Share via


Microsoft.ContainerService managedClusters 2025-05-01

Remarks

For information about available add-ons, see Add-ons, extensions, and other integrations with Azure Kubernetes Service.

Bicep resource definition

The managedClusters resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.ContainerService/managedClusters resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.ContainerService/managedClusters@2025-05-01' = {
  scope: resourceSymbolicName or scope
  extendedLocation: {
    name: 'string'
    type: 'string'
  }
  identity: {
    delegatedResources: {
      {customized property}: {
        location: 'string'
        referralResource: 'string'
        resourceId: 'string'
        tenantId: 'string'
      }
    }
    type: 'string'
    userAssignedIdentities: {
      {customized property}: {}
    }
  }
  location: 'string'
  name: 'string'
  properties: {
    aadProfile: {
      adminGroupObjectIDs: [
        'string'
      ]
      clientAppID: 'string'
      enableAzureRBAC: bool
      managed: bool
      serverAppID: 'string'
      serverAppSecret: 'string'
      tenantID: 'string'
    }
    addonProfiles: {
      {customized property}: {
        config: {
          {customized property}: 'string'
        }
        enabled: bool
      }
    }
    agentPoolProfiles: [
      {
        availabilityZones: [
          'string'
        ]
        capacityReservationGroupID: 'string'
        count: int
        creationData: {
          sourceResourceId: 'string'
        }
        enableAutoScaling: bool
        enableEncryptionAtHost: bool
        enableFIPS: bool
        enableNodePublicIP: bool
        enableUltraSSD: bool
        gatewayProfile: {
          publicIPPrefixSize: int
        }
        gpuInstanceProfile: 'string'
        gpuProfile: {
          driver: 'string'
        }
        hostGroupID: 'string'
        kubeletConfig: {
          allowedUnsafeSysctls: [
            'string'
          ]
          containerLogMaxFiles: int
          containerLogMaxSizeMB: int
          cpuCfsQuota: bool
          cpuCfsQuotaPeriod: 'string'
          cpuManagerPolicy: 'string'
          failSwapOn: bool
          imageGcHighThreshold: int
          imageGcLowThreshold: int
          podMaxPids: int
          topologyManagerPolicy: 'string'
        }
        kubeletDiskType: 'string'
        linuxOSConfig: {
          swapFileSizeMB: int
          sysctls: {
            fsAioMaxNr: int
            fsFileMax: int
            fsInotifyMaxUserWatches: int
            fsNrOpen: int
            kernelThreadsMax: int
            netCoreNetdevMaxBacklog: int
            netCoreOptmemMax: int
            netCoreRmemDefault: int
            netCoreRmemMax: int
            netCoreSomaxconn: int
            netCoreWmemDefault: int
            netCoreWmemMax: int
            netIpv4IpLocalPortRange: 'string'
            netIpv4NeighDefaultGcThresh1: int
            netIpv4NeighDefaultGcThresh2: int
            netIpv4NeighDefaultGcThresh3: int
            netIpv4TcpFinTimeout: int
            netIpv4TcpkeepaliveIntvl: int
            netIpv4TcpKeepaliveProbes: int
            netIpv4TcpKeepaliveTime: int
            netIpv4TcpMaxSynBacklog: int
            netIpv4TcpMaxTwBuckets: int
            netIpv4TcpTwReuse: bool
            netNetfilterNfConntrackBuckets: int
            netNetfilterNfConntrackMax: int
            vmMaxMapCount: int
            vmSwappiness: int
            vmVfsCachePressure: int
          }
          transparentHugePageDefrag: 'string'
          transparentHugePageEnabled: 'string'
        }
        maxCount: int
        maxPods: int
        messageOfTheDay: 'string'
        minCount: int
        mode: 'string'
        name: 'string'
        networkProfile: {
          allowedHostPorts: [
            {
              portEnd: int
              portStart: int
              protocol: 'string'
            }
          ]
          applicationSecurityGroups: [
            'string'
          ]
          nodePublicIPTags: [
            {
              ipTagType: 'string'
              tag: 'string'
            }
          ]
        }
        nodeLabels: {
          {customized property}: 'string'
        }
        nodePublicIPPrefixID: 'string'
        nodeTaints: [
          'string'
        ]
        orchestratorVersion: 'string'
        osDiskSizeGB: int
        osDiskType: 'string'
        osSKU: 'string'
        osType: 'string'
        podIPAllocationMode: 'string'
        podSubnetID: 'string'
        powerState: {
          code: 'string'
        }
        proximityPlacementGroupID: 'string'
        scaleDownMode: 'string'
        scaleSetEvictionPolicy: 'string'
        scaleSetPriority: 'string'
        securityProfile: {
          enableSecureBoot: bool
          enableVTPM: bool
        }
        spotMaxPrice: int
        status: {}
        tags: {
          {customized property}: 'string'
        }
        type: 'string'
        upgradeSettings: {
          drainTimeoutInMinutes: int
          maxSurge: 'string'
          maxUnavailable: 'string'
          nodeSoakDurationInMinutes: int
          undrainableNodeBehavior: 'string'
        }
        virtualMachineNodesStatus: [
          {
            count: int
            size: 'string'
          }
        ]
        virtualMachinesProfile: {
          scale: {
            manual: [
              {
                count: int
                size: 'string'
              }
            ]
          }
        }
        vmSize: 'string'
        vnetSubnetID: 'string'
        windowsProfile: {
          disableOutboundNat: bool
        }
        workloadRuntime: 'string'
      }
    ]
    aiToolchainOperatorProfile: {
      enabled: bool
    }
    apiServerAccessProfile: {
      authorizedIPRanges: [
        'string'
      ]
      disableRunCommand: bool
      enablePrivateCluster: bool
      enablePrivateClusterPublicFQDN: bool
      enableVnetIntegration: bool
      privateDNSZone: 'string'
      subnetId: 'string'
    }
    autoScalerProfile: {
      balance-similar-node-groups: 'string'
      daemonset-eviction-for-empty-nodes: bool
      daemonset-eviction-for-occupied-nodes: bool
      expander: 'string'
      ignore-daemonsets-utilization: bool
      max-empty-bulk-delete: 'string'
      max-graceful-termination-sec: 'string'
      max-node-provision-time: 'string'
      max-total-unready-percentage: 'string'
      new-pod-scale-up-delay: 'string'
      ok-total-unready-count: 'string'
      scale-down-delay-after-add: 'string'
      scale-down-delay-after-delete: 'string'
      scale-down-delay-after-failure: 'string'
      scale-down-unneeded-time: 'string'
      scale-down-unready-time: 'string'
      scale-down-utilization-threshold: 'string'
      scan-interval: 'string'
      skip-nodes-with-local-storage: 'string'
      skip-nodes-with-system-pods: 'string'
    }
    autoUpgradeProfile: {
      nodeOSUpgradeChannel: 'string'
      upgradeChannel: 'string'
    }
    azureMonitorProfile: {
      metrics: {
        enabled: bool
        kubeStateMetrics: {
          metricAnnotationsAllowList: 'string'
          metricLabelsAllowlist: 'string'
        }
      }
    }
    bootstrapProfile: {
      artifactSource: 'string'
      containerRegistryId: 'string'
    }
    disableLocalAccounts: bool
    diskEncryptionSetID: 'string'
    dnsPrefix: 'string'
    enableRBAC: bool
    fqdnSubdomain: 'string'
    httpProxyConfig: {
      httpProxy: 'string'
      httpsProxy: 'string'
      noProxy: [
        'string'
      ]
      trustedCa: 'string'
    }
    identityProfile: {
      {customized property}: {
        clientId: 'string'
        objectId: 'string'
        resourceId: 'string'
      }
    }
    ingressProfile: {
      webAppRouting: {
        dnsZoneResourceIds: [
          'string'
        ]
        enabled: bool
        nginx: {
          defaultIngressControllerType: 'string'
        }
      }
    }
    kubernetesVersion: 'string'
    linuxProfile: {
      adminUsername: 'string'
      ssh: {
        publicKeys: [
          {
            keyData: 'string'
          }
        ]
      }
    }
    metricsProfile: {
      costAnalysis: {
        enabled: bool
      }
    }
    networkProfile: {
      advancedNetworking: {
        enabled: bool
        observability: {
          enabled: bool
        }
        security: {
          enabled: bool
        }
      }
      dnsServiceIP: 'string'
      ipFamilies: [
        'string'
      ]
      loadBalancerProfile: {
        allocatedOutboundPorts: int
        backendPoolType: 'string'
        enableMultipleStandardLoadBalancers: bool
        idleTimeoutInMinutes: int
        managedOutboundIPs: {
          count: int
          countIPv6: int
        }
        outboundIPPrefixes: {
          publicIPPrefixes: [
            {
              id: 'string'
            }
          ]
        }
        outboundIPs: {
          publicIPs: [
            {
              id: 'string'
            }
          ]
        }
      }
      loadBalancerSku: 'string'
      natGatewayProfile: {
        idleTimeoutInMinutes: int
        managedOutboundIPProfile: {
          count: int
        }
      }
      networkDataplane: 'string'
      networkMode: 'string'
      networkPlugin: 'string'
      networkPluginMode: 'string'
      networkPolicy: 'string'
      outboundType: 'string'
      podCidr: 'string'
      podCidrs: [
        'string'
      ]
      serviceCidr: 'string'
      serviceCidrs: [
        'string'
      ]
      staticEgressGatewayProfile: {
        enabled: bool
      }
    }
    nodeProvisioningProfile: {
      defaultNodePools: 'string'
      mode: 'string'
    }
    nodeResourceGroup: 'string'
    nodeResourceGroupProfile: {
      restrictionLevel: 'string'
    }
    oidcIssuerProfile: {
      enabled: bool
    }
    podIdentityProfile: {
      allowNetworkPluginKubenet: bool
      enabled: bool
      userAssignedIdentities: [
        {
          bindingSelector: 'string'
          identity: {
            clientId: 'string'
            objectId: 'string'
            resourceId: 'string'
          }
          name: 'string'
          namespace: 'string'
        }
      ]
      userAssignedIdentityExceptions: [
        {
          name: 'string'
          namespace: 'string'
          podLabels: {
            {customized property}: 'string'
          }
        }
      ]
    }
    privateLinkResources: [
      {
        groupId: 'string'
        id: 'string'
        name: 'string'
        requiredMembers: [
          'string'
        ]
        type: 'string'
      }
    ]
    publicNetworkAccess: 'string'
    securityProfile: {
      azureKeyVaultKms: {
        enabled: bool
        keyId: 'string'
        keyVaultNetworkAccess: 'string'
        keyVaultResourceId: 'string'
      }
      customCATrustCertificates: [
        any(...)
      ]
      defender: {
        logAnalyticsWorkspaceResourceId: 'string'
        securityMonitoring: {
          enabled: bool
        }
      }
      imageCleaner: {
        enabled: bool
        intervalHours: int
      }
      workloadIdentity: {
        enabled: bool
      }
    }
    serviceMeshProfile: {
      istio: {
        certificateAuthority: {
          plugin: {
            certChainObjectName: 'string'
            certObjectName: 'string'
            keyObjectName: 'string'
            keyVaultId: 'string'
            rootCertObjectName: 'string'
          }
        }
        components: {
          egressGateways: [
            {
              enabled: bool
            }
          ]
          ingressGateways: [
            {
              enabled: bool
              mode: 'string'
            }
          ]
        }
        revisions: [
          'string'
        ]
      }
      mode: 'string'
    }
    servicePrincipalProfile: {
      clientId: 'string'
      secret: 'string'
    }
    status: {}
    storageProfile: {
      blobCSIDriver: {
        enabled: bool
      }
      diskCSIDriver: {
        enabled: bool
      }
      fileCSIDriver: {
        enabled: bool
      }
      snapshotController: {
        enabled: bool
      }
    }
    supportPlan: 'string'
    upgradeSettings: {
      overrideSettings: {
        forceUpgrade: bool
        until: 'string'
      }
    }
    windowsProfile: {
      adminPassword: 'string'
      adminUsername: 'string'
      enableCSIProxy: bool
      gmsaProfile: {
        dnsServer: 'string'
        enabled: bool
        rootDomainName: 'string'
      }
      licenseType: 'string'
    }
    workloadAutoScalerProfile: {
      keda: {
        enabled: bool
      }
      verticalPodAutoscaler: {
        enabled: bool
      }
    }
  }
  sku: {
    name: 'string'
    tier: 'string'
  }
  tags: {
    {customized property}: 'string'
  }
}

Property Values

Microsoft.ContainerService/managedClusters

Name Description Value
extendedLocation The extended location of the Virtual Machine. ExtendedLocation
identity The identity of the managed cluster, if configured. ManagedClusterIdentity
location The geo-location where the resource lives string (required)
name The resource name string

Constraints:
Min length = 1
Max length = 63
Pattern = ^[a-zA-Z0-9]$|^[a-zA-Z0-9][-_a-zA-Z0-9]{0,61}[a-zA-Z0-9]$ (required)
properties Properties of a managed cluster. ManagedClusterProperties
scope Use when creating a resource at a scope that is different than the deployment scope. Set this property to the symbolic name of a resource to apply the extension resource.
sku The managed cluster SKU. ManagedClusterSKU
tags Resource tags Dictionary of tag names and values. See Tags in templates

AdvancedNetworking

Name Description Value
enabled Indicates the enablement of Advanced Networking functionalities of observability and security on AKS clusters. When this is set to true, all observability and security features will be set to enabled unless explicitly disabled. If not specified, the default is false. bool
observability Observability profile to enable advanced network metrics and flow logs with historical contexts. AdvancedNetworkingObservability
security Security profile to enable security features on cilium based cluster. AdvancedNetworkingSecurity

AdvancedNetworkingObservability

Name Description Value
enabled Indicates the enablement of Advanced Networking observability functionalities on clusters. bool

AdvancedNetworkingSecurity

Name Description Value
enabled This feature allows user to configure network policy based on DNS (FQDN) names. It can be enabled only on cilium based clusters. If not specified, the default is false. bool

AgentPoolGatewayProfile

Name Description Value
publicIPPrefixSize The Gateway agent pool associates one public IPPrefix for each static egress gateway to provide public egress. The size of Public IPPrefix should be selected by the user. Each node in the agent pool is assigned with one IP from the IPPrefix. The IPPrefix size thus serves as a cap on the size of the Gateway agent pool. Due to Azure public IPPrefix size limitation, the valid value range is [28, 31] (/31 = 2 nodes/IPs, /30 = 4 nodes/IPs, /29 = 8 nodes/IPs, /28 = 16 nodes/IPs). The default value is 31. int

Constraints:
Min value = 28
Max value = 31

AgentPoolNetworkProfile

Name Description Value
allowedHostPorts The port ranges that are allowed to access. The specified ranges are allowed to overlap. PortRange[]
applicationSecurityGroups The IDs of the application security groups which agent pool will associate when created. string[]
nodePublicIPTags IPTags of instance-level public IPs. IPTag[]

AgentPoolSecurityProfile

Name Description Value
enableSecureBoot Secure Boot is a feature of Trusted Launch which ensures that only signed operating systems and drivers can boot. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false. bool
enableVTPM vTPM is a Trusted Launch feature for configuring a dedicated secure vault for keys and measurements held locally on the node. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false. bool

AgentPoolStatus

Name Description Value

AgentPoolUpgradeSettings

Name Description Value
drainTimeoutInMinutes The drain timeout for a node. The amount of time (in minutes) to wait on eviction of pods and graceful termination per node. This eviction wait time honors waiting on pod disruption budgets. If this time is exceeded, the upgrade fails. If not specified, the default is 30 minutes. int

Constraints:
Min value = 1
Max value = 1440
maxSurge The maximum number or percentage of nodes that are surged during upgrade. This can either be set to an integer (e.g. '5') or a percentage (e.g. '50%'). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 10%. For more information, including best practices, see: /azure/aks/upgrade-cluster string
maxUnavailable The maximum number or percentage of nodes that can be simultaneously unavailable during upgrade. This can either be set to an integer (e.g. '1') or a percentage (e.g. '5%'). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 0. For more information, including best practices, see: /azure/aks/upgrade-cluster string
nodeSoakDurationInMinutes The soak duration for a node. The amount of time (in minutes) to wait after draining a node and before reimaging it and moving on to next node. If not specified, the default is 0 minutes. int

Constraints:
Min value = 0
Max value = 30
undrainableNodeBehavior Defines the behavior for undrainable nodes during upgrade. The most common cause of undrainable nodes is Pod Disruption Budgets (PDBs), but other issues, such as pod termination grace period is exceeding the remaining per-node drain timeout or pod is still being in a running state, can also cause undrainable nodes. 'Cordon'
'Schedule'

AgentPoolWindowsProfile

Name Description Value
disableOutboundNat Whether to disable OutboundNAT in windows nodes. The default value is false. Outbound NAT can only be disabled if the cluster outboundType is NAT Gateway and the Windows agent pool does not have node public IP enabled. bool

AzureKeyVaultKms

Name Description Value
enabled Whether to enable Azure Key Vault key management service. The default is false. bool
keyId Identifier of Azure Key Vault key. See key identifier format for more details. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier. When Azure Key Vault key management service is disabled, leave the field empty. string
keyVaultNetworkAccess Network access of the key vault. Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public. 'Private'
'Public'
keyVaultResourceId Resource ID of key vault. When keyVaultNetworkAccess is Private, this field is required and must be a valid resource ID. When keyVaultNetworkAccess is Public, leave the field empty. string

ClusterUpgradeSettings

Name Description Value
overrideSettings Settings for overrides. UpgradeOverrideSettings

ContainerServiceLinuxProfile

Name Description Value
adminUsername The administrator username to use for Linux VMs. string

Constraints:
Pattern = ^[A-Za-z][-A-Za-z0-9_]*$ (required)
ssh The SSH configuration for Linux-based VMs running on Azure. ContainerServiceSshConfiguration (required)

ContainerServiceNetworkProfile

Name Description Value
advancedNetworking Advanced Networking profile for enabling observability and security feature suite on a cluster. For more information see aka.ms/aksadvancednetworking. AdvancedNetworking
dnsServiceIP An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. string

Constraints:
Pattern = ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
ipFamilies The IP families used to specify IP versions available to the cluster. IP families are used to determine single-stack or dual-stack clusters. For single-stack, the expected value is IPv4. For dual-stack, the expected values are IPv4 and IPv6. String array containing any of:
'IPv4'
'IPv6'
loadBalancerProfile Profile of the cluster load balancer. ManagedClusterLoadBalancerProfile
loadBalancerSku The load balancer sku for the managed cluster. The default is 'standard'. See Azure Load Balancer SKUs for more information about the differences between load balancer SKUs. 'basic'
'standard'
natGatewayProfile Profile of the cluster NAT gateway. ManagedClusterNATGatewayProfile
networkDataplane Network dataplane used in the Kubernetes cluster. 'azure'
'cilium'
networkMode The network mode Azure CNI is configured with. This cannot be specified if networkPlugin is anything other than 'azure'. 'bridge'
'transparent'
networkPlugin Network plugin used for building the Kubernetes network. 'azure'
'kubenet'
'none'
networkPluginMode The mode the network plugin should use. 'overlay'
networkPolicy Network policy used for building the Kubernetes network. 'azure'
'calico'
'cilium'
'none'
outboundType The outbound (egress) routing method. This can only be set at cluster creation time and cannot be changed later. For more information see egress outbound type. 'loadBalancer'
'managedNATGateway'
'none'
'userAssignedNATGateway'
'userDefinedRouting'
podCidr A CIDR notation IP range from which to assign pod IPs when kubenet is used. string

Constraints:
Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$
podCidrs The CIDR notation IP ranges from which to assign pod IPs. One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking. string[]
serviceCidr A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. string

Constraints:
Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$
serviceCidrs The CIDR notation IP ranges from which to assign service cluster IPs. One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking. They must not overlap with any Subnet IP ranges. string[]
staticEgressGatewayProfile The profile for Static Egress Gateway addon. For more details about Static Egress Gateway, see https://aka.ms/aks/static-egress-gateway. ManagedClusterStaticEgressGatewayProfile

ContainerServiceSshConfiguration

Name Description Value
publicKeys The list of SSH public keys used to authenticate with Linux-based VMs. A maximum of 1 key may be specified. ContainerServiceSshPublicKey[] (required)

ContainerServiceSshPublicKey

Name Description Value
keyData Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers. string (required)

CreationData

Name Description Value
sourceResourceId This is the ARM ID of the source object to be used to create the target object. string

DelegatedResource

Name Description Value
location The source resource location - internal use only. string
referralResource The delegation id of the referral delegation (optional) - internal use only. string
resourceId The ARM resource id of the delegated resource - internal use only. string
tenantId The tenant id of the delegated resource - internal use only. string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$

DelegatedResources

Name Description Value

ExtendedLocation

Name Description Value
name The name of the extended location. string
type The type of the extended location. 'EdgeZone'

GPUProfile

Name Description Value
driver Whether to install GPU drivers. When it's not specified, default is Install. 'Install'
'None'

IPTag

Name Description Value
ipTagType The IP tag type. Example: RoutingPreference. string
tag The value of the IP tag associated with the public IP. Example: Internet. string

IstioCertificateAuthority

Name Description Value
plugin Plugin certificates information for Service Mesh. IstioPluginCertificateAuthority

IstioComponents

Name Description Value
egressGateways Istio egress gateways. IstioEgressGateway[]
ingressGateways Istio ingress gateways. IstioIngressGateway[]

IstioEgressGateway

Name Description Value
enabled Whether to enable the egress gateway. bool (required)

IstioIngressGateway

Name Description Value
enabled Whether to enable the ingress gateway. bool (required)
mode Mode of an ingress gateway. 'External'
'Internal' (required)

IstioPluginCertificateAuthority

Name Description Value
certChainObjectName Certificate chain object name in Azure Key Vault. string
certObjectName Intermediate certificate object name in Azure Key Vault. string
keyObjectName Intermediate certificate private key object name in Azure Key Vault. string
keyVaultId The resource ID of the Key Vault. string
rootCertObjectName Root certificate object name in Azure Key Vault. string

IstioServiceMesh

Name Description Value
certificateAuthority Istio Service Mesh Certificate Authority (CA) configuration. For now, we only support plugin certificates as described here https://aka.ms/asm-plugin-ca IstioCertificateAuthority
components Istio components configuration. IstioComponents
revisions The list of revisions of the Istio control plane. When an upgrade is not in progress, this holds one value. When canary upgrade is in progress, this can only hold two consecutive values. For more information, see: /azure/aks/istio-upgrade string[]

KubeletConfig

Name Description Value
allowedUnsafeSysctls Allowed list of unsafe sysctls or unsafe sysctl patterns (ending in *). string[]
containerLogMaxFiles The maximum number of container log files that can be present for a container. The number must be ≥ 2. int

Constraints:
Min value = 2
containerLogMaxSizeMB The maximum size (e.g. 10Mi) of container log file before it is rotated. int
cpuCfsQuota If CPU CFS quota enforcement is enabled for containers that specify CPU limits. The default is true. bool
cpuCfsQuotaPeriod The CPU CFS quota period value. The default is '100ms.' Valid values are a sequence of decimal numbers with an optional fraction and a unit suffix. For example: '300ms', '2h45m'. Supported units are 'ns', 'us', 'ms', 's', 'm', and 'h'. string
cpuManagerPolicy The CPU Manager policy to use. The default is 'none'. See Kubernetes CPU management policies for more information. Allowed values are 'none' and 'static'. string
failSwapOn If set to true it will make the Kubelet fail to start if swap is enabled on the node. bool
imageGcHighThreshold The percent of disk usage after which image garbage collection is always run. To disable image garbage collection, set to 100. The default is 85% int
imageGcLowThreshold The percent of disk usage before which image garbage collection is never run. This cannot be set higher than imageGcHighThreshold. The default is 80% int
podMaxPids The maximum number of processes per pod. int
topologyManagerPolicy The Topology Manager policy to use. For more information see Kubernetes Topology Manager. The default is 'none'. Allowed values are 'none', 'best-effort', 'restricted', and 'single-numa-node'. string

LinuxOSConfig

Name Description Value
swapFileSizeMB The size in MB of a swap file that will be created on each node. int
sysctls Sysctl settings for Linux agent nodes. SysctlConfig
transparentHugePageDefrag Whether the kernel should make aggressive use of memory compaction to make more hugepages available. Valid values are 'always', 'defer', 'defer+madvise', 'madvise' and 'never'. The default is 'madvise'. For more information see Transparent Hugepages. string
transparentHugePageEnabled Whether transparent hugepages are enabled. Valid values are 'always', 'madvise', and 'never'. The default is 'always'. For more information see Transparent Hugepages. string

ManagedClusterAADProfile

Name Description Value
adminGroupObjectIDs The list of AAD group object IDs that will have admin role of the cluster. string[]
clientAppID (DEPRECATED) The client AAD application ID. Learn more at https://aka.ms/aks/aad-legacy. string
enableAzureRBAC Whether to enable Azure RBAC for Kubernetes authorization. bool
managed Whether to enable managed AAD. bool
serverAppID (DEPRECATED) The server AAD application ID. Learn more at https://aka.ms/aks/aad-legacy. string
serverAppSecret (DEPRECATED) The server AAD application secret. Learn more at https://aka.ms/aks/aad-legacy. string
tenantID The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription. string

ManagedClusterAddonProfile

Name Description Value
config Key-value pairs for configuring an add-on. ManagedClusterAddonProfileConfig
enabled Whether the add-on is enabled or not. bool (required)

ManagedClusterAddonProfileConfig

Name Description Value

ManagedClusterAgentPoolProfile

Name Description Value
availabilityZones The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is 'VirtualMachineScaleSets'. string[]
capacityReservationGroupID AKS will associate the specified agent pool with the Capacity Reservation Group. string
count Number of agents (VMs) to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1. int
creationData CreationData to be used to specify the source Snapshot ID if the node pool will be created/upgraded using a snapshot. CreationData
enableAutoScaling Whether to enable auto-scaler bool
enableEncryptionAtHost Whether to enable host based OS and data drive encryption. This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption bool
enableFIPS Whether to use a FIPS-enabled OS. See Add a FIPS-enabled node pool for more details. bool
enableNodePublicIP Whether each node is allocated its own public IP. Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node. The default is false. bool
enableUltraSSD Whether to enable UltraSSD bool
gatewayProfile Profile specific to a managed agent pool in Gateway mode. This field cannot be set if agent pool mode is not Gateway. AgentPoolGatewayProfile
gpuInstanceProfile GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. 'MIG1g'
'MIG2g'
'MIG3g'
'MIG4g'
'MIG7g'
gpuProfile GPU settings for the Agent Pool. GPUProfile
hostGroupID The fully qualified resource ID of the Dedicated Host Group to provision virtual machines from, used only in creation scenario and not allowed to changed once set. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/hostGroups/{hostGroupName}. For more information see Azure dedicated hosts. string
kubeletConfig The Kubelet configuration on the agent pool nodes. KubeletConfig
kubeletDiskType Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. 'OS'
'Temporary'
linuxOSConfig The OS configuration of Linux agent nodes. LinuxOSConfig
maxCount The maximum number of nodes for auto-scaling int
maxPods The maximum number of pods that can run on a node. int
messageOfTheDay Message of the day for Linux nodes, base64-encoded. A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of the message of the day for Linux nodes. It must not be specified for Windows nodes. It must be a static string (i.e., will be printed raw and not be executed as a script). string
minCount The minimum number of nodes for auto-scaling int
mode The mode of an agent pool. A cluster must have at least one 'System' Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: /azure/aks/use-system-pools 'Gateway'
'System'
'User'
name Unique name of the agent pool profile in the context of the subscription and resource group. Windows agent pool names must be 6 characters or less. string

Constraints:
Pattern = ^[a-z][a-z0-9]{0,11}$ (required)
networkProfile Network-related settings of an agent pool. AgentPoolNetworkProfile
nodeLabels The node labels to be persisted across all nodes in agent pool. ManagedClusterAgentPoolProfilePropertiesNodeLabels
nodePublicIPPrefixID The public IP prefix ID which VM nodes should use IPs from. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPPrefixes/{publicIPPrefixName} string
nodeTaints The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. string[]
orchestratorVersion The version of Kubernetes specified by the user. Both patch version <major.minor.patch> (e.g. 1.20.13) and <major.minor> (e.g. 1.20) are supported. When <major.minor> is specified, the latest supported GA patch version is chosen automatically. Updating the cluster with the same <major.minor> once it has been created (e.g. 1.14.x -> 1.14) will not trigger an upgrade, even if a newer patch version is available. As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool. string
osDiskSizeGB OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. int

Constraints:
Min value = 0
Max value = 2048
osDiskType The OS disk type to be used for machines in the agent pool. The default is 'Ephemeral' if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. For more information see Ephemeral OS. 'Ephemeral'
'Managed'
osSKU Specifies the OS SKU used by the agent pool. The default is Ubuntu if OSType is Linux. The default is Windows2019 when Kubernetes <= 1.24 or Windows2022 when Kubernetes >= 1.25 if OSType is Windows. 'AzureLinux'
'CBLMariner'
'Ubuntu'
'Ubuntu2204'
'Windows2019'
'Windows2022'
osType The operating system type. The default is Linux. 'Linux'
'Windows'
podIPAllocationMode Pod IP Allocation Mode. The IP allocation mode for pods in the agent pool. Must be used with podSubnetId. The default is 'DynamicIndividual'. 'DynamicIndividual'
'StaticBlock'
podSubnetID The ID of the subnet which pods will join when launched. If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} string
powerState Whether the Agent Pool is running or stopped. When an Agent Pool is first created it is initially Running. The Agent Pool can be stopped by setting this field to Stopped. A stopped Agent Pool stops all of its VMs and does not accrue billing charges. An Agent Pool can only be stopped if it is Running and provisioning state is Succeeded PowerState
proximityPlacementGroupID The ID for Proximity Placement Group. string
scaleDownMode The scale down mode to use when scaling the Agent Pool. This also effects the cluster autoscaler behavior. If not specified, it defaults to Delete. 'Deallocate'
'Delete'
scaleSetEvictionPolicy The Virtual Machine Scale Set eviction policy to use. This cannot be specified unless the scaleSetPriority is 'Spot'. If not specified, the default is 'Delete'. 'Deallocate'
'Delete'
scaleSetPriority The Virtual Machine Scale Set priority. If not specified, the default is 'Regular'. 'Regular'
'Spot'
securityProfile The security settings of an agent pool. AgentPoolSecurityProfile
spotMaxPrice The max price (in US Dollars) you are willing to pay for spot instances. Possible values are any decimal value greater than zero or -1 which indicates default price to be up-to on-demand. Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing int
status Contains read-only information about the Agent Pool. AgentPoolStatus
tags The tags to be persisted on the agent pool virtual machine scale set. ManagedClusterAgentPoolProfilePropertiesTags
type The type of Agent Pool. 'AvailabilitySet'
'VirtualMachines'
'VirtualMachineScaleSets'
upgradeSettings Settings for upgrading the agentpool AgentPoolUpgradeSettings
virtualMachineNodesStatus The status of nodes in a VirtualMachines agent pool. VirtualMachineNodes[]
virtualMachinesProfile Specifications on VirtualMachines agent pool. VirtualMachinesProfile
vmSize The size of the agent pool VMs. VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: /azure/aks/quotas-skus-regions string
vnetSubnetID The ID of the subnet which agent pool nodes and optionally pods will join on startup. If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} string
windowsProfile The Windows agent pool's specific profile. AgentPoolWindowsProfile
workloadRuntime Determines the type of workload a node can run. 'OCIContainer'
'WasmWasi'

ManagedClusterAgentPoolProfilePropertiesNodeLabels

Name Description Value

ManagedClusterAgentPoolProfilePropertiesTags

Name Description Value

ManagedClusterAIToolchainOperatorProfile

Name Description Value
enabled Whether to enable AI toolchain operator to the cluster. Indicates if AI toolchain operator enabled or not. bool

ManagedClusterAPIServerAccessProfile

Name Description Value
authorizedIPRanges The IP ranges authorized to access the Kubernetes API server. IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. For more information see API server authorized IP ranges. string[]
disableRunCommand Whether to disable run command for the cluster or not. bool
enablePrivateCluster Whether to create the cluster as a private cluster or not. For more details, see Creating a private AKS cluster. bool
enablePrivateClusterPublicFQDN Whether to create additional public FQDN for private cluster or not. bool
enableVnetIntegration Whether to enable apiserver vnet integration for the cluster or not. See aka.ms/AksVnetIntegration for more details. bool
privateDNSZone The private DNS zone mode for the cluster. The default is System. For more details see configure private DNS zone. Allowed values are 'system' and 'none'. string
subnetId The subnet to be used when apiserver vnet integration is enabled. It is required when creating a new cluster with BYO Vnet, or when updating an existing cluster to enable apiserver vnet integration. string

ManagedClusterAutoUpgradeProfile

Name Description Value
nodeOSUpgradeChannel Node OS Upgrade Channel. Manner in which the OS on your nodes is updated. The default is NodeImage. 'NodeImage'
'None'
'SecurityPatch'
'Unmanaged'
upgradeChannel The upgrade channel for auto upgrade. The default is 'none'. For more information see setting the AKS cluster auto-upgrade channel. 'node-image'
'none'
'patch'
'rapid'
'stable'

ManagedClusterAzureMonitorProfile

Name Description Value
metrics Metrics profile for the Azure Monitor managed service for Prometheus addon. Collect out-of-the-box Kubernetes infrastructure metrics to send to an Azure Monitor Workspace and configure additional scraping for custom targets. See aka.ms/AzureManagedPrometheus for an overview. ManagedClusterAzureMonitorProfileMetrics

ManagedClusterAzureMonitorProfileKubeStateMetrics

Name Description Value
metricAnnotationsAllowList Comma-separated list of Kubernetes annotation keys that will be used in the resource's labels metric (Example: 'namespaces=[kubernetes.io/team,...],pods=[kubernetes.io/team],...'). By default the metric contains only resource name and namespace labels. string
metricLabelsAllowlist Comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric (Example: 'namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...'). By default the metric contains only resource name and namespace labels. string

ManagedClusterAzureMonitorProfileMetrics

Name Description Value
enabled Whether to enable or disable the Azure Managed Prometheus addon for Prometheus monitoring. See aka.ms/AzureManagedPrometheus-aks-enable for details on enabling and disabling. bool (required)
kubeStateMetrics Kube State Metrics profile for the Azure Managed Prometheus addon. These optional settings are for the kube-state-metrics pod that is deployed with the addon. See aka.ms/AzureManagedPrometheus-optional-parameters for details. ManagedClusterAzureMonitorProfileKubeStateMetrics

ManagedClusterBootstrapProfile

Name Description Value
artifactSource The artifact source. The source where the artifacts are downloaded from. 'Cache'
'Direct'
containerRegistryId The resource Id of Azure Container Registry. The registry must have private network access, premium SKU and zone redundancy. string

ManagedClusterCostAnalysis

Name Description Value
enabled Whether to enable cost analysis. The Managed Cluster sku.tier must be set to 'Standard' or 'Premium' to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. If not specified, the default is false. For more information see aka.ms/aks/docs/cost-analysis. bool

ManagedClusterHttpProxyConfig

Name Description Value
httpProxy The HTTP proxy server endpoint to use. string
httpsProxy The HTTPS proxy server endpoint to use. string
noProxy The endpoints that should not go through proxy. string[]
trustedCa Alternative CA cert to use for connecting to proxy servers. string

ManagedClusterIdentity

Name Description Value
delegatedResources The delegated identity resources assigned to this managed cluster. This can only be set by another Azure Resource Provider, and managed cluster only accept one delegated identity resource. Internal use only. DelegatedResources
type The type of identity used for the managed cluster. For more information see use managed identities in AKS. 'None'
'SystemAssigned'
'UserAssigned'
userAssignedIdentities The user identity associated with the managed cluster. This identity will be used in control plane. Only one user assigned identity is allowed. The keys must be ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. ManagedClusterIdentityUserAssignedIdentities

ManagedClusterIdentityUserAssignedIdentities

Name Description Value

ManagedClusterIngressProfile

Name Description Value
webAppRouting App Routing settings for the ingress profile. You can find an overview and onboarding guide for this feature at /azure/aks/app-routing?tabs=default%2Cdeploy-app-default. ManagedClusterIngressProfileWebAppRouting

ManagedClusterIngressProfileNginx

Name Description Value
defaultIngressControllerType Ingress type for the default NginxIngressController custom resource 'AnnotationControlled'
'External'
'Internal'
'None'

ManagedClusterIngressProfileWebAppRouting

Name Description Value
dnsZoneResourceIds Resource IDs of the DNS zones to be associated with the Application Routing add-on. Used only when Application Routing add-on is enabled. Public and private DNS zones can be in different resource groups, but all public DNS zones must be in the same resource group and all private DNS zones must be in the same resource group. string[]
enabled Whether to enable the Application Routing add-on. bool
nginx Configuration for the default NginxIngressController. See more at /azure/aks/app-routing-nginx-configuration#the-default-nginx-ingress-controller. ManagedClusterIngressProfileNginx

ManagedClusterLoadBalancerProfile

Name Description Value
allocatedOutboundPorts The desired number of allocated SNAT ports per VM. Allowed values are in the range of 0 to 64000 (inclusive). The default value is 0 which results in Azure dynamically allocating ports. int

Constraints:
Min value = 0
Max value = 64000
backendPoolType The type of the managed inbound Load Balancer BackendPool. 'NodeIP'
'NodeIPConfiguration'
enableMultipleStandardLoadBalancers Enable multiple standard load balancers per AKS cluster or not. bool
idleTimeoutInMinutes Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 30 minutes. int

Constraints:
Min value = 4
Max value = 120
managedOutboundIPs Desired managed outbound IPs for the cluster load balancer. ManagedClusterLoadBalancerProfileManagedOutboundIPs
outboundIPPrefixes Desired outbound IP Prefix resources for the cluster load balancer. ManagedClusterLoadBalancerProfileOutboundIPPrefixes
outboundIPs Desired outbound IP resources for the cluster load balancer. ManagedClusterLoadBalancerProfileOutboundIPs

ManagedClusterLoadBalancerProfileManagedOutboundIPs

Name Description Value
count The desired number of IPv4 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1. int

Constraints:
Min value = 1
Max value = 100
countIPv6 The desired number of IPv6 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack. int

Constraints:
Min value = 0
Max value = 100

ManagedClusterLoadBalancerProfileOutboundIPPrefixes

Name Description Value
publicIPPrefixes A list of public IP prefix resources. ResourceReference[]

ManagedClusterLoadBalancerProfileOutboundIPs

Name Description Value
publicIPs A list of public IP resources. ResourceReference[]

ManagedClusterManagedOutboundIPProfile

Name Description Value
count The desired number of outbound IPs created/managed by Azure. Allowed values must be in the range of 1 to 16 (inclusive). The default value is 1. int

Constraints:
Min value = 1
Max value = 16

ManagedClusterMetricsProfile

Name Description Value
costAnalysis The configuration for detailed per-Kubernetes resource cost analysis. ManagedClusterCostAnalysis

ManagedClusterNATGatewayProfile

Name Description Value
idleTimeoutInMinutes Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 4 minutes. int

Constraints:
Min value = 4
Max value = 120
managedOutboundIPProfile Profile of the managed outbound IP resources of the cluster NAT gateway. ManagedClusterManagedOutboundIPProfile

ManagedClusterNodeProvisioningProfile

Name Description Value
defaultNodePools The set of default Karpenter NodePools (CRDs) configured for node provisioning. This field has no effect unless mode is 'Auto'. Warning: Changing this from Auto to None on an existing cluster will cause the default Karpenter NodePools to be deleted, which will drain and delete the nodes associated with those pools. It is strongly recommended to not do this unless there are idle nodes ready to take the pods evicted by that action. If not specified, the default is Auto. For more information see aka.ms/aks/nap#node-pools. 'Auto'
'None'
mode The node provisioning mode. If not specified, the default is Manual. 'Auto'
'Manual'

ManagedClusterNodeResourceGroupProfile

Name Description Value
restrictionLevel The restriction level applied to the cluster's node resource group. If not specified, the default is 'Unrestricted' 'ReadOnly'
'Unrestricted'

ManagedClusterOidcIssuerProfile

Name Description Value
enabled Whether the OIDC issuer is enabled. bool

ManagedClusterPodIdentity

Name Description Value
bindingSelector The binding selector to use for the AzureIdentityBinding resource. string
identity The user assigned identity details. UserAssignedIdentity (required)
name The name of the pod identity. string (required)
namespace The namespace of the pod identity. string (required)

ManagedClusterPodIdentityException

Name Description Value
name The name of the pod identity exception. string (required)
namespace The namespace of the pod identity exception. string (required)
podLabels The pod labels to match. ManagedClusterPodIdentityExceptionPodLabels (required)

ManagedClusterPodIdentityExceptionPodLabels

Name Description Value

ManagedClusterPodIdentityProfile

Name Description Value
allowNetworkPluginKubenet Whether pod identity is allowed to run on clusters with Kubenet networking. Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing. See using Kubenet network plugin with AAD Pod Identity for more information. bool
enabled Whether the pod identity addon is enabled. bool
userAssignedIdentities The pod identities to use in the cluster. ManagedClusterPodIdentity[]
userAssignedIdentityExceptions The pod identity exceptions to allow. ManagedClusterPodIdentityException[]

ManagedClusterProperties

Name Description Value
aadProfile The Azure Active Directory configuration. ManagedClusterAADProfile
addonProfiles The profile of managed cluster add-on. ManagedClusterPropertiesAddonProfiles
agentPoolProfiles The agent pool properties. ManagedClusterAgentPoolProfile[]
aiToolchainOperatorProfile AI toolchain operator settings that apply to the whole cluster. ManagedClusterAIToolchainOperatorProfile
apiServerAccessProfile The access profile for managed cluster API server. ManagedClusterAPIServerAccessProfile
autoScalerProfile Parameters to be applied to the cluster-autoscaler when enabled ManagedClusterPropertiesAutoScalerProfile
autoUpgradeProfile The auto upgrade configuration. ManagedClusterAutoUpgradeProfile
azureMonitorProfile Azure Monitor addon profiles for monitoring the managed cluster. ManagedClusterAzureMonitorProfile
bootstrapProfile Profile of the cluster bootstrap configuration. ManagedClusterBootstrapProfile
disableLocalAccounts If local accounts should be disabled on the Managed Cluster. If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. For more details see disable local accounts. bool
diskEncryptionSetID The Resource ID of the disk encryption set to use for enabling encryption at rest. This is of the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/diskEncryptionSets/{encryptionSetName}' string
dnsPrefix The DNS prefix of the Managed Cluster. This cannot be updated once the Managed Cluster has been created. string
enableRBAC Whether to enable Kubernetes Role-Based Access Control. bool
fqdnSubdomain The FQDN subdomain of the private cluster with custom private dns zone. This cannot be updated once the Managed Cluster has been created. string
httpProxyConfig Configurations for provisioning the cluster with HTTP proxy servers. ManagedClusterHttpProxyConfig
identityProfile The user identity associated with the managed cluster. This identity will be used by the kubelet. Only one user assigned identity is allowed. The only accepted key is "kubeletidentity", with value of "resourceId": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}". ManagedClusterPropertiesIdentityProfile
ingressProfile Ingress profile for the managed cluster. ManagedClusterIngressProfile
kubernetesVersion The version of Kubernetes specified by the user. Both patch version <major.minor.patch> (e.g. 1.20.13) and <major.minor> (e.g. 1.20) are supported. When <major.minor> is specified, the latest supported GA patch version is chosen automatically. Updating the cluster with the same <major.minor> once it has been created (e.g. 1.14.x -> 1.14) will not trigger an upgrade, even if a newer patch version is available. When you upgrade a supported AKS cluster, Kubernetes minor versions cannot be skipped. All upgrades must be performed sequentially by major version number. For example, upgrades between 1.14.x -> 1.15.x or 1.15.x -> 1.16.x are allowed, however 1.14.x -> 1.16.x is not allowed. See upgrading an AKS cluster for more details. string
linuxProfile The profile for Linux VMs in the Managed Cluster. ContainerServiceLinuxProfile
metricsProfile Optional cluster metrics configuration. ManagedClusterMetricsProfile
networkProfile The network configuration profile. ContainerServiceNetworkProfile
nodeProvisioningProfile Node provisioning settings that apply to the whole cluster. ManagedClusterNodeProvisioningProfile
nodeResourceGroup The name of the resource group containing agent pool nodes. string
nodeResourceGroupProfile Profile of the node resource group configuration. ManagedClusterNodeResourceGroupProfile
oidcIssuerProfile The OIDC issuer profile of the Managed Cluster. ManagedClusterOidcIssuerProfile
podIdentityProfile The pod identity profile of the Managed Cluster. See use AAD pod identity for more details on AAD pod identity integration. ManagedClusterPodIdentityProfile
privateLinkResources Private link resources associated with the cluster. PrivateLinkResource[]
publicNetworkAccess PublicNetworkAccess of the managedCluster. Allow or deny public network access for AKS 'Disabled'
'Enabled'
securityProfile Security profile for the managed cluster. ManagedClusterSecurityProfile
serviceMeshProfile Service mesh profile for a managed cluster. ServiceMeshProfile
servicePrincipalProfile Information about a service principal identity for the cluster to use for manipulating Azure APIs. ManagedClusterServicePrincipalProfile
status Contains read-only information about the Managed Cluster. ManagedClusterStatus
storageProfile Storage profile for the managed cluster. ManagedClusterStorageProfile
supportPlan The support plan for the Managed Cluster. If unspecified, the default is 'KubernetesOfficial'. 'AKSLongTermSupport'
'KubernetesOfficial'
upgradeSettings Settings for upgrading a cluster. ClusterUpgradeSettings
windowsProfile The profile for Windows VMs in the Managed Cluster. ManagedClusterWindowsProfile
workloadAutoScalerProfile Workload Auto-scaler profile for the managed cluster. ManagedClusterWorkloadAutoScalerProfile

ManagedClusterPropertiesAddonProfiles

Name Description Value

ManagedClusterPropertiesAutoScalerProfile

Name Description Value
balance-similar-node-groups Detects similar node pools and balances the number of nodes between them. Valid values are 'true' and 'false' string
daemonset-eviction-for-empty-nodes DaemonSet pods will be gracefully terminated from empty nodes. If set to true, all daemonset pods on empty nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted. bool
daemonset-eviction-for-occupied-nodes DaemonSet pods will be gracefully terminated from non-empty nodes. If set to true, all daemonset pods on occupied nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted. bool
expander The expander to use when scaling up. If not specified, the default is 'random'. See expanders for more information. 'least-waste'
'most-pods'
'priority'
'random'
ignore-daemonsets-utilization Should CA ignore DaemonSet pods when calculating resource utilization for scaling down. If set to true, the resources used by daemonset will be taken into account when making scaling down decisions. bool
max-empty-bulk-delete The maximum number of empty nodes that can be deleted at the same time. This must be a positive integer. The default is 10. string
max-graceful-termination-sec The maximum number of seconds the cluster autoscaler waits for pod termination when trying to scale down a node. The default is 600. string
max-node-provision-time The maximum time the autoscaler waits for a node to be provisioned. The default is '15m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
max-total-unready-percentage The maximum percentage of unready nodes in the cluster. After this percentage is exceeded, cluster autoscaler halts operations. The default is 45. The maximum is 100 and the minimum is 0. string
new-pod-scale-up-delay Ignore unscheduled pods before they're a certain age. For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. The default is '0s'. Values must be an integer followed by a unit ('s' for seconds, 'm' for minutes, 'h' for hours, etc). string
ok-total-unready-count The number of allowed unready nodes, irrespective of max-total-unready-percentage. This must be an integer. The default is 3. string
scale-down-delay-after-add How long after scale up that scale down evaluation resumes. The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
scale-down-delay-after-delete How long after node deletion that scale down evaluation resumes. The default is the scan-interval. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
scale-down-delay-after-failure How long after scale down failure that scale down evaluation resumes. The default is '3m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
scale-down-unneeded-time How long a node should be unneeded before it is eligible for scale down. The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
scale-down-unready-time How long an unready node should be unneeded before it is eligible for scale down. The default is '20m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
scale-down-utilization-threshold Node utilization level, defined as sum of requested resources divided by capacity, below which a node can be considered for scale down. The default is '0.5'. string
scan-interval How often cluster is reevaluated for scale up or down. The default is '10'. Values must be an integer number of seconds. string
skip-nodes-with-local-storage If cluster autoscaler will skip deleting nodes with pods with local storage, for example, EmptyDir or HostPath. The default is true. string
skip-nodes-with-system-pods If cluster autoscaler will skip deleting nodes with pods from kube-system (except for DaemonSet or mirror pods). The default is true. string

ManagedClusterPropertiesIdentityProfile

Name Description Value

ManagedClusterSecurityProfile

Name Description Value
azureKeyVaultKms Azure Key Vault key management service settings for the security profile. AzureKeyVaultKms
customCATrustCertificates A list of up to 10 base64 encoded CAs that will be added to the trust store on all nodes in the cluster. For more information see Custom CA Trust Certificates. any[]
defender Microsoft Defender settings for the security profile. ManagedClusterSecurityProfileDefender
imageCleaner Image Cleaner settings for the security profile. ManagedClusterSecurityProfileImageCleaner
workloadIdentity Workload identity settings for the security profile. Workload identity enables Kubernetes applications to access Azure cloud resources securely with Azure AD. See https://aka.ms/aks/wi for more details. ManagedClusterSecurityProfileWorkloadIdentity

ManagedClusterSecurityProfileDefender

Name Description Value
logAnalyticsWorkspaceResourceId Resource ID of the Log Analytics workspace to be associated with Microsoft Defender. When Microsoft Defender is enabled, this field is required and must be a valid workspace resource ID. When Microsoft Defender is disabled, leave the field empty. string
securityMonitoring Microsoft Defender threat detection for Cloud settings for the security profile. ManagedClusterSecurityProfileDefenderSecurityMonitoring

ManagedClusterSecurityProfileDefenderSecurityMonitoring

Name Description Value
enabled Whether to enable Defender threat detection bool

ManagedClusterSecurityProfileImageCleaner

Name Description Value
enabled Whether to enable Image Cleaner on AKS cluster. bool
intervalHours Image Cleaner scanning interval in hours. int

ManagedClusterSecurityProfileWorkloadIdentity

Name Description Value
enabled Whether to enable workload identity. bool

ManagedClusterServicePrincipalProfile

Name Description Value
clientId The ID for the service principal. string (required)
secret The secret password associated with the service principal in plain text. string

ManagedClusterSKU

Name Description Value
name The name of a managed cluster SKU. 'Base'
tier The tier of a managed cluster SKU. If not specified, the default is 'Free'. See AKS Pricing Tier for more details. 'Free'
'Premium'
'Standard'

ManagedClusterStaticEgressGatewayProfile

Name Description Value
enabled Enable Static Egress Gateway addon. Indicates if Static Egress Gateway addon is enabled or not. bool

ManagedClusterStatus

Name Description Value

ManagedClusterStorageProfile

Name Description Value
blobCSIDriver AzureBlob CSI Driver settings for the storage profile. ManagedClusterStorageProfileBlobCSIDriver
diskCSIDriver AzureDisk CSI Driver settings for the storage profile. ManagedClusterStorageProfileDiskCSIDriver
fileCSIDriver AzureFile CSI Driver settings for the storage profile. ManagedClusterStorageProfileFileCSIDriver
snapshotController Snapshot Controller settings for the storage profile. ManagedClusterStorageProfileSnapshotController

ManagedClusterStorageProfileBlobCSIDriver

Name Description Value
enabled Whether to enable AzureBlob CSI Driver. The default value is false. bool

ManagedClusterStorageProfileDiskCSIDriver

Name Description Value
enabled Whether to enable AzureDisk CSI Driver. The default value is true. bool

ManagedClusterStorageProfileFileCSIDriver

Name Description Value
enabled Whether to enable AzureFile CSI Driver. The default value is true. bool

ManagedClusterStorageProfileSnapshotController

Name Description Value
enabled Whether to enable Snapshot Controller. The default value is true. bool

ManagedClusterWindowsProfile

Name Description Value
adminPassword Specifies the password of the administrator account.

Minimum-length: 8 characters

Max-length: 123 characters

Complexity requirements: 3 out of 4 conditions below need to be fulfilled
Has lower characters
Has upper characters
Has a digit
Has a special character (Regex match [\W_])

Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!"
string
adminUsername Specifies the name of the administrator account.

Restriction: Cannot end in "."

Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5".

Minimum-length: 1 character

Max-length: 20 characters
string (required)
enableCSIProxy Whether to enable CSI proxy. For more details on CSI proxy, see the CSI proxy GitHub repo. bool
gmsaProfile The Windows gMSA Profile in the Managed Cluster. WindowsGmsaProfile
licenseType The license type to use for Windows VMs. See Azure Hybrid User Benefits for more details. 'None'
'Windows_Server'

ManagedClusterWorkloadAutoScalerProfile

Name Description Value
keda KEDA (Kubernetes Event-driven Autoscaling) settings for the workload auto-scaler profile. ManagedClusterWorkloadAutoScalerProfileKeda
verticalPodAutoscaler VPA (Vertical Pod Autoscaler) settings for the workload auto-scaler profile. ManagedClusterWorkloadAutoScalerProfileVerticalPodAutoscaler

ManagedClusterWorkloadAutoScalerProfileKeda

Name Description Value
enabled Whether to enable KEDA. bool (required)

ManagedClusterWorkloadAutoScalerProfileVerticalPodAutoscaler

Name Description Value
enabled Whether to enable VPA. Default value is false. bool (required)

ManagedServiceIdentityUserAssignedIdentitiesValue

Name Description Value

ManualScaleProfile

Name Description Value
count Number of nodes. int
size VM size that AKS will use when creating and scaling e.g. 'Standard_E4s_v3', 'Standard_E16s_v3' or 'Standard_D16s_v5'. string

PortRange

Name Description Value
portEnd The maximum port that is included in the range. It should be ranged from 1 to 65535, and be greater than or equal to portStart. int

Constraints:
Min value = 1
Max value = 65535
portStart The minimum port that is included in the range. It should be ranged from 1 to 65535, and be less than or equal to portEnd. int

Constraints:
Min value = 1
Max value = 65535
protocol The network protocol of the port. 'TCP'
'UDP'

PowerState

Name Description Value
code Tells whether the cluster is Running or Stopped 'Running'
'Stopped'

PrivateLinkResource

Name Description Value
groupId The group ID of the resource. string
id The ID of the private link resource. string
name The name of the private link resource. string
requiredMembers The RequiredMembers of the resource string[]
type The resource type. string

ResourceReference

Name Description Value
id The fully qualified Azure resource id. string

ScaleProfile

Name Description Value
manual Specifications on how to scale the VirtualMachines agent pool to a fixed size. ManualScaleProfile[]

ServiceMeshProfile

Name Description Value
istio Istio service mesh configuration. IstioServiceMesh
mode Mode of the service mesh. 'Disabled'
'Istio' (required)

SysctlConfig

Name Description Value
fsAioMaxNr Sysctl setting fs.aio-max-nr. int
fsFileMax Sysctl setting fs.file-max. int
fsInotifyMaxUserWatches Sysctl setting fs.inotify.max_user_watches. int
fsNrOpen Sysctl setting fs.nr_open. int
kernelThreadsMax Sysctl setting kernel.threads-max. int
netCoreNetdevMaxBacklog Sysctl setting net.core.netdev_max_backlog. int
netCoreOptmemMax Sysctl setting net.core.optmem_max. int
netCoreRmemDefault Sysctl setting net.core.rmem_default. int
netCoreRmemMax Sysctl setting net.core.rmem_max. int
netCoreSomaxconn Sysctl setting net.core.somaxconn. int
netCoreWmemDefault Sysctl setting net.core.wmem_default. int
netCoreWmemMax Sysctl setting net.core.wmem_max. int
netIpv4IpLocalPortRange Sysctl setting net.ipv4.ip_local_port_range. string
netIpv4NeighDefaultGcThresh1 Sysctl setting net.ipv4.neigh.default.gc_thresh1. int
netIpv4NeighDefaultGcThresh2 Sysctl setting net.ipv4.neigh.default.gc_thresh2. int
netIpv4NeighDefaultGcThresh3 Sysctl setting net.ipv4.neigh.default.gc_thresh3. int
netIpv4TcpFinTimeout Sysctl setting net.ipv4.tcp_fin_timeout. int
netIpv4TcpkeepaliveIntvl Sysctl setting net.ipv4.tcp_keepalive_intvl. int

Constraints:
Min value = 10
Max value = 90
netIpv4TcpKeepaliveProbes Sysctl setting net.ipv4.tcp_keepalive_probes. int
netIpv4TcpKeepaliveTime Sysctl setting net.ipv4.tcp_keepalive_time. int
netIpv4TcpMaxSynBacklog Sysctl setting net.ipv4.tcp_max_syn_backlog. int
netIpv4TcpMaxTwBuckets Sysctl setting net.ipv4.tcp_max_tw_buckets. int
netIpv4TcpTwReuse Sysctl setting net.ipv4.tcp_tw_reuse. bool
netNetfilterNfConntrackBuckets Sysctl setting net.netfilter.nf_conntrack_buckets. int

Constraints:
Min value = 65536
Max value = 524288
netNetfilterNfConntrackMax Sysctl setting net.netfilter.nf_conntrack_max. int

Constraints:
Min value = 131072
Max value = 2097152
vmMaxMapCount Sysctl setting vm.max_map_count. int
vmSwappiness Sysctl setting vm.swappiness. int
vmVfsCachePressure Sysctl setting vm.vfs_cache_pressure. int

TrackedResourceTags

Name Description Value

UpgradeOverrideSettings

Name Description Value
forceUpgrade Whether to force upgrade the cluster. Note that this option instructs upgrade operation to bypass upgrade protections such as checking for deprecated API usage. Enable this option only with caution. bool
until Until when the overrides are effective. Note that this only matches the start time of an upgrade, and the effectiveness won't change once an upgrade starts even if the until expires as upgrade proceeds. This field is not set by default. It must be set for the overrides to take effect. string

UserAssignedIdentity

Name Description Value
clientId The client ID of the user assigned identity. string
objectId The object ID of the user assigned identity. string
resourceId The resource ID of the user assigned identity. string

VirtualMachineNodes

Name Description Value
count Number of nodes. int
size The VM size of the agents used to host this group of nodes. string

VirtualMachinesProfile

Name Description Value
scale Specifications on how to scale a VirtualMachines agent pool. ScaleProfile

WindowsGmsaProfile

Name Description Value
dnsServer Specifies the DNS server for Windows gMSA.

Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster.
string
enabled Whether to enable Windows gMSA. Specifies whether to enable Windows gMSA in the managed cluster. bool
rootDomainName Specifies the root domain name for Windows gMSA.

Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster.
string

Usage Examples

Azure Verified Modules

The following Azure Verified Modules can be used to deploy this resource type.

Module Description
Azure Kubernetes Service (AKS) Managed Cluster AVM Resource Module for Azure Kubernetes Service (AKS) Managed Cluster

Azure Quickstart Samples

The following Azure Quickstart templates contain Bicep samples for deploying this resource type.

Bicep File Description
AKS Cluster with a NAT Gateway and an Application Gateway This sample shows how to a deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections.
AKS cluster with the Application Gateway Ingress Controller This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault
Azure Container Service (AKS) Deploy a managed cluster with Azure Container Service (AKS) using Azure Linux container hosts
Azure Container Service (AKS) Deploy a managed cluster with Azure Container Service (AKS)
Azure Container Service (AKS) with Helm Deploy a managed cluster with Azure Container Service (AKS) with Helm
Azure Kubernetes Service (AKS) Deploys a managed Kubernetes cluster via Azure Kubernetes Service (AKS)
Azure Machine Learning end-to-end secure setup This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster.
Azure Machine Learning end-to-end secure setup (legacy) This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster.
Create a Private AKS Cluster This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine.
Create AKS with Prometheus and Grafana with privae link This will create an Azure grafana, AKS and install Prometheus, an open-source monitoring and alerting toolkit, on an Azure Kubernetes Service (AKS) cluster. Then you use Azure Managed Grafana's managed private endpoint to connect to this Prometheus server and display the Prometheus data in a Grafana dashboard

ARM template resource definition

The managedClusters resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.ContainerService/managedClusters resource, add the following JSON to your template.

{
  "type": "Microsoft.ContainerService/managedClusters",
  "apiVersion": "2025-05-01",
  "name": "string",
  "extendedLocation": {
    "name": "string",
    "type": "string"
  },
  "identity": {
    "delegatedResources": {
      "{customized property}": {
        "location": "string",
        "referralResource": "string",
        "resourceId": "string",
        "tenantId": "string"
      }
    },
    "type": "string",
    "userAssignedIdentities": {
      "{customized property}": {
      }
    }
  },
  "location": "string",
  "properties": {
    "aadProfile": {
      "adminGroupObjectIDs": [ "string" ],
      "clientAppID": "string",
      "enableAzureRBAC": "bool",
      "managed": "bool",
      "serverAppID": "string",
      "serverAppSecret": "string",
      "tenantID": "string"
    },
    "addonProfiles": {
      "{customized property}": {
        "config": {
          "{customized property}": "string"
        },
        "enabled": "bool"
      }
    },
    "agentPoolProfiles": [
      {
        "availabilityZones": [ "string" ],
        "capacityReservationGroupID": "string",
        "count": "int",
        "creationData": {
          "sourceResourceId": "string"
        },
        "enableAutoScaling": "bool",
        "enableEncryptionAtHost": "bool",
        "enableFIPS": "bool",
        "enableNodePublicIP": "bool",
        "enableUltraSSD": "bool",
        "gatewayProfile": {
          "publicIPPrefixSize": "int"
        },
        "gpuInstanceProfile": "string",
        "gpuProfile": {
          "driver": "string"
        },
        "hostGroupID": "string",
        "kubeletConfig": {
          "allowedUnsafeSysctls": [ "string" ],
          "containerLogMaxFiles": "int",
          "containerLogMaxSizeMB": "int",
          "cpuCfsQuota": "bool",
          "cpuCfsQuotaPeriod": "string",
          "cpuManagerPolicy": "string",
          "failSwapOn": "bool",
          "imageGcHighThreshold": "int",
          "imageGcLowThreshold": "int",
          "podMaxPids": "int",
          "topologyManagerPolicy": "string"
        },
        "kubeletDiskType": "string",
        "linuxOSConfig": {
          "swapFileSizeMB": "int",
          "sysctls": {
            "fsAioMaxNr": "int",
            "fsFileMax": "int",
            "fsInotifyMaxUserWatches": "int",
            "fsNrOpen": "int",
            "kernelThreadsMax": "int",
            "netCoreNetdevMaxBacklog": "int",
            "netCoreOptmemMax": "int",
            "netCoreRmemDefault": "int",
            "netCoreRmemMax": "int",
            "netCoreSomaxconn": "int",
            "netCoreWmemDefault": "int",
            "netCoreWmemMax": "int",
            "netIpv4IpLocalPortRange": "string",
            "netIpv4NeighDefaultGcThresh1": "int",
            "netIpv4NeighDefaultGcThresh2": "int",
            "netIpv4NeighDefaultGcThresh3": "int",
            "netIpv4TcpFinTimeout": "int",
            "netIpv4TcpkeepaliveIntvl": "int",
            "netIpv4TcpKeepaliveProbes": "int",
            "netIpv4TcpKeepaliveTime": "int",
            "netIpv4TcpMaxSynBacklog": "int",
            "netIpv4TcpMaxTwBuckets": "int",
            "netIpv4TcpTwReuse": "bool",
            "netNetfilterNfConntrackBuckets": "int",
            "netNetfilterNfConntrackMax": "int",
            "vmMaxMapCount": "int",
            "vmSwappiness": "int",
            "vmVfsCachePressure": "int"
          },
          "transparentHugePageDefrag": "string",
          "transparentHugePageEnabled": "string"
        },
        "maxCount": "int",
        "maxPods": "int",
        "messageOfTheDay": "string",
        "minCount": "int",
        "mode": "string",
        "name": "string",
        "networkProfile": {
          "allowedHostPorts": [
            {
              "portEnd": "int",
              "portStart": "int",
              "protocol": "string"
            }
          ],
          "applicationSecurityGroups": [ "string" ],
          "nodePublicIPTags": [
            {
              "ipTagType": "string",
              "tag": "string"
            }
          ]
        },
        "nodeLabels": {
          "{customized property}": "string"
        },
        "nodePublicIPPrefixID": "string",
        "nodeTaints": [ "string" ],
        "orchestratorVersion": "string",
        "osDiskSizeGB": "int",
        "osDiskType": "string",
        "osSKU": "string",
        "osType": "string",
        "podIPAllocationMode": "string",
        "podSubnetID": "string",
        "powerState": {
          "code": "string"
        },
        "proximityPlacementGroupID": "string",
        "scaleDownMode": "string",
        "scaleSetEvictionPolicy": "string",
        "scaleSetPriority": "string",
        "securityProfile": {
          "enableSecureBoot": "bool",
          "enableVTPM": "bool"
        },
        "spotMaxPrice": "int",
        "status": {
        },
        "tags": {
          "{customized property}": "string"
        },
        "type": "string",
        "upgradeSettings": {
          "drainTimeoutInMinutes": "int",
          "maxSurge": "string",
          "maxUnavailable": "string",
          "nodeSoakDurationInMinutes": "int",
          "undrainableNodeBehavior": "string"
        },
        "virtualMachineNodesStatus": [
          {
            "count": "int",
            "size": "string"
          }
        ],
        "virtualMachinesProfile": {
          "scale": {
            "manual": [
              {
                "count": "int",
                "size": "string"
              }
            ]
          }
        },
        "vmSize": "string",
        "vnetSubnetID": "string",
        "windowsProfile": {
          "disableOutboundNat": "bool"
        },
        "workloadRuntime": "string"
      }
    ],
    "aiToolchainOperatorProfile": {
      "enabled": "bool"
    },
    "apiServerAccessProfile": {
      "authorizedIPRanges": [ "string" ],
      "disableRunCommand": "bool",
      "enablePrivateCluster": "bool",
      "enablePrivateClusterPublicFQDN": "bool",
      "enableVnetIntegration": "bool",
      "privateDNSZone": "string",
      "subnetId": "string"
    },
    "autoScalerProfile": {
      "balance-similar-node-groups": "string",
      "daemonset-eviction-for-empty-nodes": "bool",
      "daemonset-eviction-for-occupied-nodes": "bool",
      "expander": "string",
      "ignore-daemonsets-utilization": "bool",
      "max-empty-bulk-delete": "string",
      "max-graceful-termination-sec": "string",
      "max-node-provision-time": "string",
      "max-total-unready-percentage": "string",
      "new-pod-scale-up-delay": "string",
      "ok-total-unready-count": "string",
      "scale-down-delay-after-add": "string",
      "scale-down-delay-after-delete": "string",
      "scale-down-delay-after-failure": "string",
      "scale-down-unneeded-time": "string",
      "scale-down-unready-time": "string",
      "scale-down-utilization-threshold": "string",
      "scan-interval": "string",
      "skip-nodes-with-local-storage": "string",
      "skip-nodes-with-system-pods": "string"
    },
    "autoUpgradeProfile": {
      "nodeOSUpgradeChannel": "string",
      "upgradeChannel": "string"
    },
    "azureMonitorProfile": {
      "metrics": {
        "enabled": "bool",
        "kubeStateMetrics": {
          "metricAnnotationsAllowList": "string",
          "metricLabelsAllowlist": "string"
        }
      }
    },
    "bootstrapProfile": {
      "artifactSource": "string",
      "containerRegistryId": "string"
    },
    "disableLocalAccounts": "bool",
    "diskEncryptionSetID": "string",
    "dnsPrefix": "string",
    "enableRBAC": "bool",
    "fqdnSubdomain": "string",
    "httpProxyConfig": {
      "httpProxy": "string",
      "httpsProxy": "string",
      "noProxy": [ "string" ],
      "trustedCa": "string"
    },
    "identityProfile": {
      "{customized property}": {
        "clientId": "string",
        "objectId": "string",
        "resourceId": "string"
      }
    },
    "ingressProfile": {
      "webAppRouting": {
        "dnsZoneResourceIds": [ "string" ],
        "enabled": "bool",
        "nginx": {
          "defaultIngressControllerType": "string"
        }
      }
    },
    "kubernetesVersion": "string",
    "linuxProfile": {
      "adminUsername": "string",
      "ssh": {
        "publicKeys": [
          {
            "keyData": "string"
          }
        ]
      }
    },
    "metricsProfile": {
      "costAnalysis": {
        "enabled": "bool"
      }
    },
    "networkProfile": {
      "advancedNetworking": {
        "enabled": "bool",
        "observability": {
          "enabled": "bool"
        },
        "security": {
          "enabled": "bool"
        }
      },
      "dnsServiceIP": "string",
      "ipFamilies": [ "string" ],
      "loadBalancerProfile": {
        "allocatedOutboundPorts": "int",
        "backendPoolType": "string",
        "enableMultipleStandardLoadBalancers": "bool",
        "idleTimeoutInMinutes": "int",
        "managedOutboundIPs": {
          "count": "int",
          "countIPv6": "int"
        },
        "outboundIPPrefixes": {
          "publicIPPrefixes": [
            {
              "id": "string"
            }
          ]
        },
        "outboundIPs": {
          "publicIPs": [
            {
              "id": "string"
            }
          ]
        }
      },
      "loadBalancerSku": "string",
      "natGatewayProfile": {
        "idleTimeoutInMinutes": "int",
        "managedOutboundIPProfile": {
          "count": "int"
        }
      },
      "networkDataplane": "string",
      "networkMode": "string",
      "networkPlugin": "string",
      "networkPluginMode": "string",
      "networkPolicy": "string",
      "outboundType": "string",
      "podCidr": "string",
      "podCidrs": [ "string" ],
      "serviceCidr": "string",
      "serviceCidrs": [ "string" ],
      "staticEgressGatewayProfile": {
        "enabled": "bool"
      }
    },
    "nodeProvisioningProfile": {
      "defaultNodePools": "string",
      "mode": "string"
    },
    "nodeResourceGroup": "string",
    "nodeResourceGroupProfile": {
      "restrictionLevel": "string"
    },
    "oidcIssuerProfile": {
      "enabled": "bool"
    },
    "podIdentityProfile": {
      "allowNetworkPluginKubenet": "bool",
      "enabled": "bool",
      "userAssignedIdentities": [
        {
          "bindingSelector": "string",
          "identity": {
            "clientId": "string",
            "objectId": "string",
            "resourceId": "string"
          },
          "name": "string",
          "namespace": "string"
        }
      ],
      "userAssignedIdentityExceptions": [
        {
          "name": "string",
          "namespace": "string",
          "podLabels": {
            "{customized property}": "string"
          }
        }
      ]
    },
    "privateLinkResources": [
      {
        "groupId": "string",
        "id": "string",
        "name": "string",
        "requiredMembers": [ "string" ],
        "type": "string"
      }
    ],
    "publicNetworkAccess": "string",
    "securityProfile": {
      "azureKeyVaultKms": {
        "enabled": "bool",
        "keyId": "string",
        "keyVaultNetworkAccess": "string",
        "keyVaultResourceId": "string"
      },
      "customCATrustCertificates": [ {} ],
      "defender": {
        "logAnalyticsWorkspaceResourceId": "string",
        "securityMonitoring": {
          "enabled": "bool"
        }
      },
      "imageCleaner": {
        "enabled": "bool",
        "intervalHours": "int"
      },
      "workloadIdentity": {
        "enabled": "bool"
      }
    },
    "serviceMeshProfile": {
      "istio": {
        "certificateAuthority": {
          "plugin": {
            "certChainObjectName": "string",
            "certObjectName": "string",
            "keyObjectName": "string",
            "keyVaultId": "string",
            "rootCertObjectName": "string"
          }
        },
        "components": {
          "egressGateways": [
            {
              "enabled": "bool"
            }
          ],
          "ingressGateways": [
            {
              "enabled": "bool",
              "mode": "string"
            }
          ]
        },
        "revisions": [ "string" ]
      },
      "mode": "string"
    },
    "servicePrincipalProfile": {
      "clientId": "string",
      "secret": "string"
    },
    "status": {
    },
    "storageProfile": {
      "blobCSIDriver": {
        "enabled": "bool"
      },
      "diskCSIDriver": {
        "enabled": "bool"
      },
      "fileCSIDriver": {
        "enabled": "bool"
      },
      "snapshotController": {
        "enabled": "bool"
      }
    },
    "supportPlan": "string",
    "upgradeSettings": {
      "overrideSettings": {
        "forceUpgrade": "bool",
        "until": "string"
      }
    },
    "windowsProfile": {
      "adminPassword": "string",
      "adminUsername": "string",
      "enableCSIProxy": "bool",
      "gmsaProfile": {
        "dnsServer": "string",
        "enabled": "bool",
        "rootDomainName": "string"
      },
      "licenseType": "string"
    },
    "workloadAutoScalerProfile": {
      "keda": {
        "enabled": "bool"
      },
      "verticalPodAutoscaler": {
        "enabled": "bool"
      }
    }
  },
  "sku": {
    "name": "string",
    "tier": "string"
  },
  "tags": {
    "{customized property}": "string"
  }
}

Property Values

Microsoft.ContainerService/managedClusters

Name Description Value
apiVersion The api version '2025-05-01'
extendedLocation The extended location of the Virtual Machine. ExtendedLocation
identity The identity of the managed cluster, if configured. ManagedClusterIdentity
location The geo-location where the resource lives string (required)
name The resource name string

Constraints:
Min length = 1
Max length = 63
Pattern = ^[a-zA-Z0-9]$|^[a-zA-Z0-9][-_a-zA-Z0-9]{0,61}[a-zA-Z0-9]$ (required)
properties Properties of a managed cluster. ManagedClusterProperties
sku The managed cluster SKU. ManagedClusterSKU
tags Resource tags Dictionary of tag names and values. See Tags in templates
type The resource type 'Microsoft.ContainerService/managedClusters'

AdvancedNetworking

Name Description Value
enabled Indicates the enablement of Advanced Networking functionalities of observability and security on AKS clusters. When this is set to true, all observability and security features will be set to enabled unless explicitly disabled. If not specified, the default is false. bool
observability Observability profile to enable advanced network metrics and flow logs with historical contexts. AdvancedNetworkingObservability
security Security profile to enable security features on cilium based cluster. AdvancedNetworkingSecurity

AdvancedNetworkingObservability

Name Description Value
enabled Indicates the enablement of Advanced Networking observability functionalities on clusters. bool

AdvancedNetworkingSecurity

Name Description Value
enabled This feature allows user to configure network policy based on DNS (FQDN) names. It can be enabled only on cilium based clusters. If not specified, the default is false. bool

AgentPoolGatewayProfile

Name Description Value
publicIPPrefixSize The Gateway agent pool associates one public IPPrefix for each static egress gateway to provide public egress. The size of Public IPPrefix should be selected by the user. Each node in the agent pool is assigned with one IP from the IPPrefix. The IPPrefix size thus serves as a cap on the size of the Gateway agent pool. Due to Azure public IPPrefix size limitation, the valid value range is [28, 31] (/31 = 2 nodes/IPs, /30 = 4 nodes/IPs, /29 = 8 nodes/IPs, /28 = 16 nodes/IPs). The default value is 31. int

Constraints:
Min value = 28
Max value = 31

AgentPoolNetworkProfile

Name Description Value
allowedHostPorts The port ranges that are allowed to access. The specified ranges are allowed to overlap. PortRange[]
applicationSecurityGroups The IDs of the application security groups which agent pool will associate when created. string[]
nodePublicIPTags IPTags of instance-level public IPs. IPTag[]

AgentPoolSecurityProfile

Name Description Value
enableSecureBoot Secure Boot is a feature of Trusted Launch which ensures that only signed operating systems and drivers can boot. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false. bool
enableVTPM vTPM is a Trusted Launch feature for configuring a dedicated secure vault for keys and measurements held locally on the node. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false. bool

AgentPoolStatus

Name Description Value

AgentPoolUpgradeSettings

Name Description Value
drainTimeoutInMinutes The drain timeout for a node. The amount of time (in minutes) to wait on eviction of pods and graceful termination per node. This eviction wait time honors waiting on pod disruption budgets. If this time is exceeded, the upgrade fails. If not specified, the default is 30 minutes. int

Constraints:
Min value = 1
Max value = 1440
maxSurge The maximum number or percentage of nodes that are surged during upgrade. This can either be set to an integer (e.g. '5') or a percentage (e.g. '50%'). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 10%. For more information, including best practices, see: /azure/aks/upgrade-cluster string
maxUnavailable The maximum number or percentage of nodes that can be simultaneously unavailable during upgrade. This can either be set to an integer (e.g. '1') or a percentage (e.g. '5%'). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 0. For more information, including best practices, see: /azure/aks/upgrade-cluster string
nodeSoakDurationInMinutes The soak duration for a node. The amount of time (in minutes) to wait after draining a node and before reimaging it and moving on to next node. If not specified, the default is 0 minutes. int

Constraints:
Min value = 0
Max value = 30
undrainableNodeBehavior Defines the behavior for undrainable nodes during upgrade. The most common cause of undrainable nodes is Pod Disruption Budgets (PDBs), but other issues, such as pod termination grace period is exceeding the remaining per-node drain timeout or pod is still being in a running state, can also cause undrainable nodes. 'Cordon'
'Schedule'

AgentPoolWindowsProfile

Name Description Value
disableOutboundNat Whether to disable OutboundNAT in windows nodes. The default value is false. Outbound NAT can only be disabled if the cluster outboundType is NAT Gateway and the Windows agent pool does not have node public IP enabled. bool

AzureKeyVaultKms

Name Description Value
enabled Whether to enable Azure Key Vault key management service. The default is false. bool
keyId Identifier of Azure Key Vault key. See key identifier format for more details. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier. When Azure Key Vault key management service is disabled, leave the field empty. string
keyVaultNetworkAccess Network access of the key vault. Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public. 'Private'
'Public'
keyVaultResourceId Resource ID of key vault. When keyVaultNetworkAccess is Private, this field is required and must be a valid resource ID. When keyVaultNetworkAccess is Public, leave the field empty. string

ClusterUpgradeSettings

Name Description Value
overrideSettings Settings for overrides. UpgradeOverrideSettings

ContainerServiceLinuxProfile

Name Description Value
adminUsername The administrator username to use for Linux VMs. string

Constraints:
Pattern = ^[A-Za-z][-A-Za-z0-9_]*$ (required)
ssh The SSH configuration for Linux-based VMs running on Azure. ContainerServiceSshConfiguration (required)

ContainerServiceNetworkProfile

Name Description Value
advancedNetworking Advanced Networking profile for enabling observability and security feature suite on a cluster. For more information see aka.ms/aksadvancednetworking. AdvancedNetworking
dnsServiceIP An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. string

Constraints:
Pattern = ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
ipFamilies The IP families used to specify IP versions available to the cluster. IP families are used to determine single-stack or dual-stack clusters. For single-stack, the expected value is IPv4. For dual-stack, the expected values are IPv4 and IPv6. String array containing any of:
'IPv4'
'IPv6'
loadBalancerProfile Profile of the cluster load balancer. ManagedClusterLoadBalancerProfile
loadBalancerSku The load balancer sku for the managed cluster. The default is 'standard'. See Azure Load Balancer SKUs for more information about the differences between load balancer SKUs. 'basic'
'standard'
natGatewayProfile Profile of the cluster NAT gateway. ManagedClusterNATGatewayProfile
networkDataplane Network dataplane used in the Kubernetes cluster. 'azure'
'cilium'
networkMode The network mode Azure CNI is configured with. This cannot be specified if networkPlugin is anything other than 'azure'. 'bridge'
'transparent'
networkPlugin Network plugin used for building the Kubernetes network. 'azure'
'kubenet'
'none'
networkPluginMode The mode the network plugin should use. 'overlay'
networkPolicy Network policy used for building the Kubernetes network. 'azure'
'calico'
'cilium'
'none'
outboundType The outbound (egress) routing method. This can only be set at cluster creation time and cannot be changed later. For more information see egress outbound type. 'loadBalancer'
'managedNATGateway'
'none'
'userAssignedNATGateway'
'userDefinedRouting'
podCidr A CIDR notation IP range from which to assign pod IPs when kubenet is used. string

Constraints:
Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$
podCidrs The CIDR notation IP ranges from which to assign pod IPs. One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking. string[]
serviceCidr A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. string

Constraints:
Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$
serviceCidrs The CIDR notation IP ranges from which to assign service cluster IPs. One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking. They must not overlap with any Subnet IP ranges. string[]
staticEgressGatewayProfile The profile for Static Egress Gateway addon. For more details about Static Egress Gateway, see https://aka.ms/aks/static-egress-gateway. ManagedClusterStaticEgressGatewayProfile

ContainerServiceSshConfiguration

Name Description Value
publicKeys The list of SSH public keys used to authenticate with Linux-based VMs. A maximum of 1 key may be specified. ContainerServiceSshPublicKey[] (required)

ContainerServiceSshPublicKey

Name Description Value
keyData Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers. string (required)

CreationData

Name Description Value
sourceResourceId This is the ARM ID of the source object to be used to create the target object. string

DelegatedResource

Name Description Value
location The source resource location - internal use only. string
referralResource The delegation id of the referral delegation (optional) - internal use only. string
resourceId The ARM resource id of the delegated resource - internal use only. string
tenantId The tenant id of the delegated resource - internal use only. string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$

DelegatedResources

Name Description Value

ExtendedLocation

Name Description Value
name The name of the extended location. string
type The type of the extended location. 'EdgeZone'

GPUProfile

Name Description Value
driver Whether to install GPU drivers. When it's not specified, default is Install. 'Install'
'None'

IPTag

Name Description Value
ipTagType The IP tag type. Example: RoutingPreference. string
tag The value of the IP tag associated with the public IP. Example: Internet. string

IstioCertificateAuthority

Name Description Value
plugin Plugin certificates information for Service Mesh. IstioPluginCertificateAuthority

IstioComponents

Name Description Value
egressGateways Istio egress gateways. IstioEgressGateway[]
ingressGateways Istio ingress gateways. IstioIngressGateway[]

IstioEgressGateway

Name Description Value
enabled Whether to enable the egress gateway. bool (required)

IstioIngressGateway

Name Description Value
enabled Whether to enable the ingress gateway. bool (required)
mode Mode of an ingress gateway. 'External'
'Internal' (required)

IstioPluginCertificateAuthority

Name Description Value
certChainObjectName Certificate chain object name in Azure Key Vault. string
certObjectName Intermediate certificate object name in Azure Key Vault. string
keyObjectName Intermediate certificate private key object name in Azure Key Vault. string
keyVaultId The resource ID of the Key Vault. string
rootCertObjectName Root certificate object name in Azure Key Vault. string

IstioServiceMesh

Name Description Value
certificateAuthority Istio Service Mesh Certificate Authority (CA) configuration. For now, we only support plugin certificates as described here https://aka.ms/asm-plugin-ca IstioCertificateAuthority
components Istio components configuration. IstioComponents
revisions The list of revisions of the Istio control plane. When an upgrade is not in progress, this holds one value. When canary upgrade is in progress, this can only hold two consecutive values. For more information, see: /azure/aks/istio-upgrade string[]

KubeletConfig

Name Description Value
allowedUnsafeSysctls Allowed list of unsafe sysctls or unsafe sysctl patterns (ending in *). string[]
containerLogMaxFiles The maximum number of container log files that can be present for a container. The number must be ≥ 2. int

Constraints:
Min value = 2
containerLogMaxSizeMB The maximum size (e.g. 10Mi) of container log file before it is rotated. int
cpuCfsQuota If CPU CFS quota enforcement is enabled for containers that specify CPU limits. The default is true. bool
cpuCfsQuotaPeriod The CPU CFS quota period value. The default is '100ms.' Valid values are a sequence of decimal numbers with an optional fraction and a unit suffix. For example: '300ms', '2h45m'. Supported units are 'ns', 'us', 'ms', 's', 'm', and 'h'. string
cpuManagerPolicy The CPU Manager policy to use. The default is 'none'. See Kubernetes CPU management policies for more information. Allowed values are 'none' and 'static'. string
failSwapOn If set to true it will make the Kubelet fail to start if swap is enabled on the node. bool
imageGcHighThreshold The percent of disk usage after which image garbage collection is always run. To disable image garbage collection, set to 100. The default is 85% int
imageGcLowThreshold The percent of disk usage before which image garbage collection is never run. This cannot be set higher than imageGcHighThreshold. The default is 80% int
podMaxPids The maximum number of processes per pod. int
topologyManagerPolicy The Topology Manager policy to use. For more information see Kubernetes Topology Manager. The default is 'none'. Allowed values are 'none', 'best-effort', 'restricted', and 'single-numa-node'. string

LinuxOSConfig

Name Description Value
swapFileSizeMB The size in MB of a swap file that will be created on each node. int
sysctls Sysctl settings for Linux agent nodes. SysctlConfig
transparentHugePageDefrag Whether the kernel should make aggressive use of memory compaction to make more hugepages available. Valid values are 'always', 'defer', 'defer+madvise', 'madvise' and 'never'. The default is 'madvise'. For more information see Transparent Hugepages. string
transparentHugePageEnabled Whether transparent hugepages are enabled. Valid values are 'always', 'madvise', and 'never'. The default is 'always'. For more information see Transparent Hugepages. string

ManagedClusterAADProfile

Name Description Value
adminGroupObjectIDs The list of AAD group object IDs that will have admin role of the cluster. string[]
clientAppID (DEPRECATED) The client AAD application ID. Learn more at https://aka.ms/aks/aad-legacy. string
enableAzureRBAC Whether to enable Azure RBAC for Kubernetes authorization. bool
managed Whether to enable managed AAD. bool
serverAppID (DEPRECATED) The server AAD application ID. Learn more at https://aka.ms/aks/aad-legacy. string
serverAppSecret (DEPRECATED) The server AAD application secret. Learn more at https://aka.ms/aks/aad-legacy. string
tenantID The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription. string

ManagedClusterAddonProfile

Name Description Value
config Key-value pairs for configuring an add-on. ManagedClusterAddonProfileConfig
enabled Whether the add-on is enabled or not. bool (required)

ManagedClusterAddonProfileConfig

Name Description Value

ManagedClusterAgentPoolProfile

Name Description Value
availabilityZones The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is 'VirtualMachineScaleSets'. string[]
capacityReservationGroupID AKS will associate the specified agent pool with the Capacity Reservation Group. string
count Number of agents (VMs) to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1. int
creationData CreationData to be used to specify the source Snapshot ID if the node pool will be created/upgraded using a snapshot. CreationData
enableAutoScaling Whether to enable auto-scaler bool
enableEncryptionAtHost Whether to enable host based OS and data drive encryption. This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption bool
enableFIPS Whether to use a FIPS-enabled OS. See Add a FIPS-enabled node pool for more details. bool
enableNodePublicIP Whether each node is allocated its own public IP. Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node. The default is false. bool
enableUltraSSD Whether to enable UltraSSD bool
gatewayProfile Profile specific to a managed agent pool in Gateway mode. This field cannot be set if agent pool mode is not Gateway. AgentPoolGatewayProfile
gpuInstanceProfile GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. 'MIG1g'
'MIG2g'
'MIG3g'
'MIG4g'
'MIG7g'
gpuProfile GPU settings for the Agent Pool. GPUProfile
hostGroupID The fully qualified resource ID of the Dedicated Host Group to provision virtual machines from, used only in creation scenario and not allowed to changed once set. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/hostGroups/{hostGroupName}. For more information see Azure dedicated hosts. string
kubeletConfig The Kubelet configuration on the agent pool nodes. KubeletConfig
kubeletDiskType Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. 'OS'
'Temporary'
linuxOSConfig The OS configuration of Linux agent nodes. LinuxOSConfig
maxCount The maximum number of nodes for auto-scaling int
maxPods The maximum number of pods that can run on a node. int
messageOfTheDay Message of the day for Linux nodes, base64-encoded. A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of the message of the day for Linux nodes. It must not be specified for Windows nodes. It must be a static string (i.e., will be printed raw and not be executed as a script). string
minCount The minimum number of nodes for auto-scaling int
mode The mode of an agent pool. A cluster must have at least one 'System' Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: /azure/aks/use-system-pools 'Gateway'
'System'
'User'
name Unique name of the agent pool profile in the context of the subscription and resource group. Windows agent pool names must be 6 characters or less. string

Constraints:
Pattern = ^[a-z][a-z0-9]{0,11}$ (required)
networkProfile Network-related settings of an agent pool. AgentPoolNetworkProfile
nodeLabels The node labels to be persisted across all nodes in agent pool. ManagedClusterAgentPoolProfilePropertiesNodeLabels
nodePublicIPPrefixID The public IP prefix ID which VM nodes should use IPs from. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPPrefixes/{publicIPPrefixName} string
nodeTaints The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. string[]
orchestratorVersion The version of Kubernetes specified by the user. Both patch version <major.minor.patch> (e.g. 1.20.13) and <major.minor> (e.g. 1.20) are supported. When <major.minor> is specified, the latest supported GA patch version is chosen automatically. Updating the cluster with the same <major.minor> once it has been created (e.g. 1.14.x -> 1.14) will not trigger an upgrade, even if a newer patch version is available. As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool. string
osDiskSizeGB OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. int

Constraints:
Min value = 0
Max value = 2048
osDiskType The OS disk type to be used for machines in the agent pool. The default is 'Ephemeral' if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. For more information see Ephemeral OS. 'Ephemeral'
'Managed'
osSKU Specifies the OS SKU used by the agent pool. The default is Ubuntu if OSType is Linux. The default is Windows2019 when Kubernetes <= 1.24 or Windows2022 when Kubernetes >= 1.25 if OSType is Windows. 'AzureLinux'
'CBLMariner'
'Ubuntu'
'Ubuntu2204'
'Windows2019'
'Windows2022'
osType The operating system type. The default is Linux. 'Linux'
'Windows'
podIPAllocationMode Pod IP Allocation Mode. The IP allocation mode for pods in the agent pool. Must be used with podSubnetId. The default is 'DynamicIndividual'. 'DynamicIndividual'
'StaticBlock'
podSubnetID The ID of the subnet which pods will join when launched. If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} string
powerState Whether the Agent Pool is running or stopped. When an Agent Pool is first created it is initially Running. The Agent Pool can be stopped by setting this field to Stopped. A stopped Agent Pool stops all of its VMs and does not accrue billing charges. An Agent Pool can only be stopped if it is Running and provisioning state is Succeeded PowerState
proximityPlacementGroupID The ID for Proximity Placement Group. string
scaleDownMode The scale down mode to use when scaling the Agent Pool. This also effects the cluster autoscaler behavior. If not specified, it defaults to Delete. 'Deallocate'
'Delete'
scaleSetEvictionPolicy The Virtual Machine Scale Set eviction policy to use. This cannot be specified unless the scaleSetPriority is 'Spot'. If not specified, the default is 'Delete'. 'Deallocate'
'Delete'
scaleSetPriority The Virtual Machine Scale Set priority. If not specified, the default is 'Regular'. 'Regular'
'Spot'
securityProfile The security settings of an agent pool. AgentPoolSecurityProfile
spotMaxPrice The max price (in US Dollars) you are willing to pay for spot instances. Possible values are any decimal value greater than zero or -1 which indicates default price to be up-to on-demand. Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing int
status Contains read-only information about the Agent Pool. AgentPoolStatus
tags The tags to be persisted on the agent pool virtual machine scale set. ManagedClusterAgentPoolProfilePropertiesTags
type The type of Agent Pool. 'AvailabilitySet'
'VirtualMachines'
'VirtualMachineScaleSets'
upgradeSettings Settings for upgrading the agentpool AgentPoolUpgradeSettings
virtualMachineNodesStatus The status of nodes in a VirtualMachines agent pool. VirtualMachineNodes[]
virtualMachinesProfile Specifications on VirtualMachines agent pool. VirtualMachinesProfile
vmSize The size of the agent pool VMs. VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: /azure/aks/quotas-skus-regions string
vnetSubnetID The ID of the subnet which agent pool nodes and optionally pods will join on startup. If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} string
windowsProfile The Windows agent pool's specific profile. AgentPoolWindowsProfile
workloadRuntime Determines the type of workload a node can run. 'OCIContainer'
'WasmWasi'

ManagedClusterAgentPoolProfilePropertiesNodeLabels

Name Description Value

ManagedClusterAgentPoolProfilePropertiesTags

Name Description Value

ManagedClusterAIToolchainOperatorProfile

Name Description Value
enabled Whether to enable AI toolchain operator to the cluster. Indicates if AI toolchain operator enabled or not. bool

ManagedClusterAPIServerAccessProfile

Name Description Value
authorizedIPRanges The IP ranges authorized to access the Kubernetes API server. IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. For more information see API server authorized IP ranges. string[]
disableRunCommand Whether to disable run command for the cluster or not. bool
enablePrivateCluster Whether to create the cluster as a private cluster or not. For more details, see Creating a private AKS cluster. bool
enablePrivateClusterPublicFQDN Whether to create additional public FQDN for private cluster or not. bool
enableVnetIntegration Whether to enable apiserver vnet integration for the cluster or not. See aka.ms/AksVnetIntegration for more details. bool
privateDNSZone The private DNS zone mode for the cluster. The default is System. For more details see configure private DNS zone. Allowed values are 'system' and 'none'. string
subnetId The subnet to be used when apiserver vnet integration is enabled. It is required when creating a new cluster with BYO Vnet, or when updating an existing cluster to enable apiserver vnet integration. string

ManagedClusterAutoUpgradeProfile

Name Description Value
nodeOSUpgradeChannel Node OS Upgrade Channel. Manner in which the OS on your nodes is updated. The default is NodeImage. 'NodeImage'
'None'
'SecurityPatch'
'Unmanaged'
upgradeChannel The upgrade channel for auto upgrade. The default is 'none'. For more information see setting the AKS cluster auto-upgrade channel. 'node-image'
'none'
'patch'
'rapid'
'stable'

ManagedClusterAzureMonitorProfile

Name Description Value
metrics Metrics profile for the Azure Monitor managed service for Prometheus addon. Collect out-of-the-box Kubernetes infrastructure metrics to send to an Azure Monitor Workspace and configure additional scraping for custom targets. See aka.ms/AzureManagedPrometheus for an overview. ManagedClusterAzureMonitorProfileMetrics

ManagedClusterAzureMonitorProfileKubeStateMetrics

Name Description Value
metricAnnotationsAllowList Comma-separated list of Kubernetes annotation keys that will be used in the resource's labels metric (Example: 'namespaces=[kubernetes.io/team,...],pods=[kubernetes.io/team],...'). By default the metric contains only resource name and namespace labels. string
metricLabelsAllowlist Comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric (Example: 'namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...'). By default the metric contains only resource name and namespace labels. string

ManagedClusterAzureMonitorProfileMetrics

Name Description Value
enabled Whether to enable or disable the Azure Managed Prometheus addon for Prometheus monitoring. See aka.ms/AzureManagedPrometheus-aks-enable for details on enabling and disabling. bool (required)
kubeStateMetrics Kube State Metrics profile for the Azure Managed Prometheus addon. These optional settings are for the kube-state-metrics pod that is deployed with the addon. See aka.ms/AzureManagedPrometheus-optional-parameters for details. ManagedClusterAzureMonitorProfileKubeStateMetrics

ManagedClusterBootstrapProfile

Name Description Value
artifactSource The artifact source. The source where the artifacts are downloaded from. 'Cache'
'Direct'
containerRegistryId The resource Id of Azure Container Registry. The registry must have private network access, premium SKU and zone redundancy. string

ManagedClusterCostAnalysis

Name Description Value
enabled Whether to enable cost analysis. The Managed Cluster sku.tier must be set to 'Standard' or 'Premium' to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. If not specified, the default is false. For more information see aka.ms/aks/docs/cost-analysis. bool

ManagedClusterHttpProxyConfig

Name Description Value
httpProxy The HTTP proxy server endpoint to use. string
httpsProxy The HTTPS proxy server endpoint to use. string
noProxy The endpoints that should not go through proxy. string[]
trustedCa Alternative CA cert to use for connecting to proxy servers. string

ManagedClusterIdentity

Name Description Value
delegatedResources The delegated identity resources assigned to this managed cluster. This can only be set by another Azure Resource Provider, and managed cluster only accept one delegated identity resource. Internal use only. DelegatedResources
type The type of identity used for the managed cluster. For more information see use managed identities in AKS. 'None'
'SystemAssigned'
'UserAssigned'
userAssignedIdentities The user identity associated with the managed cluster. This identity will be used in control plane. Only one user assigned identity is allowed. The keys must be ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. ManagedClusterIdentityUserAssignedIdentities

ManagedClusterIdentityUserAssignedIdentities

Name Description Value

ManagedClusterIngressProfile

Name Description Value
webAppRouting App Routing settings for the ingress profile. You can find an overview and onboarding guide for this feature at /azure/aks/app-routing?tabs=default%2Cdeploy-app-default. ManagedClusterIngressProfileWebAppRouting

ManagedClusterIngressProfileNginx

Name Description Value
defaultIngressControllerType Ingress type for the default NginxIngressController custom resource 'AnnotationControlled'
'External'
'Internal'
'None'

ManagedClusterIngressProfileWebAppRouting

Name Description Value
dnsZoneResourceIds Resource IDs of the DNS zones to be associated with the Application Routing add-on. Used only when Application Routing add-on is enabled. Public and private DNS zones can be in different resource groups, but all public DNS zones must be in the same resource group and all private DNS zones must be in the same resource group. string[]
enabled Whether to enable the Application Routing add-on. bool
nginx Configuration for the default NginxIngressController. See more at /azure/aks/app-routing-nginx-configuration#the-default-nginx-ingress-controller. ManagedClusterIngressProfileNginx

ManagedClusterLoadBalancerProfile

Name Description Value
allocatedOutboundPorts The desired number of allocated SNAT ports per VM. Allowed values are in the range of 0 to 64000 (inclusive). The default value is 0 which results in Azure dynamically allocating ports. int

Constraints:
Min value = 0
Max value = 64000
backendPoolType The type of the managed inbound Load Balancer BackendPool. 'NodeIP'
'NodeIPConfiguration'
enableMultipleStandardLoadBalancers Enable multiple standard load balancers per AKS cluster or not. bool
idleTimeoutInMinutes Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 30 minutes. int

Constraints:
Min value = 4
Max value = 120
managedOutboundIPs Desired managed outbound IPs for the cluster load balancer. ManagedClusterLoadBalancerProfileManagedOutboundIPs
outboundIPPrefixes Desired outbound IP Prefix resources for the cluster load balancer. ManagedClusterLoadBalancerProfileOutboundIPPrefixes
outboundIPs Desired outbound IP resources for the cluster load balancer. ManagedClusterLoadBalancerProfileOutboundIPs

ManagedClusterLoadBalancerProfileManagedOutboundIPs

Name Description Value
count The desired number of IPv4 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1. int

Constraints:
Min value = 1
Max value = 100
countIPv6 The desired number of IPv6 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack. int

Constraints:
Min value = 0
Max value = 100

ManagedClusterLoadBalancerProfileOutboundIPPrefixes

Name Description Value
publicIPPrefixes A list of public IP prefix resources. ResourceReference[]

ManagedClusterLoadBalancerProfileOutboundIPs

Name Description Value
publicIPs A list of public IP resources. ResourceReference[]

ManagedClusterManagedOutboundIPProfile

Name Description Value
count The desired number of outbound IPs created/managed by Azure. Allowed values must be in the range of 1 to 16 (inclusive). The default value is 1. int

Constraints:
Min value = 1
Max value = 16

ManagedClusterMetricsProfile

Name Description Value
costAnalysis The configuration for detailed per-Kubernetes resource cost analysis. ManagedClusterCostAnalysis

ManagedClusterNATGatewayProfile

Name Description Value
idleTimeoutInMinutes Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 4 minutes. int

Constraints:
Min value = 4
Max value = 120
managedOutboundIPProfile Profile of the managed outbound IP resources of the cluster NAT gateway. ManagedClusterManagedOutboundIPProfile

ManagedClusterNodeProvisioningProfile

Name Description Value
defaultNodePools The set of default Karpenter NodePools (CRDs) configured for node provisioning. This field has no effect unless mode is 'Auto'. Warning: Changing this from Auto to None on an existing cluster will cause the default Karpenter NodePools to be deleted, which will drain and delete the nodes associated with those pools. It is strongly recommended to not do this unless there are idle nodes ready to take the pods evicted by that action. If not specified, the default is Auto. For more information see aka.ms/aks/nap#node-pools. 'Auto'
'None'
mode The node provisioning mode. If not specified, the default is Manual. 'Auto'
'Manual'

ManagedClusterNodeResourceGroupProfile

Name Description Value
restrictionLevel The restriction level applied to the cluster's node resource group. If not specified, the default is 'Unrestricted' 'ReadOnly'
'Unrestricted'

ManagedClusterOidcIssuerProfile

Name Description Value
enabled Whether the OIDC issuer is enabled. bool

ManagedClusterPodIdentity

Name Description Value
bindingSelector The binding selector to use for the AzureIdentityBinding resource. string
identity The user assigned identity details. UserAssignedIdentity (required)
name The name of the pod identity. string (required)
namespace The namespace of the pod identity. string (required)

ManagedClusterPodIdentityException

Name Description Value
name The name of the pod identity exception. string (required)
namespace The namespace of the pod identity exception. string (required)
podLabels The pod labels to match. ManagedClusterPodIdentityExceptionPodLabels (required)

ManagedClusterPodIdentityExceptionPodLabels

Name Description Value

ManagedClusterPodIdentityProfile

Name Description Value
allowNetworkPluginKubenet Whether pod identity is allowed to run on clusters with Kubenet networking. Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing. See using Kubenet network plugin with AAD Pod Identity for more information. bool
enabled Whether the pod identity addon is enabled. bool
userAssignedIdentities The pod identities to use in the cluster. ManagedClusterPodIdentity[]
userAssignedIdentityExceptions The pod identity exceptions to allow. ManagedClusterPodIdentityException[]

ManagedClusterProperties

Name Description Value
aadProfile The Azure Active Directory configuration. ManagedClusterAADProfile
addonProfiles The profile of managed cluster add-on. ManagedClusterPropertiesAddonProfiles
agentPoolProfiles The agent pool properties. ManagedClusterAgentPoolProfile[]
aiToolchainOperatorProfile AI toolchain operator settings that apply to the whole cluster. ManagedClusterAIToolchainOperatorProfile
apiServerAccessProfile The access profile for managed cluster API server. ManagedClusterAPIServerAccessProfile
autoScalerProfile Parameters to be applied to the cluster-autoscaler when enabled ManagedClusterPropertiesAutoScalerProfile
autoUpgradeProfile The auto upgrade configuration. ManagedClusterAutoUpgradeProfile
azureMonitorProfile Azure Monitor addon profiles for monitoring the managed cluster. ManagedClusterAzureMonitorProfile
bootstrapProfile Profile of the cluster bootstrap configuration. ManagedClusterBootstrapProfile
disableLocalAccounts If local accounts should be disabled on the Managed Cluster. If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. For more details see disable local accounts. bool
diskEncryptionSetID The Resource ID of the disk encryption set to use for enabling encryption at rest. This is of the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/diskEncryptionSets/{encryptionSetName}' string
dnsPrefix The DNS prefix of the Managed Cluster. This cannot be updated once the Managed Cluster has been created. string
enableRBAC Whether to enable Kubernetes Role-Based Access Control. bool
fqdnSubdomain The FQDN subdomain of the private cluster with custom private dns zone. This cannot be updated once the Managed Cluster has been created. string
httpProxyConfig Configurations for provisioning the cluster with HTTP proxy servers. ManagedClusterHttpProxyConfig
identityProfile The user identity associated with the managed cluster. This identity will be used by the kubelet. Only one user assigned identity is allowed. The only accepted key is "kubeletidentity", with value of "resourceId": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}". ManagedClusterPropertiesIdentityProfile
ingressProfile Ingress profile for the managed cluster. ManagedClusterIngressProfile
kubernetesVersion The version of Kubernetes specified by the user. Both patch version <major.minor.patch> (e.g. 1.20.13) and <major.minor> (e.g. 1.20) are supported. When <major.minor> is specified, the latest supported GA patch version is chosen automatically. Updating the cluster with the same <major.minor> once it has been created (e.g. 1.14.x -> 1.14) will not trigger an upgrade, even if a newer patch version is available. When you upgrade a supported AKS cluster, Kubernetes minor versions cannot be skipped. All upgrades must be performed sequentially by major version number. For example, upgrades between 1.14.x -> 1.15.x or 1.15.x -> 1.16.x are allowed, however 1.14.x -> 1.16.x is not allowed. See upgrading an AKS cluster for more details. string
linuxProfile The profile for Linux VMs in the Managed Cluster. ContainerServiceLinuxProfile
metricsProfile Optional cluster metrics configuration. ManagedClusterMetricsProfile
networkProfile The network configuration profile. ContainerServiceNetworkProfile
nodeProvisioningProfile Node provisioning settings that apply to the whole cluster. ManagedClusterNodeProvisioningProfile
nodeResourceGroup The name of the resource group containing agent pool nodes. string
nodeResourceGroupProfile Profile of the node resource group configuration. ManagedClusterNodeResourceGroupProfile
oidcIssuerProfile The OIDC issuer profile of the Managed Cluster. ManagedClusterOidcIssuerProfile
podIdentityProfile The pod identity profile of the Managed Cluster. See use AAD pod identity for more details on AAD pod identity integration. ManagedClusterPodIdentityProfile
privateLinkResources Private link resources associated with the cluster. PrivateLinkResource[]
publicNetworkAccess PublicNetworkAccess of the managedCluster. Allow or deny public network access for AKS 'Disabled'
'Enabled'
securityProfile Security profile for the managed cluster. ManagedClusterSecurityProfile
serviceMeshProfile Service mesh profile for a managed cluster. ServiceMeshProfile
servicePrincipalProfile Information about a service principal identity for the cluster to use for manipulating Azure APIs. ManagedClusterServicePrincipalProfile
status Contains read-only information about the Managed Cluster. ManagedClusterStatus
storageProfile Storage profile for the managed cluster. ManagedClusterStorageProfile
supportPlan The support plan for the Managed Cluster. If unspecified, the default is 'KubernetesOfficial'. 'AKSLongTermSupport'
'KubernetesOfficial'
upgradeSettings Settings for upgrading a cluster. ClusterUpgradeSettings
windowsProfile The profile for Windows VMs in the Managed Cluster. ManagedClusterWindowsProfile
workloadAutoScalerProfile Workload Auto-scaler profile for the managed cluster. ManagedClusterWorkloadAutoScalerProfile

ManagedClusterPropertiesAddonProfiles

Name Description Value

ManagedClusterPropertiesAutoScalerProfile

Name Description Value
balance-similar-node-groups Detects similar node pools and balances the number of nodes between them. Valid values are 'true' and 'false' string
daemonset-eviction-for-empty-nodes DaemonSet pods will be gracefully terminated from empty nodes. If set to true, all daemonset pods on empty nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted. bool
daemonset-eviction-for-occupied-nodes DaemonSet pods will be gracefully terminated from non-empty nodes. If set to true, all daemonset pods on occupied nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted. bool
expander The expander to use when scaling up. If not specified, the default is 'random'. See expanders for more information. 'least-waste'
'most-pods'
'priority'
'random'
ignore-daemonsets-utilization Should CA ignore DaemonSet pods when calculating resource utilization for scaling down. If set to true, the resources used by daemonset will be taken into account when making scaling down decisions. bool
max-empty-bulk-delete The maximum number of empty nodes that can be deleted at the same time. This must be a positive integer. The default is 10. string
max-graceful-termination-sec The maximum number of seconds the cluster autoscaler waits for pod termination when trying to scale down a node. The default is 600. string
max-node-provision-time The maximum time the autoscaler waits for a node to be provisioned. The default is '15m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
max-total-unready-percentage The maximum percentage of unready nodes in the cluster. After this percentage is exceeded, cluster autoscaler halts operations. The default is 45. The maximum is 100 and the minimum is 0. string
new-pod-scale-up-delay Ignore unscheduled pods before they're a certain age. For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. The default is '0s'. Values must be an integer followed by a unit ('s' for seconds, 'm' for minutes, 'h' for hours, etc). string
ok-total-unready-count The number of allowed unready nodes, irrespective of max-total-unready-percentage. This must be an integer. The default is 3. string
scale-down-delay-after-add How long after scale up that scale down evaluation resumes. The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
scale-down-delay-after-delete How long after node deletion that scale down evaluation resumes. The default is the scan-interval. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
scale-down-delay-after-failure How long after scale down failure that scale down evaluation resumes. The default is '3m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
scale-down-unneeded-time How long a node should be unneeded before it is eligible for scale down. The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
scale-down-unready-time How long an unready node should be unneeded before it is eligible for scale down. The default is '20m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
scale-down-utilization-threshold Node utilization level, defined as sum of requested resources divided by capacity, below which a node can be considered for scale down. The default is '0.5'. string
scan-interval How often cluster is reevaluated for scale up or down. The default is '10'. Values must be an integer number of seconds. string
skip-nodes-with-local-storage If cluster autoscaler will skip deleting nodes with pods with local storage, for example, EmptyDir or HostPath. The default is true. string
skip-nodes-with-system-pods If cluster autoscaler will skip deleting nodes with pods from kube-system (except for DaemonSet or mirror pods). The default is true. string

ManagedClusterPropertiesIdentityProfile

Name Description Value

ManagedClusterSecurityProfile

Name Description Value
azureKeyVaultKms Azure Key Vault key management service settings for the security profile. AzureKeyVaultKms
customCATrustCertificates A list of up to 10 base64 encoded CAs that will be added to the trust store on all nodes in the cluster. For more information see Custom CA Trust Certificates. any[]
defender Microsoft Defender settings for the security profile. ManagedClusterSecurityProfileDefender
imageCleaner Image Cleaner settings for the security profile. ManagedClusterSecurityProfileImageCleaner
workloadIdentity Workload identity settings for the security profile. Workload identity enables Kubernetes applications to access Azure cloud resources securely with Azure AD. See https://aka.ms/aks/wi for more details. ManagedClusterSecurityProfileWorkloadIdentity

ManagedClusterSecurityProfileDefender

Name Description Value
logAnalyticsWorkspaceResourceId Resource ID of the Log Analytics workspace to be associated with Microsoft Defender. When Microsoft Defender is enabled, this field is required and must be a valid workspace resource ID. When Microsoft Defender is disabled, leave the field empty. string
securityMonitoring Microsoft Defender threat detection for Cloud settings for the security profile. ManagedClusterSecurityProfileDefenderSecurityMonitoring

ManagedClusterSecurityProfileDefenderSecurityMonitoring

Name Description Value
enabled Whether to enable Defender threat detection bool

ManagedClusterSecurityProfileImageCleaner

Name Description Value
enabled Whether to enable Image Cleaner on AKS cluster. bool
intervalHours Image Cleaner scanning interval in hours. int

ManagedClusterSecurityProfileWorkloadIdentity

Name Description Value
enabled Whether to enable workload identity. bool

ManagedClusterServicePrincipalProfile

Name Description Value
clientId The ID for the service principal. string (required)
secret The secret password associated with the service principal in plain text. string

ManagedClusterSKU

Name Description Value
name The name of a managed cluster SKU. 'Base'
tier The tier of a managed cluster SKU. If not specified, the default is 'Free'. See AKS Pricing Tier for more details. 'Free'
'Premium'
'Standard'

ManagedClusterStaticEgressGatewayProfile

Name Description Value
enabled Enable Static Egress Gateway addon. Indicates if Static Egress Gateway addon is enabled or not. bool

ManagedClusterStatus

Name Description Value

ManagedClusterStorageProfile

Name Description Value
blobCSIDriver AzureBlob CSI Driver settings for the storage profile. ManagedClusterStorageProfileBlobCSIDriver
diskCSIDriver AzureDisk CSI Driver settings for the storage profile. ManagedClusterStorageProfileDiskCSIDriver
fileCSIDriver AzureFile CSI Driver settings for the storage profile. ManagedClusterStorageProfileFileCSIDriver
snapshotController Snapshot Controller settings for the storage profile. ManagedClusterStorageProfileSnapshotController

ManagedClusterStorageProfileBlobCSIDriver

Name Description Value
enabled Whether to enable AzureBlob CSI Driver. The default value is false. bool

ManagedClusterStorageProfileDiskCSIDriver

Name Description Value
enabled Whether to enable AzureDisk CSI Driver. The default value is true. bool

ManagedClusterStorageProfileFileCSIDriver

Name Description Value
enabled Whether to enable AzureFile CSI Driver. The default value is true. bool

ManagedClusterStorageProfileSnapshotController

Name Description Value
enabled Whether to enable Snapshot Controller. The default value is true. bool

ManagedClusterWindowsProfile

Name Description Value
adminPassword Specifies the password of the administrator account.

Minimum-length: 8 characters

Max-length: 123 characters

Complexity requirements: 3 out of 4 conditions below need to be fulfilled
Has lower characters
Has upper characters
Has a digit
Has a special character (Regex match [\W_])

Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!"
string
adminUsername Specifies the name of the administrator account.

Restriction: Cannot end in "."

Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5".

Minimum-length: 1 character

Max-length: 20 characters
string (required)
enableCSIProxy Whether to enable CSI proxy. For more details on CSI proxy, see the CSI proxy GitHub repo. bool
gmsaProfile The Windows gMSA Profile in the Managed Cluster. WindowsGmsaProfile
licenseType The license type to use for Windows VMs. See Azure Hybrid User Benefits for more details. 'None'
'Windows_Server'

ManagedClusterWorkloadAutoScalerProfile

Name Description Value
keda KEDA (Kubernetes Event-driven Autoscaling) settings for the workload auto-scaler profile. ManagedClusterWorkloadAutoScalerProfileKeda
verticalPodAutoscaler VPA (Vertical Pod Autoscaler) settings for the workload auto-scaler profile. ManagedClusterWorkloadAutoScalerProfileVerticalPodAutoscaler

ManagedClusterWorkloadAutoScalerProfileKeda

Name Description Value
enabled Whether to enable KEDA. bool (required)

ManagedClusterWorkloadAutoScalerProfileVerticalPodAutoscaler

Name Description Value
enabled Whether to enable VPA. Default value is false. bool (required)

ManagedServiceIdentityUserAssignedIdentitiesValue

Name Description Value

ManualScaleProfile

Name Description Value
count Number of nodes. int
size VM size that AKS will use when creating and scaling e.g. 'Standard_E4s_v3', 'Standard_E16s_v3' or 'Standard_D16s_v5'. string

PortRange

Name Description Value
portEnd The maximum port that is included in the range. It should be ranged from 1 to 65535, and be greater than or equal to portStart. int

Constraints:
Min value = 1
Max value = 65535
portStart The minimum port that is included in the range. It should be ranged from 1 to 65535, and be less than or equal to portEnd. int

Constraints:
Min value = 1
Max value = 65535
protocol The network protocol of the port. 'TCP'
'UDP'

PowerState

Name Description Value
code Tells whether the cluster is Running or Stopped 'Running'
'Stopped'

PrivateLinkResource

Name Description Value
groupId The group ID of the resource. string
id The ID of the private link resource. string
name The name of the private link resource. string
requiredMembers The RequiredMembers of the resource string[]
type The resource type. string

ResourceReference

Name Description Value
id The fully qualified Azure resource id. string

ScaleProfile

Name Description Value
manual Specifications on how to scale the VirtualMachines agent pool to a fixed size. ManualScaleProfile[]

ServiceMeshProfile

Name Description Value
istio Istio service mesh configuration. IstioServiceMesh
mode Mode of the service mesh. 'Disabled'
'Istio' (required)

SysctlConfig

Name Description Value
fsAioMaxNr Sysctl setting fs.aio-max-nr. int
fsFileMax Sysctl setting fs.file-max. int
fsInotifyMaxUserWatches Sysctl setting fs.inotify.max_user_watches. int
fsNrOpen Sysctl setting fs.nr_open. int
kernelThreadsMax Sysctl setting kernel.threads-max. int
netCoreNetdevMaxBacklog Sysctl setting net.core.netdev_max_backlog. int
netCoreOptmemMax Sysctl setting net.core.optmem_max. int
netCoreRmemDefault Sysctl setting net.core.rmem_default. int
netCoreRmemMax Sysctl setting net.core.rmem_max. int
netCoreSomaxconn Sysctl setting net.core.somaxconn. int
netCoreWmemDefault Sysctl setting net.core.wmem_default. int
netCoreWmemMax Sysctl setting net.core.wmem_max. int
netIpv4IpLocalPortRange Sysctl setting net.ipv4.ip_local_port_range. string
netIpv4NeighDefaultGcThresh1 Sysctl setting net.ipv4.neigh.default.gc_thresh1. int
netIpv4NeighDefaultGcThresh2 Sysctl setting net.ipv4.neigh.default.gc_thresh2. int
netIpv4NeighDefaultGcThresh3 Sysctl setting net.ipv4.neigh.default.gc_thresh3. int
netIpv4TcpFinTimeout Sysctl setting net.ipv4.tcp_fin_timeout. int
netIpv4TcpkeepaliveIntvl Sysctl setting net.ipv4.tcp_keepalive_intvl. int

Constraints:
Min value = 10
Max value = 90
netIpv4TcpKeepaliveProbes Sysctl setting net.ipv4.tcp_keepalive_probes. int
netIpv4TcpKeepaliveTime Sysctl setting net.ipv4.tcp_keepalive_time. int
netIpv4TcpMaxSynBacklog Sysctl setting net.ipv4.tcp_max_syn_backlog. int
netIpv4TcpMaxTwBuckets Sysctl setting net.ipv4.tcp_max_tw_buckets. int
netIpv4TcpTwReuse Sysctl setting net.ipv4.tcp_tw_reuse. bool
netNetfilterNfConntrackBuckets Sysctl setting net.netfilter.nf_conntrack_buckets. int

Constraints:
Min value = 65536
Max value = 524288
netNetfilterNfConntrackMax Sysctl setting net.netfilter.nf_conntrack_max. int

Constraints:
Min value = 131072
Max value = 2097152
vmMaxMapCount Sysctl setting vm.max_map_count. int
vmSwappiness Sysctl setting vm.swappiness. int
vmVfsCachePressure Sysctl setting vm.vfs_cache_pressure. int

TrackedResourceTags

Name Description Value

UpgradeOverrideSettings

Name Description Value
forceUpgrade Whether to force upgrade the cluster. Note that this option instructs upgrade operation to bypass upgrade protections such as checking for deprecated API usage. Enable this option only with caution. bool
until Until when the overrides are effective. Note that this only matches the start time of an upgrade, and the effectiveness won't change once an upgrade starts even if the until expires as upgrade proceeds. This field is not set by default. It must be set for the overrides to take effect. string

UserAssignedIdentity

Name Description Value
clientId The client ID of the user assigned identity. string
objectId The object ID of the user assigned identity. string
resourceId The resource ID of the user assigned identity. string

VirtualMachineNodes

Name Description Value
count Number of nodes. int
size The VM size of the agents used to host this group of nodes. string

VirtualMachinesProfile

Name Description Value
scale Specifications on how to scale a VirtualMachines agent pool. ScaleProfile

WindowsGmsaProfile

Name Description Value
dnsServer Specifies the DNS server for Windows gMSA.

Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster.
string
enabled Whether to enable Windows gMSA. Specifies whether to enable Windows gMSA in the managed cluster. bool
rootDomainName Specifies the root domain name for Windows gMSA.

Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster.
string

Usage Examples

Azure Quickstart Templates

The following Azure Quickstart templates deploy this resource type.

Template Description
AKS Cluster with a NAT Gateway and an Application Gateway

Deploy to Azure
This sample shows how to a deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections.
AKS cluster with the Application Gateway Ingress Controller

Deploy to Azure
This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault
Azure Container Service (AKS)

Deploy to Azure
Deploy a managed cluster with Azure Container Service (AKS) using Azure Linux container hosts
Azure Container Service (AKS)

Deploy to Azure
Deploy a managed cluster with Azure Container Service (AKS)
Azure Container Service (AKS) with Helm

Deploy to Azure
Deploy a managed cluster with Azure Container Service (AKS) with Helm
Azure Kubernetes Service (AKS)

Deploy to Azure
Deploys a managed Kubernetes cluster via Azure Kubernetes Service (AKS)
Azure Machine Learning end-to-end secure setup

Deploy to Azure
This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster.
Azure Machine Learning end-to-end secure setup (legacy)

Deploy to Azure
This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster.
CI/CD using Jenkins on Azure Container Service (AKS)

Deploy to Azure
Containers make it very easy for you to continuously build and deploy your applications. By orchestrating deployment of those containers using Kubernetes in Azure Container Service, you can achieve replicable, manageable clusters of containers. By setting up a continuous build to produce your container images and orchestration, you can increase the speed and reliability of your deployment.
Create a Private AKS Cluster

Deploy to Azure
This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine.
Create a Private AKS Cluster with a Public DNS Zone

Deploy to Azure
This sample shows how to a deploy a private AKS cluster with a Public DNS Zone.
Create AKS with Prometheus and Grafana with privae link

Deploy to Azure
This will create an Azure grafana, AKS and install Prometheus, an open-source monitoring and alerting toolkit, on an Azure Kubernetes Service (AKS) cluster. Then you use Azure Managed Grafana's managed private endpoint to connect to this Prometheus server and display the Prometheus data in a Grafana dashboard
Deploy a managed Kubernetes Cluster (AKS)

Deploy to Azure
This ARM template demonstrates the deployment of an AKS instance with advanced networking features into an existing virtual network. Additionally, the chosen Service Principal is assigned the Network Contributor role against the subnet that contains the AKS cluster.
Deploy a managed Kubernetes Cluster with AAD (AKS)

Deploy to Azure
This ARM template demonstrates the deployment of an AKS instance with advanced networking features into an existing virtual network and Azure AD Integeration. Additionally, the chosen Service Principal is assigned the Network Contributor role against the subnet that contains the AKS cluster.
Deploy an AKS cluster for Azure ML

Deploy to Azure
This template allows you to deploy an entreprise compliant AKS cluster which can be attached to Azure ML
min.io Azure Gateway

Deploy to Azure
Fully private min.io Azure Gateway deployment to provide an S3 compliant storage API backed by blob storage

Terraform (AzAPI provider) resource definition

The managedClusters resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.ContainerService/managedClusters resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.ContainerService/managedClusters@2025-05-01"
  name = "string"
  parent_id = "string"
  identity {
    type = "string"
    identity_ids = [
      "string"
    ]
  }
  location = "string"
  tags = {
    {customized property} = "string"
  }
  body = {
    extendedLocation = {
      name = "string"
      type = "string"
    }
    properties = {
      aadProfile = {
        adminGroupObjectIDs = [
          "string"
        ]
        clientAppID = "string"
        enableAzureRBAC = bool
        managed = bool
        serverAppID = "string"
        serverAppSecret = "string"
        tenantID = "string"
      }
      addonProfiles = {
        {customized property} = {
          config = {
            {customized property} = "string"
          }
          enabled = bool
        }
      }
      agentPoolProfiles = [
        {
          availabilityZones = [
            "string"
          ]
          capacityReservationGroupID = "string"
          count = int
          creationData = {
            sourceResourceId = "string"
          }
          enableAutoScaling = bool
          enableEncryptionAtHost = bool
          enableFIPS = bool
          enableNodePublicIP = bool
          enableUltraSSD = bool
          gatewayProfile = {
            publicIPPrefixSize = int
          }
          gpuInstanceProfile = "string"
          gpuProfile = {
            driver = "string"
          }
          hostGroupID = "string"
          kubeletConfig = {
            allowedUnsafeSysctls = [
              "string"
            ]
            containerLogMaxFiles = int
            containerLogMaxSizeMB = int
            cpuCfsQuota = bool
            cpuCfsQuotaPeriod = "string"
            cpuManagerPolicy = "string"
            failSwapOn = bool
            imageGcHighThreshold = int
            imageGcLowThreshold = int
            podMaxPids = int
            topologyManagerPolicy = "string"
          }
          kubeletDiskType = "string"
          linuxOSConfig = {
            swapFileSizeMB = int
            sysctls = {
              fsAioMaxNr = int
              fsFileMax = int
              fsInotifyMaxUserWatches = int
              fsNrOpen = int
              kernelThreadsMax = int
              netCoreNetdevMaxBacklog = int
              netCoreOptmemMax = int
              netCoreRmemDefault = int
              netCoreRmemMax = int
              netCoreSomaxconn = int
              netCoreWmemDefault = int
              netCoreWmemMax = int
              netIpv4IpLocalPortRange = "string"
              netIpv4NeighDefaultGcThresh1 = int
              netIpv4NeighDefaultGcThresh2 = int
              netIpv4NeighDefaultGcThresh3 = int
              netIpv4TcpFinTimeout = int
              netIpv4TcpkeepaliveIntvl = int
              netIpv4TcpKeepaliveProbes = int
              netIpv4TcpKeepaliveTime = int
              netIpv4TcpMaxSynBacklog = int
              netIpv4TcpMaxTwBuckets = int
              netIpv4TcpTwReuse = bool
              netNetfilterNfConntrackBuckets = int
              netNetfilterNfConntrackMax = int
              vmMaxMapCount = int
              vmSwappiness = int
              vmVfsCachePressure = int
            }
            transparentHugePageDefrag = "string"
            transparentHugePageEnabled = "string"
          }
          maxCount = int
          maxPods = int
          messageOfTheDay = "string"
          minCount = int
          mode = "string"
          name = "string"
          networkProfile = {
            allowedHostPorts = [
              {
                portEnd = int
                portStart = int
                protocol = "string"
              }
            ]
            applicationSecurityGroups = [
              "string"
            ]
            nodePublicIPTags = [
              {
                ipTagType = "string"
                tag = "string"
              }
            ]
          }
          nodeLabels = {
            {customized property} = "string"
          }
          nodePublicIPPrefixID = "string"
          nodeTaints = [
            "string"
          ]
          orchestratorVersion = "string"
          osDiskSizeGB = int
          osDiskType = "string"
          osSKU = "string"
          osType = "string"
          podIPAllocationMode = "string"
          podSubnetID = "string"
          powerState = {
            code = "string"
          }
          proximityPlacementGroupID = "string"
          scaleDownMode = "string"
          scaleSetEvictionPolicy = "string"
          scaleSetPriority = "string"
          securityProfile = {
            enableSecureBoot = bool
            enableVTPM = bool
          }
          spotMaxPrice = int
          status = {
          }
          tags = {
            {customized property} = "string"
          }
          type = "string"
          upgradeSettings = {
            drainTimeoutInMinutes = int
            maxSurge = "string"
            maxUnavailable = "string"
            nodeSoakDurationInMinutes = int
            undrainableNodeBehavior = "string"
          }
          virtualMachineNodesStatus = [
            {
              count = int
              size = "string"
            }
          ]
          virtualMachinesProfile = {
            scale = {
              manual = [
                {
                  count = int
                  size = "string"
                }
              ]
            }
          }
          vmSize = "string"
          vnetSubnetID = "string"
          windowsProfile = {
            disableOutboundNat = bool
          }
          workloadRuntime = "string"
        }
      ]
      aiToolchainOperatorProfile = {
        enabled = bool
      }
      apiServerAccessProfile = {
        authorizedIPRanges = [
          "string"
        ]
        disableRunCommand = bool
        enablePrivateCluster = bool
        enablePrivateClusterPublicFQDN = bool
        enableVnetIntegration = bool
        privateDNSZone = "string"
        subnetId = "string"
      }
      autoScalerProfile = {
        balance-similar-node-groups = "string"
        daemonset-eviction-for-empty-nodes = bool
        daemonset-eviction-for-occupied-nodes = bool
        expander = "string"
        ignore-daemonsets-utilization = bool
        max-empty-bulk-delete = "string"
        max-graceful-termination-sec = "string"
        max-node-provision-time = "string"
        max-total-unready-percentage = "string"
        new-pod-scale-up-delay = "string"
        ok-total-unready-count = "string"
        scale-down-delay-after-add = "string"
        scale-down-delay-after-delete = "string"
        scale-down-delay-after-failure = "string"
        scale-down-unneeded-time = "string"
        scale-down-unready-time = "string"
        scale-down-utilization-threshold = "string"
        scan-interval = "string"
        skip-nodes-with-local-storage = "string"
        skip-nodes-with-system-pods = "string"
      }
      autoUpgradeProfile = {
        nodeOSUpgradeChannel = "string"
        upgradeChannel = "string"
      }
      azureMonitorProfile = {
        metrics = {
          enabled = bool
          kubeStateMetrics = {
            metricAnnotationsAllowList = "string"
            metricLabelsAllowlist = "string"
          }
        }
      }
      bootstrapProfile = {
        artifactSource = "string"
        containerRegistryId = "string"
      }
      disableLocalAccounts = bool
      diskEncryptionSetID = "string"
      dnsPrefix = "string"
      enableRBAC = bool
      fqdnSubdomain = "string"
      httpProxyConfig = {
        httpProxy = "string"
        httpsProxy = "string"
        noProxy = [
          "string"
        ]
        trustedCa = "string"
      }
      identityProfile = {
        {customized property} = {
          clientId = "string"
          objectId = "string"
          resourceId = "string"
        }
      }
      ingressProfile = {
        webAppRouting = {
          dnsZoneResourceIds = [
            "string"
          ]
          enabled = bool
          nginx = {
            defaultIngressControllerType = "string"
          }
        }
      }
      kubernetesVersion = "string"
      linuxProfile = {
        adminUsername = "string"
        ssh = {
          publicKeys = [
            {
              keyData = "string"
            }
          ]
        }
      }
      metricsProfile = {
        costAnalysis = {
          enabled = bool
        }
      }
      networkProfile = {
        advancedNetworking = {
          enabled = bool
          observability = {
            enabled = bool
          }
          security = {
            enabled = bool
          }
        }
        dnsServiceIP = "string"
        ipFamilies = [
          "string"
        ]
        loadBalancerProfile = {
          allocatedOutboundPorts = int
          backendPoolType = "string"
          enableMultipleStandardLoadBalancers = bool
          idleTimeoutInMinutes = int
          managedOutboundIPs = {
            count = int
            countIPv6 = int
          }
          outboundIPPrefixes = {
            publicIPPrefixes = [
              {
                id = "string"
              }
            ]
          }
          outboundIPs = {
            publicIPs = [
              {
                id = "string"
              }
            ]
          }
        }
        loadBalancerSku = "string"
        natGatewayProfile = {
          idleTimeoutInMinutes = int
          managedOutboundIPProfile = {
            count = int
          }
        }
        networkDataplane = "string"
        networkMode = "string"
        networkPlugin = "string"
        networkPluginMode = "string"
        networkPolicy = "string"
        outboundType = "string"
        podCidr = "string"
        podCidrs = [
          "string"
        ]
        serviceCidr = "string"
        serviceCidrs = [
          "string"
        ]
        staticEgressGatewayProfile = {
          enabled = bool
        }
      }
      nodeProvisioningProfile = {
        defaultNodePools = "string"
        mode = "string"
      }
      nodeResourceGroup = "string"
      nodeResourceGroupProfile = {
        restrictionLevel = "string"
      }
      oidcIssuerProfile = {
        enabled = bool
      }
      podIdentityProfile = {
        allowNetworkPluginKubenet = bool
        enabled = bool
        userAssignedIdentities = [
          {
            bindingSelector = "string"
            identity = {
              clientId = "string"
              objectId = "string"
              resourceId = "string"
            }
            name = "string"
            namespace = "string"
          }
        ]
        userAssignedIdentityExceptions = [
          {
            name = "string"
            namespace = "string"
            podLabels = {
              {customized property} = "string"
            }
          }
        ]
      }
      privateLinkResources = [
        {
          groupId = "string"
          id = "string"
          name = "string"
          requiredMembers = [
            "string"
          ]
          type = "string"
        }
      ]
      publicNetworkAccess = "string"
      securityProfile = {
        azureKeyVaultKms = {
          enabled = bool
          keyId = "string"
          keyVaultNetworkAccess = "string"
          keyVaultResourceId = "string"
        }
        customCATrustCertificates = [
          ?
        ]
        defender = {
          logAnalyticsWorkspaceResourceId = "string"
          securityMonitoring = {
            enabled = bool
          }
        }
        imageCleaner = {
          enabled = bool
          intervalHours = int
        }
        workloadIdentity = {
          enabled = bool
        }
      }
      serviceMeshProfile = {
        istio = {
          certificateAuthority = {
            plugin = {
              certChainObjectName = "string"
              certObjectName = "string"
              keyObjectName = "string"
              keyVaultId = "string"
              rootCertObjectName = "string"
            }
          }
          components = {
            egressGateways = [
              {
                enabled = bool
              }
            ]
            ingressGateways = [
              {
                enabled = bool
                mode = "string"
              }
            ]
          }
          revisions = [
            "string"
          ]
        }
        mode = "string"
      }
      servicePrincipalProfile = {
        clientId = "string"
        secret = "string"
      }
      status = {
      }
      storageProfile = {
        blobCSIDriver = {
          enabled = bool
        }
        diskCSIDriver = {
          enabled = bool
        }
        fileCSIDriver = {
          enabled = bool
        }
        snapshotController = {
          enabled = bool
        }
      }
      supportPlan = "string"
      upgradeSettings = {
        overrideSettings = {
          forceUpgrade = bool
          until = "string"
        }
      }
      windowsProfile = {
        adminPassword = "string"
        adminUsername = "string"
        enableCSIProxy = bool
        gmsaProfile = {
          dnsServer = "string"
          enabled = bool
          rootDomainName = "string"
        }
        licenseType = "string"
      }
      workloadAutoScalerProfile = {
        keda = {
          enabled = bool
        }
        verticalPodAutoscaler = {
          enabled = bool
        }
      }
    }
    sku = {
      name = "string"
      tier = "string"
    }
  }
}

Property Values

Microsoft.ContainerService/managedClusters

Name Description Value
extendedLocation The extended location of the Virtual Machine. ExtendedLocation
identity The identity of the managed cluster, if configured. ManagedClusterIdentity
location The geo-location where the resource lives string (required)
name The resource name string

Constraints:
Min length = 1
Max length = 63
Pattern = ^[a-zA-Z0-9]$|^[a-zA-Z0-9][-_a-zA-Z0-9]{0,61}[a-zA-Z0-9]$ (required)
parent_id The ID of the resource to apply this extension resource to. string (required)
properties Properties of a managed cluster. ManagedClusterProperties
sku The managed cluster SKU. ManagedClusterSKU
tags Resource tags Dictionary of tag names and values.
type The resource type "Microsoft.ContainerService/managedClusters@2025-05-01"

AdvancedNetworking

Name Description Value
enabled Indicates the enablement of Advanced Networking functionalities of observability and security on AKS clusters. When this is set to true, all observability and security features will be set to enabled unless explicitly disabled. If not specified, the default is false. bool
observability Observability profile to enable advanced network metrics and flow logs with historical contexts. AdvancedNetworkingObservability
security Security profile to enable security features on cilium based cluster. AdvancedNetworkingSecurity

AdvancedNetworkingObservability

Name Description Value
enabled Indicates the enablement of Advanced Networking observability functionalities on clusters. bool

AdvancedNetworkingSecurity

Name Description Value
enabled This feature allows user to configure network policy based on DNS (FQDN) names. It can be enabled only on cilium based clusters. If not specified, the default is false. bool

AgentPoolGatewayProfile

Name Description Value
publicIPPrefixSize The Gateway agent pool associates one public IPPrefix for each static egress gateway to provide public egress. The size of Public IPPrefix should be selected by the user. Each node in the agent pool is assigned with one IP from the IPPrefix. The IPPrefix size thus serves as a cap on the size of the Gateway agent pool. Due to Azure public IPPrefix size limitation, the valid value range is [28, 31] (/31 = 2 nodes/IPs, /30 = 4 nodes/IPs, /29 = 8 nodes/IPs, /28 = 16 nodes/IPs). The default value is 31. int

Constraints:
Min value = 28
Max value = 31

AgentPoolNetworkProfile

Name Description Value
allowedHostPorts The port ranges that are allowed to access. The specified ranges are allowed to overlap. PortRange[]
applicationSecurityGroups The IDs of the application security groups which agent pool will associate when created. string[]
nodePublicIPTags IPTags of instance-level public IPs. IPTag[]

AgentPoolSecurityProfile

Name Description Value
enableSecureBoot Secure Boot is a feature of Trusted Launch which ensures that only signed operating systems and drivers can boot. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false. bool
enableVTPM vTPM is a Trusted Launch feature for configuring a dedicated secure vault for keys and measurements held locally on the node. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false. bool

AgentPoolStatus

Name Description Value

AgentPoolUpgradeSettings

Name Description Value
drainTimeoutInMinutes The drain timeout for a node. The amount of time (in minutes) to wait on eviction of pods and graceful termination per node. This eviction wait time honors waiting on pod disruption budgets. If this time is exceeded, the upgrade fails. If not specified, the default is 30 minutes. int

Constraints:
Min value = 1
Max value = 1440
maxSurge The maximum number or percentage of nodes that are surged during upgrade. This can either be set to an integer (e.g. '5') or a percentage (e.g. '50%'). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 10%. For more information, including best practices, see: /azure/aks/upgrade-cluster string
maxUnavailable The maximum number or percentage of nodes that can be simultaneously unavailable during upgrade. This can either be set to an integer (e.g. '1') or a percentage (e.g. '5%'). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 0. For more information, including best practices, see: /azure/aks/upgrade-cluster string
nodeSoakDurationInMinutes The soak duration for a node. The amount of time (in minutes) to wait after draining a node and before reimaging it and moving on to next node. If not specified, the default is 0 minutes. int

Constraints:
Min value = 0
Max value = 30
undrainableNodeBehavior Defines the behavior for undrainable nodes during upgrade. The most common cause of undrainable nodes is Pod Disruption Budgets (PDBs), but other issues, such as pod termination grace period is exceeding the remaining per-node drain timeout or pod is still being in a running state, can also cause undrainable nodes. 'Cordon'
'Schedule'

AgentPoolWindowsProfile

Name Description Value
disableOutboundNat Whether to disable OutboundNAT in windows nodes. The default value is false. Outbound NAT can only be disabled if the cluster outboundType is NAT Gateway and the Windows agent pool does not have node public IP enabled. bool

AzureKeyVaultKms

Name Description Value
enabled Whether to enable Azure Key Vault key management service. The default is false. bool
keyId Identifier of Azure Key Vault key. See key identifier format for more details. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier. When Azure Key Vault key management service is disabled, leave the field empty. string
keyVaultNetworkAccess Network access of the key vault. Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public. 'Private'
'Public'
keyVaultResourceId Resource ID of key vault. When keyVaultNetworkAccess is Private, this field is required and must be a valid resource ID. When keyVaultNetworkAccess is Public, leave the field empty. string

ClusterUpgradeSettings

Name Description Value
overrideSettings Settings for overrides. UpgradeOverrideSettings

ContainerServiceLinuxProfile

Name Description Value
adminUsername The administrator username to use for Linux VMs. string

Constraints:
Pattern = ^[A-Za-z][-A-Za-z0-9_]*$ (required)
ssh The SSH configuration for Linux-based VMs running on Azure. ContainerServiceSshConfiguration (required)

ContainerServiceNetworkProfile

Name Description Value
advancedNetworking Advanced Networking profile for enabling observability and security feature suite on a cluster. For more information see aka.ms/aksadvancednetworking. AdvancedNetworking
dnsServiceIP An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. string

Constraints:
Pattern = ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
ipFamilies The IP families used to specify IP versions available to the cluster. IP families are used to determine single-stack or dual-stack clusters. For single-stack, the expected value is IPv4. For dual-stack, the expected values are IPv4 and IPv6. String array containing any of:
'IPv4'
'IPv6'
loadBalancerProfile Profile of the cluster load balancer. ManagedClusterLoadBalancerProfile
loadBalancerSku The load balancer sku for the managed cluster. The default is 'standard'. See Azure Load Balancer SKUs for more information about the differences between load balancer SKUs. 'basic'
'standard'
natGatewayProfile Profile of the cluster NAT gateway. ManagedClusterNATGatewayProfile
networkDataplane Network dataplane used in the Kubernetes cluster. 'azure'
'cilium'
networkMode The network mode Azure CNI is configured with. This cannot be specified if networkPlugin is anything other than 'azure'. 'bridge'
'transparent'
networkPlugin Network plugin used for building the Kubernetes network. 'azure'
'kubenet'
'none'
networkPluginMode The mode the network plugin should use. 'overlay'
networkPolicy Network policy used for building the Kubernetes network. 'azure'
'calico'
'cilium'
'none'
outboundType The outbound (egress) routing method. This can only be set at cluster creation time and cannot be changed later. For more information see egress outbound type. 'loadBalancer'
'managedNATGateway'
'none'
'userAssignedNATGateway'
'userDefinedRouting'
podCidr A CIDR notation IP range from which to assign pod IPs when kubenet is used. string

Constraints:
Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$
podCidrs The CIDR notation IP ranges from which to assign pod IPs. One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking. string[]
serviceCidr A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges. string

Constraints:
Pattern = ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$
serviceCidrs The CIDR notation IP ranges from which to assign service cluster IPs. One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), is expected for dual-stack networking. They must not overlap with any Subnet IP ranges. string[]
staticEgressGatewayProfile The profile for Static Egress Gateway addon. For more details about Static Egress Gateway, see https://aka.ms/aks/static-egress-gateway. ManagedClusterStaticEgressGatewayProfile

ContainerServiceSshConfiguration

Name Description Value
publicKeys The list of SSH public keys used to authenticate with Linux-based VMs. A maximum of 1 key may be specified. ContainerServiceSshPublicKey[] (required)

ContainerServiceSshPublicKey

Name Description Value
keyData Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers. string (required)

CreationData

Name Description Value
sourceResourceId This is the ARM ID of the source object to be used to create the target object. string

DelegatedResource

Name Description Value
location The source resource location - internal use only. string
referralResource The delegation id of the referral delegation (optional) - internal use only. string
resourceId The ARM resource id of the delegated resource - internal use only. string
tenantId The tenant id of the delegated resource - internal use only. string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$

DelegatedResources

Name Description Value

ExtendedLocation

Name Description Value
name The name of the extended location. string
type The type of the extended location. 'EdgeZone'

GPUProfile

Name Description Value
driver Whether to install GPU drivers. When it's not specified, default is Install. 'Install'
'None'

IPTag

Name Description Value
ipTagType The IP tag type. Example: RoutingPreference. string
tag The value of the IP tag associated with the public IP. Example: Internet. string

IstioCertificateAuthority

Name Description Value
plugin Plugin certificates information for Service Mesh. IstioPluginCertificateAuthority

IstioComponents

Name Description Value
egressGateways Istio egress gateways. IstioEgressGateway[]
ingressGateways Istio ingress gateways. IstioIngressGateway[]

IstioEgressGateway

Name Description Value
enabled Whether to enable the egress gateway. bool (required)

IstioIngressGateway

Name Description Value
enabled Whether to enable the ingress gateway. bool (required)
mode Mode of an ingress gateway. 'External'
'Internal' (required)

IstioPluginCertificateAuthority

Name Description Value
certChainObjectName Certificate chain object name in Azure Key Vault. string
certObjectName Intermediate certificate object name in Azure Key Vault. string
keyObjectName Intermediate certificate private key object name in Azure Key Vault. string
keyVaultId The resource ID of the Key Vault. string
rootCertObjectName Root certificate object name in Azure Key Vault. string

IstioServiceMesh

Name Description Value
certificateAuthority Istio Service Mesh Certificate Authority (CA) configuration. For now, we only support plugin certificates as described here https://aka.ms/asm-plugin-ca IstioCertificateAuthority
components Istio components configuration. IstioComponents
revisions The list of revisions of the Istio control plane. When an upgrade is not in progress, this holds one value. When canary upgrade is in progress, this can only hold two consecutive values. For more information, see: /azure/aks/istio-upgrade string[]

KubeletConfig

Name Description Value
allowedUnsafeSysctls Allowed list of unsafe sysctls or unsafe sysctl patterns (ending in *). string[]
containerLogMaxFiles The maximum number of container log files that can be present for a container. The number must be ≥ 2. int

Constraints:
Min value = 2
containerLogMaxSizeMB The maximum size (e.g. 10Mi) of container log file before it is rotated. int
cpuCfsQuota If CPU CFS quota enforcement is enabled for containers that specify CPU limits. The default is true. bool
cpuCfsQuotaPeriod The CPU CFS quota period value. The default is '100ms.' Valid values are a sequence of decimal numbers with an optional fraction and a unit suffix. For example: '300ms', '2h45m'. Supported units are 'ns', 'us', 'ms', 's', 'm', and 'h'. string
cpuManagerPolicy The CPU Manager policy to use. The default is 'none'. See Kubernetes CPU management policies for more information. Allowed values are 'none' and 'static'. string
failSwapOn If set to true it will make the Kubelet fail to start if swap is enabled on the node. bool
imageGcHighThreshold The percent of disk usage after which image garbage collection is always run. To disable image garbage collection, set to 100. The default is 85% int
imageGcLowThreshold The percent of disk usage before which image garbage collection is never run. This cannot be set higher than imageGcHighThreshold. The default is 80% int
podMaxPids The maximum number of processes per pod. int
topologyManagerPolicy The Topology Manager policy to use. For more information see Kubernetes Topology Manager. The default is 'none'. Allowed values are 'none', 'best-effort', 'restricted', and 'single-numa-node'. string

LinuxOSConfig

Name Description Value
swapFileSizeMB The size in MB of a swap file that will be created on each node. int
sysctls Sysctl settings for Linux agent nodes. SysctlConfig
transparentHugePageDefrag Whether the kernel should make aggressive use of memory compaction to make more hugepages available. Valid values are 'always', 'defer', 'defer+madvise', 'madvise' and 'never'. The default is 'madvise'. For more information see Transparent Hugepages. string
transparentHugePageEnabled Whether transparent hugepages are enabled. Valid values are 'always', 'madvise', and 'never'. The default is 'always'. For more information see Transparent Hugepages. string

ManagedClusterAADProfile

Name Description Value
adminGroupObjectIDs The list of AAD group object IDs that will have admin role of the cluster. string[]
clientAppID (DEPRECATED) The client AAD application ID. Learn more at https://aka.ms/aks/aad-legacy. string
enableAzureRBAC Whether to enable Azure RBAC for Kubernetes authorization. bool
managed Whether to enable managed AAD. bool
serverAppID (DEPRECATED) The server AAD application ID. Learn more at https://aka.ms/aks/aad-legacy. string
serverAppSecret (DEPRECATED) The server AAD application secret. Learn more at https://aka.ms/aks/aad-legacy. string
tenantID The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription. string

ManagedClusterAddonProfile

Name Description Value
config Key-value pairs for configuring an add-on. ManagedClusterAddonProfileConfig
enabled Whether the add-on is enabled or not. bool (required)

ManagedClusterAddonProfileConfig

Name Description Value

ManagedClusterAgentPoolProfile

Name Description Value
availabilityZones The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is 'VirtualMachineScaleSets'. string[]
capacityReservationGroupID AKS will associate the specified agent pool with the Capacity Reservation Group. string
count Number of agents (VMs) to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1. int
creationData CreationData to be used to specify the source Snapshot ID if the node pool will be created/upgraded using a snapshot. CreationData
enableAutoScaling Whether to enable auto-scaler bool
enableEncryptionAtHost Whether to enable host based OS and data drive encryption. This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption bool
enableFIPS Whether to use a FIPS-enabled OS. See Add a FIPS-enabled node pool for more details. bool
enableNodePublicIP Whether each node is allocated its own public IP. Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node. The default is false. bool
enableUltraSSD Whether to enable UltraSSD bool
gatewayProfile Profile specific to a managed agent pool in Gateway mode. This field cannot be set if agent pool mode is not Gateway. AgentPoolGatewayProfile
gpuInstanceProfile GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU. 'MIG1g'
'MIG2g'
'MIG3g'
'MIG4g'
'MIG7g'
gpuProfile GPU settings for the Agent Pool. GPUProfile
hostGroupID The fully qualified resource ID of the Dedicated Host Group to provision virtual machines from, used only in creation scenario and not allowed to changed once set. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/hostGroups/{hostGroupName}. For more information see Azure dedicated hosts. string
kubeletConfig The Kubelet configuration on the agent pool nodes. KubeletConfig
kubeletDiskType Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage. 'OS'
'Temporary'
linuxOSConfig The OS configuration of Linux agent nodes. LinuxOSConfig
maxCount The maximum number of nodes for auto-scaling int
maxPods The maximum number of pods that can run on a node. int
messageOfTheDay Message of the day for Linux nodes, base64-encoded. A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of the message of the day for Linux nodes. It must not be specified for Windows nodes. It must be a static string (i.e., will be printed raw and not be executed as a script). string
minCount The minimum number of nodes for auto-scaling int
mode The mode of an agent pool. A cluster must have at least one 'System' Agent Pool at all times. For additional information on agent pool restrictions and best practices, see: /azure/aks/use-system-pools 'Gateway'
'System'
'User'
name Unique name of the agent pool profile in the context of the subscription and resource group. Windows agent pool names must be 6 characters or less. string

Constraints:
Pattern = ^[a-z][a-z0-9]{0,11}$ (required)
networkProfile Network-related settings of an agent pool. AgentPoolNetworkProfile
nodeLabels The node labels to be persisted across all nodes in agent pool. ManagedClusterAgentPoolProfilePropertiesNodeLabels
nodePublicIPPrefixID The public IP prefix ID which VM nodes should use IPs from. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPPrefixes/{publicIPPrefixName} string
nodeTaints The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule. string[]
orchestratorVersion The version of Kubernetes specified by the user. Both patch version <major.minor.patch> (e.g. 1.20.13) and <major.minor> (e.g. 1.20) are supported. When <major.minor> is specified, the latest supported GA patch version is chosen automatically. Updating the cluster with the same <major.minor> once it has been created (e.g. 1.14.x -> 1.14) will not trigger an upgrade, even if a newer patch version is available. As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool. string
osDiskSizeGB OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified. int

Constraints:
Min value = 0
Max value = 2048
osDiskType The OS disk type to be used for machines in the agent pool. The default is 'Ephemeral' if the VM supports it and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. For more information see Ephemeral OS. 'Ephemeral'
'Managed'
osSKU Specifies the OS SKU used by the agent pool. The default is Ubuntu if OSType is Linux. The default is Windows2019 when Kubernetes <= 1.24 or Windows2022 when Kubernetes >= 1.25 if OSType is Windows. 'AzureLinux'
'CBLMariner'
'Ubuntu'
'Ubuntu2204'
'Windows2019'
'Windows2022'
osType The operating system type. The default is Linux. 'Linux'
'Windows'
podIPAllocationMode Pod IP Allocation Mode. The IP allocation mode for pods in the agent pool. Must be used with podSubnetId. The default is 'DynamicIndividual'. 'DynamicIndividual'
'StaticBlock'
podSubnetID The ID of the subnet which pods will join when launched. If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} string
powerState Whether the Agent Pool is running or stopped. When an Agent Pool is first created it is initially Running. The Agent Pool can be stopped by setting this field to Stopped. A stopped Agent Pool stops all of its VMs and does not accrue billing charges. An Agent Pool can only be stopped if it is Running and provisioning state is Succeeded PowerState
proximityPlacementGroupID The ID for Proximity Placement Group. string
scaleDownMode The scale down mode to use when scaling the Agent Pool. This also effects the cluster autoscaler behavior. If not specified, it defaults to Delete. 'Deallocate'
'Delete'
scaleSetEvictionPolicy The Virtual Machine Scale Set eviction policy to use. This cannot be specified unless the scaleSetPriority is 'Spot'. If not specified, the default is 'Delete'. 'Deallocate'
'Delete'
scaleSetPriority The Virtual Machine Scale Set priority. If not specified, the default is 'Regular'. 'Regular'
'Spot'
securityProfile The security settings of an agent pool. AgentPoolSecurityProfile
spotMaxPrice The max price (in US Dollars) you are willing to pay for spot instances. Possible values are any decimal value greater than zero or -1 which indicates default price to be up-to on-demand. Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing int
status Contains read-only information about the Agent Pool. AgentPoolStatus
tags The tags to be persisted on the agent pool virtual machine scale set. ManagedClusterAgentPoolProfilePropertiesTags
type The type of Agent Pool. 'AvailabilitySet'
'VirtualMachines'
'VirtualMachineScaleSets'
upgradeSettings Settings for upgrading the agentpool AgentPoolUpgradeSettings
virtualMachineNodesStatus The status of nodes in a VirtualMachines agent pool. VirtualMachineNodes[]
virtualMachinesProfile Specifications on VirtualMachines agent pool. VirtualMachinesProfile
vmSize The size of the agent pool VMs. VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: /azure/aks/quotas-skus-regions string
vnetSubnetID The ID of the subnet which agent pool nodes and optionally pods will join on startup. If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName} string
windowsProfile The Windows agent pool's specific profile. AgentPoolWindowsProfile
workloadRuntime Determines the type of workload a node can run. 'OCIContainer'
'WasmWasi'

ManagedClusterAgentPoolProfilePropertiesNodeLabels

Name Description Value

ManagedClusterAgentPoolProfilePropertiesTags

Name Description Value

ManagedClusterAIToolchainOperatorProfile

Name Description Value
enabled Whether to enable AI toolchain operator to the cluster. Indicates if AI toolchain operator enabled or not. bool

ManagedClusterAPIServerAccessProfile

Name Description Value
authorizedIPRanges The IP ranges authorized to access the Kubernetes API server. IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. For more information see API server authorized IP ranges. string[]
disableRunCommand Whether to disable run command for the cluster or not. bool
enablePrivateCluster Whether to create the cluster as a private cluster or not. For more details, see Creating a private AKS cluster. bool
enablePrivateClusterPublicFQDN Whether to create additional public FQDN for private cluster or not. bool
enableVnetIntegration Whether to enable apiserver vnet integration for the cluster or not. See aka.ms/AksVnetIntegration for more details. bool
privateDNSZone The private DNS zone mode for the cluster. The default is System. For more details see configure private DNS zone. Allowed values are 'system' and 'none'. string
subnetId The subnet to be used when apiserver vnet integration is enabled. It is required when creating a new cluster with BYO Vnet, or when updating an existing cluster to enable apiserver vnet integration. string

ManagedClusterAutoUpgradeProfile

Name Description Value
nodeOSUpgradeChannel Node OS Upgrade Channel. Manner in which the OS on your nodes is updated. The default is NodeImage. 'NodeImage'
'None'
'SecurityPatch'
'Unmanaged'
upgradeChannel The upgrade channel for auto upgrade. The default is 'none'. For more information see setting the AKS cluster auto-upgrade channel. 'node-image'
'none'
'patch'
'rapid'
'stable'

ManagedClusterAzureMonitorProfile

Name Description Value
metrics Metrics profile for the Azure Monitor managed service for Prometheus addon. Collect out-of-the-box Kubernetes infrastructure metrics to send to an Azure Monitor Workspace and configure additional scraping for custom targets. See aka.ms/AzureManagedPrometheus for an overview. ManagedClusterAzureMonitorProfileMetrics

ManagedClusterAzureMonitorProfileKubeStateMetrics

Name Description Value
metricAnnotationsAllowList Comma-separated list of Kubernetes annotation keys that will be used in the resource's labels metric (Example: 'namespaces=[kubernetes.io/team,...],pods=[kubernetes.io/team],...'). By default the metric contains only resource name and namespace labels. string
metricLabelsAllowlist Comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric (Example: 'namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...'). By default the metric contains only resource name and namespace labels. string

ManagedClusterAzureMonitorProfileMetrics

Name Description Value
enabled Whether to enable or disable the Azure Managed Prometheus addon for Prometheus monitoring. See aka.ms/AzureManagedPrometheus-aks-enable for details on enabling and disabling. bool (required)
kubeStateMetrics Kube State Metrics profile for the Azure Managed Prometheus addon. These optional settings are for the kube-state-metrics pod that is deployed with the addon. See aka.ms/AzureManagedPrometheus-optional-parameters for details. ManagedClusterAzureMonitorProfileKubeStateMetrics

ManagedClusterBootstrapProfile

Name Description Value
artifactSource The artifact source. The source where the artifacts are downloaded from. 'Cache'
'Direct'
containerRegistryId The resource Id of Azure Container Registry. The registry must have private network access, premium SKU and zone redundancy. string

ManagedClusterCostAnalysis

Name Description Value
enabled Whether to enable cost analysis. The Managed Cluster sku.tier must be set to 'Standard' or 'Premium' to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. If not specified, the default is false. For more information see aka.ms/aks/docs/cost-analysis. bool

ManagedClusterHttpProxyConfig

Name Description Value
httpProxy The HTTP proxy server endpoint to use. string
httpsProxy The HTTPS proxy server endpoint to use. string
noProxy The endpoints that should not go through proxy. string[]
trustedCa Alternative CA cert to use for connecting to proxy servers. string

ManagedClusterIdentity

Name Description Value
delegatedResources The delegated identity resources assigned to this managed cluster. This can only be set by another Azure Resource Provider, and managed cluster only accept one delegated identity resource. Internal use only. DelegatedResources
type The type of identity used for the managed cluster. For more information see use managed identities in AKS. 'None'
'SystemAssigned'
'UserAssigned'
userAssignedIdentities The user identity associated with the managed cluster. This identity will be used in control plane. Only one user assigned identity is allowed. The keys must be ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. ManagedClusterIdentityUserAssignedIdentities

ManagedClusterIdentityUserAssignedIdentities

Name Description Value

ManagedClusterIngressProfile

Name Description Value
webAppRouting App Routing settings for the ingress profile. You can find an overview and onboarding guide for this feature at /azure/aks/app-routing?tabs=default%2Cdeploy-app-default. ManagedClusterIngressProfileWebAppRouting

ManagedClusterIngressProfileNginx

Name Description Value
defaultIngressControllerType Ingress type for the default NginxIngressController custom resource 'AnnotationControlled'
'External'
'Internal'
'None'

ManagedClusterIngressProfileWebAppRouting

Name Description Value
dnsZoneResourceIds Resource IDs of the DNS zones to be associated with the Application Routing add-on. Used only when Application Routing add-on is enabled. Public and private DNS zones can be in different resource groups, but all public DNS zones must be in the same resource group and all private DNS zones must be in the same resource group. string[]
enabled Whether to enable the Application Routing add-on. bool
nginx Configuration for the default NginxIngressController. See more at /azure/aks/app-routing-nginx-configuration#the-default-nginx-ingress-controller. ManagedClusterIngressProfileNginx

ManagedClusterLoadBalancerProfile

Name Description Value
allocatedOutboundPorts The desired number of allocated SNAT ports per VM. Allowed values are in the range of 0 to 64000 (inclusive). The default value is 0 which results in Azure dynamically allocating ports. int

Constraints:
Min value = 0
Max value = 64000
backendPoolType The type of the managed inbound Load Balancer BackendPool. 'NodeIP'
'NodeIPConfiguration'
enableMultipleStandardLoadBalancers Enable multiple standard load balancers per AKS cluster or not. bool
idleTimeoutInMinutes Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 30 minutes. int

Constraints:
Min value = 4
Max value = 120
managedOutboundIPs Desired managed outbound IPs for the cluster load balancer. ManagedClusterLoadBalancerProfileManagedOutboundIPs
outboundIPPrefixes Desired outbound IP Prefix resources for the cluster load balancer. ManagedClusterLoadBalancerProfileOutboundIPPrefixes
outboundIPs Desired outbound IP resources for the cluster load balancer. ManagedClusterLoadBalancerProfileOutboundIPs

ManagedClusterLoadBalancerProfileManagedOutboundIPs

Name Description Value
count The desired number of IPv4 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1. int

Constraints:
Min value = 1
Max value = 100
countIPv6 The desired number of IPv6 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack. int

Constraints:
Min value = 0
Max value = 100

ManagedClusterLoadBalancerProfileOutboundIPPrefixes

Name Description Value
publicIPPrefixes A list of public IP prefix resources. ResourceReference[]

ManagedClusterLoadBalancerProfileOutboundIPs

Name Description Value
publicIPs A list of public IP resources. ResourceReference[]

ManagedClusterManagedOutboundIPProfile

Name Description Value
count The desired number of outbound IPs created/managed by Azure. Allowed values must be in the range of 1 to 16 (inclusive). The default value is 1. int

Constraints:
Min value = 1
Max value = 16

ManagedClusterMetricsProfile

Name Description Value
costAnalysis The configuration for detailed per-Kubernetes resource cost analysis. ManagedClusterCostAnalysis

ManagedClusterNATGatewayProfile

Name Description Value
idleTimeoutInMinutes Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 4 minutes. int

Constraints:
Min value = 4
Max value = 120
managedOutboundIPProfile Profile of the managed outbound IP resources of the cluster NAT gateway. ManagedClusterManagedOutboundIPProfile

ManagedClusterNodeProvisioningProfile

Name Description Value
defaultNodePools The set of default Karpenter NodePools (CRDs) configured for node provisioning. This field has no effect unless mode is 'Auto'. Warning: Changing this from Auto to None on an existing cluster will cause the default Karpenter NodePools to be deleted, which will drain and delete the nodes associated with those pools. It is strongly recommended to not do this unless there are idle nodes ready to take the pods evicted by that action. If not specified, the default is Auto. For more information see aka.ms/aks/nap#node-pools. 'Auto'
'None'
mode The node provisioning mode. If not specified, the default is Manual. 'Auto'
'Manual'

ManagedClusterNodeResourceGroupProfile

Name Description Value
restrictionLevel The restriction level applied to the cluster's node resource group. If not specified, the default is 'Unrestricted' 'ReadOnly'
'Unrestricted'

ManagedClusterOidcIssuerProfile

Name Description Value
enabled Whether the OIDC issuer is enabled. bool

ManagedClusterPodIdentity

Name Description Value
bindingSelector The binding selector to use for the AzureIdentityBinding resource. string
identity The user assigned identity details. UserAssignedIdentity (required)
name The name of the pod identity. string (required)
namespace The namespace of the pod identity. string (required)

ManagedClusterPodIdentityException

Name Description Value
name The name of the pod identity exception. string (required)
namespace The namespace of the pod identity exception. string (required)
podLabels The pod labels to match. ManagedClusterPodIdentityExceptionPodLabels (required)

ManagedClusterPodIdentityExceptionPodLabels

Name Description Value

ManagedClusterPodIdentityProfile

Name Description Value
allowNetworkPluginKubenet Whether pod identity is allowed to run on clusters with Kubenet networking. Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing. See using Kubenet network plugin with AAD Pod Identity for more information. bool
enabled Whether the pod identity addon is enabled. bool
userAssignedIdentities The pod identities to use in the cluster. ManagedClusterPodIdentity[]
userAssignedIdentityExceptions The pod identity exceptions to allow. ManagedClusterPodIdentityException[]

ManagedClusterProperties

Name Description Value
aadProfile The Azure Active Directory configuration. ManagedClusterAADProfile
addonProfiles The profile of managed cluster add-on. ManagedClusterPropertiesAddonProfiles
agentPoolProfiles The agent pool properties. ManagedClusterAgentPoolProfile[]
aiToolchainOperatorProfile AI toolchain operator settings that apply to the whole cluster. ManagedClusterAIToolchainOperatorProfile
apiServerAccessProfile The access profile for managed cluster API server. ManagedClusterAPIServerAccessProfile
autoScalerProfile Parameters to be applied to the cluster-autoscaler when enabled ManagedClusterPropertiesAutoScalerProfile
autoUpgradeProfile The auto upgrade configuration. ManagedClusterAutoUpgradeProfile
azureMonitorProfile Azure Monitor addon profiles for monitoring the managed cluster. ManagedClusterAzureMonitorProfile
bootstrapProfile Profile of the cluster bootstrap configuration. ManagedClusterBootstrapProfile
disableLocalAccounts If local accounts should be disabled on the Managed Cluster. If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. For more details see disable local accounts. bool
diskEncryptionSetID The Resource ID of the disk encryption set to use for enabling encryption at rest. This is of the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/diskEncryptionSets/{encryptionSetName}' string
dnsPrefix The DNS prefix of the Managed Cluster. This cannot be updated once the Managed Cluster has been created. string
enableRBAC Whether to enable Kubernetes Role-Based Access Control. bool
fqdnSubdomain The FQDN subdomain of the private cluster with custom private dns zone. This cannot be updated once the Managed Cluster has been created. string
httpProxyConfig Configurations for provisioning the cluster with HTTP proxy servers. ManagedClusterHttpProxyConfig
identityProfile The user identity associated with the managed cluster. This identity will be used by the kubelet. Only one user assigned identity is allowed. The only accepted key is "kubeletidentity", with value of "resourceId": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}". ManagedClusterPropertiesIdentityProfile
ingressProfile Ingress profile for the managed cluster. ManagedClusterIngressProfile
kubernetesVersion The version of Kubernetes specified by the user. Both patch version <major.minor.patch> (e.g. 1.20.13) and <major.minor> (e.g. 1.20) are supported. When <major.minor> is specified, the latest supported GA patch version is chosen automatically. Updating the cluster with the same <major.minor> once it has been created (e.g. 1.14.x -> 1.14) will not trigger an upgrade, even if a newer patch version is available. When you upgrade a supported AKS cluster, Kubernetes minor versions cannot be skipped. All upgrades must be performed sequentially by major version number. For example, upgrades between 1.14.x -> 1.15.x or 1.15.x -> 1.16.x are allowed, however 1.14.x -> 1.16.x is not allowed. See upgrading an AKS cluster for more details. string
linuxProfile The profile for Linux VMs in the Managed Cluster. ContainerServiceLinuxProfile
metricsProfile Optional cluster metrics configuration. ManagedClusterMetricsProfile
networkProfile The network configuration profile. ContainerServiceNetworkProfile
nodeProvisioningProfile Node provisioning settings that apply to the whole cluster. ManagedClusterNodeProvisioningProfile
nodeResourceGroup The name of the resource group containing agent pool nodes. string
nodeResourceGroupProfile Profile of the node resource group configuration. ManagedClusterNodeResourceGroupProfile
oidcIssuerProfile The OIDC issuer profile of the Managed Cluster. ManagedClusterOidcIssuerProfile
podIdentityProfile The pod identity profile of the Managed Cluster. See use AAD pod identity for more details on AAD pod identity integration. ManagedClusterPodIdentityProfile
privateLinkResources Private link resources associated with the cluster. PrivateLinkResource[]
publicNetworkAccess PublicNetworkAccess of the managedCluster. Allow or deny public network access for AKS 'Disabled'
'Enabled'
securityProfile Security profile for the managed cluster. ManagedClusterSecurityProfile
serviceMeshProfile Service mesh profile for a managed cluster. ServiceMeshProfile
servicePrincipalProfile Information about a service principal identity for the cluster to use for manipulating Azure APIs. ManagedClusterServicePrincipalProfile
status Contains read-only information about the Managed Cluster. ManagedClusterStatus
storageProfile Storage profile for the managed cluster. ManagedClusterStorageProfile
supportPlan The support plan for the Managed Cluster. If unspecified, the default is 'KubernetesOfficial'. 'AKSLongTermSupport'
'KubernetesOfficial'
upgradeSettings Settings for upgrading a cluster. ClusterUpgradeSettings
windowsProfile The profile for Windows VMs in the Managed Cluster. ManagedClusterWindowsProfile
workloadAutoScalerProfile Workload Auto-scaler profile for the managed cluster. ManagedClusterWorkloadAutoScalerProfile

ManagedClusterPropertiesAddonProfiles

Name Description Value

ManagedClusterPropertiesAutoScalerProfile

Name Description Value
balance-similar-node-groups Detects similar node pools and balances the number of nodes between them. Valid values are 'true' and 'false' string
daemonset-eviction-for-empty-nodes DaemonSet pods will be gracefully terminated from empty nodes. If set to true, all daemonset pods on empty nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted. bool
daemonset-eviction-for-occupied-nodes DaemonSet pods will be gracefully terminated from non-empty nodes. If set to true, all daemonset pods on occupied nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted. bool
expander The expander to use when scaling up. If not specified, the default is 'random'. See expanders for more information. 'least-waste'
'most-pods'
'priority'
'random'
ignore-daemonsets-utilization Should CA ignore DaemonSet pods when calculating resource utilization for scaling down. If set to true, the resources used by daemonset will be taken into account when making scaling down decisions. bool
max-empty-bulk-delete The maximum number of empty nodes that can be deleted at the same time. This must be a positive integer. The default is 10. string
max-graceful-termination-sec The maximum number of seconds the cluster autoscaler waits for pod termination when trying to scale down a node. The default is 600. string
max-node-provision-time The maximum time the autoscaler waits for a node to be provisioned. The default is '15m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
max-total-unready-percentage The maximum percentage of unready nodes in the cluster. After this percentage is exceeded, cluster autoscaler halts operations. The default is 45. The maximum is 100 and the minimum is 0. string
new-pod-scale-up-delay Ignore unscheduled pods before they're a certain age. For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. The default is '0s'. Values must be an integer followed by a unit ('s' for seconds, 'm' for minutes, 'h' for hours, etc). string
ok-total-unready-count The number of allowed unready nodes, irrespective of max-total-unready-percentage. This must be an integer. The default is 3. string
scale-down-delay-after-add How long after scale up that scale down evaluation resumes. The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
scale-down-delay-after-delete How long after node deletion that scale down evaluation resumes. The default is the scan-interval. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
scale-down-delay-after-failure How long after scale down failure that scale down evaluation resumes. The default is '3m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
scale-down-unneeded-time How long a node should be unneeded before it is eligible for scale down. The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
scale-down-unready-time How long an unready node should be unneeded before it is eligible for scale down. The default is '20m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported. string
scale-down-utilization-threshold Node utilization level, defined as sum of requested resources divided by capacity, below which a node can be considered for scale down. The default is '0.5'. string
scan-interval How often cluster is reevaluated for scale up or down. The default is '10'. Values must be an integer number of seconds. string
skip-nodes-with-local-storage If cluster autoscaler will skip deleting nodes with pods with local storage, for example, EmptyDir or HostPath. The default is true. string
skip-nodes-with-system-pods If cluster autoscaler will skip deleting nodes with pods from kube-system (except for DaemonSet or mirror pods). The default is true. string

ManagedClusterPropertiesIdentityProfile

Name Description Value

ManagedClusterSecurityProfile

Name Description Value
azureKeyVaultKms Azure Key Vault key management service settings for the security profile. AzureKeyVaultKms
customCATrustCertificates A list of up to 10 base64 encoded CAs that will be added to the trust store on all nodes in the cluster. For more information see Custom CA Trust Certificates. any[]
defender Microsoft Defender settings for the security profile. ManagedClusterSecurityProfileDefender
imageCleaner Image Cleaner settings for the security profile. ManagedClusterSecurityProfileImageCleaner
workloadIdentity Workload identity settings for the security profile. Workload identity enables Kubernetes applications to access Azure cloud resources securely with Azure AD. See https://aka.ms/aks/wi for more details. ManagedClusterSecurityProfileWorkloadIdentity

ManagedClusterSecurityProfileDefender

Name Description Value
logAnalyticsWorkspaceResourceId Resource ID of the Log Analytics workspace to be associated with Microsoft Defender. When Microsoft Defender is enabled, this field is required and must be a valid workspace resource ID. When Microsoft Defender is disabled, leave the field empty. string
securityMonitoring Microsoft Defender threat detection for Cloud settings for the security profile. ManagedClusterSecurityProfileDefenderSecurityMonitoring

ManagedClusterSecurityProfileDefenderSecurityMonitoring

Name Description Value
enabled Whether to enable Defender threat detection bool

ManagedClusterSecurityProfileImageCleaner

Name Description Value
enabled Whether to enable Image Cleaner on AKS cluster. bool
intervalHours Image Cleaner scanning interval in hours. int

ManagedClusterSecurityProfileWorkloadIdentity

Name Description Value
enabled Whether to enable workload identity. bool

ManagedClusterServicePrincipalProfile

Name Description Value
clientId The ID for the service principal. string (required)
secret The secret password associated with the service principal in plain text. string

ManagedClusterSKU

Name Description Value
name The name of a managed cluster SKU. 'Base'
tier The tier of a managed cluster SKU. If not specified, the default is 'Free'. See AKS Pricing Tier for more details. 'Free'
'Premium'
'Standard'

ManagedClusterStaticEgressGatewayProfile

Name Description Value
enabled Enable Static Egress Gateway addon. Indicates if Static Egress Gateway addon is enabled or not. bool

ManagedClusterStatus

Name Description Value

ManagedClusterStorageProfile

Name Description Value
blobCSIDriver AzureBlob CSI Driver settings for the storage profile. ManagedClusterStorageProfileBlobCSIDriver
diskCSIDriver AzureDisk CSI Driver settings for the storage profile. ManagedClusterStorageProfileDiskCSIDriver
fileCSIDriver AzureFile CSI Driver settings for the storage profile. ManagedClusterStorageProfileFileCSIDriver
snapshotController Snapshot Controller settings for the storage profile. ManagedClusterStorageProfileSnapshotController

ManagedClusterStorageProfileBlobCSIDriver

Name Description Value
enabled Whether to enable AzureBlob CSI Driver. The default value is false. bool

ManagedClusterStorageProfileDiskCSIDriver

Name Description Value
enabled Whether to enable AzureDisk CSI Driver. The default value is true. bool

ManagedClusterStorageProfileFileCSIDriver

Name Description Value
enabled Whether to enable AzureFile CSI Driver. The default value is true. bool

ManagedClusterStorageProfileSnapshotController

Name Description Value
enabled Whether to enable Snapshot Controller. The default value is true. bool

ManagedClusterWindowsProfile

Name Description Value
adminPassword Specifies the password of the administrator account.

Minimum-length: 8 characters

Max-length: 123 characters

Complexity requirements: 3 out of 4 conditions below need to be fulfilled
Has lower characters
Has upper characters
Has a digit
Has a special character (Regex match [\W_])

Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!"
string
adminUsername Specifies the name of the administrator account.

Restriction: Cannot end in "."

Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5".

Minimum-length: 1 character

Max-length: 20 characters
string (required)
enableCSIProxy Whether to enable CSI proxy. For more details on CSI proxy, see the CSI proxy GitHub repo. bool
gmsaProfile The Windows gMSA Profile in the Managed Cluster. WindowsGmsaProfile
licenseType The license type to use for Windows VMs. See Azure Hybrid User Benefits for more details. 'None'
'Windows_Server'

ManagedClusterWorkloadAutoScalerProfile

Name Description Value
keda KEDA (Kubernetes Event-driven Autoscaling) settings for the workload auto-scaler profile. ManagedClusterWorkloadAutoScalerProfileKeda
verticalPodAutoscaler VPA (Vertical Pod Autoscaler) settings for the workload auto-scaler profile. ManagedClusterWorkloadAutoScalerProfileVerticalPodAutoscaler

ManagedClusterWorkloadAutoScalerProfileKeda

Name Description Value
enabled Whether to enable KEDA. bool (required)

ManagedClusterWorkloadAutoScalerProfileVerticalPodAutoscaler

Name Description Value
enabled Whether to enable VPA. Default value is false. bool (required)

ManagedServiceIdentityUserAssignedIdentitiesValue

Name Description Value

ManualScaleProfile

Name Description Value
count Number of nodes. int
size VM size that AKS will use when creating and scaling e.g. 'Standard_E4s_v3', 'Standard_E16s_v3' or 'Standard_D16s_v5'. string

PortRange

Name Description Value
portEnd The maximum port that is included in the range. It should be ranged from 1 to 65535, and be greater than or equal to portStart. int

Constraints:
Min value = 1
Max value = 65535
portStart The minimum port that is included in the range. It should be ranged from 1 to 65535, and be less than or equal to portEnd. int

Constraints:
Min value = 1
Max value = 65535
protocol The network protocol of the port. 'TCP'
'UDP'

PowerState

Name Description Value
code Tells whether the cluster is Running or Stopped 'Running'
'Stopped'

PrivateLinkResource

Name Description Value
groupId The group ID of the resource. string
id The ID of the private link resource. string
name The name of the private link resource. string
requiredMembers The RequiredMembers of the resource string[]
type The resource type. string

ResourceReference

Name Description Value
id The fully qualified Azure resource id. string

ScaleProfile

Name Description Value
manual Specifications on how to scale the VirtualMachines agent pool to a fixed size. ManualScaleProfile[]

ServiceMeshProfile

Name Description Value
istio Istio service mesh configuration. IstioServiceMesh
mode Mode of the service mesh. 'Disabled'
'Istio' (required)

SysctlConfig

Name Description Value
fsAioMaxNr Sysctl setting fs.aio-max-nr. int
fsFileMax Sysctl setting fs.file-max. int
fsInotifyMaxUserWatches Sysctl setting fs.inotify.max_user_watches. int
fsNrOpen Sysctl setting fs.nr_open. int
kernelThreadsMax Sysctl setting kernel.threads-max. int
netCoreNetdevMaxBacklog Sysctl setting net.core.netdev_max_backlog. int
netCoreOptmemMax Sysctl setting net.core.optmem_max. int
netCoreRmemDefault Sysctl setting net.core.rmem_default. int
netCoreRmemMax Sysctl setting net.core.rmem_max. int
netCoreSomaxconn Sysctl setting net.core.somaxconn. int
netCoreWmemDefault Sysctl setting net.core.wmem_default. int
netCoreWmemMax Sysctl setting net.core.wmem_max. int
netIpv4IpLocalPortRange Sysctl setting net.ipv4.ip_local_port_range. string
netIpv4NeighDefaultGcThresh1 Sysctl setting net.ipv4.neigh.default.gc_thresh1. int
netIpv4NeighDefaultGcThresh2 Sysctl setting net.ipv4.neigh.default.gc_thresh2. int
netIpv4NeighDefaultGcThresh3 Sysctl setting net.ipv4.neigh.default.gc_thresh3. int
netIpv4TcpFinTimeout Sysctl setting net.ipv4.tcp_fin_timeout. int
netIpv4TcpkeepaliveIntvl Sysctl setting net.ipv4.tcp_keepalive_intvl. int

Constraints:
Min value = 10
Max value = 90
netIpv4TcpKeepaliveProbes Sysctl setting net.ipv4.tcp_keepalive_probes. int
netIpv4TcpKeepaliveTime Sysctl setting net.ipv4.tcp_keepalive_time. int
netIpv4TcpMaxSynBacklog Sysctl setting net.ipv4.tcp_max_syn_backlog. int
netIpv4TcpMaxTwBuckets Sysctl setting net.ipv4.tcp_max_tw_buckets. int
netIpv4TcpTwReuse Sysctl setting net.ipv4.tcp_tw_reuse. bool
netNetfilterNfConntrackBuckets Sysctl setting net.netfilter.nf_conntrack_buckets. int

Constraints:
Min value = 65536
Max value = 524288
netNetfilterNfConntrackMax Sysctl setting net.netfilter.nf_conntrack_max. int

Constraints:
Min value = 131072
Max value = 2097152
vmMaxMapCount Sysctl setting vm.max_map_count. int
vmSwappiness Sysctl setting vm.swappiness. int
vmVfsCachePressure Sysctl setting vm.vfs_cache_pressure. int

TrackedResourceTags

Name Description Value

UpgradeOverrideSettings

Name Description Value
forceUpgrade Whether to force upgrade the cluster. Note that this option instructs upgrade operation to bypass upgrade protections such as checking for deprecated API usage. Enable this option only with caution. bool
until Until when the overrides are effective. Note that this only matches the start time of an upgrade, and the effectiveness won't change once an upgrade starts even if the until expires as upgrade proceeds. This field is not set by default. It must be set for the overrides to take effect. string

UserAssignedIdentity

Name Description Value
clientId The client ID of the user assigned identity. string
objectId The object ID of the user assigned identity. string
resourceId The resource ID of the user assigned identity. string

VirtualMachineNodes

Name Description Value
count Number of nodes. int
size The VM size of the agents used to host this group of nodes. string

VirtualMachinesProfile

Name Description Value
scale Specifications on how to scale a VirtualMachines agent pool. ScaleProfile

WindowsGmsaProfile

Name Description Value
dnsServer Specifies the DNS server for Windows gMSA.

Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster.
string
enabled Whether to enable Windows gMSA. Specifies whether to enable Windows gMSA in the managed cluster. bool
rootDomainName Specifies the root domain name for Windows gMSA.

Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster.
string

Usage Examples

Terraform Samples

A basic example of deploying managed Kubernetes Cluster (also known as AKS / Azure Kubernetes Service).

terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
  }
}

provider "azapi" {
  skip_provider_registration = false
}

variable "resource_name" {
  type    = string
  default = "acctest0001"
}

variable "location" {
  type    = string
  default = "westeurope"
}

resource "azapi_resource" "resourceGroup" {
  type                      = "Microsoft.Resources/resourceGroups@2020-06-01"
  name                      = var.resource_name
  location                  = var.location
  schema_validation_enabled = false
  response_export_values    = ["*"]
}

resource "azapi_resource" "managedCluster" {
  type      = "Microsoft.ContainerService/managedClusters@2023-04-02-preview"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  identity {
    type         = "SystemAssigned"
    identity_ids = []
  }
  body = {
    properties = {
      agentPoolProfiles = [
        {
          count  = 1
          mode   = "System"
          name   = "default"
          vmSize = "Standard_DS2_v2"
        },
      ]
      dnsPrefix = var.resource_name
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}

Azure Verified Modules

The following Azure Verified Modules can be used to deploy this resource type.

Module Description
AKS Managed Cluster AVM Resource Module for AKS Managed Cluster