Remarks
For information about available add-ons, see Add-ons, extensions, and other integrations with Azure Kubernetes Service.
Bicep resource definition
The managedClusters resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.ContainerService/managedClusters resource, add the following Bicep to your template.
// Bicep skeleton for a Microsoft.ContainerService/managedClusters resource at API
// version 2022-02-02-preview. Quoted 'string', int and bool are placeholders for
// values; {customized property} stands for a caller-chosen key. Each field's
// meaning, defaults and constraints are listed in the Property Values tables below.
resource symbolicname 'Microsoft.ContainerService/managedClusters@2022-02-02-preview' = {
  // Only needed when the resource is created at a scope other than the deployment scope.
  scope: resourceSymbolicName or scope
  extendedLocation: {
    name: 'string'
    type: 'string' // only documented value: 'EdgeZone'
  }
  // ManagedClusterIdentity: type is 'None', 'SystemAssigned' or 'UserAssigned';
  // userAssignedIdentities keys must be ARM resource IDs of user-assigned identities.
  identity: {
    type: 'string'
    userAssignedIdentities: {
      {customized property}: {}
    }
  }
  location: 'string' // required
  name: 'string'     // required; 1-63 chars, see the name pattern in the Property Values table
  properties: {
    // Azure Active Directory integration (ManagedClusterAADProfile).
    aadProfile: {
      adminGroupObjectIDs: [ // AAD group object IDs that receive the cluster admin role
        'string'
      ]
      clientAppID: 'string'
      enableAzureRBAC: bool // Azure RBAC for Kubernetes authorization
      managed: bool         // managed AAD
      serverAppID: 'string'
      // Server AAD application secret: secret material, so pass it in from a
      // @secure() parameter rather than writing a literal into the template.
      serverAppSecret: 'string'
      tenantID: 'string' // if omitted, the deployment subscription's tenant is used
    }
    // Keyed by a caller-chosen name; see Remarks for the available add-ons.
    addonProfiles: {
      {customized property}: {
        config: { // key-value pairs for configuring the add-on
          {customized property}: 'string'
        }
        enabled: bool // required
      }
    }
    // One entry per agent (node) pool; see ManagedClusterAgentPoolProfile.
    agentPoolProfiles: [
      {
        availabilityZones: [ // only valid when type is 'VirtualMachineScaleSets'
          'string'
        ]
        capacityReservationGroupID: 'string'
        count: int // 0-1000 for user pools, 1-1000 for system pools; default 1
        creationData: {
          sourceResourceId: 'string' // ARM ID of the snapshot used to create/upgrade the pool
        }
        enableAutoScaling: bool
        enableEncryptionAtHost: bool // only supported on certain VM sizes and regions
        enableFIPS: bool
        enableNodePublicIP: bool // default false; gives every node its own public IP
        enableUltraSSD: bool
        gpuInstanceProfile: 'string' // 'MIG1g' | 'MIG2g' | 'MIG3g' | 'MIG4g' | 'MIG7g'
        hostGroupID: 'string'        // Microsoft.Compute/hostGroups resource ID (dedicated hosts)
        kubeletConfig: {
          // Sysctls or sysctl patterns (ending in *) the kubelet may set although they
          // are classed as unsafe; keep this list as short as the workload allows.
          allowedUnsafeSysctls: [
            'string'
          ]
          containerLogMaxFiles: int  // must be >= 2
          containerLogMaxSizeMB: int
          cpuCfsQuota: bool          // default true
          cpuCfsQuotaPeriod: 'string' // default '100ms'; e.g. '300ms', '2h45m'
          cpuManagerPolicy: 'string'  // 'none' (default) or 'static'
          failSwapOn: bool            // true: kubelet refuses to start if swap is enabled
          imageGcHighThreshold: int   // default 85; 100 disables image garbage collection
          imageGcLowThreshold: int    // default 80; must not exceed imageGcHighThreshold
          podMaxPids: int             // maximum processes per pod
          topologyManagerPolicy: 'string' // 'none' (default), 'best-effort', 'restricted', 'single-numa-node'
        }
        kubeletDiskType: 'string' // 'OS' | 'Temporary'
        linuxOSConfig: {
          swapFileSizeMB: int // size of the swap file created on each node
          sysctls: {          // sysctl settings for Linux agent nodes (SysctlConfig)
            fsAioMaxNr: int
            fsFileMax: int
            fsInotifyMaxUserWatches: int
            fsNrOpen: int
            kernelThreadsMax: int
            netCoreNetdevMaxBacklog: int
            netCoreOptmemMax: int
            netCoreRmemDefault: int
            netCoreRmemMax: int
            netCoreSomaxconn: int
            netCoreWmemDefault: int
            netCoreWmemMax: int
            netIpv4IpLocalPortRange: 'string'
            netIpv4NeighDefaultGcThresh1: int
            netIpv4NeighDefaultGcThresh2: int
            netIpv4NeighDefaultGcThresh3: int
            netIpv4TcpFinTimeout: int
            netIpv4TcpkeepaliveIntvl: int
            netIpv4TcpKeepaliveProbes: int
            netIpv4TcpKeepaliveTime: int
            netIpv4TcpMaxSynBacklog: int
            netIpv4TcpMaxTwBuckets: int
            netIpv4TcpTwReuse: bool
            netNetfilterNfConntrackBuckets: int
            netNetfilterNfConntrackMax: int
            vmMaxMapCount: int
            vmSwappiness: int
            vmVfsCachePressure: int
          }
          transparentHugePageDefrag: 'string'  // 'always', 'defer', 'defer+madvise', 'madvise' (default), 'never'
          transparentHugePageEnabled: 'string' // 'always' (default), 'madvise', 'never'
        }
        maxCount: int // upper bound for auto-scaling
        maxPods: int  // maximum pods per node
        // Base64-encoded text written to /etc/motd on Linux nodes; it is printed raw,
        // never executed as a script, and must not be set for Windows nodes.
        messageOfTheDay: 'string'
        minCount: int // lower bound for auto-scaling
        mode: 'string' // 'System' | 'User'; a cluster always needs at least one 'System' pool
        name: 'string' // required; lowercase pattern, and at most 6 chars for Windows pools
        nodeLabels: {
          {customized property}: 'string'
        }
        nodePublicIPPrefixID: 'string' // Microsoft.Network/publicIPPrefixes resource ID
        nodeTaints: [ // e.g. key=value:NoSchedule
          'string'
        ]
        orchestratorVersion: 'string' // must share the control plane's major version; see the table for the minor-version rule
        osDiskSizeGB: int    // 0-2048; 0 selects the default size for vmSize
        osDiskType: 'string' // 'Ephemeral' | 'Managed'; cannot be changed after creation
        osSKU: 'string'      // 'CBLMariner' | 'Ubuntu'; must not be set when osType is Windows
        osType: 'string'     // 'Linux' (default) | 'Windows'
        podSubnetID: 'string' // subnet resource ID for pod IPs; omitted => pods use the node subnet
        powerState: {
          code: 'string' // 'Stopped' stops all VMs of a Running pool whose provisioning state is Succeeded
        }
        proximityPlacementGroupID: 'string'
        scaleDownMode: 'string'          // 'Deallocate' | 'Delete' (default)
        scaleSetEvictionPolicy: 'string' // 'Deallocate' | 'Delete' (default); only with scaleSetPriority 'Spot'
        scaleSetPriority: 'string'       // 'Regular' (default) | 'Spot'
        spotMaxPrice: int // decimal > 0, or -1 to accept any on-demand price
        tags: {
          {customized property}: 'string'
        }
        type: 'string' // 'AvailabilitySet' | 'VirtualMachineScaleSets'
        upgradeSettings: {
          maxSurge: 'string' // integer ('5') or percentage ('50%'); default 1
        }
        vmSize: 'string'
        vnetSubnetID: 'string' // subnet resource ID; if omitted a VNET and subnet are generated
        workloadRuntime: 'string' // 'OCIContainer' | 'WasmWasi'
      }
    ]
    // Control-plane exposure (ManagedClusterAPIServerAccessProfile).
    apiServerAccessProfile: {
      // CIDR ranges allowed to reach the API server (e.g. 137.117.106.88/29);
      // not compatible with Public IP Per Node or a Basic load balancer.
      authorizedIPRanges: [
        'string'
      ]
      disableRunCommand: bool // disables the run command feature for the cluster
      enablePrivateCluster: bool
      enablePrivateClusterPublicFQDN: bool // additional public FQDN for a private cluster
      privateDNSZone: 'string' // 'system' (default) or 'none'
    }
    // Cluster-autoscaler parameters; keys are passed through with their hyphenated names.
    autoScalerProfile: {
      balance-similar-node-groups: 'string'
      expander: 'string'
      max-empty-bulk-delete: 'string'
      max-graceful-termination-sec: 'string'
      max-node-provision-time: 'string'
      max-total-unready-percentage: 'string'
      new-pod-scale-up-delay: 'string'
      ok-total-unready-count: 'string'
      scale-down-delay-after-add: 'string'
      scale-down-delay-after-delete: 'string'
      scale-down-delay-after-failure: 'string'
      scale-down-unneeded-time: 'string'
      scale-down-unready-time: 'string'
      scale-down-utilization-threshold: 'string'
      scan-interval: 'string'
      skip-nodes-with-local-storage: 'string'
      skip-nodes-with-system-pods: 'string'
    }
    autoUpgradeProfile: {
      upgradeChannel: 'string' // 'node-image' | 'none' | 'patch' | 'rapid' | 'stable'
    }
    // true disables retrieval of static credentials; only valid on AAD-enabled clusters.
    disableLocalAccounts: bool
    diskEncryptionSetID: 'string' // Microsoft.Compute/diskEncryptionSets resource ID
    dnsPrefix: 'string'           // cannot be updated once the cluster exists
    enableNamespaceResources: bool // default false
    enablePodSecurityPolicy: bool
    enableRBAC: bool
    fqdnSubdomain: 'string'
    httpProxyConfig: {
      httpProxy: 'string'
      httpsProxy: 'string'
      noProxy: [ // endpoints that bypass the proxy
        'string'
      ]
      trustedCa: 'string' // alternative CA certificate used when connecting to the proxies
    }
    identityProfile: {
      {customized property}: {
        clientId: 'string'
        objectId: 'string'
        resourceId: 'string'
      }
    }
    kubernetesVersion: 'string'
    linuxProfile: {
      adminUsername: 'string' // required; must match ^[A-Za-z][-A-Za-z0-9_]*$
      ssh: {
        publicKeys: [ // required; at most one key
          {
            keyData: 'string' // PEM public key, with or without headers
          }
        ]
      }
    }
    networkProfile: {
      dnsServiceIP: 'string'     // must lie inside serviceCidr
      dockerBridgeCidr: 'string' // must not overlap any subnet or the service range
      ipFamilies: [ // 'IPv4' for single-stack; 'IPv4' and 'IPv6' for dual-stack
        'string'
      ]
      loadBalancerProfile: {
        allocatedOutboundPorts: int // 0-64000 SNAT ports per VM; 0 (default) lets Azure allocate dynamically
        effectiveOutboundIPs: [
          {
            id: 'string'
          }
        ]
        enableMultipleStandardLoadBalancers: bool
        idleTimeoutInMinutes: int // 4-120; default 30
        managedOutboundIPs: {
          count: int     // IPv4 outbound IPs, 1-100; default 1
          countIPv6: int // IPv6 outbound IPs; default 0 single-stack, 1 dual-stack
        }
        outboundIPPrefixes: {
          publicIPPrefixes: [
            {
              id: 'string'
            }
          ]
        }
        outboundIPs: {
          publicIPs: [
            {
              id: 'string'
            }
          ]
        }
      }
      loadBalancerSku: 'string' // 'basic' | 'standard' (default)
      natGatewayProfile: {
        effectiveOutboundIPs: [
          {
            id: 'string'
          }
        ]
        idleTimeoutInMinutes: int // 4-120; default 4
        managedOutboundIPProfile: {
          count: int // 1-16; default 1
        }
      }
      networkMode: 'string'   // 'bridge' | 'transparent'; only with networkPlugin 'azure'
      networkPlugin: 'string' // 'azure' | 'kubenet' | 'none'
      networkPolicy: 'string' // 'azure' | 'calico'
      outboundType: 'string'  // set at creation only: 'loadBalancer' | 'managedNATGateway' | 'userAssignedNATGateway' | 'userDefinedRouting'
      podCidr: 'string'       // pod IP range when kubenet is used
      podCidrs: [ // one CIDR for single-stack, one per IP family for dual-stack
        'string'
      ]
      serviceCidr: 'string' // must not overlap any subnet range
      serviceCidrs: [ // one CIDR for single-stack, one per IP family for dual-stack
        'string'
      ]
    }
    nodeResourceGroup: 'string'
    oidcIssuerProfile: {
      enabled: bool // whether the OIDC issuer is enabled
    }
    // AAD Pod Identity add-on (ManagedClusterPodIdentityProfile).
    podIdentityProfile: {
      // Disabled by default because of the IP-spoofing risks the table describes for
      // AAD Pod Identity on kubenet; leave false unless that trade-off has been reviewed.
      allowNetworkPluginKubenet: bool
      enabled: bool
      userAssignedIdentities: [
        {
          bindingSelector: 'string' // selector for the AzureIdentityBinding resource
          identity: { // required
            clientId: 'string'
            objectId: 'string'
            resourceId: 'string'
          }
          name: 'string'      // required
          namespace: 'string' // required
        }
      ]
      userAssignedIdentityExceptions: [
        {
          name: 'string'      // required
          namespace: 'string' // required
          podLabels: {        // required; labels the exception matches
            {customized property}: 'string'
          }
        }
      ]
    }
    privateLinkResources: [
      {
        groupId: 'string'
        id: 'string'
        name: 'string'
        requiredMembers: [
          'string'
        ]
        type: 'string'
      }
    ]
    publicNetworkAccess: 'string'
    securityProfile: {
      azureDefender: {
        enabled: bool
        logAnalyticsWorkspaceResourceId: 'string'
      }
      azureKeyVaultKms: {
        enabled: bool   // default false
        keyId: 'string' // required and must be a valid key identifier when enabled; leave empty when disabled
      }
    }
    servicePrincipalProfile: {
      clientId: 'string'
      // Secret value: supply from a @secure() parameter, not a template literal.
      secret: 'string'
    }
    windowsProfile: {
      // Password value: supply from a @secure() parameter, not a template literal.
      adminPassword: 'string'
      adminUsername: 'string'
      enableCSIProxy: bool
      gmsaProfile: {
        dnsServer: 'string'
        enabled: bool
        rootDomainName: 'string'
      }
      licenseType: 'string'
    }
  }
  sku: {
    name: 'string'
    tier: 'string'
  }
  tags: {
    {customized property}: 'string'
  }
}
Property Values
Microsoft.ContainerService/managedClusters
| Name | Description | Value | 
|---|---|---|
| extendedLocation | The extended location of the Virtual Machine. | ExtendedLocation | 
| identity | The identity of the managed cluster, if configured. | ManagedClusterIdentity | 
| location | Resource location | string (required) | 
| name | The resource name | string Constraints: Min length = 1 Max length = 63 Pattern = ^[a-zA-Z0-9]$\|^[a-zA-Z0-9][-_a-zA-Z0-9]{0,61}[a-zA-Z0-9]$ (required) | 
| properties | Properties of a managed cluster. | ManagedClusterProperties | 
| scope | Use when creating a resource at a scope that is different than the deployment scope. | Set this property to the symbolic name of a resource to apply the extension resource. | 
| sku | The managed cluster SKU. | ManagedClusterSKU | 
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates | 
AgentPoolUpgradeSettings
| Name | Description | Value | 
|---|---|---|
| maxSurge | This can either be set to an integer (e.g. '5') or a percentage (e.g. '50%'). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 1. For more information, including best practices, see: /azure/aks/upgrade-cluster#customize-node-surge-upgrade | string | 
AzureKeyVaultKms
| Name | Description | Value | 
|---|---|---|
| enabled | Whether to enable Azure Key Vault key management service. The default is false. | bool | 
| keyId | Identifier of Azure Key Vault key. See key identifier format for more details. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier. When Azure Key Vault key management service is disabled, leave the field empty. | string | 
ContainerServiceLinuxProfile
| Name | Description | Value | 
|---|---|---|
| adminUsername | The administrator username to use for Linux VMs. | string Constraints: Pattern = ^[A-Za-z][-A-Za-z0-9_]*$ (required) | 
| ssh | The SSH configuration for Linux-based VMs running on Azure. | ContainerServiceSshConfiguration (required) | 
ContainerServiceNetworkProfile
| Name | Description | Value | 
|---|---|---|
| dnsServiceIP | An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. | string Constraints: Pattern = ^(?:(?:25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)$ | 
| dockerBridgeCidr | A CIDR notation IP range assigned to the Docker bridge network. It must not overlap with any Subnet IP ranges or the Kubernetes service address range. | string Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]\|[1-2][0-9]\|3[0-2]))?$ | 
| ipFamilies | IP families are used to determine single-stack or dual-stack clusters. For single-stack, the expected value is IPv4. For dual-stack, the expected values are IPv4 and IPv6. | String array containing any of: 'IPv4' 'IPv6' | 
| loadBalancerProfile | Profile of the cluster load balancer. | ManagedClusterLoadBalancerProfile | 
| loadBalancerSku | The default is 'standard'. See Azure Load Balancer SKUs for more information about the differences between load balancer SKUs. | 'basic' 'standard' | 
| natGatewayProfile | Profile of the cluster NAT gateway. | ManagedClusterNATGatewayProfile | 
| networkMode | This cannot be specified if networkPlugin is anything other than 'azure'. | 'bridge' 'transparent' | 
| networkPlugin | Network plugin used for building the Kubernetes network. | 'azure' 'kubenet' 'none' | 
| networkPolicy | Network policy used for building the Kubernetes network. | 'azure' 'calico' | 
| outboundType | This can only be set at cluster creation time and cannot be changed later. For more information see egress outbound type. | 'loadBalancer' 'managedNATGateway' 'userAssignedNATGateway' 'userDefinedRouting' | 
| podCidr | A CIDR notation IP range from which to assign pod IPs when kubenet is used. | string Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]\|[1-2][0-9]\|3[0-2]))?$ | 
| podCidrs | One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking. | string[] | 
| serviceCidr | A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. | string Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]\|[1-2][0-9]\|3[0-2]))?$ | 
| serviceCidrs | One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking. They must not overlap with any Subnet IP ranges. | string[] | 
ContainerServiceSshConfiguration
| Name | Description | Value | 
|---|---|---|
| publicKeys | The list of SSH public keys used to authenticate with Linux-based VMs. A maximum of 1 key may be specified. | ContainerServiceSshPublicKey[] (required) | 
ContainerServiceSshPublicKey
| Name | Description | Value | 
|---|---|---|
| keyData | Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers. | string (required) | 
CreationData
| Name | Description | Value | 
|---|---|---|
| sourceResourceId | This is the ARM ID of the source object to be used to create the target object. | string | 
ExtendedLocation
| Name | Description | Value | 
|---|---|---|
| name | The name of the extended location. | string | 
| type | The type of the extended location. | 'EdgeZone' | 
KubeletConfig
| Name | Description | Value | 
|---|---|---|
| allowedUnsafeSysctls | Allowed list of unsafe sysctls or unsafe sysctl patterns (ending in *). | string[] | 
| containerLogMaxFiles | The maximum number of container log files that can be present for a container. The number must be ≥ 2. | int Constraints: Min value = 2 | 
| containerLogMaxSizeMB | The maximum size (e.g. 10Mi) of container log file before it is rotated. | int | 
| cpuCfsQuota | The default is true. | bool | 
| cpuCfsQuotaPeriod | The default is '100ms'. Valid values are a sequence of decimal numbers with an optional fraction and a unit suffix. For example: '300ms', '2h45m'. Supported units are 'ns', 'us', 'ms', 's', 'm', and 'h'. | string | 
| cpuManagerPolicy | The default is 'none'. See Kubernetes CPU management policies for more information. Allowed values are 'none' and 'static'. | string | 
| failSwapOn | If set to true it will make the Kubelet fail to start if swap is enabled on the node. | bool | 
| imageGcHighThreshold | To disable image garbage collection, set to 100. The default is 85%. | int | 
| imageGcLowThreshold | This cannot be set higher than imageGcHighThreshold. The default is 80%. | int | 
| podMaxPids | The maximum number of processes per pod. | int | 
| topologyManagerPolicy | For more information see Kubernetes Topology Manager. The default is 'none'. Allowed values are 'none', 'best-effort', 'restricted', and 'single-numa-node'. | string | 
LinuxOSConfig
| Name | Description | Value | 
|---|---|---|
| swapFileSizeMB | The size in MB of a swap file that will be created on each node. | int | 
| sysctls | Sysctl settings for Linux agent nodes. | SysctlConfig | 
| transparentHugePageDefrag | Valid values are 'always', 'defer', 'defer+madvise', 'madvise' and 'never'. The default is 'madvise'. For more information see Transparent Hugepages. | string | 
| transparentHugePageEnabled | Valid values are 'always', 'madvise', and 'never'. The default is 'always'. For more information see Transparent Hugepages. | string | 
ManagedClusterAADProfile
| Name | Description | Value | 
|---|---|---|
| adminGroupObjectIDs | The list of AAD group object IDs that will have admin role of the cluster. | string[] | 
| clientAppID | The client AAD application ID. | string | 
| enableAzureRBAC | Whether to enable Azure RBAC for Kubernetes authorization. | bool | 
| managed | Whether to enable managed AAD. | bool | 
| serverAppID | The server AAD application ID. | string | 
| serverAppSecret | The server AAD application secret. | string | 
| tenantID | The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription. | string | 
ManagedClusterAddonProfile
| Name | Description | Value | 
|---|---|---|
| config | Key-value pairs for configuring an add-on. | ManagedClusterAddonProfileConfig | 
| enabled | Whether the add-on is enabled or not. | bool (required) | 
ManagedClusterAddonProfileConfig
| Name | Description | Value | 
|---|---|---|
ManagedClusterAgentPoolProfile
| Name | Description | Value | 
|---|---|---|
| availabilityZones | The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is 'VirtualMachineScaleSets'. | string[] | 
| capacityReservationGroupID | AKS will associate the specified agent pool with the Capacity Reservation Group. | string | 
| count | Number of agents (VMs) to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1. | int | 
| creationData | CreationData to be used to specify the source Snapshot ID if the node pool will be created/upgraded using a snapshot. | CreationData | 
| enableAutoScaling | Whether to enable auto-scaler | bool | 
| enableEncryptionAtHost | This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption | bool | 
| enableFIPS | See Add a FIPS-enabled node pool for more details. | bool | 
| enableNodePublicIP | Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node. The default is false. | bool | 
| enableUltraSSD | Whether to enable UltraSSD | bool | 
| gpuInstanceProfile | GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. | 'MIG1g' 'MIG2g' 'MIG3g' 'MIG4g' 'MIG7g' | 
| hostGroupID | This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/hostGroups/{hostGroupName}. For more information see Azure dedicated hosts. | string | 
| kubeletConfig | The Kubelet configuration on the agent pool nodes. | KubeletConfig | 
| kubeletDiskType | Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. | 'OS' 'Temporary' | 
| linuxOSConfig | The OS configuration of Linux agent nodes. | LinuxOSConfig | 
| maxCount | The maximum number of nodes for auto-scaling | int | 
| maxPods | The maximum number of pods that can run on a node. | int | 
| messageOfTheDay | A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of the message of the day for Linux nodes. It must not be specified for Windows nodes. It must be a static string (i.e., will be printed raw and not be executed as a script). | string | 
| minCount | The minimum number of nodes for auto-scaling | int | 
| mode | A cluster must have at least one 'System' Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: /azure/aks/use-system-pools | 'System' 'User' | 
| name | Windows agent pool names must be 6 characters or less. | string Constraints: Pattern = ^[a-z][a-z0-9]{0,11}$ (required) | 
| nodeLabels | The node labels to be persisted across all nodes in agent pool. | ManagedClusterAgentPoolProfilePropertiesNodeLabels | 
| nodePublicIPPrefixID | This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPPrefixes/{publicIPPrefixName} | string | 
| nodeTaints | The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. | string[] | 
| orchestratorVersion | As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool. | string | 
| osDiskSizeGB | OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. | int Constraints: Min value = 0 Max value = 2048 | 
| osDiskType | The default is 'Ephemeral' if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. For more information see Ephemeral OS. | 'Ephemeral' 'Managed' | 
| osSKU | Specifies an OS SKU. This value must not be specified if OSType is Windows. | 'CBLMariner' 'Ubuntu' | 
| osType | The operating system type. The default is Linux. | 'Linux' 'Windows' | 
| podSubnetID | If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} | string | 
| powerState | When an Agent Pool is first created it is initially Running. The Agent Pool can be stopped by setting this field to Stopped. A stopped Agent Pool stops all of its VMs and does not accrue billing charges. An Agent Pool can only be stopped if it is Running and its provisioning state is Succeeded. | PowerState | 
| proximityPlacementGroupID | The ID for Proximity Placement Group. | string | 
| scaleDownMode | This also affects the cluster autoscaler behavior. If not specified, it defaults to Delete. | 'Deallocate' 'Delete' | 
| scaleSetEvictionPolicy | This cannot be specified unless the scaleSetPriority is 'Spot'. If not specified, the default is 'Delete'. | 'Deallocate' 'Delete' | 
| scaleSetPriority | The Virtual Machine Scale Set priority. If not specified, the default is 'Regular'. | 'Regular' 'Spot' | 
| spotMaxPrice | Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing | int | 
| tags | The tags to be persisted on the agent pool virtual machine scale set. | ManagedClusterAgentPoolProfilePropertiesTags | 
| type | The type of Agent Pool. | 'AvailabilitySet' 'VirtualMachineScaleSets' | 
| upgradeSettings | Settings for upgrading the agentpool | AgentPoolUpgradeSettings | 
| vmSize | VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: /azure/aks/quotas-skus-regions | string | 
| vnetSubnetID | If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} | string | 
| workloadRuntime | Determines the type of workload a node can run. | 'OCIContainer' 'WasmWasi' | 
ManagedClusterAgentPoolProfilePropertiesNodeLabels
| Name | Description | Value | 
|---|---|---|
ManagedClusterAgentPoolProfilePropertiesTags
| Name | Description | Value | 
|---|---|---|
ManagedClusterAPIServerAccessProfile
| Name | Description | Value | 
|---|---|---|
| authorizedIPRanges | IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. For more information see API server authorized IP ranges. | string[] | 
| disableRunCommand | Whether to disable run command for the cluster or not. | bool | 
| enablePrivateCluster | For more details, see Creating a private AKS cluster. | bool | 
| enablePrivateClusterPublicFQDN | Whether to create additional public FQDN for private cluster or not. | bool | 
| privateDNSZone | The default is System. For more details see configure private DNS zone. Allowed values are 'system' and 'none'. | string | 
ManagedClusterAutoUpgradeProfile
| Name | Description | Value | 
|---|---|---|
| upgradeChannel | For more information see setting the AKS cluster auto-upgrade channel. | 'node-image' 'none' 'patch' 'rapid' 'stable' | 
ManagedClusterHttpProxyConfig
| Name | Description | Value | 
|---|---|---|
| httpProxy | The HTTP proxy server endpoint to use. | string | 
| httpsProxy | The HTTPS proxy server endpoint to use. | string | 
| noProxy | The endpoints that should not go through proxy. | string[] | 
| trustedCa | Alternative CA cert to use for connecting to proxy servers. | string | 
ManagedClusterIdentity
| Name | Description | Value | 
|---|---|---|
| type | For more information see use managed identities in AKS. | 'None' 'SystemAssigned' 'UserAssigned' | 
| userAssignedIdentities | The keys must be ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | ManagedClusterIdentityUserAssignedIdentities | 
ManagedClusterIdentityUserAssignedIdentities
| Name | Description | Value | 
|---|---|---|
ManagedClusterLoadBalancerProfile
| Name | Description | Value | 
|---|---|---|
| allocatedOutboundPorts | The desired number of allocated SNAT ports per VM. Allowed values are in the range of 0 to 64000 (inclusive). The default value is 0 which results in Azure dynamically allocating ports. | int Constraints: Min value = 0 Max value = 64000 | 
| effectiveOutboundIPs | The effective outbound IP resources of the cluster load balancer. | ResourceReference[] | 
| enableMultipleStandardLoadBalancers | Enable multiple standard load balancers per AKS cluster or not. | bool | 
| idleTimeoutInMinutes | Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 30 minutes. | int Constraints: Min value = 4 Max value = 120 | 
| managedOutboundIPs | Desired managed outbound IPs for the cluster load balancer. | ManagedClusterLoadBalancerProfileManagedOutboundIPs | 
| outboundIPPrefixes | Desired outbound IP Prefix resources for the cluster load balancer. | ManagedClusterLoadBalancerProfileOutboundIPPrefixes | 
| outboundIPs | Desired outbound IP resources for the cluster load balancer. | ManagedClusterLoadBalancerProfileOutboundIPs | 
ManagedClusterLoadBalancerProfileManagedOutboundIPs
| Name | Description | Value | 
|---|---|---|
| count | The desired number of IPv4 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1. | int Constraints: Min value = 1 Max value = 100 | 
| countIPv6 | The desired number of IPv6 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack. | int Constraints: Min value = 0 Max value = 100 | 
ManagedClusterLoadBalancerProfileOutboundIPPrefixes
| Name | Description | Value | 
|---|---|---|
| publicIPPrefixes | A list of public IP prefix resources. | ResourceReference[] | 
ManagedClusterLoadBalancerProfileOutboundIPs
| Name | Description | Value | 
|---|---|---|
| publicIPs | A list of public IP resources. | ResourceReference[] | 
ManagedClusterManagedOutboundIPProfile
| Name | Description | Value | 
|---|---|---|
| count | The desired number of outbound IPs created/managed by Azure. Allowed values must be in the range of 1 to 16 (inclusive). The default value is 1. | int Constraints: Min value = 1 Max value = 16 | 
ManagedClusterNATGatewayProfile
| Name | Description | Value | 
|---|---|---|
| effectiveOutboundIPs | The effective outbound IP resources of the cluster NAT gateway. | ResourceReference[] | 
| idleTimeoutInMinutes | Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 4 minutes. | int Constraints: Min value = 4 Max value = 120 | 
| managedOutboundIPProfile | Profile of the managed outbound IP resources of the cluster NAT gateway. | ManagedClusterManagedOutboundIPProfile | 
ManagedClusterOidcIssuerProfile
| Name | Description | Value | 
|---|---|---|
| enabled | Whether the OIDC issuer is enabled. | bool | 
ManagedClusterPodIdentity
| Name | Description | Value | 
|---|---|---|
| bindingSelector | The binding selector to use for the AzureIdentityBinding resource. | string | 
| identity | The user assigned identity details. | UserAssignedIdentity (required) | 
| name | The name of the pod identity. | string (required) | 
| namespace | The namespace of the pod identity. | string (required) | 
ManagedClusterPodIdentityException
| Name | Description | Value | 
|---|---|---|
| name | The name of the pod identity exception. | string (required) | 
| namespace | The namespace of the pod identity exception. | string (required) | 
| podLabels | The pod labels to match. | ManagedClusterPodIdentityExceptionPodLabels (required) | 
ManagedClusterPodIdentityExceptionPodLabels
| Name | Description | Value | 
|---|---|---|
ManagedClusterPodIdentityProfile
| Name | Description | Value | 
|---|---|---|
| allowNetworkPluginKubenet | Running in Kubenet is disabled by default due to the security-related nature of AAD Pod Identity and the risk of IP spoofing. See using the Kubenet network plugin with AAD Pod Identity for more information. | bool | 
| enabled | Whether the pod identity addon is enabled. | bool | 
| userAssignedIdentities | The pod identities to use in the cluster. | ManagedClusterPodIdentity[] | 
| userAssignedIdentityExceptions | The pod identity exceptions to allow. | ManagedClusterPodIdentityException[] | 
ManagedClusterProperties
| Name | Description | Value | 
|---|---|---|
| aadProfile | The Azure Active Directory configuration. | ManagedClusterAADProfile | 
| addonProfiles | The profile of managed cluster add-on. | ManagedClusterPropertiesAddonProfiles | 
| agentPoolProfiles | The agent pool properties. | ManagedClusterAgentPoolProfile[] | 
| apiServerAccessProfile | The access profile for managed cluster API server. | ManagedClusterAPIServerAccessProfile | 
| autoScalerProfile | Parameters to be applied to the cluster-autoscaler when enabled | ManagedClusterPropertiesAutoScalerProfile | 
| autoUpgradeProfile | The auto upgrade configuration. | ManagedClusterAutoUpgradeProfile | 
| disableLocalAccounts | If set to true, retrieval of static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. For more details, see disable local accounts. | bool | 
| diskEncryptionSetID | This is of the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/diskEncryptionSets/{encryptionSetName}' | string | 
| dnsPrefix | This cannot be updated once the Managed Cluster has been created. | string | 
| enableNamespaceResources | The default value is false. It can be enabled/disabled on creation and updating of the managed cluster. See https://aka.ms/NamespaceARMResource for more details on Namespace as a ARM Resource. | bool | 
| enablePodSecurityPolicy | (DEPRECATING) Whether to enable Kubernetes pod security policy (preview). This feature is set for removal on October 15th, 2020. Learn more at aka.ms/aks/azpodpolicy. | bool | 
| enableRBAC | Whether to enable Kubernetes Role-Based Access Control. | bool | 
| fqdnSubdomain | This cannot be updated once the Managed Cluster has been created. | string | 
| httpProxyConfig | Configurations for provisioning the cluster with HTTP proxy servers. | ManagedClusterHttpProxyConfig | 
| identityProfile | Identities associated with the cluster. | ManagedClusterPropertiesIdentityProfile | 
| kubernetesVersion | When you upgrade a supported AKS cluster, Kubernetes minor versions cannot be skipped. All upgrades must be performed sequentially by major version number. For example, upgrades between 1.14.x -> 1.15.x or 1.15.x -> 1.16.x are allowed, however 1.14.x -> 1.16.x is not allowed. See upgrading an AKS cluster for more details. | string | 
| linuxProfile | The profile for Linux VMs in the Managed Cluster. | ContainerServiceLinuxProfile | 
| networkProfile | The network configuration profile. | ContainerServiceNetworkProfile | 
| nodeResourceGroup | The name of the resource group containing agent pool nodes. | string | 
| oidcIssuerProfile | The OIDC issuer profile of the Managed Cluster. | ManagedClusterOidcIssuerProfile | 
| podIdentityProfile | See use AAD pod identity for more details on AAD pod identity integration. | ManagedClusterPodIdentityProfile | 
| privateLinkResources | Private link resources associated with the cluster. | PrivateLinkResource[] | 
| publicNetworkAccess | Allow or deny public network access for AKS | 'Disabled' 'Enabled' | 
| securityProfile | Security profile for the managed cluster. | ManagedClusterSecurityProfile | 
| servicePrincipalProfile | Information about a service principal identity for the cluster to use for manipulating Azure APIs. | ManagedClusterServicePrincipalProfile | 
| windowsProfile | The profile for Windows VMs in the Managed Cluster. | ManagedClusterWindowsProfile | 
ManagedClusterPropertiesAddonProfiles
| Name | Description | Value | 
|---|---|---|
ManagedClusterPropertiesAutoScalerProfile
| Name | Description | Value | 
|---|---|---|
| balance-similar-node-groups | Valid values are 'true' and 'false' | string | 
| expander | If not specified, the default is 'random'. See expanders for more information. | 'least-waste' 'most-pods' 'priority' 'random' | 
| max-empty-bulk-delete | The default is 10. | string | 
| max-graceful-termination-sec | The default is 600. | string | 
| max-node-provision-time | The default is '15m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string | 
| max-total-unready-percentage | The default is 45. The maximum is 100 and the minimum is 0. | string | 
| new-pod-scale-up-delay | For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. The default is '0s'. Values must be an integer followed by a unit ('s' for seconds, 'm' for minutes, 'h' for hours, etc). | string | 
| ok-total-unready-count | This must be an integer. The default is 3. | string | 
| scale-down-delay-after-add | The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string | 
| scale-down-delay-after-delete | The default is the scan-interval. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string | 
| scale-down-delay-after-failure | The default is '3m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string | 
| scale-down-unneeded-time | The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string | 
| scale-down-unready-time | The default is '20m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string | 
| scale-down-utilization-threshold | The default is '0.5'. | string | 
| scan-interval | The default is '10'. Values must be an integer number of seconds. | string | 
| skip-nodes-with-local-storage | The default is true. | string | 
| skip-nodes-with-system-pods | The default is true. | string | 
ManagedClusterPropertiesIdentityProfile
| Name | Description | Value | 
|---|---|---|
ManagedClusterSecurityProfile
| Name | Description | Value | 
|---|---|---|
| azureDefender | Azure Defender settings for the security profile. | ManagedClusterSecurityProfileAzureDefender | 
| azureKeyVaultKms | Azure Key Vault key management service settings for the security profile. | AzureKeyVaultKms | 
ManagedClusterSecurityProfileAzureDefender
| Name | Description | Value | 
|---|---|---|
| enabled | Whether to enable Azure Defender | bool | 
| logAnalyticsWorkspaceResourceId | Resource ID of the Log Analytics workspace to be associated with Azure Defender. When Azure Defender is enabled, this field is required and must be a valid workspace resource ID. When Azure Defender is disabled, leave the field empty. | string | 
ManagedClusterServicePrincipalProfile
| Name | Description | Value | 
|---|---|---|
| clientId | The ID for the service principal. | string (required) | 
| secret | The secret password associated with the service principal in plain text. | string | 
ManagedClusterSKU
| Name | Description | Value | 
|---|---|---|
| name | The name of a managed cluster SKU. | 'Basic' | 
| tier | If not specified, the default is 'Free'. See uptime SLA for more details. | 'Free' 'Paid' | 
ManagedClusterWindowsProfile
| Name | Description | Value | 
|---|---|---|
| adminPassword | Specifies the password of the administrator account. Minimum length: 8 characters. Maximum length: 123 characters. Complexity requirements: 3 out of 4 of the following conditions must be fulfilled: has lower-case characters, has upper-case characters, has a digit, has a special character (regex match [\W_]). Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!" | string | 
| adminUsername | Specifies the name of the administrator account. Restriction: cannot end in ".". Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5". Minimum length: 1 character. Maximum length: 20 characters. | string (required) | 
| enableCSIProxy | For more details on CSI proxy, see the CSI proxy GitHub repo. | bool | 
| gmsaProfile | The Windows gMSA Profile in the Managed Cluster. | WindowsGmsaProfile | 
| licenseType | The license type to use for Windows VMs. See Azure Hybrid Use Benefit for more details. | 'None' 'Windows_Server' | 
ManagedServiceIdentityUserAssignedIdentitiesValue
| Name | Description | Value | 
|---|---|---|
PowerState
| Name | Description | Value | 
|---|---|---|
| code | Tells whether the cluster is Running or Stopped | 'Running' 'Stopped' | 
PrivateLinkResource
| Name | Description | Value | 
|---|---|---|
| groupId | The group ID of the resource. | string | 
| id | The ID of the private link resource. | string | 
| name | The name of the private link resource. | string | 
| requiredMembers | The RequiredMembers of the resource | string[] | 
| type | The resource type. | string | 
ResourceReference
| Name | Description | Value | 
|---|---|---|
| id | The fully qualified Azure resource id. | string | 
ResourceTags
| Name | Description | Value | 
|---|---|---|
SysctlConfig
| Name | Description | Value | 
|---|---|---|
| fsAioMaxNr | Sysctl setting fs.aio-max-nr. | int | 
| fsFileMax | Sysctl setting fs.file-max. | int | 
| fsInotifyMaxUserWatches | Sysctl setting fs.inotify.max_user_watches. | int | 
| fsNrOpen | Sysctl setting fs.nr_open. | int | 
| kernelThreadsMax | Sysctl setting kernel.threads-max. | int | 
| netCoreNetdevMaxBacklog | Sysctl setting net.core.netdev_max_backlog. | int | 
| netCoreOptmemMax | Sysctl setting net.core.optmem_max. | int | 
| netCoreRmemDefault | Sysctl setting net.core.rmem_default. | int | 
| netCoreRmemMax | Sysctl setting net.core.rmem_max. | int | 
| netCoreSomaxconn | Sysctl setting net.core.somaxconn. | int | 
| netCoreWmemDefault | Sysctl setting net.core.wmem_default. | int | 
| netCoreWmemMax | Sysctl setting net.core.wmem_max. | int | 
| netIpv4IpLocalPortRange | Sysctl setting net.ipv4.ip_local_port_range. | string | 
| netIpv4NeighDefaultGcThresh1 | Sysctl setting net.ipv4.neigh.default.gc_thresh1. | int | 
| netIpv4NeighDefaultGcThresh2 | Sysctl setting net.ipv4.neigh.default.gc_thresh2. | int | 
| netIpv4NeighDefaultGcThresh3 | Sysctl setting net.ipv4.neigh.default.gc_thresh3. | int | 
| netIpv4TcpFinTimeout | Sysctl setting net.ipv4.tcp_fin_timeout. | int | 
| netIpv4TcpkeepaliveIntvl | Sysctl setting net.ipv4.tcp_keepalive_intvl. | int | 
| netIpv4TcpKeepaliveProbes | Sysctl setting net.ipv4.tcp_keepalive_probes. | int | 
| netIpv4TcpKeepaliveTime | Sysctl setting net.ipv4.tcp_keepalive_time. | int | 
| netIpv4TcpMaxSynBacklog | Sysctl setting net.ipv4.tcp_max_syn_backlog. | int | 
| netIpv4TcpMaxTwBuckets | Sysctl setting net.ipv4.tcp_max_tw_buckets. | int | 
| netIpv4TcpTwReuse | Sysctl setting net.ipv4.tcp_tw_reuse. | bool | 
| netNetfilterNfConntrackBuckets | Sysctl setting net.netfilter.nf_conntrack_buckets. | int | 
| netNetfilterNfConntrackMax | Sysctl setting net.netfilter.nf_conntrack_max. | int | 
| vmMaxMapCount | Sysctl setting vm.max_map_count. | int | 
| vmSwappiness | Sysctl setting vm.swappiness. | int | 
| vmVfsCachePressure | Sysctl setting vm.vfs_cache_pressure. | int | 
UserAssignedIdentity
| Name | Description | Value | 
|---|---|---|
| clientId | The client ID of the user assigned identity. | string | 
| objectId | The object ID of the user assigned identity. | string | 
| resourceId | The resource ID of the user assigned identity. | string | 
WindowsGmsaProfile
| Name | Description | Value | 
|---|---|---|
| dnsServer | Specifies the DNS server for Windows gMSA. Leave it empty if you have already configured the DNS server in the vnet that is used to create the managed cluster. | string | 
| enabled | Specifies whether to enable Windows gMSA in the managed cluster. | bool | 
| rootDomainName | Specifies the root domain name for Windows gMSA. Leave it empty if you have already configured the DNS server in the vnet that is used to create the managed cluster. | string | 
Usage Examples
Azure Verified Modules
The following Azure Verified Modules can be used to deploy this resource type.
| Module | Description | 
|---|---|
| Azure Kubernetes Service (AKS) Managed Cluster | AVM Resource Module for Azure Kubernetes Service (AKS) Managed Cluster | 
Azure Quickstart Samples
The following Azure Quickstart templates contain Bicep samples for deploying this resource type.
| Bicep File | Description | 
|---|---|
| AKS Cluster with a NAT Gateway and an Application Gateway | This sample shows how to deploy an AKS cluster with a NAT Gateway for outbound connections and an Application Gateway for inbound connections. | 
| AKS cluster with the Application Gateway Ingress Controller | This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault | 
| Azure Container Service (AKS) | Deploy a managed cluster with Azure Container Service (AKS) using Azure Linux container hosts | 
| Azure Container Service (AKS) | Deploy a managed cluster with Azure Container Service (AKS) | 
| Azure Container Service (AKS) with Helm | Deploy a managed cluster with Azure Container Service (AKS) with Helm | 
| Azure Kubernetes Service (AKS) | Deploys a managed Kubernetes cluster via Azure Kubernetes Service (AKS) | 
| Azure Machine Learning end-to-end secure setup | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure setup. This reference implementation includes the Workspace, a compute cluster, a compute instance and an attached private AKS cluster. | 
| Azure Machine Learning end-to-end secure setup (legacy) | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure setup. This reference implementation includes the Workspace, a compute cluster, a compute instance and an attached private AKS cluster. | 
| Create a Private AKS Cluster | This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine. | 
| Create AKS with Prometheus and Grafana with private link | This will create an Azure Managed Grafana instance and an AKS cluster, and install Prometheus, an open-source monitoring and alerting toolkit, on the Azure Kubernetes Service (AKS) cluster. Then you use Azure Managed Grafana's managed private endpoint to connect to this Prometheus server and display the Prometheus data in a Grafana dashboard. | 
ARM template resource definition
The managedClusters resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.ContainerService/managedClusters resource, add the following JSON to your template.
{
  "type": "Microsoft.ContainerService/managedClusters",
  "apiVersion": "2022-02-02-preview",
  "name": "string",
  "extendedLocation": {
    "name": "string",
    "type": "string"
  },
  "identity": {
    "type": "string",
    "userAssignedIdentities": {
      "{customized property}": {
      }
    }
  },
  "location": "string",
  "properties": {
    "aadProfile": {
      "adminGroupObjectIDs": [ "string" ],
      "clientAppID": "string",
      "enableAzureRBAC": "bool",
      "managed": "bool",
      "serverAppID": "string",
      "serverAppSecret": "string",
      "tenantID": "string"
    },
    "addonProfiles": {
      "{customized property}": {
        "config": {
          "{customized property}": "string"
        },
        "enabled": "bool"
      }
    },
    "agentPoolProfiles": [
      {
        "availabilityZones": [ "string" ],
        "capacityReservationGroupID": "string",
        "count": "int",
        "creationData": {
          "sourceResourceId": "string"
        },
        "enableAutoScaling": "bool",
        "enableEncryptionAtHost": "bool",
        "enableFIPS": "bool",
        "enableNodePublicIP": "bool",
        "enableUltraSSD": "bool",
        "gpuInstanceProfile": "string",
        "hostGroupID": "string",
        "kubeletConfig": {
          "allowedUnsafeSysctls": [ "string" ],
          "containerLogMaxFiles": "int",
          "containerLogMaxSizeMB": "int",
          "cpuCfsQuota": "bool",
          "cpuCfsQuotaPeriod": "string",
          "cpuManagerPolicy": "string",
          "failSwapOn": "bool",
          "imageGcHighThreshold": "int",
          "imageGcLowThreshold": "int",
          "podMaxPids": "int",
          "topologyManagerPolicy": "string"
        },
        "kubeletDiskType": "string",
        "linuxOSConfig": {
          "swapFileSizeMB": "int",
          "sysctls": {
            "fsAioMaxNr": "int",
            "fsFileMax": "int",
            "fsInotifyMaxUserWatches": "int",
            "fsNrOpen": "int",
            "kernelThreadsMax": "int",
            "netCoreNetdevMaxBacklog": "int",
            "netCoreOptmemMax": "int",
            "netCoreRmemDefault": "int",
            "netCoreRmemMax": "int",
            "netCoreSomaxconn": "int",
            "netCoreWmemDefault": "int",
            "netCoreWmemMax": "int",
            "netIpv4IpLocalPortRange": "string",
            "netIpv4NeighDefaultGcThresh1": "int",
            "netIpv4NeighDefaultGcThresh2": "int",
            "netIpv4NeighDefaultGcThresh3": "int",
            "netIpv4TcpFinTimeout": "int",
            "netIpv4TcpkeepaliveIntvl": "int",
            "netIpv4TcpKeepaliveProbes": "int",
            "netIpv4TcpKeepaliveTime": "int",
            "netIpv4TcpMaxSynBacklog": "int",
            "netIpv4TcpMaxTwBuckets": "int",
            "netIpv4TcpTwReuse": "bool",
            "netNetfilterNfConntrackBuckets": "int",
            "netNetfilterNfConntrackMax": "int",
            "vmMaxMapCount": "int",
            "vmSwappiness": "int",
            "vmVfsCachePressure": "int"
          },
          "transparentHugePageDefrag": "string",
          "transparentHugePageEnabled": "string"
        },
        "maxCount": "int",
        "maxPods": "int",
        "messageOfTheDay": "string",
        "minCount": "int",
        "mode": "string",
        "name": "string",
        "nodeLabels": {
          "{customized property}": "string"
        },
        "nodePublicIPPrefixID": "string",
        "nodeTaints": [ "string" ],
        "orchestratorVersion": "string",
        "osDiskSizeGB": "int",
        "osDiskType": "string",
        "osSKU": "string",
        "osType": "string",
        "podSubnetID": "string",
        "powerState": {
          "code": "string"
        },
        "proximityPlacementGroupID": "string",
        "scaleDownMode": "string",
        "scaleSetEvictionPolicy": "string",
        "scaleSetPriority": "string",
        "spotMaxPrice": "int",
        "tags": {
          "{customized property}": "string"
        },
        "type": "string",
        "upgradeSettings": {
          "maxSurge": "string"
        },
        "vmSize": "string",
        "vnetSubnetID": "string",
        "workloadRuntime": "string"
      }
    ],
    "apiServerAccessProfile": {
      "authorizedIPRanges": [ "string" ],
      "disableRunCommand": "bool",
      "enablePrivateCluster": "bool",
      "enablePrivateClusterPublicFQDN": "bool",
      "privateDNSZone": "string"
    },
    "autoScalerProfile": {
      "balance-similar-node-groups": "string",
      "expander": "string",
      "max-empty-bulk-delete": "string",
      "max-graceful-termination-sec": "string",
      "max-node-provision-time": "string",
      "max-total-unready-percentage": "string",
      "new-pod-scale-up-delay": "string",
      "ok-total-unready-count": "string",
      "scale-down-delay-after-add": "string",
      "scale-down-delay-after-delete": "string",
      "scale-down-delay-after-failure": "string",
      "scale-down-unneeded-time": "string",
      "scale-down-unready-time": "string",
      "scale-down-utilization-threshold": "string",
      "scan-interval": "string",
      "skip-nodes-with-local-storage": "string",
      "skip-nodes-with-system-pods": "string"
    },
    "autoUpgradeProfile": {
      "upgradeChannel": "string"
    },
    "disableLocalAccounts": "bool",
    "diskEncryptionSetID": "string",
    "dnsPrefix": "string",
    "enableNamespaceResources": "bool",
    "enablePodSecurityPolicy": "bool",
    "enableRBAC": "bool",
    "fqdnSubdomain": "string",
    "httpProxyConfig": {
      "httpProxy": "string",
      "httpsProxy": "string",
      "noProxy": [ "string" ],
      "trustedCa": "string"
    },
    "identityProfile": {
      "{customized property}": {
        "clientId": "string",
        "objectId": "string",
        "resourceId": "string"
      }
    },
    "kubernetesVersion": "string",
    "linuxProfile": {
      "adminUsername": "string",
      "ssh": {
        "publicKeys": [
          {
            "keyData": "string"
          }
        ]
      }
    },
    "networkProfile": {
      "dnsServiceIP": "string",
      "dockerBridgeCidr": "string",
      "ipFamilies": [ "string" ],
      "loadBalancerProfile": {
        "allocatedOutboundPorts": "int",
        "effectiveOutboundIPs": [
          {
            "id": "string"
          }
        ],
        "enableMultipleStandardLoadBalancers": "bool",
        "idleTimeoutInMinutes": "int",
        "managedOutboundIPs": {
          "count": "int",
          "countIPv6": "int"
        },
        "outboundIPPrefixes": {
          "publicIPPrefixes": [
            {
              "id": "string"
            }
          ]
        },
        "outboundIPs": {
          "publicIPs": [
            {
              "id": "string"
            }
          ]
        }
      },
      "loadBalancerSku": "string",
      "natGatewayProfile": {
        "effectiveOutboundIPs": [
          {
            "id": "string"
          }
        ],
        "idleTimeoutInMinutes": "int",
        "managedOutboundIPProfile": {
          "count": "int"
        }
      },
      "networkMode": "string",
      "networkPlugin": "string",
      "networkPolicy": "string",
      "outboundType": "string",
      "podCidr": "string",
      "podCidrs": [ "string" ],
      "serviceCidr": "string",
      "serviceCidrs": [ "string" ]
    },
    "nodeResourceGroup": "string",
    "oidcIssuerProfile": {
      "enabled": "bool"
    },
    "podIdentityProfile": {
      "allowNetworkPluginKubenet": "bool",
      "enabled": "bool",
      "userAssignedIdentities": [
        {
          "bindingSelector": "string",
          "identity": {
            "clientId": "string",
            "objectId": "string",
            "resourceId": "string"
          },
          "name": "string",
          "namespace": "string"
        }
      ],
      "userAssignedIdentityExceptions": [
        {
          "name": "string",
          "namespace": "string",
          "podLabels": {
            "{customized property}": "string"
          }
        }
      ]
    },
    "privateLinkResources": [
      {
        "groupId": "string",
        "id": "string",
        "name": "string",
        "requiredMembers": [ "string" ],
        "type": "string"
      }
    ],
    "publicNetworkAccess": "string",
    "securityProfile": {
      "azureDefender": {
        "enabled": "bool",
        "logAnalyticsWorkspaceResourceId": "string"
      },
      "azureKeyVaultKms": {
        "enabled": "bool",
        "keyId": "string"
      }
    },
    "servicePrincipalProfile": {
      "clientId": "string",
      "secret": "string"
    },
    "windowsProfile": {
      "adminPassword": "string",
      "adminUsername": "string",
      "enableCSIProxy": "bool",
      "gmsaProfile": {
        "dnsServer": "string",
        "enabled": "bool",
        "rootDomainName": "string"
      },
      "licenseType": "string"
    }
  },
  "sku": {
    "name": "string",
    "tier": "string"
  },
  "tags": {
    "{customized property}": "string"
  }
}
Property Values
Microsoft.ContainerService/managedClusters
| Name | Description | Value | 
|---|---|---|
| apiVersion | The api version | '2022-02-02-preview' | 
| extendedLocation | The extended location of the Virtual Machine. | ExtendedLocation | 
| identity | The identity of the managed cluster, if configured. | ManagedClusterIdentity | 
| location | Resource location | string (required) | 
| name | The resource name | string Constraints: Min length = 1 Max length = 63 Pattern = ^[a-zA-Z0-9]$|^[a-zA-Z0-9][-_a-zA-Z0-9]{0,61}[a-zA-Z0-9]$ (required) | 
| properties | Properties of a managed cluster. | ManagedClusterProperties | 
| sku | The managed cluster SKU. | ManagedClusterSKU | 
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates | 
| type | The resource type | 'Microsoft.ContainerService/managedClusters' | 
AgentPoolUpgradeSettings
| Name | Description | Value | 
|---|---|---|
| maxSurge | This can either be set to an integer (e.g. '5') or a percentage (e.g. '50%'). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 1. For more information, including best practices, see: /azure/aks/upgrade-cluster#customize-node-surge-upgrade | string | 
AzureKeyVaultKms
| Name | Description | Value | 
|---|---|---|
| enabled | Whether to enable Azure Key Vault key management service. The default is false. | bool | 
| keyId | Identifier of Azure Key Vault key. See key identifier format for more details. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier. When Azure Key Vault key management service is disabled, leave the field empty. | string | 
ContainerServiceLinuxProfile
| Name | Description | Value | 
|---|---|---|
| adminUsername | The administrator username to use for Linux VMs. | string Constraints: Pattern = ^[A-Za-z][-A-Za-z0-9_]*$ (required) | 
| ssh | The SSH configuration for Linux-based VMs running on Azure. | ContainerServiceSshConfiguration (required) | 
ContainerServiceNetworkProfile
| Name | Description | Value | 
|---|---|---|
| dnsServiceIP | An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. | string Constraints: Pattern = ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ | 
| dockerBridgeCidr | A CIDR notation IP range assigned to the Docker bridge network. It must not overlap with any Subnet IP ranges or the Kubernetes service address range. | string Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$ | 
| ipFamilies | IP families are used to determine single-stack or dual-stack clusters. For single-stack, the expected value is IPv4. For dual-stack, the expected values are IPv4 and IPv6. | String array containing any of: 'IPv4' 'IPv6' | 
| loadBalancerProfile | Profile of the cluster load balancer. | ManagedClusterLoadBalancerProfile | 
| loadBalancerSku | The default is 'standard'. See Azure Load Balancer SKUs for more information about the differences between load balancer SKUs. | 'basic' 'standard' | 
| natGatewayProfile | Profile of the cluster NAT gateway. | ManagedClusterNATGatewayProfile | 
| networkMode | This cannot be specified if networkPlugin is anything other than 'azure'. | 'bridge' 'transparent' | 
| networkPlugin | Network plugin used for building the Kubernetes network. | 'azure' 'kubenet' 'none' | 
| networkPolicy | Network policy used for building the Kubernetes network. | 'azure' 'calico' | 
| outboundType | This can only be set at cluster creation time and cannot be changed later. For more information see egress outbound type. | 'loadBalancer' 'managedNATGateway' 'userAssignedNATGateway' 'userDefinedRouting' | 
| podCidr | A CIDR notation IP range from which to assign pod IPs when kubenet is used. | string Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$ | 
| podCidrs | One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), are expected for dual-stack networking. | string[] | 
| serviceCidr | A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. | string Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$ | 
| serviceCidrs | One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), are expected for dual-stack networking. They must not overlap with any Subnet IP ranges. | string[] | 
ContainerServiceSshConfiguration
| Name | Description | Value | 
|---|---|---|
| publicKeys | The list of SSH public keys used to authenticate with Linux-based VMs. A maximum of 1 key may be specified. | ContainerServiceSshPublicKey[] (required) | 
ContainerServiceSshPublicKey
| Name | Description | Value | 
|---|---|---|
| keyData | Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers. | string (required) | 
CreationData
| Name | Description | Value | 
|---|---|---|
| sourceResourceId | This is the ARM ID of the source object to be used to create the target object. | string | 
ExtendedLocation
| Name | Description | Value | 
|---|---|---|
| name | The name of the extended location. | string | 
| type | The type of the extended location. | 'EdgeZone' | 
KubeletConfig
| Name | Description | Value | 
|---|---|---|
| allowedUnsafeSysctls | Allowed list of unsafe sysctls or unsafe sysctl patterns (ending in *). | string[] | 
| containerLogMaxFiles | The maximum number of container log files that can be present for a container. The number must be ≥ 2. | int Constraints: Min value = 2 | 
| containerLogMaxSizeMB | The maximum size (e.g. 10Mi) of container log file before it is rotated. | int | 
| cpuCfsQuota | The default is true. | bool | 
| cpuCfsQuotaPeriod | The default is '100ms'. Valid values are a sequence of decimal numbers with an optional fraction and a unit suffix. For example: '300ms', '2h45m'. Supported units are 'ns', 'us', 'ms', 's', 'm', and 'h'. | string | 
| cpuManagerPolicy | The default is 'none'. See Kubernetes CPU management policies for more information. Allowed values are 'none' and 'static'. | string | 
| failSwapOn | If set to true, the Kubelet will fail to start if swap is enabled on the node. | bool | 
| imageGcHighThreshold | To disable image garbage collection, set to 100. The default is 85% | int | 
| imageGcLowThreshold | This cannot be set higher than imageGcHighThreshold. The default is 80% | int | 
| podMaxPids | The maximum number of processes per pod. | int | 
| topologyManagerPolicy | For more information see Kubernetes Topology Manager. The default is 'none'. Allowed values are 'none', 'best-effort', 'restricted', and 'single-numa-node'. | string | 
LinuxOSConfig
| Name | Description | Value | 
|---|---|---|
| swapFileSizeMB | The size in MB of a swap file that will be created on each node. | int | 
| sysctls | Sysctl settings for Linux agent nodes. | SysctlConfig | 
| transparentHugePageDefrag | Valid values are 'always', 'defer', 'defer+madvise', 'madvise' and 'never'. The default is 'madvise'. For more information see Transparent Hugepages. | string | 
| transparentHugePageEnabled | Valid values are 'always', 'madvise', and 'never'. The default is 'always'. For more information see Transparent Hugepages. | string | 
ManagedClusterAADProfile
| Name | Description | Value | 
|---|---|---|
| adminGroupObjectIDs | The list of AAD group object IDs that will have admin role of the cluster. | string[] | 
| clientAppID | The client AAD application ID. | string | 
| enableAzureRBAC | Whether to enable Azure RBAC for Kubernetes authorization. | bool | 
| managed | Whether to enable managed AAD. | bool | 
| serverAppID | The server AAD application ID. | string | 
| serverAppSecret | The server AAD application secret. | string | 
| tenantID | The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription. | string | 
ManagedClusterAddonProfile
| Name | Description | Value | 
|---|---|---|
| config | Key-value pairs for configuring an add-on. | ManagedClusterAddonProfileConfig | 
| enabled | Whether the add-on is enabled or not. | bool (required) | 
ManagedClusterAddonProfileConfig
| Name | Description | Value | 
|---|---|---|
ManagedClusterAgentPoolProfile
| Name | Description | Value | 
|---|---|---|
| availabilityZones | The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is 'VirtualMachineScaleSets'. | string[] | 
| capacityReservationGroupID | AKS will associate the specified agent pool with the Capacity Reservation Group. | string | 
| count | Number of agents (VMs) to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1. | int | 
| creationData | CreationData to be used to specify the source Snapshot ID if the node pool will be created/upgraded using a snapshot. | CreationData | 
| enableAutoScaling | Whether to enable auto-scaler | bool | 
| enableEncryptionAtHost | This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption | bool | 
| enableFIPS | See Add a FIPS-enabled node pool for more details. | bool | 
| enableNodePublicIP | Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node. The default is false. | bool | 
| enableUltraSSD | Whether to enable UltraSSD | bool | 
| gpuInstanceProfile | GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. | 'MIG1g' 'MIG2g' 'MIG3g' 'MIG4g' 'MIG7g' | 
| hostGroupID | This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/hostGroups/{hostGroupName}. For more information see Azure dedicated hosts. | string | 
| kubeletConfig | The Kubelet configuration on the agent pool nodes. | KubeletConfig | 
| kubeletDiskType | Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. | 'OS' 'Temporary' | 
| linuxOSConfig | The OS configuration of Linux agent nodes. | LinuxOSConfig | 
| maxCount | The maximum number of nodes for auto-scaling | int | 
| maxPods | The maximum number of pods that can run on a node. | int | 
| messageOfTheDay | A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of the message of the day for Linux nodes. It must not be specified for Windows nodes. It must be a static string (i.e., will be printed raw and not be executed as a script). | string | 
| minCount | The minimum number of nodes for auto-scaling | int | 
| mode | A cluster must have at least one 'System' Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: /azure/aks/use-system-pools | 'System' 'User' | 
| name | Windows agent pool names must be 6 characters or less. | string Constraints: Pattern = ^[a-z][a-z0-9]{0,11}$ (required) | 
| nodeLabels | The node labels to be persisted across all nodes in agent pool. | ManagedClusterAgentPoolProfilePropertiesNodeLabels | 
| nodePublicIPPrefixID | This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPPrefixes/{publicIPPrefixName} | string | 
| nodeTaints | The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. | string[] | 
| orchestratorVersion | As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool. | string | 
| osDiskSizeGB | OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. | int Constraints: Min value = 0 Max value = 2048 | 
| osDiskType | The default is 'Ephemeral' if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. For more information see Ephemeral OS. | 'Ephemeral' 'Managed' | 
| osSKU | Specifies an OS SKU. This value must not be specified if OSType is Windows. | 'CBLMariner' 'Ubuntu' | 
| osType | The operating system type. The default is Linux. | 'Linux' 'Windows' | 
| podSubnetID | If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} | string | 
| powerState | When an Agent Pool is first created it is initially Running. The Agent Pool can be stopped by setting this field to Stopped. A stopped Agent Pool stops all of its VMs and does not accrue billing charges. An Agent Pool can only be stopped if it is Running and its provisioning state is Succeeded. | PowerState | 
| proximityPlacementGroupID | The ID for Proximity Placement Group. | string | 
| scaleDownMode | This also affects the cluster autoscaler behavior. If not specified, it defaults to Delete. | 'Deallocate' 'Delete' | 
| scaleSetEvictionPolicy | This cannot be specified unless the scaleSetPriority is 'Spot'. If not specified, the default is 'Delete'. | 'Deallocate' 'Delete' | 
| scaleSetPriority | The Virtual Machine Scale Set priority. If not specified, the default is 'Regular'. | 'Regular' 'Spot' | 
| spotMaxPrice | Possible values are any decimal value greater than zero, or -1, which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing. | int | 
| tags | The tags to be persisted on the agent pool virtual machine scale set. | ManagedClusterAgentPoolProfilePropertiesTags | 
| type | The type of Agent Pool. | 'AvailabilitySet' 'VirtualMachineScaleSets' | 
| upgradeSettings | Settings for upgrading the agentpool | AgentPoolUpgradeSettings | 
| vmSize | VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: /azure/aks/quotas-skus-regions | string | 
| vnetSubnetID | If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} | string | 
| workloadRuntime | Determines the type of workload a node can run. | 'OCIContainer' 'WasmWasi' | 
ManagedClusterAgentPoolProfilePropertiesNodeLabels
| Name | Description | Value | 
|---|---|---|
ManagedClusterAgentPoolProfilePropertiesTags
| Name | Description | Value | 
|---|---|---|
ManagedClusterAPIServerAccessProfile
| Name | Description | Value | 
|---|---|---|
| authorizedIPRanges | IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. For more information see API server authorized IP ranges. | string[] | 
| disableRunCommand | Whether to disable run command for the cluster or not. | bool | 
| enablePrivateCluster | For more details, see Creating a private AKS cluster. | bool | 
| enablePrivateClusterPublicFQDN | Whether to create additional public FQDN for private cluster or not. | bool | 
| privateDNSZone | The default is System. For more details see configure private DNS zone. Allowed values are 'system' and 'none'. | string | 
ManagedClusterAutoUpgradeProfile
| Name | Description | Value | 
|---|---|---|
| upgradeChannel | For more information see setting the AKS cluster auto-upgrade channel. | 'node-image' 'none' 'patch' 'rapid' 'stable' | 
ManagedClusterHttpProxyConfig
| Name | Description | Value | 
|---|---|---|
| httpProxy | The HTTP proxy server endpoint to use. | string | 
| httpsProxy | The HTTPS proxy server endpoint to use. | string | 
| noProxy | The endpoints that should not go through proxy. | string[] | 
| trustedCa | Alternative CA cert to use for connecting to proxy servers. | string | 
ManagedClusterIdentity
| Name | Description | Value | 
|---|---|---|
| type | For more information see use managed identities in AKS. | 'None' 'SystemAssigned' 'UserAssigned' | 
| userAssignedIdentities | The keys must be ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | ManagedClusterIdentityUserAssignedIdentities | 
ManagedClusterIdentityUserAssignedIdentities
| Name | Description | Value | 
|---|---|---|
ManagedClusterLoadBalancerProfile
| Name | Description | Value | 
|---|---|---|
| allocatedOutboundPorts | The desired number of allocated SNAT ports per VM. Allowed values are in the range of 0 to 64000 (inclusive). The default value is 0 which results in Azure dynamically allocating ports. | int Constraints: Min value = 0 Max value = 64000 | 
| effectiveOutboundIPs | The effective outbound IP resources of the cluster load balancer. | ResourceReference[] | 
| enableMultipleStandardLoadBalancers | Enable multiple standard load balancers per AKS cluster or not. | bool | 
| idleTimeoutInMinutes | Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 30 minutes. | int Constraints: Min value = 4 Max value = 120 | 
| managedOutboundIPs | Desired managed outbound IPs for the cluster load balancer. | ManagedClusterLoadBalancerProfileManagedOutboundIPs | 
| outboundIPPrefixes | Desired outbound IP Prefix resources for the cluster load balancer. | ManagedClusterLoadBalancerProfileOutboundIPPrefixes | 
| outboundIPs | Desired outbound IP resources for the cluster load balancer. | ManagedClusterLoadBalancerProfileOutboundIPs | 
ManagedClusterLoadBalancerProfileManagedOutboundIPs
| Name | Description | Value | 
|---|---|---|
| count | The desired number of IPv4 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1. | int Constraints: Min value = 1 Max value = 100 | 
| countIPv6 | The desired number of IPv6 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack. | int Constraints: Min value = 0 Max value = 100 | 
ManagedClusterLoadBalancerProfileOutboundIPPrefixes
| Name | Description | Value | 
|---|---|---|
| publicIPPrefixes | A list of public IP prefix resources. | ResourceReference[] | 
ManagedClusterLoadBalancerProfileOutboundIPs
| Name | Description | Value | 
|---|---|---|
| publicIPs | A list of public IP resources. | ResourceReference[] | 
ManagedClusterManagedOutboundIPProfile
| Name | Description | Value | 
|---|---|---|
| count | The desired number of outbound IPs created/managed by Azure. Allowed values must be in the range of 1 to 16 (inclusive). The default value is 1. | int Constraints: Min value = 1 Max value = 16 | 
ManagedClusterNATGatewayProfile
| Name | Description | Value | 
|---|---|---|
| effectiveOutboundIPs | The effective outbound IP resources of the cluster NAT gateway. | ResourceReference[] | 
| idleTimeoutInMinutes | Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 4 minutes. | int Constraints: Min value = 4 Max value = 120 | 
| managedOutboundIPProfile | Profile of the managed outbound IP resources of the cluster NAT gateway. | ManagedClusterManagedOutboundIPProfile | 
ManagedClusterOidcIssuerProfile
| Name | Description | Value | 
|---|---|---|
| enabled | Whether the OIDC issuer is enabled. | bool | 
ManagedClusterPodIdentity
| Name | Description | Value | 
|---|---|---|
| bindingSelector | The binding selector to use for the AzureIdentityBinding resource. | string | 
| identity | The user assigned identity details. | UserAssignedIdentity (required) | 
| name | The name of the pod identity. | string (required) | 
| namespace | The namespace of the pod identity. | string (required) | 
ManagedClusterPodIdentityException
| Name | Description | Value | 
|---|---|---|
| name | The name of the pod identity exception. | string (required) | 
| namespace | The namespace of the pod identity exception. | string (required) | 
| podLabels | The pod labels to match. | ManagedClusterPodIdentityExceptionPodLabels (required) | 
ManagedClusterPodIdentityExceptionPodLabels
| Name | Description | Value | 
|---|---|---|
ManagedClusterPodIdentityProfile
| Name | Description | Value | 
|---|---|---|
| allowNetworkPluginKubenet | Running in Kubenet is disabled by default due to the security-related nature of AAD Pod Identity and the risks of IP spoofing. See using Kubenet network plugin with AAD Pod Identity for more information. | bool | 
| enabled | Whether the pod identity addon is enabled. | bool | 
| userAssignedIdentities | The pod identities to use in the cluster. | ManagedClusterPodIdentity[] | 
| userAssignedIdentityExceptions | The pod identity exceptions to allow. | ManagedClusterPodIdentityException[] | 
ManagedClusterProperties
| Name | Description | Value | 
|---|---|---|
| aadProfile | The Azure Active Directory configuration. | ManagedClusterAADProfile | 
| addonProfiles | The profile of managed cluster add-on. | ManagedClusterPropertiesAddonProfiles | 
| agentPoolProfiles | The agent pool properties. | ManagedClusterAgentPoolProfile[] | 
| apiServerAccessProfile | The access profile for managed cluster API server. | ManagedClusterAPIServerAccessProfile | 
| autoScalerProfile | Parameters to be applied to the cluster-autoscaler when enabled | ManagedClusterPropertiesAutoScalerProfile | 
| autoUpgradeProfile | The auto upgrade configuration. | ManagedClusterAutoUpgradeProfile | 
| disableLocalAccounts | If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. For more details see disable local accounts. | bool | 
| diskEncryptionSetID | This is of the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/diskEncryptionSets/{encryptionSetName}' | string | 
| dnsPrefix | This cannot be updated once the Managed Cluster has been created. | string | 
| enableNamespaceResources | The default value is false. It can be enabled/disabled on creation and updating of the managed cluster. See https://aka.ms/NamespaceARMResource for more details on Namespace as an ARM Resource. | bool | 
| enablePodSecurityPolicy | (DEPRECATING) Whether to enable Kubernetes pod security policy (preview). This feature is set for removal on October 15th, 2020. Learn more at aka.ms/aks/azpodpolicy. | bool | 
| enableRBAC | Whether to enable Kubernetes Role-Based Access Control. | bool | 
| fqdnSubdomain | This cannot be updated once the Managed Cluster has been created. | string | 
| httpProxyConfig | Configurations for provisioning the cluster with HTTP proxy servers. | ManagedClusterHttpProxyConfig | 
| identityProfile | Identities associated with the cluster. | ManagedClusterPropertiesIdentityProfile | 
| kubernetesVersion | When you upgrade a supported AKS cluster, Kubernetes minor versions cannot be skipped. All upgrades must be performed sequentially by major version number. For example, upgrades between 1.14.x -> 1.15.x or 1.15.x -> 1.16.x are allowed, however 1.14.x -> 1.16.x is not allowed. See upgrading an AKS cluster for more details. | string | 
| linuxProfile | The profile for Linux VMs in the Managed Cluster. | ContainerServiceLinuxProfile | 
| networkProfile | The network configuration profile. | ContainerServiceNetworkProfile | 
| nodeResourceGroup | The name of the resource group containing agent pool nodes. | string | 
| oidcIssuerProfile | The OIDC issuer profile of the Managed Cluster. | ManagedClusterOidcIssuerProfile | 
| podIdentityProfile | See use AAD pod identity for more details on AAD pod identity integration. | ManagedClusterPodIdentityProfile | 
| privateLinkResources | Private link resources associated with the cluster. | PrivateLinkResource[] | 
| publicNetworkAccess | Allow or deny public network access for AKS | 'Disabled' 'Enabled' | 
| securityProfile | Security profile for the managed cluster. | ManagedClusterSecurityProfile | 
| servicePrincipalProfile | Information about a service principal identity for the cluster to use for manipulating Azure APIs. | ManagedClusterServicePrincipalProfile | 
| windowsProfile | The profile for Windows VMs in the Managed Cluster. | ManagedClusterWindowsProfile | 
ManagedClusterPropertiesAddonProfiles
| Name | Description | Value | 
|---|---|---|
ManagedClusterPropertiesAutoScalerProfile
| Name | Description | Value | 
|---|---|---|
| balance-similar-node-groups | Valid values are 'true' and 'false' | string | 
| expander | If not specified, the default is 'random'. See expanders for more information. | 'least-waste' 'most-pods' 'priority' 'random' | 
| max-empty-bulk-delete | The default is 10. | string | 
| max-graceful-termination-sec | The default is 600. | string | 
| max-node-provision-time | The default is '15m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string | 
| max-total-unready-percentage | The default is 45. The maximum is 100 and the minimum is 0. | string | 
| new-pod-scale-up-delay | For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. The default is '0s'. Values must be an integer followed by a unit ('s' for seconds, 'm' for minutes, 'h' for hours, etc). | string | 
| ok-total-unready-count | This must be an integer. The default is 3. | string | 
| scale-down-delay-after-add | The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string | 
| scale-down-delay-after-delete | The default is the scan-interval. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string | 
| scale-down-delay-after-failure | The default is '3m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string | 
| scale-down-unneeded-time | The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string | 
| scale-down-unready-time | The default is '20m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string | 
| scale-down-utilization-threshold | The default is '0.5'. | string | 
| scan-interval | The default is '10'. Values must be an integer number of seconds. | string | 
| skip-nodes-with-local-storage | The default is true. | string | 
| skip-nodes-with-system-pods | The default is true. | string | 
ManagedClusterPropertiesIdentityProfile
| Name | Description | Value | 
|---|---|---|
ManagedClusterSecurityProfile
| Name | Description | Value | 
|---|---|---|
| azureDefender | Azure Defender settings for the security profile. | ManagedClusterSecurityProfileAzureDefender | 
| azureKeyVaultKms | Azure Key Vault key management service settings for the security profile. | AzureKeyVaultKms | 
ManagedClusterSecurityProfileAzureDefender
| Name | Description | Value | 
|---|---|---|
| enabled | Whether to enable Azure Defender | bool | 
| logAnalyticsWorkspaceResourceId | Resource ID of the Log Analytics workspace to be associated with Azure Defender. When Azure Defender is enabled, this field is required and must be a valid workspace resource ID. When Azure Defender is disabled, leave the field empty. | string | 
ManagedClusterServicePrincipalProfile
| Name | Description | Value | 
|---|---|---|
| clientId | The ID for the service principal. | string (required) | 
| secret | The secret password associated with the service principal in plain text. | string | 
ManagedClusterSKU
| Name | Description | Value | 
|---|---|---|
| name | The name of a managed cluster SKU. | 'Basic' | 
| tier | If not specified, the default is 'Free'. See uptime SLA for more details. | 'Free' 'Paid' | 
ManagedClusterWindowsProfile
| Name | Description | Value | 
|---|---|---|
| adminPassword | Specifies the password of the administrator account. Minimum length: 8 characters. Maximum length: 123 characters. Complexity requirements: 3 out of the following 4 conditions must be fulfilled: has lowercase characters; has uppercase characters; has a digit; has a special character (regex match [\W_]). Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!" | string | 
| adminUsername | Specifies the name of the administrator account. Restriction: cannot end in ".". Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5". Minimum length: 1 character. Maximum length: 20 characters. | string (required) | 
| enableCSIProxy | For more details on CSI proxy, see the CSI proxy GitHub repo. | bool | 
| gmsaProfile | The Windows gMSA Profile in the Managed Cluster. | WindowsGmsaProfile | 
| licenseType | The license type to use for Windows VMs. See Azure Hybrid User Benefits for more details. | 'None' 'Windows_Server' | 
ManagedServiceIdentityUserAssignedIdentitiesValue
| Name | Description | Value | 
|---|---|---|
PowerState
| Name | Description | Value | 
|---|---|---|
| code | Tells whether the cluster is Running or Stopped | 'Running' 'Stopped' | 
PrivateLinkResource
| Name | Description | Value | 
|---|---|---|
| groupId | The group ID of the resource. | string | 
| id | The ID of the private link resource. | string | 
| name | The name of the private link resource. | string | 
| requiredMembers | The RequiredMembers of the resource | string[] | 
| type | The resource type. | string | 
ResourceReference
| Name | Description | Value | 
|---|---|---|
| id | The fully qualified Azure resource id. | string | 
ResourceTags
| Name | Description | Value | 
|---|---|---|
SysctlConfig
| Name | Description | Value | 
|---|---|---|
| fsAioMaxNr | Sysctl setting fs.aio-max-nr. | int | 
| fsFileMax | Sysctl setting fs.file-max. | int | 
| fsInotifyMaxUserWatches | Sysctl setting fs.inotify.max_user_watches. | int | 
| fsNrOpen | Sysctl setting fs.nr_open. | int | 
| kernelThreadsMax | Sysctl setting kernel.threads-max. | int | 
| netCoreNetdevMaxBacklog | Sysctl setting net.core.netdev_max_backlog. | int | 
| netCoreOptmemMax | Sysctl setting net.core.optmem_max. | int | 
| netCoreRmemDefault | Sysctl setting net.core.rmem_default. | int | 
| netCoreRmemMax | Sysctl setting net.core.rmem_max. | int | 
| netCoreSomaxconn | Sysctl setting net.core.somaxconn. | int | 
| netCoreWmemDefault | Sysctl setting net.core.wmem_default. | int | 
| netCoreWmemMax | Sysctl setting net.core.wmem_max. | int | 
| netIpv4IpLocalPortRange | Sysctl setting net.ipv4.ip_local_port_range. | string | 
| netIpv4NeighDefaultGcThresh1 | Sysctl setting net.ipv4.neigh.default.gc_thresh1. | int | 
| netIpv4NeighDefaultGcThresh2 | Sysctl setting net.ipv4.neigh.default.gc_thresh2. | int | 
| netIpv4NeighDefaultGcThresh3 | Sysctl setting net.ipv4.neigh.default.gc_thresh3. | int | 
| netIpv4TcpFinTimeout | Sysctl setting net.ipv4.tcp_fin_timeout. | int | 
| netIpv4TcpkeepaliveIntvl | Sysctl setting net.ipv4.tcp_keepalive_intvl. | int | 
| netIpv4TcpKeepaliveProbes | Sysctl setting net.ipv4.tcp_keepalive_probes. | int | 
| netIpv4TcpKeepaliveTime | Sysctl setting net.ipv4.tcp_keepalive_time. | int | 
| netIpv4TcpMaxSynBacklog | Sysctl setting net.ipv4.tcp_max_syn_backlog. | int | 
| netIpv4TcpMaxTwBuckets | Sysctl setting net.ipv4.tcp_max_tw_buckets. | int | 
| netIpv4TcpTwReuse | Sysctl setting net.ipv4.tcp_tw_reuse. | bool | 
| netNetfilterNfConntrackBuckets | Sysctl setting net.netfilter.nf_conntrack_buckets. | int | 
| netNetfilterNfConntrackMax | Sysctl setting net.netfilter.nf_conntrack_max. | int | 
| vmMaxMapCount | Sysctl setting vm.max_map_count. | int | 
| vmSwappiness | Sysctl setting vm.swappiness. | int | 
| vmVfsCachePressure | Sysctl setting vm.vfs_cache_pressure. | int | 
UserAssignedIdentity
| Name | Description | Value | 
|---|---|---|
| clientId | The client ID of the user assigned identity. | string | 
| objectId | The object ID of the user assigned identity. | string | 
| resourceId | The resource ID of the user assigned identity. | string | 
WindowsGmsaProfile
| Name | Description | Value | 
|---|---|---|
| dnsServer | Specifies the DNS server for Windows gMSA. Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster. | string | 
| enabled | Specifies whether to enable Windows gMSA in the managed cluster. | bool | 
| rootDomainName | Specifies the root domain name for Windows gMSA. Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster. | string | 
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
| Template | Description | 
|---|---|
| AKS Cluster with a NAT Gateway and an Application Gateway | This sample shows how to deploy an AKS cluster with a NAT Gateway for outbound connections and an Application Gateway for inbound connections. | 
| AKS cluster with the Application Gateway Ingress Controller | This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault | 
| Azure Container Service (AKS) | Deploy a managed cluster with Azure Container Service (AKS) using Azure Linux container hosts | 
| Azure Container Service (AKS) | Deploy a managed cluster with Azure Container Service (AKS) | 
| Azure Container Service (AKS) with Helm | Deploy a managed cluster with Azure Container Service (AKS) with Helm | 
| Azure Kubernetes Service (AKS) | Deploys a managed Kubernetes cluster via Azure Kubernetes Service (AKS) | 
| Azure Machine Learning end-to-end secure setup | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. | 
| Azure Machine Learning end-to-end secure setup (legacy) | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. | 
| CI/CD using Jenkins on Azure Container Service (AKS) | Containers make it very easy for you to continuously build and deploy your applications. By orchestrating deployment of those containers using Kubernetes in Azure Container Service, you can achieve replicable, manageable clusters of containers. By setting up a continuous build to produce your container images and orchestration, you can increase the speed and reliability of your deployment. | 
| Create a Private AKS Cluster | This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine. | 
| Create a Private AKS Cluster with a Public DNS Zone | This sample shows how to deploy a private AKS cluster with a Public DNS Zone. | 
| Create AKS with Prometheus and Grafana with private link | This will create an Azure Grafana instance and an AKS cluster, and install Prometheus, an open-source monitoring and alerting toolkit, on the Azure Kubernetes Service (AKS) cluster. Then you use Azure Managed Grafana's managed private endpoint to connect to this Prometheus server and display the Prometheus data in a Grafana dashboard. | 
| Deploy a managed Kubernetes Cluster (AKS) | This ARM template demonstrates the deployment of an AKS instance with advanced networking features into an existing virtual network. Additionally, the chosen Service Principal is assigned the Network Contributor role against the subnet that contains the AKS cluster. | 
| Deploy a managed Kubernetes Cluster with AAD (AKS) | This ARM template demonstrates the deployment of an AKS instance with advanced networking features into an existing virtual network and Azure AD integration. Additionally, the chosen Service Principal is assigned the Network Contributor role against the subnet that contains the AKS cluster. | 
| Deploy an AKS cluster for Azure ML | This template allows you to deploy an enterprise-compliant AKS cluster which can be attached to Azure ML. | 
| min.io Azure Gateway | Fully private min.io Azure Gateway deployment to provide an S3 compliant storage API backed by blob storage | 
Terraform (AzAPI provider) resource definition
The managedClusters resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.ContainerService/managedClusters resource, add the following Terraform to your template.
# Schema skeleton for Microsoft.ContainerService/managedClusters at API version
# 2022-02-02-preview, deployed through the AzAPI provider. The placeholder values
# ("string", bool, int, {customized property}) only show the expected type; they
# are not working defaults. Allowed values and constraints for each property are
# listed in the "Property Values" tables that follow this block.
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.ContainerService/managedClusters@2022-02-02-preview"
  # 1-63 characters; must start and end alphanumeric (see the name pattern below).
  name = "string"
  # ID of the resource this cluster is created under.
  parent_id = "string"
  # Identity the cluster itself runs as: 'None', 'SystemAssigned' or
  # 'UserAssigned'. identity_ids lists user-assigned identity resource IDs
  # (presumably only read when type is 'UserAssigned' -- confirm with the provider docs).
  identity {
    type = "string"
    identity_ids = [
      "string"
    ]
  }
  location = "string"
  tags = {
    {customized property} = "string"
  }
  body = {
    extendedLocation = {
      name = "string"
      # Only 'EdgeZone' is allowed.
      type = "string"
    }
    properties = {
      # Azure AD integration. serverAppSecret is a credential: supply it from a
      # sensitive variable or a secret store, never as a literal in the template.
      # managed = true selects managed AAD; enableAzureRBAC uses Azure RBAC for
      # Kubernetes authorization; adminGroupObjectIDs are AAD groups that get the
      # cluster admin role.
      aadProfile = {
        adminGroupObjectIDs = [
          "string"
        ]
        clientAppID = "string"
        enableAzureRBAC = bool
        managed = bool
        serverAppID = "string"
        serverAppSecret = "string"
        tenantID = "string"
      }
      # Keyed by add-on name; 'enabled' is required for each entry.
      addonProfiles = {
        {customized property} = {
          config = {
            {customized property} = "string"
          }
          enabled = bool
        }
      }
      # At least one pool with mode = 'System' must exist at all times.
      agentPoolProfiles = [
        {
          availabilityZones = [
            "string"
          ]
          capacityReservationGroupID = "string"
          count = int
          creationData = {
            sourceResourceId = "string"
          }
          enableAutoScaling = bool
          # Host-based encryption; only supported on certain VM sizes and regions.
          enableEncryptionAtHost = bool
          enableFIPS = bool
          # Gives every node its own public IP (default false). Not compatible
          # with apiServerAccessProfile.authorizedIPRanges.
          enableNodePublicIP = bool
          enableUltraSSD = bool
          gpuInstanceProfile = "string"
          hostGroupID = "string"
          kubeletConfig = {
            # Allow-list of unsafe sysctls (or patterns ending in *) that pods may
            # use. Keep it empty unless a workload demonstrably needs an entry.
            allowedUnsafeSysctls = [
              "string"
            ]
            containerLogMaxFiles = int
            containerLogMaxSizeMB = int
            cpuCfsQuota = bool
            cpuCfsQuotaPeriod = "string"
            cpuManagerPolicy = "string"
            # true makes the kubelet refuse to start if swap is enabled on the node.
            failSwapOn = bool
            imageGcHighThreshold = int
            imageGcLowThreshold = int
            podMaxPids = int
            topologyManagerPolicy = "string"
          }
          kubeletDiskType = "string"
          linuxOSConfig = {
            swapFileSizeMB = int
            sysctls = {
              fsAioMaxNr = int
              fsFileMax = int
              fsInotifyMaxUserWatches = int
              fsNrOpen = int
              kernelThreadsMax = int
              netCoreNetdevMaxBacklog = int
              netCoreOptmemMax = int
              netCoreRmemDefault = int
              netCoreRmemMax = int
              netCoreSomaxconn = int
              netCoreWmemDefault = int
              netCoreWmemMax = int
              netIpv4IpLocalPortRange = "string"
              netIpv4NeighDefaultGcThresh1 = int
              netIpv4NeighDefaultGcThresh2 = int
              netIpv4NeighDefaultGcThresh3 = int
              netIpv4TcpFinTimeout = int
              netIpv4TcpkeepaliveIntvl = int
              netIpv4TcpKeepaliveProbes = int
              netIpv4TcpKeepaliveTime = int
              netIpv4TcpMaxSynBacklog = int
              netIpv4TcpMaxTwBuckets = int
              netIpv4TcpTwReuse = bool
              netNetfilterNfConntrackBuckets = int
              netNetfilterNfConntrackMax = int
              vmMaxMapCount = int
              vmSwappiness = int
              vmVfsCachePressure = int
            }
            transparentHugePageDefrag = "string"
            transparentHugePageEnabled = "string"
          }
          maxCount = int
          maxPods = int
          # Base64-encoded text written to /etc/motd on Linux nodes only; it is
          # printed raw, never executed as a script.
          messageOfTheDay = "string"
          minCount = int
          # 'System' or 'User'.
          mode = "string"
          name = "string"
          nodeLabels = {
            {customized property} = "string"
          }
          nodePublicIPPrefixID = "string"
          # Format: key=value:Effect, e.g. key=value:NoSchedule.
          nodeTaints = [
            "string"
          ]
          orchestratorVersion = "string"
          osDiskSizeGB = int
          # 'Ephemeral' or 'Managed'; cannot be changed after creation.
          osDiskType = "string"
          osSKU = "string"
          osType = "string"
          podSubnetID = "string"
          powerState = {
            code = "string"
          }
          proximityPlacementGroupID = "string"
          scaleDownMode = "string"
          scaleSetEvictionPolicy = "string"
          scaleSetPriority = "string"
          spotMaxPrice = int
          tags = {
            {customized property} = "string"
          }
          type = "string"
          upgradeSettings = {
            maxSurge = "string"
          }
          vmSize = "string"
          vnetSubnetID = "string"
          workloadRuntime = "string"
        }
      ]
      # API server exposure. authorizedIPRanges are CIDRs permitted to reach the
      # API server (not usable with per-node public IPs or a basic load balancer).
      # enablePrivateCluster makes the API server private; enablePrivateClusterPublicFQDN
      # controls whether an additional public FQDN is still created for it.
      # disableRunCommand turns off the run-command feature for the cluster.
      apiServerAccessProfile = {
        authorizedIPRanges = [
          "string"
        ]
        disableRunCommand = bool
        enablePrivateCluster = bool
        enablePrivateClusterPublicFQDN = bool
        # 'system' (default) or 'none'.
        privateDNSZone = "string"
      }
      # Cluster-autoscaler tuning; every value is passed as a string.
      autoScalerProfile = {
        balance-similar-node-groups = "string"
        expander = "string"
        max-empty-bulk-delete = "string"
        max-graceful-termination-sec = "string"
        max-node-provision-time = "string"
        max-total-unready-percentage = "string"
        new-pod-scale-up-delay = "string"
        ok-total-unready-count = "string"
        scale-down-delay-after-add = "string"
        scale-down-delay-after-delete = "string"
        scale-down-delay-after-failure = "string"
        scale-down-unneeded-time = "string"
        scale-down-unready-time = "string"
        scale-down-utilization-threshold = "string"
        scan-interval = "string"
        skip-nodes-with-local-storage = "string"
        skip-nodes-with-system-pods = "string"
      }
      autoUpgradeProfile = {
        # 'none', 'patch', 'stable', 'rapid' or 'node-image'.
        upgradeChannel = "string"
      }
      # true disables retrieval of static (local) cluster credentials. Only valid
      # on AAD-enabled clusters.
      disableLocalAccounts = bool
      # Resource ID of a Microsoft.Compute/diskEncryptionSets resource.
      diskEncryptionSetID = "string"
      # Cannot be updated after the cluster is created.
      dnsPrefix = "string"
      enableNamespaceResources = bool
      # Deprecated preview feature (scheduled for removal in October 2020); do
      # not enable on new clusters.
      enablePodSecurityPolicy = bool
      # Kubernetes RBAC.
      enableRBAC = bool
      # Cannot be updated after the cluster is created.
      fqdnSubdomain = "string"
      httpProxyConfig = {
        httpProxy = "string"
        httpsProxy = "string"
        noProxy = [
          "string"
        ]
        # Alternative CA certificate used when connecting to the proxy servers.
        trustedCa = "string"
      }
      identityProfile = {
        {customized property} = {
          clientId = "string"
          objectId = "string"
          resourceId = "string"
        }
      }
      kubernetesVersion = "string"
      # SSH access to Linux nodes. publicKeys accepts at most one key; keyData
      # is the public key in PEM format, with or without headers.
      linuxProfile = {
        adminUsername = "string"
        ssh = {
          publicKeys = [
            {
              keyData = "string"
            }
          ]
        }
      }
      networkProfile = {
        # Must lie within serviceCidr.
        dnsServiceIP = "string"
        dockerBridgeCidr = "string"
        ipFamilies = [
          "string"
        ]
        loadBalancerProfile = {
          allocatedOutboundPorts = int
          effectiveOutboundIPs = [
            {
              id = "string"
            }
          ]
          enableMultipleStandardLoadBalancers = bool
          idleTimeoutInMinutes = int
          managedOutboundIPs = {
            count = int
            countIPv6 = int
          }
          outboundIPPrefixes = {
            publicIPPrefixes = [
              {
                id = "string"
              }
            ]
          }
          outboundIPs = {
            publicIPs = [
              {
                id = "string"
              }
            ]
          }
        }
        # 'basic' or 'standard' (default).
        loadBalancerSku = "string"
        natGatewayProfile = {
          effectiveOutboundIPs = [
            {
              id = "string"
            }
          ]
          idleTimeoutInMinutes = int
          managedOutboundIPProfile = {
            count = int
          }
        }
        # Only valid when networkPlugin is 'azure'.
        networkMode = "string"
        # 'azure', 'kubenet' or 'none'.
        networkPlugin = "string"
        # 'azure' or 'calico'.
        networkPolicy = "string"
        # Set at creation time only; cannot be changed later.
        outboundType = "string"
        podCidr = "string"
        podCidrs = [
          "string"
        ]
        # Must not overlap with any subnet IP range.
        serviceCidr = "string"
        serviceCidrs = [
          "string"
        ]
      }
      nodeResourceGroup = "string"
      oidcIssuerProfile = {
        enabled = bool
      }
      # AAD pod identity. allowNetworkPluginKubenet defaults to false because of
      # the IP-spoofing risk with kubenet.
      podIdentityProfile = {
        allowNetworkPluginKubenet = bool
        enabled = bool
        userAssignedIdentities = [
          {
            bindingSelector = "string"
            identity = {
              clientId = "string"
              objectId = "string"
              resourceId = "string"
            }
            name = "string"
            namespace = "string"
          }
        ]
        userAssignedIdentityExceptions = [
          {
            name = "string"
            namespace = "string"
            podLabels = {
              {customized property} = "string"
            }
          }
        ]
      }
      privateLinkResources = [
        {
          groupId = "string"
          id = "string"
          name = "string"
          requiredMembers = [
            "string"
          ]
          type = "string"
        }
      ]
      # 'Enabled' or 'Disabled'.
      publicNetworkAccess = "string"
      securityProfile = {
        azureDefender = {
          enabled = bool
          logAnalyticsWorkspaceResourceId = "string"
        }
        # keyId is required (a valid Key Vault key identifier) when enabled is
        # true and must be left empty when it is false.
        azureKeyVaultKms = {
          enabled = bool
          keyId = "string"
        }
      }
      # Service principal used to manipulate Azure APIs. secret is a credential:
      # supply it from a sensitive variable or a secret store, never as a literal.
      servicePrincipalProfile = {
        clientId = "string"
        secret = "string"
      }
      windowsProfile = {
        # Credential: supply from a sensitive variable or a secret store, never
        # as a literal.
        adminPassword = "string"
        adminUsername = "string"
        enableCSIProxy = bool
        gmsaProfile = {
          dnsServer = "string"
          enabled = bool
          rootDomainName = "string"
        }
        licenseType = "string"
      }
    }
    sku = {
      name = "string"
      tier = "string"
    }
  }
}
Property Values
Microsoft.ContainerService/managedClusters
| Name | Description | Value | 
|---|---|---|
| extendedLocation | The extended location of the Virtual Machine. | ExtendedLocation | 
| identity | The identity of the managed cluster, if configured. | ManagedClusterIdentity | 
| location | Resource location | string (required) | 
| name | The resource name | string Constraints: Min length = 1 Max length = 63 Pattern = ^[a-zA-Z0-9]$\|^[a-zA-Z0-9][-_a-zA-Z0-9]{0,61}[a-zA-Z0-9]$ (required) | 
| parent_id | The ID of the resource to apply this extension resource to. | string (required) | 
| properties | Properties of a managed cluster. | ManagedClusterProperties | 
| sku | The managed cluster SKU. | ManagedClusterSKU | 
| tags | Resource tags | Dictionary of tag names and values. | 
| type | The resource type | "Microsoft.ContainerService/managedClusters@2022-02-02-preview" | 
AgentPoolUpgradeSettings
| Name | Description | Value | 
|---|---|---|
| maxSurge | This can either be set to an integer (e.g. '5') or a percentage (e.g. '50%'). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 1. For more information, including best practices, see: /azure/aks/upgrade-cluster#customize-node-surge-upgrade | string | 
AzureKeyVaultKms
| Name | Description | Value | 
|---|---|---|
| enabled | Whether to enable Azure Key Vault key management service. The default is false. | bool | 
| keyId | Identifier of Azure Key Vault key. See key identifier format for more details. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier. When Azure Key Vault key management service is disabled, leave the field empty. | string | 
ContainerServiceLinuxProfile
| Name | Description | Value | 
|---|---|---|
| adminUsername | The administrator username to use for Linux VMs. | string Constraints: Pattern = ^[A-Za-z][-A-Za-z0-9_]*$ (required) | 
| ssh | The SSH configuration for Linux-based VMs running on Azure. | ContainerServiceSshConfiguration (required) | 
ContainerServiceNetworkProfile
| Name | Description | Value | 
|---|---|---|
| dnsServiceIP | An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. | string Constraints: Pattern = ^(?:(?:25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)$ | 
| dockerBridgeCidr | A CIDR notation IP range assigned to the Docker bridge network. It must not overlap with any Subnet IP ranges or the Kubernetes service address range. | string Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]\|[1-2][0-9]\|3[0-2]))?$ | 
| ipFamilies | IP families are used to determine single-stack or dual-stack clusters. For single-stack, the expected value is IPv4. For dual-stack, the expected values are IPv4 and IPv6. | String array containing any of: 'IPv4' 'IPv6' | 
| loadBalancerProfile | Profile of the cluster load balancer. | ManagedClusterLoadBalancerProfile | 
| loadBalancerSku | The default is 'standard'. See Azure Load Balancer SKUs for more information about the differences between load balancer SKUs. | 'basic' 'standard' | 
| natGatewayProfile | Profile of the cluster NAT gateway. | ManagedClusterNATGatewayProfile | 
| networkMode | This cannot be specified if networkPlugin is anything other than 'azure'. | 'bridge' 'transparent' | 
| networkPlugin | Network plugin used for building the Kubernetes network. | 'azure' 'kubenet' 'none' | 
| networkPolicy | Network policy used for building the Kubernetes network. | 'azure' 'calico' | 
| outboundType | This can only be set at cluster creation time and cannot be changed later. For more information see egress outbound type. | 'loadBalancer' 'managedNATGateway' 'userAssignedNATGateway' 'userDefinedRouting' | 
| podCidr | A CIDR notation IP range from which to assign pod IPs when kubenet is used. | string Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]\|[1-2][0-9]\|3[0-2]))?$ | 
| podCidrs | One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking. | string[] | 
| serviceCidr | A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. | string Constraints: Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]\|[1-2][0-9]\|3[0-2]))?$ | 
| serviceCidrs | One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking. They must not overlap with any Subnet IP ranges. | string[] | 
ContainerServiceSshConfiguration
| Name | Description | Value | 
|---|---|---|
| publicKeys | The list of SSH public keys used to authenticate with Linux-based VMs. A maximum of 1 key may be specified. | ContainerServiceSshPublicKey[] (required) | 
ContainerServiceSshPublicKey
| Name | Description | Value | 
|---|---|---|
| keyData | Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers. | string (required) | 
CreationData
| Name | Description | Value | 
|---|---|---|
| sourceResourceId | This is the ARM ID of the source object to be used to create the target object. | string | 
ExtendedLocation
| Name | Description | Value | 
|---|---|---|
| name | The name of the extended location. | string | 
| type | The type of the extended location. | 'EdgeZone' | 
KubeletConfig
| Name | Description | Value | 
|---|---|---|
| allowedUnsafeSysctls | Allowed list of unsafe sysctls or unsafe sysctl patterns (ending in *). | string[] | 
| containerLogMaxFiles | The maximum number of container log files that can be present for a container. The number must be ≥ 2. | int Constraints: Min value = 2 | 
| containerLogMaxSizeMB | The maximum size (e.g. 10Mi) of container log file before it is rotated. | int | 
| cpuCfsQuota | The default is true. | bool | 
| cpuCfsQuotaPeriod | The default is '100ms'. Valid values are a sequence of decimal numbers with an optional fraction and a unit suffix. For example: '300ms', '2h45m'. Supported units are 'ns', 'us', 'ms', 's', 'm', and 'h'. | string | 
| cpuManagerPolicy | The default is 'none'. See Kubernetes CPU management policies for more information. Allowed values are 'none' and 'static'. | string | 
| failSwapOn | If set to true it will make the Kubelet fail to start if swap is enabled on the node. | bool | 
| imageGcHighThreshold | To disable image garbage collection, set to 100. The default is 85% | int | 
| imageGcLowThreshold | This cannot be set higher than imageGcHighThreshold. The default is 80% | int | 
| podMaxPids | The maximum number of processes per pod. | int | 
| topologyManagerPolicy | For more information see Kubernetes Topology Manager. The default is 'none'. Allowed values are 'none', 'best-effort', 'restricted', and 'single-numa-node'. | string | 
LinuxOSConfig
| Name | Description | Value | 
|---|---|---|
| swapFileSizeMB | The size in MB of a swap file that will be created on each node. | int | 
| sysctls | Sysctl settings for Linux agent nodes. | SysctlConfig | 
| transparentHugePageDefrag | Valid values are 'always', 'defer', 'defer+madvise', 'madvise' and 'never'. The default is 'madvise'. For more information see Transparent Hugepages. | string | 
| transparentHugePageEnabled | Valid values are 'always', 'madvise', and 'never'. The default is 'always'. For more information see Transparent Hugepages. | string | 
ManagedClusterAADProfile
| Name | Description | Value | 
|---|---|---|
| adminGroupObjectIDs | The list of AAD group object IDs that will have admin role of the cluster. | string[] | 
| clientAppID | The client AAD application ID. | string | 
| enableAzureRBAC | Whether to enable Azure RBAC for Kubernetes authorization. | bool | 
| managed | Whether to enable managed AAD. | bool | 
| serverAppID | The server AAD application ID. | string | 
| serverAppSecret | The server AAD application secret. | string | 
| tenantID | The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription. | string | 
ManagedClusterAddonProfile
| Name | Description | Value | 
|---|---|---|
| config | Key-value pairs for configuring an add-on. | ManagedClusterAddonProfileConfig | 
| enabled | Whether the add-on is enabled or not. | bool (required) | 
ManagedClusterAddonProfileConfig
| Name | Description | Value | 
|---|---|---|
ManagedClusterAgentPoolProfile
| Name | Description | Value | 
|---|---|---|
| availabilityZones | The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is 'VirtualMachineScaleSets'. | string[] | 
| capacityReservationGroupID | AKS will associate the specified agent pool with the Capacity Reservation Group. | string | 
| count | Number of agents (VMs) to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1. | int | 
| creationData | CreationData to be used to specify the source Snapshot ID if the node pool will be created/upgraded using a snapshot. | CreationData | 
| enableAutoScaling | Whether to enable auto-scaler | bool | 
| enableEncryptionAtHost | This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption | bool | 
| enableFIPS | See Add a FIPS-enabled node pool for more details. | bool | 
| enableNodePublicIP | Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node. The default is false. Note that a node pool with a public IP per node cannot be combined with API server authorized IP ranges (see authorizedIPRanges). | bool | 
| enableUltraSSD | Whether to enable UltraSSD | bool | 
| gpuInstanceProfile | GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. | 'MIG1g' 'MIG2g' 'MIG3g' 'MIG4g' 'MIG7g' | 
| hostGroupID | This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/hostGroups/{hostGroupName}. For more information see Azure dedicated hosts. | string | 
| kubeletConfig | The Kubelet configuration on the agent pool nodes. | KubeletConfig | 
| kubeletDiskType | Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. | 'OS' 'Temporary' | 
| linuxOSConfig | The OS configuration of Linux agent nodes. | LinuxOSConfig | 
| maxCount | The maximum number of nodes for auto-scaling | int | 
| maxPods | The maximum number of pods that can run on a node. | int | 
| messageOfTheDay | A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of the message of the day for Linux nodes. It must not be specified for Windows nodes. It must be a static string (i.e., will be printed raw and not be executed as a script). | string | 
| minCount | The minimum number of nodes for auto-scaling | int | 
| mode | A cluster must have at least one 'System' Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: /azure/aks/use-system-pools | 'System' 'User' | 
| name | Windows agent pool names must be 6 characters or less. | string Constraints: Pattern = ^[a-z][a-z0-9]{0,11}$ (required) | 
| nodeLabels | The node labels to be persisted across all nodes in agent pool. | ManagedClusterAgentPoolProfilePropertiesNodeLabels | 
| nodePublicIPPrefixID | This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPPrefixes/{publicIPPrefixName} | string | 
| nodeTaints | The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. | string[] | 
| orchestratorVersion | As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool. | string | 
| osDiskSizeGB | OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. | int Constraints: Min value = 0 Max value = 2048 | 
| osDiskType | The default is 'Ephemeral' if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. For more information see Ephemeral OS. | 'Ephemeral' 'Managed' | 
| osSKU | Specifies an OS SKU. This value must not be specified if OSType is Windows. | 'CBLMariner' 'Ubuntu' | 
| osType | The operating system type. The default is Linux. | 'Linux' 'Windows' | 
| podSubnetID | If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} | string | 
| powerState | When an Agent Pool is first created it is initially Running. The Agent Pool can be stopped by setting this field to Stopped. A stopped Agent Pool stops all of its VMs and does not accrue billing charges. An Agent Pool can only be stopped if it is Running and provisioning state is Succeeded | PowerState | 
| proximityPlacementGroupID | The ID for Proximity Placement Group. | string | 
| scaleDownMode | This also affects the cluster autoscaler behavior. If not specified, it defaults to Delete. | 'Deallocate' 'Delete' | 
| scaleSetEvictionPolicy | This cannot be specified unless the scaleSetPriority is 'Spot'. If not specified, the default is 'Delete'. | 'Deallocate' 'Delete' | 
| scaleSetPriority | The Virtual Machine Scale Set priority. If not specified, the default is 'Regular'. | 'Regular' 'Spot' | 
| spotMaxPrice | Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing | int | 
| tags | The tags to be persisted on the agent pool virtual machine scale set. | ManagedClusterAgentPoolProfilePropertiesTags | 
| type | The type of Agent Pool. | 'AvailabilitySet' 'VirtualMachineScaleSets' | 
| upgradeSettings | Settings for upgrading the agentpool | AgentPoolUpgradeSettings | 
| vmSize | VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: /azure/aks/quotas-skus-regions | string | 
| vnetSubnetID | If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} | string | 
| workloadRuntime | Determines the type of workload a node can run. | 'OCIContainer' 'WasmWasi' | 
ManagedClusterAgentPoolProfilePropertiesNodeLabels
| Name | Description | Value | 
|---|---|---|
ManagedClusterAgentPoolProfilePropertiesTags
| Name | Description | Value | 
|---|---|---|
ManagedClusterAPIServerAccessProfile
| Name | Description | Value | 
|---|---|---|
| authorizedIPRanges | IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. For more information see API server authorized IP ranges. | string[] | 
| disableRunCommand | Whether to disable run command for the cluster or not. | bool | 
| enablePrivateCluster | For more details, see Creating a private AKS cluster. | bool | 
| enablePrivateClusterPublicFQDN | Whether to create additional public FQDN for private cluster or not. | bool | 
| privateDNSZone | The default is 'system'. For more details see configure private DNS zone. Allowed values are 'system' and 'none'. | string | 
ManagedClusterAutoUpgradeProfile
| Name | Description | Value | 
|---|---|---|
| upgradeChannel | For more information see setting the AKS cluster auto-upgrade channel. | 'node-image' 'none' 'patch' 'rapid' 'stable' | 
ManagedClusterHttpProxyConfig
| Name | Description | Value | 
|---|---|---|
| httpProxy | The HTTP proxy server endpoint to use. | string | 
| httpsProxy | The HTTPS proxy server endpoint to use. | string | 
| noProxy | The endpoints that should not go through proxy. | string[] | 
| trustedCa | Alternative CA cert to use for connecting to proxy servers. | string | 
ManagedClusterIdentity
| Name | Description | Value | 
|---|---|---|
| type | For more information see use managed identities in AKS. | 'None' 'SystemAssigned' 'UserAssigned' | 
| userAssignedIdentities | The keys must be ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | ManagedClusterIdentityUserAssignedIdentities | 
ManagedClusterIdentityUserAssignedIdentities
| Name | Description | Value | 
|---|---|---|
ManagedClusterLoadBalancerProfile
| Name | Description | Value | 
|---|---|---|
| allocatedOutboundPorts | The desired number of allocated SNAT ports per VM. Allowed values are in the range of 0 to 64000 (inclusive). The default value is 0 which results in Azure dynamically allocating ports. | int Constraints: Min value = 0 Max value = 64000 | 
| effectiveOutboundIPs | The effective outbound IP resources of the cluster load balancer. | ResourceReference[] | 
| enableMultipleStandardLoadBalancers | Enable multiple standard load balancers per AKS cluster or not. | bool | 
| idleTimeoutInMinutes | Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 30 minutes. | int Constraints: Min value = 4 Max value = 120 | 
| managedOutboundIPs | Desired managed outbound IPs for the cluster load balancer. | ManagedClusterLoadBalancerProfileManagedOutboundIPs | 
| outboundIPPrefixes | Desired outbound IP Prefix resources for the cluster load balancer. | ManagedClusterLoadBalancerProfileOutboundIPPrefixes | 
| outboundIPs | Desired outbound IP resources for the cluster load balancer. | ManagedClusterLoadBalancerProfileOutboundIPs | 
ManagedClusterLoadBalancerProfileManagedOutboundIPs
| Name | Description | Value | 
|---|---|---|
| count | The desired number of IPv4 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1. | int Constraints: Min value = 1 Max value = 100 | 
| countIPv6 | The desired number of IPv6 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 0 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack. | int Constraints: Min value = 0 Max value = 100 | 
ManagedClusterLoadBalancerProfileOutboundIPPrefixes
| Name | Description | Value | 
|---|---|---|
| publicIPPrefixes | A list of public IP prefix resources. | ResourceReference[] | 
ManagedClusterLoadBalancerProfileOutboundIPs
| Name | Description | Value | 
|---|---|---|
| publicIPs | A list of public IP resources. | ResourceReference[] | 
ManagedClusterManagedOutboundIPProfile
| Name | Description | Value | 
|---|---|---|
| count | The desired number of outbound IPs created/managed by Azure. Allowed values must be in the range of 1 to 16 (inclusive). The default value is 1. | int Constraints: Min value = 1 Max value = 16 | 
ManagedClusterNATGatewayProfile
| Name | Description | Value | 
|---|---|---|
| effectiveOutboundIPs | The effective outbound IP resources of the cluster NAT gateway. | ResourceReference[] | 
| idleTimeoutInMinutes | Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 4 minutes. | int Constraints: Min value = 4 Max value = 120 | 
| managedOutboundIPProfile | Profile of the managed outbound IP resources of the cluster NAT gateway. | ManagedClusterManagedOutboundIPProfile | 
ManagedClusterOidcIssuerProfile
| Name | Description | Value | 
|---|---|---|
| enabled | Whether the OIDC issuer is enabled. | bool | 
ManagedClusterPodIdentity
| Name | Description | Value | 
|---|---|---|
| bindingSelector | The binding selector to use for the AzureIdentityBinding resource. | string | 
| identity | The user assigned identity details. | UserAssignedIdentity (required) | 
| name | The name of the pod identity. | string (required) | 
| namespace | The namespace of the pod identity. | string (required) | 
ManagedClusterPodIdentityException
| Name | Description | Value | 
|---|---|---|
| name | The name of the pod identity exception. | string (required) | 
| namespace | The namespace of the pod identity exception. | string (required) | 
| podLabels | The pod labels to match. | ManagedClusterPodIdentityExceptionPodLabels (required) | 
ManagedClusterPodIdentityExceptionPodLabels
| Name | Description | Value | 
|---|---|---|
ManagedClusterPodIdentityProfile
| Name | Description | Value | 
|---|---|---|
| allowNetworkPluginKubenet | Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing. See using Kubenet network plugin with AAD Pod Identity for more information. | bool | 
| enabled | Whether the pod identity addon is enabled. | bool | 
| userAssignedIdentities | The pod identities to use in the cluster. | ManagedClusterPodIdentity[] | 
| userAssignedIdentityExceptions | The pod identity exceptions to allow. | ManagedClusterPodIdentityException[] | 
ManagedClusterProperties
| Name | Description | Value | 
|---|---|---|
| aadProfile | The Azure Active Directory configuration. | ManagedClusterAADProfile | 
| addonProfiles | The profile of managed cluster add-on. | ManagedClusterPropertiesAddonProfiles | 
| agentPoolProfiles | The agent pool properties. | ManagedClusterAgentPoolProfile[] | 
| apiServerAccessProfile | The access profile for managed cluster API server. | ManagedClusterAPIServerAccessProfile | 
| autoScalerProfile | Parameters to be applied to the cluster-autoscaler when enabled | ManagedClusterPropertiesAutoScalerProfile | 
| autoUpgradeProfile | The auto upgrade configuration. | ManagedClusterAutoUpgradeProfile | 
| disableLocalAccounts | If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. For more details see disable local accounts. | bool | 
| diskEncryptionSetID | This is of the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/diskEncryptionSets/{encryptionSetName}' | string | 
| dnsPrefix | This cannot be updated once the Managed Cluster has been created. | string | 
| enableNamespaceResources | The default value is false. It can be enabled/disabled on creation and updating of the managed cluster. See https://aka.ms/NamespaceARMResource for more details on Namespace as a ARM Resource. | bool | 
| enablePodSecurityPolicy | (DEPRECATED) Whether to enable Kubernetes pod security policy (preview). This feature was set for removal on October 15th, 2020; do not enable it on new clusters. Learn more at aka.ms/aks/azpodpolicy. | bool | 
| enableRBAC | Whether to enable Kubernetes Role-Based Access Control. Keep this enabled: without RBAC the Kubernetes API server performs no per-identity authorization of requests. | bool | 
| fqdnSubdomain | This cannot be updated once the Managed Cluster has been created. | string | 
| httpProxyConfig | Configurations for provisioning the cluster with HTTP proxy servers. | ManagedClusterHttpProxyConfig | 
| identityProfile | Identities associated with the cluster. | ManagedClusterPropertiesIdentityProfile | 
| kubernetesVersion | When you upgrade a supported AKS cluster, Kubernetes minor versions cannot be skipped. All upgrades must be performed sequentially by major version number. For example, upgrades between 1.14.x -> 1.15.x or 1.15.x -> 1.16.x are allowed, however 1.14.x -> 1.16.x is not allowed. See upgrading an AKS cluster for more details. | string | 
| linuxProfile | The profile for Linux VMs in the Managed Cluster. | ContainerServiceLinuxProfile | 
| networkProfile | The network configuration profile. | ContainerServiceNetworkProfile | 
| nodeResourceGroup | The name of the resource group containing agent pool nodes. | string | 
| oidcIssuerProfile | The OIDC issuer profile of the Managed Cluster. | ManagedClusterOidcIssuerProfile | 
| podIdentityProfile | See use AAD pod identity for more details on AAD pod identity integration. | ManagedClusterPodIdentityProfile | 
| privateLinkResources | Private link resources associated with the cluster. | PrivateLinkResource[] | 
| publicNetworkAccess | Allow or deny public network access to the cluster. Set to 'Disabled' so the cluster is reachable only over private connectivity. | 'Disabled' 'Enabled' | 
| securityProfile | Security profile for the managed cluster. | ManagedClusterSecurityProfile | 
| servicePrincipalProfile | Information about a service principal identity for the cluster to use for manipulating Azure APIs. | ManagedClusterServicePrincipalProfile | 
| windowsProfile | The profile for Windows VMs in the Managed Cluster. | ManagedClusterWindowsProfile | 
ManagedClusterPropertiesAddonProfiles
| Name | Description | Value | 
|---|---|---|
ManagedClusterPropertiesAutoScalerProfile
| Name | Description | Value | 
|---|---|---|
| balance-similar-node-groups | Valid values are 'true' and 'false' | string | 
| expander | If not specified, the default is 'random'. See expanders for more information. | 'least-waste' 'most-pods' 'priority' 'random' | 
| max-empty-bulk-delete | The default is 10. | string | 
| max-graceful-termination-sec | The default is 600. | string | 
| max-node-provision-time | The default is '15m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string | 
| max-total-unready-percentage | The default is 45. The maximum is 100 and the minimum is 0. | string | 
| new-pod-scale-up-delay | For scenarios like burst/batch scale where you don't want CA to act before the Kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods until they reach a certain age. The default is '0s'. Values must be an integer followed by a unit ('s' for seconds, 'm' for minutes, 'h' for hours, etc). | string | 
| ok-total-unready-count | This must be an integer. The default is 3. | string | 
| scale-down-delay-after-add | The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string | 
| scale-down-delay-after-delete | The default is the scan-interval. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string | 
| scale-down-delay-after-failure | The default is '3m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string | 
| scale-down-unneeded-time | The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string | 
| scale-down-unready-time | The default is '20m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. | string | 
| scale-down-utilization-threshold | The default is '0.5'. | string | 
| scan-interval | The default is '10'. Values must be an integer number of seconds. | string | 
| skip-nodes-with-local-storage | The default is true. | string | 
| skip-nodes-with-system-pods | The default is true. | string | 
ManagedClusterPropertiesIdentityProfile
| Name | Description | Value | 
|---|---|---|
ManagedClusterSecurityProfile
| Name | Description | Value | 
|---|---|---|
| azureDefender | Azure Defender settings for the security profile. | ManagedClusterSecurityProfileAzureDefender | 
| azureKeyVaultKms | Azure Key Vault key management service (KMS) settings for the security profile, used to encrypt Kubernetes secrets at rest with a key held in Azure Key Vault. | AzureKeyVaultKms | 
ManagedClusterSecurityProfileAzureDefender
| Name | Description | Value | 
|---|---|---|
| enabled | Whether to enable Azure Defender | bool | 
| logAnalyticsWorkspaceResourceId | Resource ID of the Log Analytics workspace to be associated with Azure Defender. When Azure Defender is enabled, this field is required and must be a valid workspace resource ID. When Azure Defender is disabled, leave the field empty. | string | 
ManagedClusterServicePrincipalProfile
| Name | Description | Value | 
|---|---|---|
| clientId | The ID for the service principal. | string (required) | 
| secret | The secret password associated with the service principal, in plain text. Never hard-code it in the template: pass it as a secure parameter, and prefer a managed identity (the identity block) over a service principal so that no secret has to be handled at all. | string | 
ManagedClusterSKU
| Name | Description | Value | 
|---|---|---|
| name | The name of a managed cluster SKU. | 'Basic' | 
| tier | If not specified, the default is 'Free'. See uptime SLA for more details. | 'Free' 'Paid' | 
ManagedClusterWindowsProfile
| Name | Description | Value | 
|---|---|---|
| adminPassword | Specifies the password of the administrator account. Supply it as a secure parameter rather than a literal in the template. Minimum-length: 8 characters Max-length: 123 characters Complexity requirements: 3 out of 4 conditions below need to be fulfilled Has lower characters Has upper characters Has a digit Has a special character (Regex match [\W_]) Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!" | string | 
| adminUsername | Specifies the name of the administrator account. Restriction: Cannot end in "." Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5". Minimum-length: 1 character Max-length: 20 characters | string (required) | 
| enableCSIProxy | For more details on CSI proxy, see the CSI proxy GitHub repo. | bool | 
| gmsaProfile | The Windows gMSA Profile in the Managed Cluster. | WindowsGmsaProfile | 
| licenseType | The license type to use for Windows VMs. See Azure Hybrid Use Benefit for more details. | 'None' 'Windows_Server' | 
ManagedServiceIdentityUserAssignedIdentitiesValue
| Name | Description | Value | 
|---|---|---|
PowerState
| Name | Description | Value | 
|---|---|---|
| code | Tells whether the cluster is Running or Stopped | 'Running' 'Stopped' | 
PrivateLinkResource
| Name | Description | Value | 
|---|---|---|
| groupId | The group ID of the resource. | string | 
| id | The ID of the private link resource. | string | 
| name | The name of the private link resource. | string | 
| requiredMembers | The RequiredMembers of the resource | string[] | 
| type | The resource type. | string | 
ResourceReference
| Name | Description | Value | 
|---|---|---|
| id | The fully qualified Azure resource id. | string | 
ResourceTags
| Name | Description | Value | 
|---|---|---|
SysctlConfig
| Name | Description | Value | 
|---|---|---|
| fsAioMaxNr | Sysctl setting fs.aio-max-nr. | int | 
| fsFileMax | Sysctl setting fs.file-max. | int | 
| fsInotifyMaxUserWatches | Sysctl setting fs.inotify.max_user_watches. | int | 
| fsNrOpen | Sysctl setting fs.nr_open. | int | 
| kernelThreadsMax | Sysctl setting kernel.threads-max. | int | 
| netCoreNetdevMaxBacklog | Sysctl setting net.core.netdev_max_backlog. | int | 
| netCoreOptmemMax | Sysctl setting net.core.optmem_max. | int | 
| netCoreRmemDefault | Sysctl setting net.core.rmem_default. | int | 
| netCoreRmemMax | Sysctl setting net.core.rmem_max. | int | 
| netCoreSomaxconn | Sysctl setting net.core.somaxconn. | int | 
| netCoreWmemDefault | Sysctl setting net.core.wmem_default. | int | 
| netCoreWmemMax | Sysctl setting net.core.wmem_max. | int | 
| netIpv4IpLocalPortRange | Sysctl setting net.ipv4.ip_local_port_range. | string | 
| netIpv4NeighDefaultGcThresh1 | Sysctl setting net.ipv4.neigh.default.gc_thresh1. | int | 
| netIpv4NeighDefaultGcThresh2 | Sysctl setting net.ipv4.neigh.default.gc_thresh2. | int | 
| netIpv4NeighDefaultGcThresh3 | Sysctl setting net.ipv4.neigh.default.gc_thresh3. | int | 
| netIpv4TcpFinTimeout | Sysctl setting net.ipv4.tcp_fin_timeout. | int | 
| netIpv4TcpkeepaliveIntvl | Sysctl setting net.ipv4.tcp_keepalive_intvl. | int | 
| netIpv4TcpKeepaliveProbes | Sysctl setting net.ipv4.tcp_keepalive_probes. | int | 
| netIpv4TcpKeepaliveTime | Sysctl setting net.ipv4.tcp_keepalive_time. | int | 
| netIpv4TcpMaxSynBacklog | Sysctl setting net.ipv4.tcp_max_syn_backlog. | int | 
| netIpv4TcpMaxTwBuckets | Sysctl setting net.ipv4.tcp_max_tw_buckets. | int | 
| netIpv4TcpTwReuse | Sysctl setting net.ipv4.tcp_tw_reuse. | bool | 
| netNetfilterNfConntrackBuckets | Sysctl setting net.netfilter.nf_conntrack_buckets. | int | 
| netNetfilterNfConntrackMax | Sysctl setting net.netfilter.nf_conntrack_max. | int | 
| vmMaxMapCount | Sysctl setting vm.max_map_count. | int | 
| vmSwappiness | Sysctl setting vm.swappiness. | int | 
| vmVfsCachePressure | Sysctl setting vm.vfs_cache_pressure. | int | 
UserAssignedIdentity
| Name | Description | Value | 
|---|---|---|
| clientId | The client ID of the user assigned identity. | string | 
| objectId | The object ID of the user assigned identity. | string | 
| resourceId | The resource ID of the user assigned identity. | string | 
WindowsGmsaProfile
| Name | Description | Value | 
|---|---|---|
| dnsServer | Specifies the DNS server for Windows gMSA. Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster. | string | 
| enabled | Specifies whether to enable Windows gMSA in the managed cluster. | bool | 
| rootDomainName | Specifies the root domain name for Windows gMSA. Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster. | string | 
Usage Examples
Terraform Samples
A basic example of deploying a managed Kubernetes cluster (also known as AKS / Azure Kubernetes Service).
# Use the azapi provider, which talks to the Azure Resource Manager API directly.
# NOTE(review): no version constraint is set, so `terraform init` resolves
# whatever release is latest; pin one for reproducible deployments.
terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
  }
}
# Provider registration is left enabled (skip_provider_registration = false).
provider "azapi" {
  skip_provider_registration = false
}
# Used for the resource group name, the cluster name and the cluster's dnsPrefix
# (the dnsPrefix cannot be changed after the cluster is created).
variable "resource_name" {
  type    = string
  default = "acctest0001"
}
# Azure region for both the resource group and the cluster.
variable "location" {
  type    = string
  default = "westeurope"
}
# Resource group that will own the cluster.
resource "azapi_resource" "resourceGroup" {
  type                      = "Microsoft.Resources/resourceGroups@2020-06-01"
  name                      = var.resource_name
  location                  = var.location
  # Client-side schema validation is off; errors surface only from ARM at apply time.
  schema_validation_enabled = false
  # The full API response is exported (no secrets are expected in a resource
  # group response, but confirm before copying this to other resource types).
  response_export_values    = ["*"]
}
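# Minimal AKS cluster: one system node pool, a system-assigned managed identity
# (so no service principal secret has to be handled), and RBAC stated explicitly.
resource "azapi_resource" "managedCluster" {
  # NOTE(review): this pins a *preview* API version; switch to a GA
  # (non-preview) version before using this outside of testing.
  type      = "Microsoft.ContainerService/managedClusters@2023-04-02-preview"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  # Managed identity instead of servicePrincipalProfile: nothing to store or rotate.
  identity {
    type         = "SystemAssigned"
    identity_ids = []
  }
  body = {
    properties = {
      agentPoolProfiles = [
        {
          count  = 1
          mode   = "System"
          name   = "default"
          vmSize = "Standard_DS2_v2"
        },
      ]
      # dnsPrefix cannot be changed after the cluster is created.
      dnsPrefix = var.resource_name
      # Make the authorization posture explicit rather than relying on the
      # service default.
      enableRBAC = true
      # Hardening deliberately left out of this minimal sample; all of these
      # are documented ManagedClusterProperties:
      #   - aadProfile plus disableLocalAccounts = true: Azure AD-only access
      #     with no retrievable static admin credentials (disableLocalAccounts
      #     requires an AAD-enabled cluster).
      #   - apiServerAccessProfile / publicNetworkAccess = "Disabled":
      #     restrict who can reach the API server.
      #   - securityProfile (azureDefender, azureKeyVaultKms).
    }
  }
  # NOTE(review): client-side schema validation is off, so a mistyped property
  # name is only reported by ARM at apply time.
  schema_validation_enabled = false
  response_export_values    = ["*"]
}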
Azure Verified Modules
The following Azure Verified Modules can be used to deploy this resource type.
| Module | Description | 
|---|---|
| AKS Managed Cluster | AVM Resource Module for AKS Managed Cluster |