Azure Container Kubernetes Cluster
This page shows how to write Terraform and Azure Resource Manager definitions for an Azure Container Kubernetes Cluster, and how to write them securely.
azurerm_kubernetes_cluster (Terraform)
The Kubernetes Cluster in Container can be configured in Terraform with the resource name azurerm_kubernetes_cluster. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
The ten excerpts below are truncated in the source; each fragment is shown as it appears there, separated by blank lines.

resource "azurerm_kubernetes_cluster" "free_D2V2" {
  name                = "example-aks1"
  location            = "eastus"
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

resource "azurerm_kubernetes_cluster" "positive1" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

resource "azurerm_kubernetes_cluster" "example" {
  provisioner "local-exec" {
    command = "sudo apt-get install \
      apt-transport-https \
      ca-certificates \
      curl \

resource "azurerm_kubernetes_cluster" "positive1" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

resource "azurerm_kubernetes_cluster" "denied" {}
resource "azurerm_kubernetes_cluster" "denied_2" {
  api_server_authorized_ip_ranges = ["0.0.0.0/0"]
}

resource "azurerm_kubernetes_cluster" "allowed_2" {}
resource "azurerm_kubernetes_cluster" "allowed" {
  role_based_access_control {
    enabled = true
  }

resource "azurerm_kubernetes_cluster" "denied" {}
resource "azurerm_kubernetes_cluster" "denied_2" {
  addon_profile {
    oms_agent {
      enabled = false

resource "azurerm_kubernetes_cluster" "negative1" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

resource "azurerm_kubernetes_cluster" "negative1" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

resource "azurerm_kubernetes_cluster" "positive1" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"
Security Best Practices for azurerm_kubernetes_cluster
There are 4 settings in azurerm_kubernetes_cluster that should be taken care of for security reasons. The following section gives an overview and example code.
Ensure to enable logging for AKS
It is better to enable AKS logging to Azure Monitor. This provides useful information regarding access and usage.
Ensure to configure a network policy
It is better to configure a NetworkPolicy to control traffic to pods. By default there are no restrictions, and any pod can discover and communicate with any other pod.
Ensure to enable RBAC on AKS clusters
It is better to enable role-based access control (RBAC) on AKS clusters. This lets you grant users, groups, and service accounts access to only the resources they require.
Ensure to limit the access to an AKS API server to a limited IP range
It is better to limit access to the AKS API server in the AKS control plane to a limited IP range, to reduce exposure to unexpected attacks.
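As an added example (not code from the repositories the page cites), the following cluster definition applies all four settings above using the azurerm 2.x argument names listed in the Parameters section; the variable aks_admin_group_object_id and the 203.0.113.0/24 range are placeholders to replace with your own values.

```hcl
# Placeholder: object ID of the Azure AD group that administers the cluster.
variable "aks_admin_group_object_id" {
  description = "Object ID of the Azure AD admin group (placeholder)"
  type        = string
}

resource "azurerm_resource_group" "example" {
  name     = "example-aks-rg"
  location = "eastus"
}

# Workspace that receives control-plane and container logs (best practice 1).
resource "azurerm_log_analytics_workspace" "example" {
  name                = "example-aks-logs"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "PerGB2018"
  retention_in_days   = 30
}

resource "azurerm_kubernetes_cluster" "hardened" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  # Best practice 4: only this CIDR may reach the API server.
  # "0.0.0.0/0" (as in the page's denied_2 example) is the same as no restriction.
  # 203.0.113.0/24 is a documentation range; use your office/VPN egress range.
  api_server_authorized_ip_ranges = ["203.0.113.0/24"]

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  # Managed identity instead of a service_principal block, so no client
  # secret ends up in the Terraform state.
  identity {
    type = "SystemAssigned"
  }

  # Best practice 3: RBAC on, with cluster-admin bound to an Azure AD group
  # rather than to static credentials.
  role_based_access_control {
    enabled = true
    azure_active_directory {
      managed                = true
      admin_group_object_ids = [var.aks_admin_group_object_id]
    }
  }

  # Best practice 2: a network policy engine so that NetworkPolicy objects
  # are actually enforced. network_policy is fixed at creation time.
  network_profile {
    network_plugin    = "azure"
    network_policy    = "calico"
    load_balancer_sku = "standard"
  }

  # Best practice 1: ship logs to Azure Monitor through the OMS agent add-on.
  addon_profile {
    oms_agent {
      enabled                    = true
      log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id
    }
  }
}
```

With azurerm 3.x the same settings use flattened blocks (a top-level oms_agent block and azure_active_directory_role_based_access_control instead of addon_profile and role_based_access_control), so pin the provider version and adjust the argument names accordingly.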
Parameters
Each entry is listed as name: qualifier - type; indented entries belong to the block or object above them.
api_server_authorized_ip_ranges: optional - set of string
automatic_channel_upgrade: optional - string
disk_encryption_set_id: optional - string
dns_prefix: required - string
enable_pod_security_policy: optional - bool
fqdn: optional computed - string
id: optional computed - string
kube_admin_config: optional computed - list of object
  client_certificate: string
  client_key: string
  cluster_ca_certificate: string
  host: string
  password: string
  username: string
kube_admin_config_raw: optional computed - string
kube_config: optional computed - list of object
  client_certificate: string
  client_key: string
  cluster_ca_certificate: string
  host: string
  password: string
  username: string
kube_config_raw: optional computed - string
kubelet_identity: optional computed - list of object
  client_id: string
  object_id: string
  user_assigned_identity_id: string
kubernetes_version: optional computed - string
location: required - string
name: required - string
node_resource_group: optional computed - string
private_cluster_enabled: optional computed - bool
private_dns_zone_id: optional computed - string
private_fqdn: optional computed - string
private_link_enabled: optional computed - bool
resource_group_name: required - string
sku_tier: optional - string
tags: optional - map from string to string
addon_profile: list block
  aci_connector_linux: list block
    enabled: required - bool
    subnet_name: optional - string
  azure_policy: list block
    enabled: required - bool
  http_application_routing: list block
    enabled: required - bool
    http_application_routing_zone_name: optional computed - string
  kube_dashboard: list block
    enabled: required - bool
  oms_agent: list block
    enabled: required - bool
    log_analytics_workspace_id: optional - string
    oms_agent_identity: optional computed - list of object
      client_id: string
      object_id: string
      user_assigned_identity_id: string
auto_scaler_profile: list block
  balance_similar_node_groups: optional - bool
  expander: optional computed - string
  max_graceful_termination_sec: optional computed - string
  new_pod_scale_up_delay: optional computed - string
  scale_down_delay_after_add: optional computed - string
  scale_down_delay_after_delete: optional computed - string
  scale_down_delay_after_failure: optional computed - string
  scale_down_unneeded: optional computed - string
  scale_down_unready: optional computed - string
  scale_down_utilization_threshold: optional computed - string
  scan_interval: optional computed - string
  skip_nodes_with_local_storage: optional - bool
  skip_nodes_with_system_pods: optional - bool
default_node_pool: list block
  availability_zones: optional - list of string
  enable_auto_scaling: optional - bool
  enable_host_encryption: optional - bool
  enable_node_public_ip: optional - bool
  max_count: optional - number
  max_pods: optional computed - number
  min_count: optional - number
  name: required - string
  node_count: optional computed - number
  node_labels: optional - map from string to string
  node_taints: optional - list of string
  only_critical_addons_enabled: optional - bool
  orchestrator_version: optional computed - string
  os_disk_size_gb: optional computed - number
  os_disk_type: optional - string
  proximity_placement_group_id: optional - string
  tags: optional - map from string to string
  type: optional - string
  vm_size: required - string
  vnet_subnet_id: optional - string
  upgrade_settings: list block
    max_surge: required - string
identity: list block
  principal_id: optional computed - string
  tenant_id: optional computed - string
  type: required - string
  user_assigned_identity_id: optional - string
linux_profile: list block
  admin_username: required - string
  ssh_key: list block
    key_data: required - string
network_profile: list block
  dns_service_ip: optional computed - string
  docker_bridge_cidr: optional computed - string
  load_balancer_sku: optional - string
  network_mode: optional computed - string
  network_plugin: required - string
  network_policy: optional computed - string
  outbound_type: optional - string
  pod_cidr: optional computed - string
  service_cidr: optional computed - string
  load_balancer_profile: list block
    effective_outbound_ips: optional computed - set of string
    idle_timeout_in_minutes: optional - number
    managed_outbound_ip_count: optional computed - number
    outbound_ip_address_ids: optional computed - set of string
    outbound_ip_prefix_ids: optional computed - set of string
    outbound_ports_allocated: optional - number
role_based_access_control: list block
  enabled: required - bool
  azure_active_directory: list block
    admin_group_object_ids: optional - set of string
    client_app_id: optional - string
    managed: optional - bool
    server_app_id: optional - string
    server_app_secret: optional - string
    tenant_id: optional computed - string
service_principal: list block
  client_id: required - string
  client_secret: required - string
timeouts: single block
windows_profile: list block
  admin_password: optional - string
  admin_username: required - string
Explanation in Terraform Registry
Manages a Managed Kubernetes Cluster (also known as AKS / Azure Kubernetes Service).
Note: Due to the fast-moving nature of AKS, we recommend using the latest version of the Azure Provider when using AKS; you can find the latest version of the Azure Provider in the Terraform Registry.
Note: All arguments including the client secret will be stored in the raw state as plain-text. Read more about sensitive data in state.
Microsoft.ContainerService/managedClusters (Azure Resource Manager)
The managedClusters in Microsoft.ContainerService can be configured in Azure Resource Manager with the resource name Microsoft.ContainerService/managedClusters. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
The excerpts below are truncated in the source; each fragment is shown as it appears there, separated by blank lines.

"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "[variables('apiVersionManangedClusters')]",
"name": "[variables('clusterName')]",
"location": "[parameters('location')]",
"dependsOn": [
  "[resourceId('Microsoft.Network/virtualNetworks', variables('vnetName'))]",

"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2021-02-01",
"name": "[variables('clusterName')]",
"location": "[parameters('location')]",
"tags": {
  "Application identifier": "[variables('appId')]"

"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2020-11-01",
"name": "[variables('clusterName')]",
"location": "[parameters('location')]",
"dependsOn": [
  "[resourceId('Microsoft.OperationsManagement/solutions', variables('containerInsightsSolutionName'))]"

"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2021-02-01",
"name": "[variables('clusterName')]",
"location": "[parameters('location')]",
"dependsOn": [
  "[resourceId('Microsoft.OperationsManagement/solutions', variables('containerInsightsSolutionName'))]",

"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2020-11-01",
"name": "[variables('clusterName')]",
"location": "[parameters('location')]",
"dependsOn": [
  "[resourceId('Microsoft.OperationsManagement/solutions', variables('containerInsightsSolutionName'))]"

"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2021-02-01",
"name": "[variables('clusterName')]",
"location": "[parameters('location')]",
"tags": {
  "Business unit": "BU0001",

"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2021-02-01",
"name": "[variables('clusterName')]",
"location": "[parameters('location')]",
"dependsOn": [
  "[resourceId('Microsoft.OperationsManagement/solutions', variables('containerInsightsSolutionName'))]",

"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2021-02-01",
"name": "[variables('clusterName')]",
"location": "[parameters('location')]",
"dependsOn": [
  "[resourceId('Microsoft.OperationsManagement/solutions', variables('containerInsightsSolutionName'))]",

"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2021-02-01",
"name": "[variables('clusterName')]",
"location": "[parameters('location')]",
"dependsOn": [
  "[resourceId('Microsoft.OperationsManagement/solutions', variables('containerInsightsSolutionName'))]",

"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2021-02-01",
"name": "[variables('clusterName')]",
"location": "[parameters('location')]",
"tags": {
  "Business unit": "BU0001",
Parameters
Each entry is listed as name: qualifier - type, followed by its description where the source gives one; indented entries belong to the object above them.
apiVersion: required - string
extendedLocation: optional
  name: optional - string. The name of the extended location.
  type: optional - string. The type of the extended location.
identity: optional
  type: optional - string. For more information see use managed identities in AKS.
  userAssignedIdentities: optional - undefined. The keys must be ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.
location: required - string. Resource location.
name: required - string. The name of the managed cluster resource.
properties: required
  aadProfile: optional
    adminGroupObjectIDs: optional - array. The list of AAD group object IDs that will have admin role of the cluster.
    clientAppID: optional - string. The client AAD application ID.
    enableAzureRBAC: optional - boolean. Whether to enable Azure RBAC for Kubernetes authorization.
    managed: optional - boolean. Whether to enable managed AAD.
    serverAppID: optional - string. The server AAD application ID.
    serverAppSecret: optional - string. The server AAD application secret.
    tenantID: optional - string. The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription.
  addonProfiles: optional - undefined. The profile of managed cluster add-on.
  agentPoolProfiles: optional - array
    availabilityZones: optional - array. The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType property is 'VirtualMachineScaleSets'.
    count: optional - integer. Number of agents (VMs) to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1.
    creationData: optional
      sourceResourceId: optional - string. This is the ARM ID of the source object to be used to create the target object.
    enableAutoScaling: optional - boolean. Whether to enable auto-scaler.
    enableEncryptionAtHost: optional - boolean. This is only supported on certain VM sizes and in certain Azure regions. For more information, see: https://docs.microsoft.com/azure/aks/enable-host-encryption
    enableFIPS: optional - boolean. See Add a FIPS-enabled node pool for more details.
    enableNodePublicIP: optional - boolean. Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node. The default is false.
    enableUltraSSD: optional - boolean. Whether to enable UltraSSD.
    gpuInstanceProfile: optional - string. GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU.
    kubeletConfig: optional
      allowedUnsafeSysctls: optional - array. Allowed list of unsafe sysctls or unsafe sysctl patterns (ending in *).
      containerLogMaxFiles: optional - integer. The maximum number of container log files that can be present for a container. The number must be ≥ 2.
      containerLogMaxSizeMB: optional - integer. The maximum size (e.g. 10Mi) of container log file before it is rotated.
      cpuCfsQuota: optional - boolean. The default is true.
      cpuCfsQuotaPeriod: optional - string. The default is '100ms'. Valid values are a sequence of decimal numbers with an optional fraction and a unit suffix. For example: '300ms', '2h45m'. Supported units are 'ns', 'us', 'ms', 's', 'm', and 'h'.
      cpuManagerPolicy: optional - string. The default is 'none'. See Kubernetes CPU management policies for more information. Allowed values are 'none' and 'static'.
      failSwapOn: optional - boolean. If set to true it will make the Kubelet fail to start if swap is enabled on the node.
      imageGcHighThreshold: optional - integer. To disable image garbage collection, set to 100. The default is 85%.
      imageGcLowThreshold: optional - integer. This cannot be set higher than imageGcHighThreshold. The default is 80%.
      podMaxPids: optional - integer. The maximum number of processes per pod.
      topologyManagerPolicy: optional - string. For more information see Kubernetes Topology Manager. The default is 'none'. Allowed values are 'none', 'best-effort', 'restricted', and 'single-numa-node'.
    kubeletDiskType: optional - string
    linuxOSConfig: optional
      swapFileSizeMB: optional - integer. The size in MB of a swap file that will be created on each node.
      sysctls: optional
        fsAioMaxNr: optional - integer. Sysctl setting fs.aio-max-nr.
        fsFileMax: optional - integer. Sysctl setting fs.file-max.
        fsInotifyMaxUserWatches: optional - integer. Sysctl setting fs.inotify.max_user_watches.
        fsNrOpen: optional - integer. Sysctl setting fs.nr_open.
        kernelThreadsMax: optional - integer. Sysctl setting kernel.threads-max.
        netCoreNetdevMaxBacklog: optional - integer. Sysctl setting net.core.netdev_max_backlog.
        netCoreOptmemMax: optional - integer. Sysctl setting net.core.optmem_max.
        netCoreRmemDefault: optional - integer. Sysctl setting net.core.rmem_default.
        netCoreRmemMax: optional - integer. Sysctl setting net.core.rmem_max.
        netCoreSomaxconn: optional - integer. Sysctl setting net.core.somaxconn.
        netCoreWmemDefault: optional - integer. Sysctl setting net.core.wmem_default.
        netCoreWmemMax: optional - integer. Sysctl setting net.core.wmem_max.
        netIpv4IpLocalPortRange: optional - string. Sysctl setting net.ipv4.ip_local_port_range.
        netIpv4NeighDefaultGcThresh1: optional - integer. Sysctl setting net.ipv4.neigh.default.gc_thresh1.
        netIpv4NeighDefaultGcThresh2: optional - integer. Sysctl setting net.ipv4.neigh.default.gc_thresh2.
        netIpv4NeighDefaultGcThresh3: optional - integer. Sysctl setting net.ipv4.neigh.default.gc_thresh3.
        netIpv4TcpFinTimeout: optional - integer. Sysctl setting net.ipv4.tcp_fin_timeout.
        netIpv4TcpkeepaliveIntvl: optional - integer. Sysctl setting net.ipv4.tcp_keepalive_intvl.
        netIpv4TcpKeepaliveProbes: optional - integer. Sysctl setting net.ipv4.tcp_keepalive_probes.
        netIpv4TcpKeepaliveTime: optional - integer. Sysctl setting net.ipv4.tcp_keepalive_time.
        netIpv4TcpMaxSynBacklog: optional - integer. Sysctl setting net.ipv4.tcp_max_syn_backlog.
        netIpv4TcpMaxTwBuckets: optional - integer. Sysctl setting net.ipv4.tcp_max_tw_buckets.
        netIpv4TcpTwReuse: optional - boolean. Sysctl setting net.ipv4.tcp_tw_reuse.
        netNetfilterNfConntrackBuckets: optional - integer. Sysctl setting net.netfilter.nf_conntrack_buckets.
        netNetfilterNfConntrackMax: optional - integer. Sysctl setting net.netfilter.nf_conntrack_max.
        vmMaxMapCount: optional - integer. Sysctl setting vm.max_map_count.
        vmSwappiness: optional - integer. Sysctl setting vm.swappiness.
        vmVfsCachePressure: optional - integer. Sysctl setting vm.vfs_cache_pressure.
      transparentHugePageDefrag: optional - string. Valid values are 'always', 'defer', 'defer+madvise', 'madvise' and 'never'. The default is 'madvise'. For more information see Transparent Hugepages.
      transparentHugePageEnabled: optional - string. Valid values are 'always', 'madvise', and 'never'. The default is 'always'. For more information see Transparent Hugepages.
    maxCount: optional - integer. The maximum number of nodes for auto-scaling.
    maxPods: optional - integer. The maximum number of pods that can run on a node.
    minCount: optional - integer. The minimum number of nodes for auto-scaling.
    mode: optional - string
    name: required - string. Windows agent pool names must be 6 characters or less.
    nodeLabels: optional - string. The node labels to be persisted across all nodes in agent pool.
    nodePublicIPPrefixID: optional - string. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPPrefixes/{publicIPPrefixName}
    nodeTaints: optional - array. The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule.
    orchestratorVersion: optional - string. As a best practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version must have the same major version as the control plane. The node pool minor version must be within two minor versions of the control plane version. The node pool version cannot be greater than the control plane version. For more information see upgrading a node pool.
    osDiskSizeGB: optional - integer. OS Disk Size in GB to be used to specify the disk size for every machine in the master/agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified.
    osDiskType: optional - string
    osSKU: optional - string
    osType: optional - string
    podSubnetID: optional - string. If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}
    powerState: optional
      code: optional - string. Tells whether the cluster is Running or Stopped.
    proximityPlacementGroupID: optional - string. The ID for Proximity Placement Group.
    scaleDownMode: optional - string. This also affects the cluster autoscaler behavior. If not specified, it defaults to Delete.
    scaleSetEvictionPolicy: optional - string. This cannot be specified unless the scaleSetPriority is 'Spot'. If not specified, the default is 'Delete'.
    scaleSetPriority: optional - string. The Virtual Machine Scale Set priority. If not specified, the default is 'Regular'.
    spotMaxPrice: optional - number. Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing.
    tags: optional - string. The tags to be persisted on the agent pool virtual machine scale set.
    type: optional - string
    upgradeSettings: optional
      maxSurge: optional - string. This can either be set to an integer (e.g. '5') or a percentage (e.g. '50%'). If a percentage is specified, it is the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded up. If not specified, the default is 1. For more information, including best practices, see: https://docs.microsoft.com/azure/aks/upgrade-cluster#customize-node-surge-upgrade
    vmSize: optional - string. VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods might fail to run correctly. For more details on restricted VM sizes, see: https://docs.microsoft.com/azure/aks/quotas-skus-regions
    vnetSubnetID: optional - string. If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}
    workloadRuntime: optional - string
  apiServerAccessProfile: optional
    authorizedIPRanges: optional - array. IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. For more information see API server authorized IP ranges.
    disableRunCommand: optional - boolean. Whether to disable run command for the cluster or not.
    enablePrivateCluster: optional - boolean. For more details, see Creating a private AKS cluster.
    enablePrivateClusterPublicFQDN: optional - boolean. Whether to create additional public FQDN for private cluster or not.
    privateDNSZone: optional - string. The default is System. For more details see configure private DNS zone. Allowed values are 'system' and 'none'.
  autoScalerProfile: optional
    balance-similar-node-groups: optional - string. Valid values are 'true' and 'false'.
    expander: optional - string. If not specified, the default is 'random'. See expanders for more information.
    max-empty-bulk-delete: optional - string. The default is 10.
    max-graceful-termination-sec: optional - string. The default is 600.
    max-node-provision-time: optional - string. The default is '15m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.
    max-total-unready-percentage: optional - string. The default is 45. The maximum is 100 and the minimum is 0.
    new-pod-scale-up-delay: optional - string. For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. The default is '0s'. Values must be an integer followed by a unit ('s' for seconds, 'm' for minutes, 'h' for hours, etc).
    ok-total-unready-count: optional - string. This must be an integer. The default is 3.
    scale-down-delay-after-add: optional - string. The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.
    scale-down-delay-after-delete: optional - string. The default is the scan-interval. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.
    scale-down-delay-after-failure: optional - string. The default is '3m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.
    scale-down-unneeded-time: optional - string. The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.
    scale-down-unready-time: optional - string. The default is '20m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.
    scale-down-utilization-threshold: optional - string. The default is '0.5'.
    scan-interval: optional - string. The default is '10'. Values must be an integer number of seconds.
    skip-nodes-with-local-storage: optional - string. The default is true.
    skip-nodes-with-system-pods: optional - string. The default is true.
  autoUpgradeProfile: optional
    upgradeChannel: optional - string. For more information see setting the AKS cluster auto-upgrade channel.
  disableLocalAccounts: optional - boolean. If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. For more details see disable local accounts.
  diskEncryptionSetID: optional - string. This is of the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/diskEncryptionSets/{encryptionSetName}'
  dnsPrefix: optional - string. This cannot be updated once the Managed Cluster has been created.
  enablePodSecurityPolicy: optional - boolean. (DEPRECATING) Whether to enable Kubernetes pod security policy (preview). This feature is set for removal on October 15th, 2020. Learn more at aka.ms/aks/azpodpolicy.
  enableRBAC: optional - boolean. Whether to enable Kubernetes Role-Based Access Control.
  fqdnSubdomain: optional - string. This cannot be updated once the Managed Cluster has been created.
  httpProxyConfig: optional
    httpProxy: optional - string. The HTTP proxy server endpoint to use.
    httpsProxy: optional - string. The HTTPS proxy server endpoint to use.
    noProxy: optional - array. The endpoints that should not go through proxy.
    trustedCa: optional - string. Alternative CA cert to use for connecting to proxy servers.
  identityProfile: optional - undefined. Identities associated with the cluster.
  kubernetesVersion: optional - string. When you upgrade a supported AKS cluster, Kubernetes minor versions cannot be skipped. All upgrades must be performed sequentially by major version number. For example, upgrades between 1.14.x -> 1.15.x or 1.15.x -> 1.16.x are allowed, however 1.14.x -> 1.16.x is not allowed. See upgrading an AKS cluster for more details.
  linuxProfile: optional
    adminUsername: required - string. The administrator username to use for Linux VMs.
    ssh: required
      publicKeys: required - array
        keyData: required - string. Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or without headers.
  networkProfile: optional
    dnsServiceIP: optional - string. An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr.
    dockerBridgeCidr: optional - string. A CIDR notation IP range assigned to the Docker bridge network. It must not overlap with any Subnet IP ranges or the Kubernetes service address range.
    ipFamilies: optional - array. IP families are used to determine single-stack or dual-stack clusters. For single-stack, the expected value is IPv4. For dual-stack, the expected values are IPv4 and IPv6.
    loadBalancerProfile: optional
      allocatedOutboundPorts: optional - integer. The desired number of allocated SNAT ports per VM. Allowed values are in the range of 0 to 64000 (inclusive). The default value is 0 which results in Azure dynamically allocating ports.
      effectiveOutboundIPs: optional - array
        id: optional - string. The fully qualified Azure resource id.
      enableMultipleStandardLoadBalancers: optional - boolean. Enable multiple standard load balancers per AKS cluster or not.
      idleTimeoutInMinutes: optional - integer. Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 30 minutes.
      managedOutboundIPs: optional
        count: optional - integer. The desired number of IPv4 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1.
        countIPv6: optional - integer. The desired number of IPv6 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack.
      outboundIPPrefixes: optional
        publicIPPrefixes: optional - array
          id: optional - string. The fully qualified Azure resource id.
      outboundIPs: optional
        publicIPs: optional - array
          id: optional - string. The fully qualified Azure resource id.
    loadBalancerSku: optional - string. The default is 'standard'. See Azure Load Balancer SKUs for more information about the differences between load balancer SKUs.
    natGatewayProfile: optional
      effectiveOutboundIPs: optional - array
        id: optional - string. The fully qualified Azure resource id.
      idleTimeoutInMinutes: optional - integer. Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120 (inclusive). The default value is 4 minutes.
      managedOutboundIPProfile: optional
        count: optional - integer. The desired number of outbound IPs created/managed by Azure. Allowed values must be in the range of 1 to 16 (inclusive). The default value is 1.
    networkMode: optional - string. This cannot be specified if networkPlugin is anything other than 'azure'.
    networkPlugin: optional - string. Network plugin used for building the Kubernetes network.
    networkPolicy: optional - string. Network policy used for building the Kubernetes network.
    outboundType: optional - string. This can only be set at cluster creation time and cannot be changed later. For more information see egress outbound type.
    podCidr: optional - string. A CIDR notation IP range from which to assign pod IPs when kubenet is used.
    podCidrs: optional - array. One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), are expected for dual-stack networking.
    serviceCidr: optional - string. A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges.
    serviceCidrs: optional - array. One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), are expected for dual-stack networking. They must not overlap with any Subnet IP ranges.
  nodeResourceGroup: optional - string. The name of the resource group containing agent pool nodes.
  podIdentityProfile: optional
    allowNetworkPluginKubenet: optional - boolean. Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing. See using Kubenet network plugin with AAD Pod Identity for more information.
    enabled: optional - boolean. Whether the pod identity addon is enabled.
    userAssignedIdentities: optional - array
      bindingSelector: optional - string. The binding selector to use for the AzureIdentityBinding resource.
      identity: required
        clientId: optional - string. The client ID of the user assigned identity.
        objectId: optional - string. The object ID of the user assigned identity.
        resourceId: optional - string. The resource ID of the user assigned identity.
      name: required - string. The name of the pod identity.
      namespace: required - string. The namespace of the pod identity.
    userAssignedIdentityExceptions: optional - array
      name: required - string. The name of the pod identity exception.
      namespace: required - string. The namespace of the pod identity exception.
      podLabels: required - string. The pod labels to match.
  privateLinkResources: optional - array
    groupId: optional - string. The group ID of the resource.
    id: optional - string. The ID of the private link resource.
    name: optional - string. The name of the private link resource.
    requiredMembers: optional - array. The RequiredMembers of the resource.
    type: optional - string. The resource type.
  publicNetworkAccess: optional - string. Allow or deny public network access for AKS.
  securityProfile: optional
    azureDefender: optional
      enabled: optional - boolean. Whether to enable Azure Defender.
      logAnalyticsWorkspaceResourceId: optional - string. Resource ID of the Log Analytics workspace to be associated with Azure Defender. When Azure Defender is enabled, this field is required and must be a valid workspace resource ID. When Azure Defender is disabled, leave the field empty.
  servicePrincipalProfile: optional
    clientId: required - string. The ID for the service principal.
    secret: optional - string. The secret password associated with the service principal in plain text.
  windowsProfile: optional
    adminPassword: optional - string. Specifies the password of the administrator account. Minimum length: 8 characters. Maximum length: 123 characters. Complexity requirements: 3 out of 4 of the following conditions need to be fulfilled: has lower-case characters, has upper-case characters, has a digit, has a special character (regex match [\W_]). Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!"
    adminUsername: required - string. Specifies the name of the administrator account. Restriction: cannot end in ".". Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5". Minimum length: 1 character. Maximum length: 20 characters.
    enableCSIProxy: optional - boolean. For more details on CSI proxy, see the CSI proxy GitHub repo.
    gmsaProfile: optional
      dnsServer: optional - string. Specifies the DNS server for Windows gMSA. Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster.
      enabled: optional - boolean. Specifies whether to enable Windows gMSA in the managed cluster.
      rootDomainName: optional - string. Specifies the root domain name for Windows gMSA. Set it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster.
    licenseType: optional - string. The license type to use for Windows VMs. See Azure Hybrid User Benefits for more details.
sku: optional
  name: optional - string. The name of a managed cluster SKU.
  tier: optional - string. If not specified, the default is 'Free'. See uptime SLA for more details.
tags: optional - string. Resource tags.
type: required - string
Frequently asked questions
What is Azure Container Kubernetes Cluster?
Azure Container Kubernetes Cluster is a resource for Container of Microsoft Azure. Settings can be written in Terraform.
Where can I find the example code for the Azure Container Kubernetes Cluster?
For Terraform, the gilyas/infracost, leonidweinbergcx/mykics and Totix82/TerraformToAzureAKSIncludingDockerNginxAndHelm source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the ConsenSys/quorum-kubernetes, mspnp/aks-baseline-multi-region and dsanchor/aks-generic source code examples are useful. See the Azure Resource Manager Example section for further details.