minor version's latest GA patch is automatically chosen in that case. More details can be found in the documentation.Note: Upgrading your cluster may take up to 10 minutes per node.
- linux
Profile Property Map - A
linux_profile
block as defined below.
- localAccountDisabled Boolean - If true, local accounts will be disabled. See the documentation for more information.
Note: If local_account_disabled is set to true, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.
- location String - The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
- maintenance
Window Property Map - A
maintenance_window
block as defined below. - maintenance
Window Property MapAuto Upgrade - A
maintenance_window_auto_upgrade
block as defined below. - maintenance
Window Property MapNode Os - A
maintenance_window_node_os
block as defined below. - microsoft
Defender Property Map - A
microsoft_defender
block as defined below. - monitor
Metrics Property Map Specifies a Prometheus add-on profile for the Kubernetes Cluster. A
monitor_metrics
block as defined below.Note: If deploying Managed Prometheus, the
monitor_metrics
properties are required to configure the cluster for metrics collection. If no value is needed, set properties tonull
.- name String
- The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
- network
Profile Property Map A
network_profile
block as defined below. Changing this forces a new resource to be created.Note: If
network_profile
is not defined,kubenet
profile will be used by default.- node
Os StringUpgrade Channel The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are
Unmanaged
,SecurityPatch
,NodeImage
andNone
. Defaults toNodeImage
.Note:
node_os_upgrade_channel
must be set toNodeImage
ifautomatic_upgrade_channel
has been set tonode-image
- nodeResourceGroup String - The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.
Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.
- oidcIssuerEnabled Boolean - Enable or Disable the OIDC issuer URL.
- oms
Agent Property Map - A
oms_agent
block as defined below. - open
Service BooleanMesh Enabled - Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
- privateClusterEnabled Boolean - Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created.
- privateClusterPublicFqdnEnabled Boolean - Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.
Note: If you use BYO DNS Zone, the AKS cluster should either use a User Assigned Identity or a service principal (which is deprecated) with the Private DNS Zone Contributor role and access to this Private DNS Zone. If UserAssigned
identity is used - to prevent improper resource order destruction - the cluster should depend on the role assignment, like in this example:import * as pulumi from "@pulumi/pulumi"; import * as azure from "@pulumi/azure";
// Resource group that holds every resource in this example.
const resourceGroup = new azure.core.ResourceGroup("example", {
    name: "example",
    location: "West Europe",
});

// Bring-your-own Private DNS Zone used for the private API server endpoint.
const privateDnsZone = new azure.privatedns.Zone("example", {
    name: "privatelink.eastus2.azmk8s.io",
    resourceGroupName: resourceGroup.name,
});

// User-assigned identity that the note above says the cluster should run with.
const clusterIdentity = new azure.authorization.UserAssignedIdentity("example", {
    name: "aks-example-identity",
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
});

// "Private DNS Zone Contributor" is scoped to this one zone, not to the
// resource group or subscription.
const dnsZoneRoleAssignment = new azure.authorization.Assignment("example", {
    scope: privateDnsZone.id,
    roleDefinitionName: "Private DNS Zone Contributor",
    principalId: clusterIdentity.principalId,
});

// Private cluster: the API server is exposed only on the virtual network.
// NOTE(review): this excerpt omits defaultNodePool and the identity block;
// confirm against the full example before deploying.
const privateCluster = new azure.containerservice.KubernetesCluster("example", {
    name: "aksexamplewithprivatednszone1",
    location: resourceGroup.location,
    resourceGroupName: resourceGroup.name,
    dnsPrefix: "aksexamplednsprefix1",
    privateClusterEnabled: true,
    privateDnsZoneId: privateDnsZone.id,
}, {
    // Explicit dependency so the role assignment is not torn down before the cluster.
    dependsOn: [dnsZoneRoleAssignment],
});
import pulumi
import pulumi_azure as azure

# Resource group that holds every resource in this example.
resource_group = azure.core.ResourceGroup(
    "example",
    name="example",
    location="West Europe",
)

# Bring-your-own Private DNS Zone used for the private API server endpoint.
private_dns_zone = azure.privatedns.Zone(
    "example",
    name="privatelink.eastus2.azmk8s.io",
    resource_group_name=resource_group.name,
)

# User-assigned identity that the note above says the cluster should run with.
cluster_identity = azure.authorization.UserAssignedIdentity(
    "example",
    name="aks-example-identity",
    resource_group_name=resource_group.name,
    location=resource_group.location,
)

# "Private DNS Zone Contributor" is scoped to this one zone, not to the
# resource group or subscription.
dns_zone_role_assignment = azure.authorization.Assignment(
    "example",
    scope=private_dns_zone.id,
    role_definition_name="Private DNS Zone Contributor",
    principal_id=cluster_identity.principal_id,
)

# Private cluster: the API server is exposed only on the virtual network.
# NOTE(review): this excerpt omits default_node_pool and the identity block;
# confirm against the full example before deploying.
private_cluster = azure.containerservice.KubernetesCluster(
    "example",
    name="aksexamplewithprivatednszone1",
    location=resource_group.location,
    resource_group_name=resource_group.name,
    dns_prefix="aksexamplednsprefix1",
    private_cluster_enabled=True,
    private_dns_zone_id=private_dns_zone.id,
    # Explicit dependency so the role assignment is not torn down before the cluster.
    opts=pulumi.ResourceOptions(depends_on=[dns_zone_role_assignment]),
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;

return await Deployment.RunAsync(() =>
{
    // Resource group that holds every resource in this example.
    var resourceGroup = new Azure.Core.ResourceGroup("example", new()
    {
        Name = "example",
        Location = "West Europe",
    });

    // Bring-your-own Private DNS Zone used for the private API server endpoint.
    var privateDnsZone = new Azure.PrivateDns.Zone("example", new()
    {
        Name = "privatelink.eastus2.azmk8s.io",
        ResourceGroupName = resourceGroup.Name,
    });

    // User-assigned identity that the note above says the cluster should run with.
    var clusterIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
    {
        Name = "aks-example-identity",
        ResourceGroupName = resourceGroup.Name,
        Location = resourceGroup.Location,
    });

    // "Private DNS Zone Contributor" is scoped to this one zone, not to the
    // resource group or subscription.
    var dnsZoneRoleAssignment = new Azure.Authorization.Assignment("example", new()
    {
        Scope = privateDnsZone.Id,
        RoleDefinitionName = "Private DNS Zone Contributor",
        PrincipalId = clusterIdentity.PrincipalId,
    });

    // Private cluster: the API server is exposed only on the virtual network.
    // NOTE(review): this excerpt omits DefaultNodePool and the Identity block;
    // confirm against the full example before deploying.
    var privateCluster = new Azure.ContainerService.KubernetesCluster("example", new()
    {
        Name = "aksexamplewithprivatednszone1",
        Location = resourceGroup.Location,
        ResourceGroupName = resourceGroup.Name,
        DnsPrefix = "aksexamplednsprefix1",
        PrivateClusterEnabled = true,
        PrivateDnsZoneId = privateDnsZone.Id,
    }, new CustomResourceOptions
    {
        // Explicit dependency so the role assignment is not torn down before the cluster.
        DependsOn =
        {
            dnsZoneRoleAssignment,
        },
    });
});
package main

import (
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/containerservice"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/privatedns"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main provisions a private AKS cluster backed by a bring-your-own Private DNS Zone.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Resource group that holds every resource in this example.
		resourceGroup, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
			Name:     pulumi.String("example"),
			Location: pulumi.String("West Europe"),
		})
		if err != nil {
			return err
		}

		// Bring-your-own Private DNS Zone used for the private API server endpoint.
		privateDnsZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
			ResourceGroupName: resourceGroup.Name,
		})
		if err != nil {
			return err
		}

		// User-assigned identity that the note above says the cluster should run with.
		clusterIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
			Name:              pulumi.String("aks-example-identity"),
			ResourceGroupName: resourceGroup.Name,
			Location:          resourceGroup.Location,
		})
		if err != nil {
			return err
		}

		// "Private DNS Zone Contributor" is scoped to this one zone, not to the
		// resource group or subscription.
		dnsZoneRoleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
			Scope:              privateDnsZone.ID(),
			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
			PrincipalId:        clusterIdentity.PrincipalId,
		})
		if err != nil {
			return err
		}

		// Private cluster: the API server is exposed only on the virtual network.
		// NOTE(review): this excerpt omits DefaultNodePool and the Identity block;
		// confirm against the full example before deploying.
		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
			Name:                  pulumi.String("aksexamplewithprivatednszone1"),
			Location:              resourceGroup.Location,
			ResourceGroupName:     resourceGroup.Name,
			DnsPrefix:             pulumi.String("aksexamplednsprefix1"),
			PrivateClusterEnabled: pulumi.Bool(true),
			PrivateDnsZoneId:      privateDnsZone.ID(),
		}, pulumi.DependsOn([]pulumi.Resource{
			// Explicit dependency so the role assignment is not torn down before the cluster.
			dnsZoneRoleAssignment,
		}))
		return err
	})
}
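package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import com.pulumi.azure.authorization.UserAssignedIdentity;
import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
import com.pulumi.azure.containerservice.KubernetesCluster;
import com.pulumi.azure.containerservice.KubernetesClusterArgs;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.privatedns.Zone;
import com.pulumi.azure.privatedns.ZoneArgs;
import com.pulumi.resources.CustomResourceOptions;

/**
 * Provisions a private AKS cluster that uses a bring-your-own Private DNS Zone.
 *
 * <p>A user-assigned identity is granted {@code Private DNS Zone Contributor} on
 * the zone only, and the cluster declares an explicit dependency on that role
 * assignment so it is created after the grant exists and destroyed before the
 * grant is removed.
 */
public class App {
    /** Entry point; hands the stack definition to the Pulumi engine. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the resources of the stack.
     *
     * @param ctx the Pulumi context supplied by {@link Pulumi#run}; not read here
     *            because every resource is declared through its constructor
     */
    public static void stack(Context ctx) {
        var example = new ResourceGroup("example", ResourceGroupArgs.builder()
            .name("example")
            .location("West Europe")
            .build());

        // Zone delegated to the cluster for its private API server endpoint.
        var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
            .name("privatelink.eastus2.azmk8s.io")
            .resourceGroupName(example.name())
            .build());

        var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity",
            UserAssignedIdentityArgs.builder()
                .name("aks-example-identity")
                .resourceGroupName(example.name())
                .location(example.location())
                .build());

        // Least privilege: the role is scoped to this single zone, not the resource group.
        var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
            .scope(exampleZone.id())
            .roleDefinitionName("Private DNS Zone Contributor")
            .principalId(exampleUserAssignedIdentity.principalId())
            .build());

        // The cluster instance is never referenced again, so it is intentionally
        // not bound to a local (the previous unused local tripped lint).
        // NOTE(review): no identity block references exampleUserAssignedIdentity,
        // so confirm the identity is attached to the cluster before relying on
        // the role assignment above.
        new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
            .name("aksexamplewithprivatednszone1")
            .location(example.location())
            .resourceGroupName(example.name())
            .dnsPrefix("aksexamplednsprefix1")
            .privateClusterEnabled(true)
            .privateDnsZoneId(exampleZone.id())
            .build(),
            CustomResourceOptions.builder()
                // Created after the grant exists, destroyed before it is removed.
                .dependsOn(exampleAssignment)
                .build());
    }
}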
# Private AKS cluster with a bring-your-own Private DNS Zone. The cluster
# depends on the role assignment so it is created only once the user-assigned
# identity can write to the zone, and destroyed before that grant is removed.
resources:
  example:
    type: azure:core:ResourceGroup
    properties:
      name: example
      location: West Europe
  # Zone delegated to the cluster for its private API server endpoint.
  exampleZone:
    type: azure:privatedns:Zone
    name: example
    properties:
      name: privatelink.eastus2.azmk8s.io
      resourceGroupName: ${example.name}
  exampleUserAssignedIdentity:
    type: azure:authorization:UserAssignedIdentity
    name: example
    properties:
      name: aks-example-identity
      resourceGroupName: ${example.name}
      location: ${example.location}
  # Least privilege: the role is scoped to this single zone, not the resource group.
  exampleAssignment:
    type: azure:authorization:Assignment
    name: example
    properties:
      scope: ${exampleZone.id}
      roleDefinitionName: Private DNS Zone Contributor
      principalId: ${exampleUserAssignedIdentity.principalId}
  # NOTE(review): no identity block references exampleUserAssignedIdentity;
  # confirm the identity is attached to the cluster before relying on the grant.
  exampleKubernetesCluster:
    type: azure:containerservice:KubernetesCluster
    name: example
    properties:
      name: aksexamplewithprivatednszone1
      location: ${example.location}
      resourceGroupName: ${example.name}
      dnsPrefix: aksexamplednsprefix1
      privateClusterEnabled: true
      privateDnsZoneId: ${exampleZone.id}
    options:
      dependsOn:
        - ${exampleAssignment}
- privateDnsZoneId String - Either the ID of the Private DNS Zone which should be delegated to this Cluster, `System` to have AKS manage this, or `None`. In case of `None` you will need to bring your own DNS server and set up resolving; otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
- roleBasedAccessControlEnabled Boolean - Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to `true`. Changing this forces a new resource to be created.
- runCommandEnabled Boolean - Whether to enable the run command for the cluster or not. Defaults to `true`.
- serviceMeshProfile Property Map - A `service_mesh_profile` block as defined below.
- servicePrincipal Property Map - A `service_principal` block as documented below. One of either `identity` or `service_principal` must be specified.
  !> Note: A migration scenario from `service_principal` to `identity` is supported. When upgrading `service_principal` to `identity`, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured `service_principal` until you upgrade your Node Pool.
- sku
Tier String - The SKU Tier that should be used for this Kubernetes Cluster. Possible values are `Free`, `Standard` (which includes the Uptime SLA) and `Premium`. Defaults to `Free`.
  Note: Whilst the AKS API previously supported the `Paid` SKU, the AKS API introduced a breaking change in API Version `2023-02-01` (used in v3.51.0 and later) where the value `Paid` must now be set to `Standard`.
- storageProfile Property Map - A `storage_profile` block as defined below.
- supportPlan String - Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are `KubernetesOfficial` and `AKSLongTermSupport`. Defaults to `KubernetesOfficial`.
- tags Map<String> - A mapping of tags to assign to the resource.
- webAppRouting Property Map - A `web_app_routing` block as defined below.
- windowsProfile Property Map - A `windows_profile` block as defined below.
- workloadAutoscalerProfile Property Map - A `workload_autoscaler_profile` block as defined below.
- workloadIdentityEnabled Boolean - Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to `false`.
  Note: To enable Azure AD Workload Identity, `oidc_issuer_enabled` must be set to `true`.
  Note: Enabling this option will allocate Workload Identity resources to the `kube-system` namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.
Outputs
All input properties are implicitly available as output properties. Additionally, the KubernetesCluster resource produces the following output properties:
- CurrentKubernetesVersion string - The current version running on the Azure Kubernetes Managed Cluster.
- Fqdn string - The FQDN of the Azure Kubernetes Managed Cluster.
- HttpApplicationRoutingZoneName string - The Zone Name of the HTTP Application Routing.
- Id string - The provider-assigned unique ID for this managed resource.
- KubeAdminConfigRaw string - Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled.
- KubeAdminConfigs List<KubernetesClusterKubeAdminConfig> - A `kube_admin_config` block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled.
- KubeConfigRaw string - Raw Kubernetes config to be used by kubectl and other compatible tools.
- KubeConfigs List<KubernetesClusterKubeConfig> - A `kube_config` block as defined below.
- NodeResourceGroupId string - The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
- OidcIssuerUrl string - The OIDC issuer URL that is associated with the cluster.
- PortalFqdn string - The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
- PrivateFqdn string - The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
- Current
Kubernetes stringVersion - The current version running on the Azure Kubernetes Managed Cluster.
- Fqdn string
- The FQDN of the Azure Kubernetes Managed Cluster.
- Http
Application stringRouting Zone Name - The Zone Name of the HTTP Application Routing.
- Id string
- The provider-assigned unique ID for this managed resource.
- Kube
Admin stringConfig Raw - Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
- Kube
Admin []KubernetesConfigs Cluster Kube Admin Config - A
kube_admin_config
block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled. - Kube
Config stringRaw - Raw Kubernetes config to be used by kubectl and other compatible tools.
- Kube
Configs []KubernetesCluster Kube Config - A
kube_config
block as defined below. - Node
Resource stringGroup Id - The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
- Oidc
Issuer stringUrl - The OIDC issuer URL that is associated with the cluster.
- Portal
Fqdn string - The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
- Private
Fqdn string - The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
- currentKubernetesVersion String - The current version running on the Azure Kubernetes Managed Cluster.
- fqdn String - The FQDN of the Azure Kubernetes Managed Cluster.
- httpApplicationRoutingZoneName String - The Zone Name of the HTTP Application Routing.
- id String - The provider-assigned unique ID for this managed resource.
- kubeAdminConfigRaw String - Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled.
- kubeAdminConfigs List<KubernetesClusterKubeAdminConfig> - A `kube_admin_config` block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled.
- kubeConfigRaw String - Raw Kubernetes config to be used by kubectl and other compatible tools.
- kubeConfigs List<KubernetesClusterKubeConfig> - A `kube_config` block as defined below.
- nodeResourceGroupId String - The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
- oidcIssuerUrl String - The OIDC issuer URL that is associated with the cluster.
- portalFqdn String - The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
- privateFqdn String - The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
- current
Kubernetes stringVersion - The current version running on the Azure Kubernetes Managed Cluster.
- fqdn string
- The FQDN of the Azure Kubernetes Managed Cluster.
- http
Application stringRouting Zone Name - The Zone Name of the HTTP Application Routing.
- id string
- The provider-assigned unique ID for this managed resource.
- kube
Admin stringConfig Raw - Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
- kube
Admin KubernetesConfigs Cluster Kube Admin Config[] - A
kube_admin_config
block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled. - kube
Config stringRaw - Raw Kubernetes config to be used by kubectl and other compatible tools.
- kube
Configs KubernetesCluster Kube Config[] - A
kube_config
block as defined below. - node
Resource stringGroup Id - The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
- oidc
Issuer stringUrl - The OIDC issuer URL that is associated with the cluster.
- portal
Fqdn string - The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
- private
Fqdn string - The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
- current_kubernetes_version str - The current version running on the Azure Kubernetes Managed Cluster.
- fqdn str - The FQDN of the Azure Kubernetes Managed Cluster.
- http_application_routing_zone_name str - The Zone Name of the HTTP Application Routing.
- id str - The provider-assigned unique ID for this managed resource.
- kube_admin_config_raw str - Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled.
- kube_admin_configs Sequence[KubernetesClusterKubeAdminConfig] - A `kube_admin_config` block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled.
- kube_config_raw str - Raw Kubernetes config to be used by kubectl and other compatible tools.
- kube_configs Sequence[KubernetesClusterKubeConfig] - A `kube_config` block as defined below.
- node_resource_group_id str - The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
- oidc_issuer_url str - The OIDC issuer URL that is associated with the cluster.
- portal_fqdn str - The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
- private_fqdn str - The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
- current
Kubernetes StringVersion - The current version running on the Azure Kubernetes Managed Cluster.
- fqdn String
- The FQDN of the Azure Kubernetes Managed Cluster.
- http
Application StringRouting Zone Name - The Zone Name of the HTTP Application Routing.
- id String
- The provider-assigned unique ID for this managed resource.
- kube
Admin StringConfig Raw - Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
- kube
Admin List<Property Map>Configs - A
kube_admin_config
block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled. - kube
Config StringRaw - Raw Kubernetes config to be used by kubectl and other compatible tools.
- kube
Configs List<Property Map> - A
kube_config
block as defined below. - node
Resource StringGroup Id - The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
- oidc
Issuer StringUrl - The OIDC issuer URL that is associated with the cluster.
- portal
Fqdn String - The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
- private
Fqdn String - The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
Look up Existing KubernetesCluster Resource
Get an existing KubernetesCluster resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: KubernetesClusterState, opts?: CustomResourceOptions): KubernetesCluster
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
aci_connector_linux: Optional[KubernetesClusterAciConnectorLinuxArgs] = None,
api_server_access_profile: Optional[KubernetesClusterApiServerAccessProfileArgs] = None,
auto_scaler_profile: Optional[KubernetesClusterAutoScalerProfileArgs] = None,
automatic_upgrade_channel: Optional[str] = None,
azure_active_directory_role_based_access_control: Optional[KubernetesClusterAzureActiveDirectoryRoleBasedAccessControlArgs] = None,
azure_policy_enabled: Optional[bool] = None,
confidential_computing: Optional[KubernetesClusterConfidentialComputingArgs] = None,
cost_analysis_enabled: Optional[bool] = None,
current_kubernetes_version: Optional[str] = None,
default_node_pool: Optional[KubernetesClusterDefaultNodePoolArgs] = None,
disk_encryption_set_id: Optional[str] = None,
dns_prefix: Optional[str] = None,
dns_prefix_private_cluster: Optional[str] = None,
edge_zone: Optional[str] = None,
fqdn: Optional[str] = None,
http_application_routing_enabled: Optional[bool] = None,
http_application_routing_zone_name: Optional[str] = None,
http_proxy_config: Optional[KubernetesClusterHttpProxyConfigArgs] = None,
identity: Optional[KubernetesClusterIdentityArgs] = None,
image_cleaner_enabled: Optional[bool] = None,
image_cleaner_interval_hours: Optional[int] = None,
ingress_application_gateway: Optional[KubernetesClusterIngressApplicationGatewayArgs] = None,
key_management_service: Optional[KubernetesClusterKeyManagementServiceArgs] = None,
key_vault_secrets_provider: Optional[KubernetesClusterKeyVaultSecretsProviderArgs] = None,
kube_admin_config_raw: Optional[str] = None,
kube_admin_configs: Optional[Sequence[KubernetesClusterKubeAdminConfigArgs]] = None,
kube_config_raw: Optional[str] = None,
kube_configs: Optional[Sequence[KubernetesClusterKubeConfigArgs]] = None,
kubelet_identity: Optional[KubernetesClusterKubeletIdentityArgs] = None,
kubernetes_version: Optional[str] = None,
linux_profile: Optional[KubernetesClusterLinuxProfileArgs] = None,
local_account_disabled: Optional[bool] = None,
location: Optional[str] = None,
maintenance_window: Optional[KubernetesClusterMaintenanceWindowArgs] = None,
maintenance_window_auto_upgrade: Optional[KubernetesClusterMaintenanceWindowAutoUpgradeArgs] = None,
maintenance_window_node_os: Optional[KubernetesClusterMaintenanceWindowNodeOsArgs] = None,
microsoft_defender: Optional[KubernetesClusterMicrosoftDefenderArgs] = None,
monitor_metrics: Optional[KubernetesClusterMonitorMetricsArgs] = None,
name: Optional[str] = None,
network_profile: Optional[KubernetesClusterNetworkProfileArgs] = None,
node_os_upgrade_channel: Optional[str] = None,
node_resource_group: Optional[str] = None,
node_resource_group_id: Optional[str] = None,
oidc_issuer_enabled: Optional[bool] = None,
oidc_issuer_url: Optional[str] = None,
oms_agent: Optional[KubernetesClusterOmsAgentArgs] = None,
open_service_mesh_enabled: Optional[bool] = None,
portal_fqdn: Optional[str] = None,
private_cluster_enabled: Optional[bool] = None,
private_cluster_public_fqdn_enabled: Optional[bool] = None,
private_dns_zone_id: Optional[str] = None,
private_fqdn: Optional[str] = None,
resource_group_name: Optional[str] = None,
role_based_access_control_enabled: Optional[bool] = None,
run_command_enabled: Optional[bool] = None,
service_mesh_profile: Optional[KubernetesClusterServiceMeshProfileArgs] = None,
service_principal: Optional[KubernetesClusterServicePrincipalArgs] = None,
sku_tier: Optional[str] = None,
storage_profile: Optional[KubernetesClusterStorageProfileArgs] = None,
support_plan: Optional[str] = None,
tags: Optional[Mapping[str, str]] = None,
web_app_routing: Optional[KubernetesClusterWebAppRoutingArgs] = None,
windows_profile: Optional[KubernetesClusterWindowsProfileArgs] = None,
workload_autoscaler_profile: Optional[KubernetesClusterWorkloadAutoscalerProfileArgs] = None,
workload_identity_enabled: Optional[bool] = None) -> KubernetesCluster
func GetKubernetesCluster(ctx *Context, name string, id IDInput, state *KubernetesClusterState, opts ...ResourceOption) (*KubernetesCluster, error)
public static KubernetesCluster Get(string name, Input<string> id, KubernetesClusterState? state, CustomResourceOptions? opts = null)
public static KubernetesCluster get(String name, Output<String> id, KubernetesClusterState state, CustomResourceOptions options)
resources: _: type: azure:containerservice:KubernetesCluster get: id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Aci
Connector KubernetesLinux Cluster Aci Connector Linux - A
aci_connector_linux
block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes. - Api
Server KubernetesAccess Profile Cluster Api Server Access Profile - An
api_server_access_profile
block as defined below. - Auto
Scaler KubernetesProfile Cluster Auto Scaler Profile - A
auto_scaler_profile
block as defined below. - Automatic
Upgrade stringChannel The upgrade channel for this Kubernetes Cluster. Possible values are
patch
,rapid
,node-image
andstable
. Omitting this field sets this value tonone
.!> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.
Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.
- Azure
Active KubernetesDirectory Role Based Access Control Cluster Azure Active Directory Role Based Access Control - A
azure_active_directory_role_based_access_control
block as defined below. - Azure
Policy boolEnabled - Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
- Confidential
Computing KubernetesCluster Confidential Computing - A
confidential_computing
block as defined below. For more details please the documentation - Cost
Analysis boolEnabled - Should cost analysis be enabled for this Kubernetes Cluster? Defaults to
false
. Thesku_tier
must be set toStandard
orPremium
to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. - Current
Kubernetes stringVersion - The current version running on the Azure Kubernetes Managed Cluster.
- Default
Node KubernetesPool Cluster Default Node Pool - Specifies configuration for "System" mode node pool. A
default_node_pool
block as defined below. - Disk
Encryption stringSet Id - The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
- Dns
Prefix string - DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
- Dns
Prefix stringPrivate Cluster Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.
Note: You must define either a
dns_prefix
or adns_prefix_private_cluster
field.In addition, one of either
identity
orservice_principal
blocks must be specified.- Edge
Zone string - Specifies the Extended Zone (formerly called Edge Zone) within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
- Fqdn string
- The FQDN of the Azure Kubernetes Managed Cluster.
- Http
Application boolRouting Enabled Should HTTP Application Routing be enabled?
Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.
- Http
Application stringRouting Zone Name - The Zone Name of the HTTP Application Routing.
- Http
Proxy KubernetesConfig Cluster Http Proxy Config - A
http_proxy_config
block as defined below. - Identity
Kubernetes
Cluster Identity An
identity
block as defined below. One of eitheridentity
orservice_principal
must be specified.!> Note: A migration scenario from
service_principal
toidentity
is supported. When upgradingservice_principal
toidentity
, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configuredservice_principal
until you upgrade your Node Pool.- Image
Cleaner boolEnabled - Specifies whether Image Cleaner is enabled.
- Image
Cleaner intInterval Hours - Specifies the interval in hours when images should be cleaned up. Defaults to
0
. - Ingress
ApplicationGateway KubernetesClusterIngressApplicationGateway - An `ingress_application_gateway` block as defined below.
  Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the `Microsoft.Network/virtualNetworks/subnets/join/action` permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.
- KeyManagementService KubernetesClusterKeyManagementService - A `key_management_service` block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
- KeyVaultSecretsProvider KubernetesClusterKeyVaultSecretsProvider - A `key_vault_secrets_provider` block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
- Kube
AdminConfigRaw string - Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled.
- KubeAdminConfigs List<KubernetesClusterKubeAdminConfig> - A `kube_admin_config` block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled.
- KubeConfigRaw string - Raw Kubernetes config to be used by kubectl and other compatible tools.
- KubeConfigs List<KubernetesClusterKubeConfig> - A `kube_config` block as defined below.
- Kubelet
Identity KubernetesCluster Kubelet Identity - A
kubelet_identity
block as defined below. - Kubernetes
Version string Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified, minor version aliases such as
1.22
are also supported. - The minor version's latest GA patch is automatically chosen in that case. More details can be found in the documentation.Note: Upgrading your cluster may take up to 10 minutes per node.
- LinuxProfile KubernetesClusterLinuxProfile - A `linux_profile` block as defined below.
- LocalAccountDisabled bool - If `true`, local accounts will be disabled. See the documentation for more information.
  Note: If `local_account_disabled` is set to `true`, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.
- Location string - The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
- Maintenance
Window KubernetesCluster Maintenance Window - A
maintenance_window
block as defined below. - Maintenance
Window KubernetesAuto Upgrade Cluster Maintenance Window Auto Upgrade - A
maintenance_window_auto_upgrade
block as defined below. - Maintenance
Window KubernetesNode Os Cluster Maintenance Window Node Os - A
maintenance_window_node_os
block as defined below. - Microsoft
Defender KubernetesCluster Microsoft Defender - A
microsoft_defender
block as defined below. - Monitor
Metrics KubernetesCluster Monitor Metrics Specifies a Prometheus add-on profile for the Kubernetes Cluster. A
monitor_metrics
block as defined below.Note: If deploying Managed Prometheus, the
monitor_metrics
properties are required to configure the cluster for metrics collection. If no value is needed, set properties tonull
.- Name string
- The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
- Network
Profile KubernetesCluster Network Profile A
network_profile
block as defined below. Changing this forces a new resource to be created.Note: If
network_profile
is not defined,kubenet
profile will be used by default.- Node
Os stringUpgrade Channel The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are
Unmanaged
,SecurityPatch
,NodeImage
andNone
. Defaults toNodeImage
.Note:
node_os_upgrade_channel
must be set toNodeImage
ifautomatic_upgrade_channel
has been set tonode-image
- Node
Resource stringGroup The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.
Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.
- Node
Resource stringGroup Id - The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
- Oidc
Issuer boolEnabled - Enable or Disable the OIDC issuer URL
- Oidc
Issuer stringUrl - The OIDC issuer URL that is associated with the cluster.
- Oms
Agent KubernetesCluster Oms Agent - A
oms_agent
block as defined below. - Open
Service boolMesh Enabled - Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
- PortalFqdn string - The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
- PrivateClusterEnabled bool - Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to `false`. Changing this forces a new resource to be created.
- PrivateClusterPublicFqdnEnabled bool - Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to `false`.
  Note: If you use a BYO DNS Zone, the AKS cluster should either use a User Assigned Identity or a service principal (which is deprecated) with the `Private DNS Zone Contributor` role and access to this Private DNS Zone. If a `UserAssigned` identity is used, the cluster should depend on the role assignment to prevent an improper resource destruction order, like in this example:
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
// Private AKS cluster with a bring-your-own Private DNS Zone. The cluster
// depends on the role assignment so it is created only once the user-assigned
// identity can write to the zone.
const resourceGroup = new azure.core.ResourceGroup("example", {
    name: "example",
    location: "West Europe",
});

// Zone delegated to the cluster for its private API server endpoint.
const privateZone = new azure.privatedns.Zone("example", {
    name: "privatelink.eastus2.azmk8s.io",
    resourceGroupName: resourceGroup.name,
});

const clusterIdentity = new azure.authorization.UserAssignedIdentity("example", {
    name: "aks-example-identity",
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
});

// Least privilege: the role is scoped to this single zone, not the resource group.
const zoneRoleAssignment = new azure.authorization.Assignment("example", {
    scope: privateZone.id,
    roleDefinitionName: "Private DNS Zone Contributor",
    principalId: clusterIdentity.principalId,
});

// NOTE(review): no identity block references clusterIdentity; confirm the
// identity is attached to the cluster before relying on the role assignment.
const cluster = new azure.containerservice.KubernetesCluster(
    "example",
    {
        name: "aksexamplewithprivatednszone1",
        location: resourceGroup.location,
        resourceGroupName: resourceGroup.name,
        dnsPrefix: "aksexamplednsprefix1",
        privateClusterEnabled: true,
        privateDnsZoneId: privateZone.id,
    },
    // Created after the grant exists, destroyed before it is removed.
    { dependsOn: [zoneRoleAssignment] },
);
import pulumi
import pulumi_azure as azure

# Resource group shared by the zone, the identity and the cluster.
example = azure.core.ResourceGroup("example",
    name="example",
    location="West Europe")

# Bring-your-own Private DNS Zone; delegated to the cluster via private_dns_zone_id below.
example_zone = azure.privatedns.Zone("example",
    name="privatelink.eastus2.azmk8s.io",
    resource_group_name=example.name)

# User Assigned Identity that receives the Private DNS Zone Contributor role.
example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example",
    name="aks-example-identity",
    resource_group_name=example.name,
    location=example.location)

# Role assignment scoped to the zone itself (not the resource group or subscription).
example_assignment = azure.authorization.Assignment("example",
    scope=example_zone.id,
    role_definition_name="Private DNS Zone Contributor",
    principal_id=example_user_assigned_identity.principal_id)

# private_cluster_enabled=True: the API server is exposed only on internal IP addresses.
# depends_on: the cluster is created after, and destroyed before, the role assignment,
# as the note above requires.
# NOTE(review): example_user_assigned_identity is never attached to the cluster (no
# identity block), although the docs state one of identity or service_principal must
# be specified — confirm.
example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
    name="aksexamplewithprivatednszone1",
    location=example.location,
    resource_group_name=example.name,
    dns_prefix="aksexamplednsprefix1",
    private_cluster_enabled=True,
    private_dns_zone_id=example_zone.id,
    opts = pulumi.ResourceOptions(depends_on=[example_assignment]))
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;

return await Deployment.RunAsync(() =>
{
    // Resource group shared by the zone, the identity and the cluster.
    var example = new Azure.Core.ResourceGroup("example", new()
    {
        Name = "example",
        Location = "West Europe",
    });

    // Bring-your-own Private DNS Zone; delegated to the cluster via PrivateDnsZoneId below.
    var exampleZone = new Azure.PrivateDns.Zone("example", new()
    {
        Name = "privatelink.eastus2.azmk8s.io",
        ResourceGroupName = example.Name,
    });

    // User Assigned Identity that receives the Private DNS Zone Contributor role.
    var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
    {
        Name = "aks-example-identity",
        ResourceGroupName = example.Name,
        Location = example.Location,
    });

    // Role assignment scoped to the zone itself (not the resource group or subscription).
    var exampleAssignment = new Azure.Authorization.Assignment("example", new()
    {
        Scope = exampleZone.Id,
        RoleDefinitionName = "Private DNS Zone Contributor",
        PrincipalId = exampleUserAssignedIdentity.PrincipalId,
    });

    // PrivateClusterEnabled: the API server is exposed only on internal IP addresses.
    // DependsOn: the cluster is created after, and destroyed before, the role assignment,
    // as the note above requires.
    // NOTE(review): exampleUserAssignedIdentity is never attached to the cluster (no
    // Identity block), although the docs state one of identity or service_principal
    // must be specified — confirm.
    var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
    {
        Name = "aksexamplewithprivatednszone1",
        Location = example.Location,
        ResourceGroupName = example.Name,
        DnsPrefix = "aksexamplednsprefix1",
        PrivateClusterEnabled = true,
        PrivateDnsZoneId = exampleZone.Id,
    }, new CustomResourceOptions
    {
        DependsOn =
        {
            exampleAssignment,
        },
    });
});
package main

import (
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/containerservice"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/privatedns"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Resource group shared by the zone, the identity and the cluster.
		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
			Name:     pulumi.String("example"),
			Location: pulumi.String("West Europe"),
		})
		if err != nil {
			return err
		}
		// Bring-your-own Private DNS Zone; delegated to the cluster via PrivateDnsZoneId below.
		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
			ResourceGroupName: example.Name,
		})
		if err != nil {
			return err
		}
		// User Assigned Identity that receives the Private DNS Zone Contributor role.
		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
			Name:              pulumi.String("aks-example-identity"),
			ResourceGroupName: example.Name,
			Location:          example.Location,
		})
		if err != nil {
			return err
		}
		// Role assignment scoped to the zone itself (not the resource group or subscription).
		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
			Scope:              exampleZone.ID(),
			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
		})
		if err != nil {
			return err
		}
		// PrivateClusterEnabled: the API server is exposed only on internal IP addresses.
		// pulumi.DependsOn: the cluster is created after, and destroyed before, the role
		// assignment, as the note above requires.
		// NOTE(review): exampleUserAssignedIdentity is never attached to the cluster (no
		// Identity block), although the docs state one of identity or service_principal
		// must be specified — confirm.
		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
			Name:                  pulumi.String("aksexamplewithprivatednszone1"),
			Location:              example.Location,
			ResourceGroupName:     example.Name,
			DnsPrefix:             pulumi.String("aksexamplednsprefix1"),
			PrivateClusterEnabled: pulumi.Bool(true),
			PrivateDnsZoneId:      exampleZone.ID(),
		}, pulumi.DependsOn([]pulumi.Resource{
			exampleAssignment,
		}))
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.privatedns.Zone;
import com.pulumi.azure.privatedns.ZoneArgs;
import com.pulumi.azure.authorization.UserAssignedIdentity;
import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import com.pulumi.azure.containerservice.KubernetesCluster;
import com.pulumi.azure.containerservice.KubernetesClusterArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Private AKS cluster using a bring-your-own Private DNS Zone.
 *
 * <p>The User Assigned Identity is granted the Private DNS Zone Contributor role on the
 * zone, and the cluster depends explicitly on that role assignment so that the assignment
 * is created before, and destroyed after, the cluster (see the note above).
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Resource group shared by the zone, the identity and the cluster.
        var example = new ResourceGroup("example", ResourceGroupArgs.builder()
            .name("example")
            .location("West Europe")
            .build());

        // Bring-your-own Private DNS Zone; delegated to the cluster via privateDnsZoneId below.
        var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
            .name("privatelink.eastus2.azmk8s.io")
            .resourceGroupName(example.name())
            .build());

        // User Assigned Identity that receives the Private DNS Zone Contributor role.
        var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
            .name("aks-example-identity")
            .resourceGroupName(example.name())
            .location(example.location())
            .build());

        // Role assignment scoped to the zone itself (not the resource group or subscription).
        var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
            .scope(exampleZone.id())
            .roleDefinitionName("Private DNS Zone Contributor")
            .principalId(exampleUserAssignedIdentity.principalId())
            .build());

        // privateClusterEnabled(true): the API server is exposed only on internal IP addresses.
        // NOTE(review): exampleUserAssignedIdentity is never attached to the cluster (no
        // identity block), although the docs state one of identity or service_principal
        // must be specified — confirm.
        var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
            .name("aksexamplewithprivatednszone1")
            .location(example.location())
            .resourceGroupName(example.name())
            .dnsPrefix("aksexamplednsprefix1")
            .privateClusterEnabled(true)
            .privateDnsZoneId(exampleZone.id())
            .build(), CustomResourceOptions.builder()
                .dependsOn(exampleAssignment)
                .build());
    }
}
resources:
  # Resource group shared by the zone, the identity and the cluster.
  example:
    type: azure:core:ResourceGroup
    properties:
      name: example
      location: West Europe
  # Bring-your-own Private DNS Zone; delegated to the cluster via privateDnsZoneId below.
  exampleZone:
    type: azure:privatedns:Zone
    name: example
    properties:
      name: privatelink.eastus2.azmk8s.io
      resourceGroupName: ${example.name}
  # User Assigned Identity that receives the Private DNS Zone Contributor role.
  exampleUserAssignedIdentity:
    type: azure:authorization:UserAssignedIdentity
    name: example
    properties:
      name: aks-example-identity
      resourceGroupName: ${example.name}
      location: ${example.location}
  # Role assignment scoped to the zone itself (not the resource group or subscription).
  exampleAssignment:
    type: azure:authorization:Assignment
    name: example
    properties:
      scope: ${exampleZone.id}
      roleDefinitionName: Private DNS Zone Contributor
      principalId: ${exampleUserAssignedIdentity.principalId}
  # privateClusterEnabled: the API server is exposed only on internal IP addresses.
  # dependsOn: the cluster is created after, and destroyed before, the role assignment,
  # as the note above requires.
  # NOTE(review): exampleUserAssignedIdentity is never attached to the cluster (no
  # identity block), although the docs state one of identity or service_principal
  # must be specified — confirm.
  exampleKubernetesCluster:
    type: azure:containerservice:KubernetesCluster
    name: example
    properties:
      name: aksexamplewithprivatednszone1
      location: ${example.location}
      resourceGroupName: ${example.name}
      dnsPrefix: aksexamplednsprefix1
      privateClusterEnabled: true
      privateDnsZoneId: ${exampleZone.id}
    options:
      dependsOn:
        - ${exampleAssignment}
- Private Dns Zone Id string - Either the ID of the Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this, or None. In the case of None you will need to bring your own DNS server and set up resolution; otherwise the cluster will have issues after provisioning. Changing this forces a new resource to be created.
- Private Fqdn string - The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
- Resource Group Name string - Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
- Role Based Access Control Enabled bool - Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.
- Run Command Enabled bool - Whether the run command feature should be enabled for the cluster. Defaults to true.
- Service
Mesh Profile KubernetesCluster Service Mesh Profile - A service_mesh_profile block as defined below.
- Service Principal KubernetesCluster Service Principal - A service_principal block as documented below. One of either identity or service_principal must be specified.
!> Note: A migration scenario from service_principal to identity is supported. When upgrading from service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.
- Sku
Tier string - The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free.
Note: Whilst the AKS API previously supported the Paid SKU, the AKS API introduced a breaking change in API Version 2023-02-01 (used in v3.51.0 and later) where the value Paid must now be set to Standard.
- Storage
Profile KubernetesCluster Storage Profile - A storage_profile block as defined below.
- Support Plan string - Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are KubernetesOfficial and AKSLongTermSupport. Defaults to KubernetesOfficial.
- Tags Dictionary<string, string> - A mapping of tags to assign to the resource.
- Web App Routing KubernetesCluster Web App Routing - A web_app_routing block as defined below.
- Windows Profile KubernetesCluster Windows Profile - A windows_profile block as defined below.
- Workload Autoscaler Profile KubernetesCluster Workload Autoscaler Profile - A workload_autoscaler_profile block as defined below.
- Workload Identity Enabled bool - Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.
Note: To enable Azure AD Workload Identity, oidc_issuer_enabled must be set to true.
Note: Enabling this option will allocate Workload Identity resources to the kube-system namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of the Workload Identity deployment.
- Aci Connector Linux KubernetesCluster Aci Connector Linux Args - An aci_connector_linux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.
- Api Server Access Profile KubernetesCluster Api Server Access Profile Args - An api_server_access_profile block as defined below.
- Auto Scaler Profile KubernetesCluster Auto Scaler Profile Args - An auto_scaler_profile block as defined below.
- Automatic Upgrade Channel string - The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none.
!> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.
Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.
- Azure Active Directory Role Based Access Control KubernetesCluster Azure Active Directory Role Based Access Control Args - An azure_active_directory_role_based_access_control block as defined below.
- Azure Policy Enabled bool - Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service.
- Confidential Computing KubernetesCluster Confidential Computing Args - A confidential_computing block as defined below. For more details please see the documentation.
- Cost Analysis Enabled bool - Should cost analysis be enabled for this Kubernetes Cluster? Defaults to false. The sku_tier must be set to Standard or Premium to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal.
- Current Kubernetes Version string - The current version running on the Azure Kubernetes Managed Cluster.
- Default Node Pool KubernetesCluster Default Node Pool Args - Specifies the configuration for the "System" mode node pool. A default_node_pool block as defined below.
- Disk Encryption Set Id string - The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
- Dns Prefix string - DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens, and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
- Dns Prefix Private Cluster string - Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.
Note: You must define either a dns_prefix or a dns_prefix_private_cluster field. In addition, one of either identity or service_principal blocks must be specified.
- Edge Zone string - Specifies the Extended Zone (formerly called Edge Zone) within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
- Fqdn string - The FQDN of the Azure Kubernetes Managed Cluster.
- Http Application Routing Enabled bool - Should HTTP Application Routing be enabled?
Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.
- Http Application Routing Zone Name string - The Zone Name of the HTTP Application Routing.
- Http Proxy Config KubernetesCluster Http Proxy Config Args - An http_proxy_config block as defined below.
- Identity KubernetesCluster Identity Args - An identity block as defined below. One of either identity or service_principal must be specified.
!> Note: A migration scenario from service_principal to identity is supported. When upgrading from service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.
- Image
Cleaner Enabled bool - Specifies whether Image Cleaner is enabled.
- Image Cleaner Interval Hours int - Specifies the interval in hours at which images should be cleaned up. Defaults to 0.
- Ingress Application Gateway KubernetesCluster Ingress Application Gateway Args - An ingress_application_gateway block as defined below.
Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the Microsoft.Network/virtualNetworks/subnets/join/action permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.
- Key Management Service KubernetesCluster Key Management Service Args - A key_management_service block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
- Key Vault Secrets Provider KubernetesCluster Key Vault Secrets Provider Args - A key_vault_secrets_provider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
- Kube Admin Config Raw string - Raw Kubernetes config for the admin account, to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled.
- Kube Admin Configs []KubernetesCluster Kube Admin Config Args - A kube_admin_config block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled.
- Kube Config Raw string - Raw Kubernetes config to be used by kubectl and other compatible tools.
- Kube Configs []KubernetesCluster Kube Config Args - A kube_config block as defined below.
- Kubelet Identity KubernetesCluster Kubelet Identity Args - A kubelet_identity block as defined below.
- Kubernetes Version string - Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as 1.22 are also supported, in which case the minor version's latest GA patch is automatically chosen. More details can be found in the documentation.
Note: Upgrading your cluster may take up to 10 minutes per node.
- Linux Profile KubernetesCluster Linux Profile Args - A linux_profile block as defined below.
- Local Account Disabled bool - If true, local accounts will be disabled. See the documentation for more information.
Note: If local_account_disabled is set to true, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.
- Location string - The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
- Maintenance Window KubernetesCluster Maintenance Window Args - A maintenance_window block as defined below.
- Maintenance Window Auto Upgrade KubernetesCluster Maintenance Window Auto Upgrade Args - A maintenance_window_auto_upgrade block as defined below.
- Maintenance Window Node Os KubernetesCluster Maintenance Window Node Os Args - A maintenance_window_node_os block as defined below.
- Microsoft Defender KubernetesCluster Microsoft Defender Args - A microsoft_defender block as defined below.
- Monitor Metrics KubernetesCluster Monitor Metrics Args - Specifies a Prometheus add-on profile for the Kubernetes Cluster. A monitor_metrics block as defined below.
Note: If deploying Managed Prometheus, the monitor_metrics properties are required to configure the cluster for metrics collection. If no value is needed, set the properties to null.
- Name string - The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
- Network Profile KubernetesCluster Network Profile Args - A network_profile block as defined below. Changing this forces a new resource to be created.
Note: If network_profile is not defined, the kubenet profile will be used by default.
- Node Os Upgrade Channel string - The upgrade channel for this Kubernetes Cluster's Node OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None. Defaults to NodeImage.
Note: node_os_upgrade_channel must be set to NodeImage if automatic_upgrade_channel has been set to node-image.
- Node Resource Group string - The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.
Note: Azure requires that a new, non-existent Resource Group is used, as otherwise the provisioning of the Kubernetes Service will fail.
- Node Resource Group Id string - The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
- Oidc Issuer Enabled bool - Enable or disable the OIDC issuer URL.
- Oidc Issuer Url string - The OIDC issuer URL that is associated with the cluster.
- Oms Agent KubernetesCluster Oms Agent Args - An oms_agent block as defined below.
- Open Service Mesh Enabled bool - Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
- Portal Fqdn string - The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
- Private Cluster Enabled bool - Should this Kubernetes Cluster have its API server exposed only on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created.
- Private
Cluster Public Fqdn Enabled bool - Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.
Note: If you use a BYO DNS Zone, the AKS cluster should use either a User Assigned Identity or a service principal (which is deprecated) with the Private DNS Zone Contributor role and access to this Private DNS Zone. If a UserAssigned
identity is used, the cluster should depend on the role assignment so that the two are not destroyed in the wrong order, as in this example:

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
// Resource group shared by the zone, the identity and the cluster.
const example = new azure.core.ResourceGroup("example", {
    name: "example",
    location: "West Europe",
});

// Bring-your-own Private DNS Zone; it is delegated to the cluster via privateDnsZoneId below.
const exampleZone = new azure.privatedns.Zone("example", {
    name: "privatelink.eastus2.azmk8s.io",
    resourceGroupName: example.name,
});

// User Assigned Identity that receives the Private DNS Zone Contributor role.
const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
    name: "aks-example-identity",
    resourceGroupName: example.name,
    location: example.location,
});

// Role assignment scoped to the zone itself (not the resource group or subscription).
const exampleAssignment = new azure.authorization.Assignment("example", {
    scope: exampleZone.id,
    roleDefinitionName: "Private DNS Zone Contributor",
    principalId: exampleUserAssignedIdentity.principalId,
});

// privateClusterEnabled: the API server is exposed only on internal IP addresses.
// dependsOn: the cluster is created after, and destroyed before, the role assignment,
// as the note above requires.
// NOTE(review): exampleUserAssignedIdentity is never attached to the cluster (no `identity`
// block), although the docs state one of identity or service_principal must be specified — confirm.
const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
    name: "aksexamplewithprivatednszone1",
    location: example.location,
    resourceGroupName: example.name,
    dnsPrefix: "aksexamplednsprefix1",
    privateClusterEnabled: true,
    privateDnsZoneId: exampleZone.id,
}, {
    dependsOn: [exampleAssignment],
});
import pulumi
import pulumi_azure as azure

# Resource group shared by the zone, the identity and the cluster.
example = azure.core.ResourceGroup("example",
    name="example",
    location="West Europe")

# Bring-your-own Private DNS Zone; delegated to the cluster via private_dns_zone_id below.
example_zone = azure.privatedns.Zone("example",
    name="privatelink.eastus2.azmk8s.io",
    resource_group_name=example.name)

# User Assigned Identity that receives the Private DNS Zone Contributor role.
example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example",
    name="aks-example-identity",
    resource_group_name=example.name,
    location=example.location)

# Role assignment scoped to the zone itself (not the resource group or subscription).
example_assignment = azure.authorization.Assignment("example",
    scope=example_zone.id,
    role_definition_name="Private DNS Zone Contributor",
    principal_id=example_user_assigned_identity.principal_id)

# private_cluster_enabled=True: the API server is exposed only on internal IP addresses.
# depends_on: the cluster is created after, and destroyed before, the role assignment,
# as the note above requires.
# NOTE(review): example_user_assigned_identity is never attached to the cluster (no
# identity block), although the docs state one of identity or service_principal must
# be specified — confirm.
example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
    name="aksexamplewithprivatednszone1",
    location=example.location,
    resource_group_name=example.name,
    dns_prefix="aksexamplednsprefix1",
    private_cluster_enabled=True,
    private_dns_zone_id=example_zone.id,
    opts = pulumi.ResourceOptions(depends_on=[example_assignment]))
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;

return await Deployment.RunAsync(() =>
{
    // Resource group shared by the zone, the identity and the cluster.
    var example = new Azure.Core.ResourceGroup("example", new()
    {
        Name = "example",
        Location = "West Europe",
    });

    // Bring-your-own Private DNS Zone; delegated to the cluster via PrivateDnsZoneId below.
    var exampleZone = new Azure.PrivateDns.Zone("example", new()
    {
        Name = "privatelink.eastus2.azmk8s.io",
        ResourceGroupName = example.Name,
    });

    // User Assigned Identity that receives the Private DNS Zone Contributor role.
    var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
    {
        Name = "aks-example-identity",
        ResourceGroupName = example.Name,
        Location = example.Location,
    });

    // Role assignment scoped to the zone itself (not the resource group or subscription).
    var exampleAssignment = new Azure.Authorization.Assignment("example", new()
    {
        Scope = exampleZone.Id,
        RoleDefinitionName = "Private DNS Zone Contributor",
        PrincipalId = exampleUserAssignedIdentity.PrincipalId,
    });

    // PrivateClusterEnabled: the API server is exposed only on internal IP addresses.
    // DependsOn: the cluster is created after, and destroyed before, the role assignment,
    // as the note above requires.
    // NOTE(review): exampleUserAssignedIdentity is never attached to the cluster (no
    // Identity block), although the docs state one of identity or service_principal
    // must be specified — confirm.
    var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
    {
        Name = "aksexamplewithprivatednszone1",
        Location = example.Location,
        ResourceGroupName = example.Name,
        DnsPrefix = "aksexamplednsprefix1",
        PrivateClusterEnabled = true,
        PrivateDnsZoneId = exampleZone.Id,
    }, new CustomResourceOptions
    {
        DependsOn =
        {
            exampleAssignment,
        },
    });
});
package main

import (
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/containerservice"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/privatedns"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Resource group shared by the zone, the identity and the cluster.
		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
			Name:     pulumi.String("example"),
			Location: pulumi.String("West Europe"),
		})
		if err != nil {
			return err
		}
		// Bring-your-own Private DNS Zone; delegated to the cluster via PrivateDnsZoneId below.
		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
			ResourceGroupName: example.Name,
		})
		if err != nil {
			return err
		}
		// User Assigned Identity that receives the Private DNS Zone Contributor role.
		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
			Name:              pulumi.String("aks-example-identity"),
			ResourceGroupName: example.Name,
			Location:          example.Location,
		})
		if err != nil {
			return err
		}
		// Role assignment scoped to the zone itself (not the resource group or subscription).
		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
			Scope:              exampleZone.ID(),
			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
		})
		if err != nil {
			return err
		}
		// PrivateClusterEnabled: the API server is exposed only on internal IP addresses.
		// pulumi.DependsOn: the cluster is created after, and destroyed before, the role
		// assignment, as the note above requires.
		// NOTE(review): exampleUserAssignedIdentity is never attached to the cluster (no
		// Identity block), although the docs state one of identity or service_principal
		// must be specified — confirm.
		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
			Name:                  pulumi.String("aksexamplewithprivatednszone1"),
			Location:              example.Location,
			ResourceGroupName:     example.Name,
			DnsPrefix:             pulumi.String("aksexamplednsprefix1"),
			PrivateClusterEnabled: pulumi.Bool(true),
			PrivateDnsZoneId:      exampleZone.ID(),
		}, pulumi.DependsOn([]pulumi.Resource{
			exampleAssignment,
		}))
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.privatedns.Zone;
import com.pulumi.azure.privatedns.ZoneArgs;
import com.pulumi.azure.authorization.UserAssignedIdentity;
import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import com.pulumi.azure.containerservice.KubernetesCluster;
import com.pulumi.azure.containerservice.KubernetesClusterArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Private AKS cluster using a bring-your-own Private DNS Zone.
 *
 * <p>The User Assigned Identity is granted the Private DNS Zone Contributor role on the
 * zone, and the cluster depends explicitly on that role assignment so that the assignment
 * is created before, and destroyed after, the cluster (see the note above).
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Resource group shared by the zone, the identity and the cluster.
        var example = new ResourceGroup("example", ResourceGroupArgs.builder()
            .name("example")
            .location("West Europe")
            .build());

        // Bring-your-own Private DNS Zone; delegated to the cluster via privateDnsZoneId below.
        var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
            .name("privatelink.eastus2.azmk8s.io")
            .resourceGroupName(example.name())
            .build());

        // User Assigned Identity that receives the Private DNS Zone Contributor role.
        var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
            .name("aks-example-identity")
            .resourceGroupName(example.name())
            .location(example.location())
            .build());

        // Role assignment scoped to the zone itself (not the resource group or subscription).
        var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
            .scope(exampleZone.id())
            .roleDefinitionName("Private DNS Zone Contributor")
            .principalId(exampleUserAssignedIdentity.principalId())
            .build());

        // privateClusterEnabled(true): the API server is exposed only on internal IP addresses.
        // NOTE(review): exampleUserAssignedIdentity is never attached to the cluster (no
        // identity block), although the docs state one of identity or service_principal
        // must be specified — confirm.
        var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
            .name("aksexamplewithprivatednszone1")
            .location(example.location())
            .resourceGroupName(example.name())
            .dnsPrefix("aksexamplednsprefix1")
            .privateClusterEnabled(true)
            .privateDnsZoneId(exampleZone.id())
            .build(), CustomResourceOptions.builder()
                .dependsOn(exampleAssignment)
                .build());
    }
}
resources:
  # Resource group shared by the zone, the identity and the cluster.
  example:
    type: azure:core:ResourceGroup
    properties:
      name: example
      location: West Europe
  # Bring-your-own Private DNS Zone; delegated to the cluster via privateDnsZoneId below.
  exampleZone:
    type: azure:privatedns:Zone
    name: example
    properties:
      name: privatelink.eastus2.azmk8s.io
      resourceGroupName: ${example.name}
  # User Assigned Identity that receives the Private DNS Zone Contributor role.
  exampleUserAssignedIdentity:
    type: azure:authorization:UserAssignedIdentity
    name: example
    properties:
      name: aks-example-identity
      resourceGroupName: ${example.name}
      location: ${example.location}
  # Role assignment scoped to the zone itself (not the resource group or subscription).
  exampleAssignment:
    type: azure:authorization:Assignment
    name: example
    properties:
      scope: ${exampleZone.id}
      roleDefinitionName: Private DNS Zone Contributor
      principalId: ${exampleUserAssignedIdentity.principalId}
  # privateClusterEnabled: the API server is exposed only on internal IP addresses.
  # dependsOn: the cluster is created after, and destroyed before, the role assignment,
  # as the note above requires.
  # NOTE(review): exampleUserAssignedIdentity is never attached to the cluster (no
  # identity block), although the docs state one of identity or service_principal
  # must be specified — confirm.
  exampleKubernetesCluster:
    type: azure:containerservice:KubernetesCluster
    name: example
    properties:
      name: aksexamplewithprivatednszone1
      location: ${example.location}
      resourceGroupName: ${example.name}
      dnsPrefix: aksexamplednsprefix1
      privateClusterEnabled: true
      privateDnsZoneId: ${exampleZone.id}
    options:
      dependsOn:
        - ${exampleAssignment}
- Private Dns Zone Id string - Either the ID of the Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this, or None. In the case of None you will need to bring your own DNS server and set up resolution; otherwise the cluster will have issues after provisioning. Changing this forces a new resource to be created.
- Private Fqdn string - The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
- Resource Group Name string - Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
- Role Based Access Control Enabled bool - Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.
- Run Command Enabled bool - Whether the run command feature should be enabled for the cluster. Defaults to true.
- Service
Mesh Profile KubernetesCluster Service Mesh Profile Args - A service_mesh_profile block as defined below.
- Service Principal KubernetesCluster Service Principal Args - A service_principal block as documented below. One of either identity or service_principal must be specified.
!> Note: A migration scenario from service_principal to identity is supported. When upgrading from service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.
- Sku
Tier string - The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free.
Note: Whilst the AKS API previously supported the Paid SKU, the AKS API introduced a breaking change in API Version 2023-02-01 (used in v3.51.0 and later) where the value Paid must now be set to Standard.
- Storage
Profile KubernetesCluster Storage Profile Args - A storage_profile block as defined below.
- Support Plan string - Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are KubernetesOfficial and AKSLongTermSupport. Defaults to KubernetesOfficial.
- Tags map[string]string - A mapping of tags to assign to the resource.
- Web App Routing KubernetesCluster Web App Routing Args - A web_app_routing block as defined below.
- Windows Profile KubernetesCluster Windows Profile Args - A windows_profile block as defined below.
- Workload Autoscaler Profile KubernetesCluster Workload Autoscaler Profile Args - A workload_autoscaler_profile block as defined below.
- Workload Identity Enabled bool - Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.
Note: To enable Azure AD Workload Identity, oidc_issuer_enabled must be set to true.
Note: Enabling this option will allocate Workload Identity resources to the kube-system namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of the Workload Identity deployment.
- aci
Connector KubernetesLinux Cluster Aci Connector Linux - A
aci_connector_linux
block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes. - api
Server KubernetesAccess Profile Cluster Api Server Access Profile - An
api_server_access_profile
block as defined below. - auto
Scaler KubernetesProfile Cluster Auto Scaler Profile - A
auto_scaler_profile
block as defined below. - automatic
Upgrade StringChannel - The upgrade channel for this Kubernetes Cluster. Possible values are
patch
, rapid
, node-image
and stable
. Omitting this field sets this value to none
. !> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.
Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.
- azure
Active KubernetesDirectory Role Based Access Control Cluster Azure Active Directory Role Based Access Control - A
azure_active_directory_role_based_access_control
block as defined below. - azure
Policy BooleanEnabled - Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
- confidential
Computing KubernetesCluster Confidential Computing - A
confidential_computing
block as defined below. For more details please see the documentation. - cost
Analysis BooleanEnabled - Should cost analysis be enabled for this Kubernetes Cluster? Defaults to
false
. The sku_tier
must be set to Standard
or Premium
to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. - current
Kubernetes StringVersion - The current version running on the Azure Kubernetes Managed Cluster.
- default
Node KubernetesPool Cluster Default Node Pool - Specifies configuration for "System" mode node pool. A
default_node_pool
block as defined below. - disk
Encryption StringSet Id - The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
- dns
Prefix String - DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
- dns
Prefix StringPrivate Cluster Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.
Note: You must define either a
dns_prefix
or a dns_prefix_private_cluster
field. In addition, one of either the
identity
or service_principal
blocks must be specified. - edge
Zone String - Specifies the Extended Zone (formerly called Edge Zone) within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
- fqdn String
- The FQDN of the Azure Kubernetes Managed Cluster.
- http
Application BooleanRouting Enabled Should HTTP Application Routing be enabled?
Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.
- http
Application StringRouting Zone Name - The Zone Name of the HTTP Application Routing.
- http
Proxy KubernetesConfig Cluster Http Proxy Config - A
http_proxy_config
block as defined below. - identity
Kubernetes
Cluster Identity An
identity
block as defined below. One of either identity
or service_principal
must be specified. !> Note: A migration scenario from
service_principal
to identity
is supported. When upgrading from service_principal
to identity
, your cluster's control plane and addon pods will switch to using the managed identity, but the kubelets will keep using your configured service_principal
until you upgrade your Node Pool. - image
Cleaner BooleanEnabled - Specifies whether Image Cleaner is enabled.
- image
Cleaner IntegerInterval Hours - Specifies the interval in hours when images should be cleaned up. Defaults to
0
. - ingress
Application KubernetesGateway Cluster Ingress Application Gateway - A
ingress_application_gateway
block as defined below. Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the
Microsoft.Network/virtualNetworks/subnets/join/action
permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission. - key
Management KubernetesService Cluster Key Management Service - A
key_management_service
block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster. - key
Vault KubernetesSecrets Provider Cluster Key Vault Secrets Provider - A
key_vault_secrets_provider
block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS. - kube
Admin StringConfig Raw - Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled.
- kube
Admin List<KubernetesConfigs Cluster Kube Admin Config> - A
kube_admin_config
block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled. - kube
Config StringRaw - Raw Kubernetes config to be used by kubectl and other compatible tools.
- kube
Configs List<KubernetesCluster Kube Config> - A
kube_config
block as defined below. - kubelet
Identity KubernetesCluster Kubelet Identity - A
kubelet_identity
block as defined below. - kubernetes
Version String Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified, minor version aliases such as
1.22
are also supported. - The minor version's latest GA patch is automatically chosen in that case. More details can be found in the documentation.Note: Upgrading your cluster may take up to 10 minutes per node.
- linux
Profile KubernetesCluster Linux Profile - A
linux_profile
block as defined below. - local
Account BooleanDisabled - If
true
, local accounts will be disabled. See the documentation for more information. Note: If
local_account_disabled
is set to true
, Kubernetes RBAC and AKS-managed Azure AD integration must be enabled. See the documentation for more information. - location String
- The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
- maintenance
Window KubernetesCluster Maintenance Window - A
maintenance_window
block as defined below. - maintenance
Window KubernetesAuto Upgrade Cluster Maintenance Window Auto Upgrade - A
maintenance_window_auto_upgrade
block as defined below. - maintenance
Window KubernetesNode Os Cluster Maintenance Window Node Os - A
maintenance_window_node_os
block as defined below. - microsoft
Defender KubernetesCluster Microsoft Defender - A
microsoft_defender
block as defined below. - monitor
Metrics KubernetesCluster Monitor Metrics - Specifies a Prometheus add-on profile for the Kubernetes Cluster. A
monitor_metrics
block as defined below. Note: If deploying Managed Prometheus, the
monitor_metrics
properties are required to configure the cluster for metrics collection. If no value is needed, set the properties to null
. - name String
- The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
- network
Profile KubernetesCluster Network Profile - A
network_profile
block as defined below. Changing this forces a new resource to be created. Note: If
network_profile
is not defined, the kubenet
profile will be used by default. - node
Os StringUpgrade Channel - The upgrade channel for this Kubernetes Cluster's Nodes' OS Image. Possible values are
Unmanaged
, SecurityPatch
, NodeImage
and None
. Defaults to NodeImage
. Note:
node_os_upgrade_channel
must be set to NodeImage
if automatic_upgrade_channel
has been set to node-image
. - node
Resource StringGroup The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.
Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.
- node
Resource StringGroup Id - The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
- oidc
Issuer BooleanEnabled - Enable or Disable the OIDC issuer URL
- oidc
Issuer StringUrl - The OIDC issuer URL that is associated with the cluster.
- oms
Agent KubernetesCluster Oms Agent - A
oms_agent
block as defined below. - open
Service BooleanMesh Enabled - Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
- portal
Fqdn String - The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
- private
Cluster BooleanEnabled - Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to
false
. Changing this forces a new resource to be created. - private
Cluster BooleanPublic Fqdn Enabled - Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to
false
. Note: If you use a BYO DNS Zone, the AKS cluster should use either a User Assigned Identity or a service principal (which is deprecated) with the
Private DNS Zone Contributor
role and access to this Private DNS Zone. If a UserAssigned
identity is used - to prevent improper resource order destruction - the cluster should depend on the role assignment, like in this example:import * as pulumi from "@pulumi/pulumi"; import * as azure from "@pulumi/azure";
// Resource group that hosts every resource in this example.
const example = new azure.core.ResourceGroup("example", {
    name: "example",
    location: "West Europe",
});

// Bring-your-own Private DNS Zone in which the private API server endpoint is registered.
const exampleZone = new azure.privatedns.Zone("example", {
    name: "privatelink.eastus2.azmk8s.io",
    resourceGroupName: example.name,
});

// User Assigned Identity intended to operate the cluster control plane.
const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
    name: "aks-example-identity",
    resourceGroupName: example.name,
    location: example.location,
});

// The role is scoped to the zone itself rather than the whole resource group.
const exampleAssignment = new azure.authorization.Assignment("example", {
    scope: exampleZone.id,
    roleDefinitionName: "Private DNS Zone Contributor",
    principalId: exampleUserAssignedIdentity.principalId,
});

// Cluster arguments are kept apart from the resource options so the explicit dependency stands out.
const clusterArgs = {
    name: "aksexamplewithprivatednszone1",
    location: example.location,
    resourceGroupName: example.name,
    dnsPrefix: "aksexamplednsprefix1",
    privateClusterEnabled: true,
    privateDnsZoneId: exampleZone.id,
};

// dependsOn makes the role assignment exist before the cluster and be removed only after it.
// NOTE(review): this snippet does not attach exampleUserAssignedIdentity to the cluster's
// identity block; confirm how the cluster is expected to authenticate to the zone.
const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", clusterArgs, {
    dependsOn: [exampleAssignment],
});
import pulumi
import pulumi_azure as azure

# Resource group that hosts every resource in this example.
example = azure.core.ResourceGroup(
    "example",
    name="example",
    location="West Europe",
)

# Bring-your-own Private DNS Zone in which the private API server endpoint is registered.
example_zone = azure.privatedns.Zone(
    "example",
    name="privatelink.eastus2.azmk8s.io",
    resource_group_name=example.name,
)

# User Assigned Identity intended to operate the cluster control plane.
example_user_assigned_identity = azure.authorization.UserAssignedIdentity(
    "example",
    name="aks-example-identity",
    resource_group_name=example.name,
    location=example.location,
)

# The role is scoped to the zone itself rather than the whole resource group.
example_assignment = azure.authorization.Assignment(
    "example",
    scope=example_zone.id,
    role_definition_name="Private DNS Zone Contributor",
    principal_id=example_user_assigned_identity.principal_id,
)

# depends_on makes the role assignment exist before the cluster and be removed only after it.
cluster_opts = pulumi.ResourceOptions(depends_on=[example_assignment])

# NOTE(review): this snippet does not attach example_user_assigned_identity to the cluster's
# identity block; confirm how the cluster is expected to authenticate to the zone.
example_kubernetes_cluster = azure.containerservice.KubernetesCluster(
    "example",
    name="aksexamplewithprivatednszone1",
    location=example.location,
    resource_group_name=example.name,
    dns_prefix="aksexamplednsprefix1",
    private_cluster_enabled=True,
    private_dns_zone_id=example_zone.id,
    opts=cluster_opts,
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;

return await Deployment.RunAsync(() =>
{
    // Resource group that hosts every resource in this example.
    var example = new Azure.Core.ResourceGroup("example", new()
    {
        Name = "example",
        Location = "West Europe",
    });

    // Bring-your-own Private DNS Zone in which the private API server endpoint is registered.
    var exampleZone = new Azure.PrivateDns.Zone("example", new()
    {
        Name = "privatelink.eastus2.azmk8s.io",
        ResourceGroupName = example.Name,
    });

    // User Assigned Identity intended to operate the cluster control plane.
    var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
    {
        Name = "aks-example-identity",
        ResourceGroupName = example.Name,
        Location = example.Location,
    });

    // The role is scoped to the zone itself rather than the whole resource group.
    var exampleAssignment = new Azure.Authorization.Assignment("example", new()
    {
        Scope = exampleZone.Id,
        RoleDefinitionName = "Private DNS Zone Contributor",
        PrincipalId = exampleUserAssignedIdentity.PrincipalId,
    });

    // DependsOn makes the role assignment exist before the cluster and be removed only after it.
    var clusterOptions = new CustomResourceOptions
    {
        DependsOn = { exampleAssignment },
    };

    // NOTE(review): this snippet does not attach exampleUserAssignedIdentity to the cluster's
    // Identity block; confirm how the cluster is expected to authenticate to the zone.
    var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
    {
        Name = "aksexamplewithprivatednszone1",
        Location = example.Location,
        ResourceGroupName = example.Name,
        DnsPrefix = "aksexamplednsprefix1",
        PrivateClusterEnabled = true,
        PrivateDnsZoneId = exampleZone.Id,
    }, clusterOptions);
});
package main

import (
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/containerservice"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/privatedns"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main provisions a private AKS cluster whose API server is registered in a
// bring-your-own Private DNS Zone. The cluster depends on the role assignment
// explicitly so the assignment is created before, and removed after, the cluster.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Resource group that hosts every resource in this example.
		rg, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
			Name:     pulumi.String("example"),
			Location: pulumi.String("West Europe"),
		})
		if err != nil {
			return err
		}

		// Private DNS Zone in which the private API server endpoint is registered.
		zone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
			ResourceGroupName: rg.Name,
		})
		if err != nil {
			return err
		}

		// User Assigned Identity intended to operate the cluster control plane.
		identity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
			Name:              pulumi.String("aks-example-identity"),
			ResourceGroupName: rg.Name,
			Location:          rg.Location,
		})
		if err != nil {
			return err
		}

		// The role is scoped to the zone itself rather than the whole resource group.
		assignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
			Scope:              zone.ID(),
			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
			PrincipalId:        identity.PrincipalId,
		})
		if err != nil {
			return err
		}

		clusterArgs := &containerservice.KubernetesClusterArgs{
			Name:                  pulumi.String("aksexamplewithprivatednszone1"),
			Location:              rg.Location,
			ResourceGroupName:     rg.Name,
			DnsPrefix:             pulumi.String("aksexamplednsprefix1"),
			PrivateClusterEnabled: pulumi.Bool(true),
			PrivateDnsZoneId:      zone.ID(),
		}
		// NOTE(review): the cluster does not reference `identity` in an Identity block here;
		// confirm how the cluster is expected to authenticate to the zone.
		_, err = containerservice.NewKubernetesCluster(ctx, "example", clusterArgs,
			pulumi.DependsOn([]pulumi.Resource{assignment}))
		return err
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.privatedns.Zone;
import com.pulumi.azure.privatedns.ZoneArgs;
import com.pulumi.azure.authorization.UserAssignedIdentity;
import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import com.pulumi.azure.containerservice.KubernetesCluster;
import com.pulumi.azure.containerservice.KubernetesClusterArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Provisions a private AKS cluster whose API server is registered in a
 * bring-your-own Private DNS Zone. The cluster declares an explicit dependency
 * on the role assignment so the assignment exists before the cluster is created
 * and is only removed after the cluster is destroyed.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares every resource of the stack; invoked once by the Pulumi engine. */
    public static void stack(Context ctx) {
        // Resource group that hosts every resource in this example.
        var example = new ResourceGroup("example",
                ResourceGroupArgs.builder()
                        .name("example")
                        .location("West Europe")
                        .build());

        // Private DNS Zone in which the private API server endpoint is registered.
        var exampleZone = new Zone("exampleZone",
                ZoneArgs.builder()
                        .name("privatelink.eastus2.azmk8s.io")
                        .resourceGroupName(example.name())
                        .build());

        // User Assigned Identity intended to operate the cluster control plane.
        var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity",
                UserAssignedIdentityArgs.builder()
                        .name("aks-example-identity")
                        .resourceGroupName(example.name())
                        .location(example.location())
                        .build());

        // The role is scoped to the zone itself rather than the whole resource group.
        var exampleAssignment = new Assignment("exampleAssignment",
                AssignmentArgs.builder()
                        .scope(exampleZone.id())
                        .roleDefinitionName("Private DNS Zone Contributor")
                        .principalId(exampleUserAssignedIdentity.principalId())
                        .build());

        var clusterArgs = KubernetesClusterArgs.builder()
                .name("aksexamplewithprivatednszone1")
                .location(example.location())
                .resourceGroupName(example.name())
                .dnsPrefix("aksexamplednsprefix1")
                .privateClusterEnabled(true)
                .privateDnsZoneId(exampleZone.id())
                .build();

        // dependsOn makes the role assignment exist before the cluster and be removed only after it.
        var clusterOptions = CustomResourceOptions.builder()
                .dependsOn(exampleAssignment)
                .build();

        // NOTE(review): this snippet does not attach exampleUserAssignedIdentity to the
        // cluster's identity block; confirm how the cluster is expected to authenticate to the zone.
        var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", clusterArgs, clusterOptions);
    }
}
resources:
  # Resource group that hosts every resource in this example.
  example:
    type: azure:core:ResourceGroup
    properties:
      name: example
      location: West Europe
  # Bring-your-own Private DNS Zone in which the private API server endpoint is registered.
  exampleZone:
    type: azure:privatedns:Zone
    name: example
    properties:
      name: privatelink.eastus2.azmk8s.io
      resourceGroupName: ${example.name}
  # User Assigned Identity intended to operate the cluster control plane.
  exampleUserAssignedIdentity:
    type: azure:authorization:UserAssignedIdentity
    name: example
    properties:
      name: aks-example-identity
      resourceGroupName: ${example.name}
      location: ${example.location}
  # The role is scoped to the zone itself rather than the whole resource group.
  exampleAssignment:
    type: azure:authorization:Assignment
    name: example
    properties:
      scope: ${exampleZone.id}
      roleDefinitionName: Private DNS Zone Contributor
      principalId: ${exampleUserAssignedIdentity.principalId}
  # NOTE(review): the cluster does not reference exampleUserAssignedIdentity in an identity
  # block here; confirm how the cluster is expected to authenticate to the zone.
  exampleKubernetesCluster:
    type: azure:containerservice:KubernetesCluster
    name: example
    properties:
      name: aksexamplewithprivatednszone1
      location: ${example.location}
      resourceGroupName: ${example.name}
      dnsPrefix: aksexamplednsprefix1
      privateClusterEnabled: true
      privateDnsZoneId: ${exampleZone.id}
    options:
      # The role assignment must exist before the cluster and be removed only after it.
      dependsOn:
        - ${exampleAssignment}
- private
Dns StringZone Id - Either the ID of the Private DNS Zone which should be delegated to this Cluster,
System
to have AKS manage this, or None
. In the case of None
, you will need to bring your own DNS server and set up resolution; otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created. - private
Fqdn String - The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
- resource
Group StringName - Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
- role
Based BooleanAccess Control Enabled - Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to
true
. Changing this forces a new resource to be created. - run
Command BooleanEnabled - Whether to enable run command for the cluster or not. Defaults to
true
. - service
Mesh KubernetesProfile Cluster Service Mesh Profile - A
service_mesh_profile
block as defined below. - service
Principal KubernetesCluster Service Principal A
service_principal
block as documented below. One of either identity
or service_principal
must be specified. !> Note: A migration scenario from
service_principal
to identity
is supported. When upgrading from service_principal
to identity
, your cluster's control plane and addon pods will switch to using the managed identity, but the kubelets will keep using your configured service_principal
until you upgrade your Node Pool. - sku
Tier String - The SKU Tier that should be used for this Kubernetes Cluster. Possible values are
Free
, Standard
(which includes the Uptime SLA) and Premium
. Defaults to Free
. Note: Whilst the AKS API previously supported the
Paid
SKU, the AKS API introduced a breaking change in API Version 2023-02-01
(used in v3.51.0 and later) where the value Paid
must now be set to Standard
. - storage
Profile KubernetesCluster Storage Profile - A
storage_profile
block as defined below. - support
Plan String - Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are
KubernetesOfficial
andAKSLongTermSupport
. Defaults toKubernetesOfficial
. - Map<String,String>
- A mapping of tags to assign to the resource.
- web
App KubernetesRouting Cluster Web App Routing - A
web_app_routing
block as defined below. - windows
Profile KubernetesCluster Windows Profile - A
windows_profile
block as defined below. - workload
Autoscaler KubernetesProfile Cluster Workload Autoscaler Profile - A
workload_autoscaler_profile
block as defined below. - workload
Identity BooleanEnabled - Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to
false
. Note: To enable Azure AD Workload Identity,
oidc_issuer_enabled
must be set to true
. Note: Enabling this option will allocate Workload Identity resources to the
kube-system
namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.
- aci
Connector KubernetesLinux Cluster Aci Connector Linux - A
aci_connector_linux
block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes. - api
Server KubernetesAccess Profile Cluster Api Server Access Profile - An
api_server_access_profile
block as defined below. - auto
Scaler KubernetesProfile Cluster Auto Scaler Profile - A
auto_scaler_profile
block as defined below. - automatic
Upgrade stringChannel - The upgrade channel for this Kubernetes Cluster. Possible values are
patch
, rapid
, node-image
and stable
. Omitting this field sets this value to none
. !> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.
Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.
- azure
Active KubernetesDirectory Role Based Access Control Cluster Azure Active Directory Role Based Access Control - A
azure_active_directory_role_based_access_control
block as defined below. - azure
Policy booleanEnabled - Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
- confidential
Computing KubernetesCluster Confidential Computing - A
confidential_computing
block as defined below. For more details please see the documentation. - cost
Analysis booleanEnabled - Should cost analysis be enabled for this Kubernetes Cluster? Defaults to
false
. The sku_tier
must be set to Standard
or Premium
to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. - current
Kubernetes stringVersion - The current version running on the Azure Kubernetes Managed Cluster.
- default
Node KubernetesPool Cluster Default Node Pool - Specifies configuration for "System" mode node pool. A
default_node_pool
block as defined below. - disk
Encryption stringSet Id - The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
- dns
Prefix string - DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
- dns
Prefix stringPrivate Cluster Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.
Note: You must define either a
dns_prefix
or a dns_prefix_private_cluster
field. In addition, one of either the
identity
or service_principal
blocks must be specified. - edge
Zone string - Specifies the Extended Zone (formerly called Edge Zone) within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
- fqdn string
- The FQDN of the Azure Kubernetes Managed Cluster.
- http
Application booleanRouting Enabled Should HTTP Application Routing be enabled?
Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.
- http
Application stringRouting Zone Name - The Zone Name of the HTTP Application Routing.
- http
Proxy KubernetesConfig Cluster Http Proxy Config - A
http_proxy_config
block as defined below. - identity
Kubernetes
Cluster Identity An
identity
block as defined below. One of either identity
or service_principal
must be specified. !> Note: A migration scenario from
service_principal
to identity
is supported. When upgrading from service_principal
to identity
, your cluster's control plane and addon pods will switch to using the managed identity, but the kubelets will keep using your configured service_principal
until you upgrade your Node Pool. - image
Cleaner booleanEnabled - Specifies whether Image Cleaner is enabled.
- image
Cleaner numberInterval Hours - Specifies the interval in hours when images should be cleaned up. Defaults to
0
. - ingress
Application KubernetesGateway Cluster Ingress Application Gateway - A
ingress_application_gateway
block as defined below. Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the
Microsoft.Network/virtualNetworks/subnets/join/action
permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission. - key
Management KubernetesService Cluster Key Management Service - A
key_management_service
block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster. - key
Vault KubernetesSecrets Provider Cluster Key Vault Secrets Provider - A
key_vault_secrets_provider
block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS. - kube
Admin stringConfig Raw - Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled.
- kube
Admin KubernetesConfigs Cluster Kube Admin Config[] - A
kube_admin_config
block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled. - kube
Config stringRaw - Raw Kubernetes config to be used by kubectl and other compatible tools.
- kube
Configs KubernetesCluster Kube Config[] - A
kube_config
block as defined below. - kubelet
Identity KubernetesCluster Kubelet Identity - A
kubelet_identity
block as defined below. - kubernetes
Version string Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified, minor version aliases such as
1.22
are also supported. - The minor version's latest GA patch is automatically chosen in that case. More details can be found in the documentation.Note: Upgrading your cluster may take up to 10 minutes per node.
- linux
Profile KubernetesCluster Linux Profile - A
linux_profile
block as defined below. - local
Account booleanDisabled - If
true
, local accounts will be disabled. See the documentation for more information. Note: If
local_account_disabled
is set to true
, Kubernetes RBAC and AKS-managed Azure AD integration must be enabled. See the documentation for more information. - location string
- The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
- maintenance
Window KubernetesCluster Maintenance Window - A
maintenance_window
block as defined below. - maintenance
Window KubernetesAuto Upgrade Cluster Maintenance Window Auto Upgrade - A
maintenance_window_auto_upgrade
block as defined below. - maintenance
Window KubernetesNode Os Cluster Maintenance Window Node Os - A
maintenance_window_node_os
block as defined below. - microsoft
Defender KubernetesCluster Microsoft Defender - A
microsoft_defender
block as defined below. - monitor
Metrics KubernetesCluster Monitor Metrics - Specifies a Prometheus add-on profile for the Kubernetes Cluster. A
monitor_metrics
block as defined below. Note: If deploying Managed Prometheus, the
monitor_metrics
properties are required to configure the cluster for metrics collection. If no value is needed, set the properties to null
. - name string
- The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
- network
Profile KubernetesCluster Network Profile - A
network_profile
block as defined below. Changing this forces a new resource to be created. Note: If
network_profile
is not defined, the kubenet
profile will be used by default. - node
Os stringUpgrade Channel - The upgrade channel for this Kubernetes Cluster's Nodes' OS Image. Possible values are
Unmanaged
, SecurityPatch
, NodeImage
and None
. Defaults to NodeImage
. Note:
node_os_upgrade_channel
must be set to NodeImage
if automatic_upgrade_channel
has been set to node-image
. - node
Resource stringGroup The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.
Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.
- node
Resource stringGroup Id - The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
- oidc
Issuer booleanEnabled - Enable or Disable the OIDC issuer URL
- oidc
Issuer stringUrl - The OIDC issuer URL that is associated with the cluster.
- oms
Agent KubernetesCluster Oms Agent - A
oms_agent
block as defined below. - open
Service booleanMesh Enabled - Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
- portal
Fqdn string - The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
- private
Cluster booleanEnabled - Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to
false
. Changing this forces a new resource to be created. - private
Cluster booleanPublic Fqdn Enabled - Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to
false
. Note: If you use a BYO DNS Zone, the AKS cluster should use either a User Assigned Identity or a service principal (which is deprecated) with the
Private DNS Zone Contributor
role and access to this Private DNS Zone. If a UserAssigned
identity is used - to prevent improper resource order destruction - the cluster should depend on the role assignment, like in this example:import * as pulumi from "@pulumi/pulumi"; import * as azure from "@pulumi/azure";
// Resource group that hosts every resource in this example.
const example = new azure.core.ResourceGroup("example", {
    name: "example",
    location: "West Europe",
});

// Bring-your-own Private DNS Zone in which the private API server endpoint is registered.
const exampleZone = new azure.privatedns.Zone("example", {
    name: "privatelink.eastus2.azmk8s.io",
    resourceGroupName: example.name,
});

// User Assigned Identity intended to operate the cluster control plane.
const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
    name: "aks-example-identity",
    resourceGroupName: example.name,
    location: example.location,
});

// The role is scoped to the zone itself rather than the whole resource group.
const exampleAssignment = new azure.authorization.Assignment("example", {
    scope: exampleZone.id,
    roleDefinitionName: "Private DNS Zone Contributor",
    principalId: exampleUserAssignedIdentity.principalId,
});

// Cluster arguments are kept apart from the resource options so the explicit dependency stands out.
const clusterArgs = {
    name: "aksexamplewithprivatednszone1",
    location: example.location,
    resourceGroupName: example.name,
    dnsPrefix: "aksexamplednsprefix1",
    privateClusterEnabled: true,
    privateDnsZoneId: exampleZone.id,
};

// dependsOn makes the role assignment exist before the cluster and be removed only after it.
// NOTE(review): this snippet does not attach exampleUserAssignedIdentity to the cluster's
// identity block; confirm how the cluster is expected to authenticate to the zone.
const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", clusterArgs, {
    dependsOn: [exampleAssignment],
});
import pulumi import pulumi_azure as azure example = azure.core.ResourceGroup("example", name="example", location="West Europe") example_zone = azure.privatedns.Zone("example", name="privatelink.eastus2.azmk8s.io", resource_group_name=example.name) example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example", name="aks-example-identity", resource_group_name=example.name, location=example.location) example_assignment = azure.authorization.Assignment("example", scope=example_zone.id, role_definition_name="Private DNS Zone Contributor", principal_id=example_user_assigned_identity.principal_id) example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example", name="aksexamplewithprivatednszone1", location=example.location, resource_group_name=example.name, dns_prefix="aksexamplednsprefix1", private_cluster_enabled=True, private_dns_zone_id=example_zone.id, opts = pulumi.ResourceOptions(depends_on=[example_assignment]))
using System.Collections.Generic; using System.Linq; using Pulumi; using Azure = Pulumi.Azure; return await Deployment.RunAsync(() => { var example = new Azure.Core.ResourceGroup("example", new() { Name = "example", Location = "West Europe", }); var exampleZone = new Azure.PrivateDns.Zone("example", new() { Name = "privatelink.eastus2.azmk8s.io", ResourceGroupName = example.Name, }); var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new() { Name = "aks-example-identity", ResourceGroupName = example.Name, Location = example.Location, }); var exampleAssignment = new Azure.Authorization.Assignment("example", new() { Scope = exampleZone.Id, RoleDefinitionName = "Private DNS Zone Contributor", PrincipalId = exampleUserAssignedIdentity.PrincipalId, }); var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new() { Name = "aksexamplewithprivatednszone1", Location = example.Location, ResourceGroupName = example.Name, DnsPrefix = "aksexamplednsprefix1", PrivateClusterEnabled = true, PrivateDnsZoneId = exampleZone.Id, }, new CustomResourceOptions { DependsOn = { exampleAssignment, }, }); });
package main import ( "github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization" "github.com/pulumi/pulumi-azure/sdk/v6/go/azure/containerservice" "github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core" "github.com/pulumi/pulumi-azure/sdk/v6/go/azure/privatedns" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{ Name: pulumi.String("example"), Location: pulumi.String("West Europe"), }) if err != nil { return err } exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{ Name: pulumi.String("privatelink.eastus2.azmk8s.io"), ResourceGroupName: example.Name, }) if err != nil { return err } exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{ Name: pulumi.String("aks-example-identity"), ResourceGroupName: example.Name, Location: example.Location, }) if err != nil { return err } exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{ Scope: exampleZone.ID(), RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"), PrincipalId: exampleUserAssignedIdentity.PrincipalId, }) if err != nil { return err } _, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{ Name: pulumi.String("aksexamplewithprivatednszone1"), Location: example.Location, ResourceGroupName: example.Name, DnsPrefix: pulumi.String("aksexamplednsprefix1"), PrivateClusterEnabled: pulumi.Bool(true), PrivateDnsZoneId: exampleZone.ID(), }, pulumi.DependsOn([]pulumi.Resource{ exampleAssignment, })) if err != nil { return err } return nil }) }
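package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.privatedns.Zone;
import com.pulumi.azure.privatedns.ZoneArgs;
import com.pulumi.azure.authorization.UserAssignedIdentity;
import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import com.pulumi.azure.containerservice.KubernetesCluster;
import com.pulumi.azure.containerservice.KubernetesClusterArgs;
import com.pulumi.azure.containerservice.inputs.KubernetesClusterIdentityArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Private AKS cluster with a bring-your-own (BYO) Private DNS Zone.
 *
 * The user-assigned identity is granted "Private DNS Zone Contributor" scoped
 * to the zone only (least privilege); the cluster runs as that identity and
 * depends on the role assignment so the assignment exists before the cluster
 * is created and is removed only after it.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new ResourceGroup("example", ResourceGroupArgs.builder()
            .name("example")
            .location("West Europe")
            .build());

        var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
            .name("privatelink.eastus2.azmk8s.io")
            .resourceGroupName(example.name())
            .build());

        var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
            .name("aks-example-identity")
            .resourceGroupName(example.name())
            .location(example.location())
            .build());

        // Role assignment scoped to the zone rather than to the resource group or subscription.
        var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
            .scope(exampleZone.id())
            .roleDefinitionName("Private DNS Zone Contributor")
            .principalId(exampleUserAssignedIdentity.principalId())
            .build());

        var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
            .name("aksexamplewithprivatednszone1")
            .location(example.location())
            .resourceGroupName(example.name())
            .dnsPrefix("aksexamplednsprefix1")
            // API server is exposed only on the Virtual Network, not on a public IP.
            .privateClusterEnabled(true)
            .privateDnsZoneId(exampleZone.id())
            // The cluster must run as the identity that holds the DNS zone role;
            // without this block the role assignment above is not the cluster's identity.
            .identity(KubernetesClusterIdentityArgs.builder()
                .type("UserAssigned")
                .identityIds(exampleUserAssignedIdentity.id().applyValue(List::of))
                .build())
            // defaultNodePool and other cluster settings are omitted for brevity.
            .build(), CustomResourceOptions.builder()
                .dependsOn(exampleAssignment)
                .build());

    }
}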
resources: example: type: azure:core:ResourceGroup properties: name: example location: West Europe exampleZone: type: azure:privatedns:Zone name: example properties: name: privatelink.eastus2.azmk8s.io resourceGroupName: ${example.name} exampleUserAssignedIdentity: type: azure:authorization:UserAssignedIdentity name: example properties: name: aks-example-identity resourceGroupName: ${example.name} location: ${example.location} exampleAssignment: type: azure:authorization:Assignment name: example properties: scope: ${exampleZone.id} roleDefinitionName: Private DNS Zone Contributor principalId: ${exampleUserAssignedIdentity.principalId} exampleKubernetesCluster: type: azure:containerservice:KubernetesCluster name: example properties: name: aksexamplewithprivatednszone1 location: ${example.location} resourceGroupName: ${example.name} dnsPrefix: aksexamplednsprefix1 privateClusterEnabled: true privateDnsZoneId: ${exampleZone.id} options: dependsOn: - ${exampleAssignment}
- privateDnsZoneId string - Either the ID of the Private DNS Zone which should be delegated to this Cluster, `System` to have AKS manage this, or `None`. In the case of `None` you will need to bring your own DNS server and set up resolving; otherwise the cluster will have issues after provisioning. Changing this forces a new resource to be created.
- privateFqdn string - The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
- resource
Group stringName - Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
- roleBasedAccessControlEnabled boolean - Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to `true`. Changing this forces a new resource to be created.
- runCommandEnabled boolean - Whether to enable the run command for the cluster or not. Defaults to `true`.
- serviceMeshProfile KubernetesClusterServiceMeshProfile - A `service_mesh_profile` block as defined below.
- servicePrincipal KubernetesClusterServicePrincipal - A `service_principal` block as documented below. One of either `identity` or `service_principal` must be specified.
!> Note: A migration scenario from `service_principal` to `identity` is supported. When upgrading from `service_principal` to `identity`, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured `service_principal` until you upgrade your Node Pool.
- sku
Tier string The SKU Tier that should be used for this Kubernetes Cluster. Possible values are
Free
,Standard
(which includes the Uptime SLA) andPremium
. Defaults toFree
.Note: Whilst the AKS API previously supported the
Paid
SKU - the AKS API introduced a breaking change in API Version2023-02-01
(used in v3.51.0 and later) where the valuePaid
must now be set toStandard
.- storage
Profile KubernetesCluster Storage Profile - A
storage_profile
block as defined below. - support
Plan string - Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are
KubernetesOfficial
andAKSLongTermSupport
. Defaults toKubernetesOfficial
. - {[key: string]: string}
- A mapping of tags to assign to the resource.
- web
App KubernetesRouting Cluster Web App Routing - A
web_app_routing
block as defined below. - windows
Profile KubernetesCluster Windows Profile - A
windows_profile
block as defined below.
- workloadAutoscalerProfile KubernetesClusterWorkloadAutoscalerProfile - A `workload_autoscaler_profile` block as defined below.
- workloadIdentityEnabled boolean - Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to `false`.
Note: To enable Azure AD Workload Identity, `oidc_issuer_enabled` must be set to `true`.
Note: Enabling this option will allocate Workload Identity resources to the `kube-system` namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, refer to the documentation on Azure AD Workload Identity, which provides guidance on how to install the mutating admission webhook that allows the Workload Identity deployment to be customized.
- aci_
connector_ Kuberneteslinux Cluster Aci Connector Linux Args - A
aci_connector_linux
block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes. - api_
server_ Kubernetesaccess_ profile Cluster Api Server Access Profile Args - An
api_server_access_profile
block as defined below. - auto_
scaler_ Kubernetesprofile Cluster Auto Scaler Profile Args - A
auto_scaler_profile
block as defined below. - automatic_
upgrade_ strchannel The upgrade channel for this Kubernetes Cluster. Possible values are
patch
,rapid
,node-image
andstable
. Omitting this field sets this value tonone
.!> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.
Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.
- azure_
active_ Kubernetesdirectory_ role_ based_ access_ control Cluster Azure Active Directory Role Based Access Control Args - A
azure_active_directory_role_based_access_control
block as defined below. - azure_
policy_ boolenabled - Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
- confidential_
computing KubernetesCluster Confidential Computing Args - A
confidential_computing
block as defined below. For more details please the documentation - cost_
analysis_ boolenabled - Should cost analysis be enabled for this Kubernetes Cluster? Defaults to
false
. Thesku_tier
must be set toStandard
orPremium
to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. - current_
kubernetes_ strversion - The current version running on the Azure Kubernetes Managed Cluster.
- default_
node_ Kubernetespool Cluster Default Node Pool Args - Specifies configuration for "System" mode node pool. A
default_node_pool
block as defined below. - disk_
encryption_ strset_ id - The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
- dns_
prefix str - DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
- dns_
prefix_ strprivate_ cluster Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.
Note: You must define either a
dns_prefix
or adns_prefix_private_cluster
field.In addition, one of either
identity
orservice_principal
blocks must be specified.- edge_
zone str - Specifies the Extended Zone (formerly called Edge Zone) within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
- fqdn str
- The FQDN of the Azure Kubernetes Managed Cluster.
- http_
application_ boolrouting_ enabled Should HTTP Application Routing be enabled?
Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.
- http_
application_ strrouting_ zone_ name - The Zone Name of the HTTP Application Routing.
- http_
proxy_ Kubernetesconfig Cluster Http Proxy Config Args - A
http_proxy_config
block as defined below.
- identity KubernetesClusterIdentityArgs - An `identity` block as defined below. One of either `identity` or `service_principal` must be specified.
!> Note: A migration scenario from `service_principal` to `identity` is supported. When upgrading from `service_principal` to `identity`, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured `service_principal` until you upgrade your Node Pool.
- image_cleaner_enabled bool - Specifies whether Image Cleaner is enabled.
- image_
cleaner_ intinterval_ hours - Specifies the interval in hours when images should be cleaned up. Defaults to
0
. - ingress_
application_ Kubernetesgateway Cluster Ingress Application Gateway Args A
ingress_application_gateway
block as defined below.Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the
Microsoft.Network/virtualNetworks/subnets/join/action
permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.
- key_management_service KubernetesClusterKeyManagementServiceArgs - A `key_management_service` block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
- key_vault_secrets_provider KubernetesClusterKeyVaultSecretsProviderArgs - A `key_vault_secrets_provider` block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
- kube_admin_config_raw str - Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled.
- kube_
admin_ Sequence[Kubernetesconfigs Cluster Kube Admin Config Args] - A
kube_admin_config
block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled. - kube_
config_ strraw - Raw Kubernetes config to be used by kubectl and other compatible tools.
- kube_
configs Sequence[KubernetesCluster Kube Config Args] - A
kube_config
block as defined below. - kubelet_
identity KubernetesCluster Kubelet Identity Args - A
kubelet_identity
block as defined below. - kubernetes_
version str Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified, minor version aliases such as
1.22
are also supported. - The minor version's latest GA patch is automatically chosen in that case. More details can be found in the documentation.Note: Upgrading your cluster may take up to 10 minutes per node.
- linux_
profile KubernetesCluster Linux Profile Args - A
linux_profile
block as defined below.
- local_account_disabled bool - If `true`, local accounts will be disabled. See the documentation for more information.
Note: If `local_account_disabled` is set to `true`, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.
- location str - The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
- maintenance_
window KubernetesCluster Maintenance Window Args - A
maintenance_window
block as defined below. - maintenance_
window_ Kubernetesauto_ upgrade Cluster Maintenance Window Auto Upgrade Args - A
maintenance_window_auto_upgrade
block as defined below. - maintenance_
window_ Kubernetesnode_ os Cluster Maintenance Window Node Os Args - A
maintenance_window_node_os
block as defined below. - microsoft_
defender KubernetesCluster Microsoft Defender Args - A
microsoft_defender
block as defined below. - monitor_
metrics KubernetesCluster Monitor Metrics Args Specifies a Prometheus add-on profile for the Kubernetes Cluster. A
monitor_metrics
block as defined below.Note: If deploying Managed Prometheus, the
monitor_metrics
properties are required to configure the cluster for metrics collection. If no value is needed, set properties tonull
.- name str
- The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
- network_
profile KubernetesCluster Network Profile Args A
network_profile
block as defined below. Changing this forces a new resource to be created.Note: If
network_profile
is not defined,kubenet
profile will be used by default.
- node_os_upgrade_channel str - The upgrade channel for this Kubernetes Cluster's Node OS Image. Possible values are `Unmanaged`, `SecurityPatch`, `NodeImage` and `None`. Defaults to `NodeImage`.
Note: `node_os_upgrade_channel` must be set to `NodeImage` if `automatic_upgrade_channel` has been set to `node-image`.
- node_resource_group str - The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.
Note: Azure requires that a new, non-existent Resource Group is used, as otherwise the provisioning of the Kubernetes Service will fail.
- node_
resource_ strgroup_ id - The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
- oidc_
issuer_ boolenabled - Enable or Disable the OIDC issuer URL