IManagedClusterProperties Interface

Definition

C#:
[System.ComponentModel.TypeConverter(typeof(Microsoft.Azure.PowerShell.Cmdlets.Aks.Models.ManagedClusterPropertiesTypeConverter))]
public interface IManagedClusterProperties : Microsoft.Azure.PowerShell.Cmdlets.Aks.Runtime.IJsonSerializable

F#:
[<System.ComponentModel.TypeConverter(typeof(Microsoft.Azure.PowerShell.Cmdlets.Aks.Models.ManagedClusterPropertiesTypeConverter))>]
type IManagedClusterProperties = interface
    interface IJsonSerializable

VB:
Public Interface IManagedClusterProperties
Implements IJsonSerializable

Properties

Name Description
AadProfileAdminGroupObjectID

The list of AAD group object IDs that will have admin role of the cluster.

AadProfileClientAppId

(DEPRECATED) The client AAD application ID. Learn more at https://aka.ms/aks/aad-legacy.

AadProfileEnableAzureRbac

Whether to enable Azure RBAC for Kubernetes authorization.

AadProfileManaged

Whether to enable managed AAD.

AadProfileServerAppId

(DEPRECATED) The server AAD application ID. Learn more at https://aka.ms/aks/aad-legacy.

AadProfileServerAppSecret

(DEPRECATED) The server AAD application secret. Learn more at https://aka.ms/aks/aad-legacy.

AadProfileTenantId

The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment subscription.

AddonProfile

The profile of managed cluster add-on.

AgentPoolProfile

The agent pool properties.

AiToolchainOperatorProfileEnabled

Whether to enable the AI toolchain operator on the cluster.

ApiServerAccessProfileAuthorizedIPRange

The IP ranges authorized to access the Kubernetes API server. IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. For more information see API server authorized IP ranges.

ApiServerAccessProfileDisableRunCommand

Whether to disable run command for the cluster or not.

ApiServerAccessProfileEnablePrivateCluster

Whether to create the cluster as a private cluster or not. For more details, see Creating a private AKS cluster.

ApiServerAccessProfileEnablePrivateClusterPublicFqdn

Whether to create additional public FQDN for private cluster or not.

ApiServerAccessProfileEnableVnetIntegration

Whether to enable apiserver vnet integration for the cluster or not. See aka.ms/AksVnetIntegration for more details.

ApiServerAccessProfilePrivateDnsZone

The private DNS zone mode for the cluster. The default is System. For more details see configure private DNS zone. Allowed values are 'system' and 'none'.

ApiServerAccessProfileSubnetId

The subnet to be used when apiserver vnet integration is enabled. It is required when creating a new cluster with BYO Vnet, or when updating an existing cluster to enable apiserver vnet integration.

AutoScalerProfileBalanceSimilarNodeGroup

Detects similar node pools and balances the number of nodes between them. Valid values are 'true' and 'false'.

AutoScalerProfileDaemonsetEvictionForEmptyNode

DaemonSet pods will be gracefully terminated from empty nodes. If set to true, all daemonset pods on empty nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted.

AutoScalerProfileDaemonsetEvictionForOccupiedNode

DaemonSet pods will be gracefully terminated from non-empty nodes. If set to true, all daemonset pods on occupied nodes will be evicted before deletion of the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be deleted without ensuring that daemonset pods are deleted or evicted.

AutoScalerProfileExpander

The expander to use when scaling up. If not specified, the default is 'random'. See expanders for more information.

AutoScalerProfileIgnoreDaemonsetsUtilization

Whether CA should ignore DaemonSet pods when calculating resource utilization for scaling down. If set to true, the resources used by daemonset will be taken into account when making scaling down decisions.

AutoScalerProfileMaxEmptyBulkDelete

The maximum number of empty nodes that can be deleted at the same time. This must be a positive integer. The default is 10.

AutoScalerProfileMaxGracefulTerminationSec

The maximum number of seconds the cluster autoscaler waits for pod termination when trying to scale down a node. The default is 600.

AutoScalerProfileMaxNodeProvisionTime

The maximum time the autoscaler waits for a node to be provisioned. The default is '15m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.

AutoScalerProfileMaxTotalUnreadyPercentage

The maximum percentage of unready nodes in the cluster. After this percentage is exceeded, cluster autoscaler halts operations. The default is 45. The maximum is 100 and the minimum is 0.

AutoScalerProfileNewPodScaleUpDelay

Ignore unscheduled pods before they're a certain age. For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. The default is '0s'. Values must be an integer followed by a unit ('s' for seconds, 'm' for minutes, 'h' for hours, etc).

AutoScalerProfileOkTotalUnreadyCount

The number of allowed unready nodes, irrespective of max-total-unready-percentage. This must be an integer. The default is 3.

AutoScalerProfileScaleDownDelayAfterAdd

How long after scale up that scale down evaluation resumes. The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.

AutoScalerProfileScaleDownDelayAfterDelete

How long after node deletion that scale down evaluation resumes. The default is the scan-interval. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.

AutoScalerProfileScaleDownDelayAfterFailure

How long after scale down failure that scale down evaluation resumes. The default is '3m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.

AutoScalerProfileScaleDownUnneededTime

How long a node should be unneeded before it is eligible for scale down. The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.

AutoScalerProfileScaleDownUnreadyTime

How long an unready node should be unneeded before it is eligible for scale down. The default is '20m'. Values must be an integer followed by an 'm'. No unit of time other than minutes (m) is supported.

AutoScalerProfileScaleDownUtilizationThreshold

Node utilization level, defined as sum of requested resources divided by capacity, below which a node can be considered for scale down. The default is '0.5'.

AutoScalerProfileScanInterval

How often cluster is reevaluated for scale up or down. The default is '10'. Values must be an integer number of seconds.

AutoScalerProfileSkipNodesWithLocalStorage

Whether the cluster autoscaler will skip deleting nodes with pods with local storage, for example, EmptyDir or HostPath. The default is true.

AutoScalerProfileSkipNodesWithSystemPod

Whether the cluster autoscaler will skip deleting nodes with pods from kube-system (except for DaemonSet or mirror pods). The default is true.

AutoUpgradeProfileNodeOSUpgradeChannel

Node OS Upgrade Channel. Manner in which the OS on your nodes is updated. The default is NodeImage.

AutoUpgradeProfileUpgradeChannel

The upgrade channel for auto upgrade. The default is 'none'. For more information see setting the AKS cluster auto-upgrade channel.

AzureKeyVaultKmEnabled

Whether to enable Azure Key Vault key management service. The default is false.

AzureKeyVaultKmKeyId

Identifier of Azure Key Vault key. See key identifier format for more details. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier. When Azure Key Vault key management service is disabled, leave the field empty.

AzureKeyVaultKmKeyVaultNetworkAccess

Network access of the key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public.

AzureKeyVaultKmKeyVaultResourceId

Resource ID of key vault. When keyVaultNetworkAccess is Private, this field is required and must be a valid resource ID. When keyVaultNetworkAccess is Public, leave the field empty.

AzurePortalFqdn

The special FQDN used by the Azure Portal to access the Managed Cluster. This FQDN is for use only by the Azure Portal and should not be used by other clients. The Azure Portal requires certain Cross-Origin Resource Sharing (CORS) headers to be sent in some responses, which Kubernetes APIServer doesn't handle by default. This special FQDN supports CORS, allowing the Azure Portal to function properly.

BlobCsiDriverEnabled

Whether to enable AzureBlob CSI Driver. The default value is false.

BootstrapProfileArtifactSource

The artifact source. The source where the artifacts are downloaded from.

BootstrapProfileContainerRegistryId

The resource Id of Azure Container Registry. The registry must have private network access, premium SKU and zone redundancy.

ComponentEgressGateway

Istio egress gateways.

ComponentIngressGateway

Istio ingress gateways.

CostAnalysisEnabled

Whether to enable cost analysis. The Managed Cluster sku.tier must be set to 'Standard' or 'Premium' to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. If not specified, the default is false. For more information see aka.ms/aks/docs/cost-analysis.

CurrentKubernetesVersion
DefenderLogAnalyticsWorkspaceResourceId

Resource ID of the Log Analytics workspace to be associated with Microsoft Defender. When Microsoft Defender is enabled, this field is required and must be a valid workspace resource ID. When Microsoft Defender is disabled, leave the field empty.

DisableLocalAccount

If local accounts should be disabled on the Managed Cluster. If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. For more details see disable local accounts.

DiskCsiDriverEnabled

Whether to enable AzureDisk CSI Driver. The default value is true.

DiskEncryptionSetId

The Resource ID of the disk encryption set to use for enabling encryption at rest. This is of the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/diskEncryptionSets/{encryptionSetName}'

DnsPrefix

The DNS prefix of the Managed Cluster. This cannot be updated once the Managed Cluster has been created.

EnableRbac

Whether to enable Kubernetes Role-Based Access Control.

FileCsiDriverEnabled

Whether to enable AzureFile CSI Driver. The default value is true.

Fqdn

The FQDN of the master pool.

FqdnSubdomain

The FQDN subdomain of the private cluster with custom private dns zone. This cannot be updated once the Managed Cluster has been created.

GmsaProfileDnsServer
GmsaProfileEnabled

Whether to enable Windows gMSA in the managed cluster.

GmsaProfileRootDomainName
HttpProxyConfigHttpProxy

The HTTP proxy server endpoint to use.

HttpProxyConfigHttpsProxy

The HTTPS proxy server endpoint to use.

HttpProxyConfigNoProxy

The endpoints that should not go through proxy.

HttpProxyConfigTrustedCa

Alternative CA cert to use for connecting to proxy servers.

IdentityClientId

The client ID of the user assigned identity.

IdentityObjectId

The object ID of the user assigned identity.

IdentityProfile

The user identity associated with the managed cluster. This identity will be used by the kubelet. Only one user assigned identity is allowed. The only accepted key is "kubeletidentity", with value of "resourceId": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}".

IdentityResourceId

The resource ID of the user assigned identity.

ImageCleanerEnabled

Whether to enable Image Cleaner on AKS cluster.

ImageCleanerIntervalHour

Image Cleaner scanning interval in hours.

IstioRevision

The list of revisions of the Istio control plane. When an upgrade is not in progress, this holds one value. When canary upgrade is in progress, this can only hold two consecutive values. For more information, see: https://learn.microsoft.com/en-us/azure/aks/istio-upgrade

KedaEnabled

Whether to enable KEDA.

KubernetesVersion
KubeStateMetricAnnotationsAllowList

Comma-separated list of Kubernetes annotation keys that will be used in the resource's labels metric (Example: 'namespaces=[kubernetes.io/team,...],pods=[kubernetes.io/team],...'). By default the metric contains only resource name and namespace labels.

KubeStateMetricLabelsAllowlist

Comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric (Example: 'namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...'). By default the metric contains only resource name and namespace labels.

LinuxProfileAdminUsername

The administrator username to use for Linux VMs.

MaxAgentPool

The max number of agent pools for the managed cluster.

MetricEnabled

Whether to enable or disable the Azure Managed Prometheus addon for Prometheus monitoring. See aka.ms/AzureManagedPrometheus-aks-enable for details on enabling and disabling.

NetworkProfile

The network configuration profile.

NginxDefaultIngressControllerType

Ingress type for the default NginxIngressController custom resource.

NodeProvisioningProfileDefaultNodePool

The set of default Karpenter NodePools (CRDs) configured for node provisioning. This field has no effect unless mode is 'Auto'. Warning: Changing this from Auto to None on an existing cluster will cause the default Karpenter NodePools to be deleted, which will drain and delete the nodes associated with those pools. It is strongly recommended to not do this unless there are idle nodes ready to take the pods evicted by that action. If not specified, the default is Auto. For more information see aka.ms/aks/nap#node-pools.

NodeProvisioningProfileMode

The node provisioning mode. If not specified, the default is Manual.

NodeResourceGroup

The name of the resource group containing agent pool nodes.

NodeResourceGroupProfileRestrictionLevel

The restriction level applied to the cluster's node resource group. If not specified, the default is 'Unrestricted'.

OidcIssuerProfileEnabled

Whether the OIDC issuer is enabled.

OidcIssuerProfileIssuerUrl

The OIDC issuer url of the Managed Cluster.

OverrideSettingForceUpgrade

Whether to force upgrade the cluster. Note that this option instructs upgrade operation to bypass upgrade protections such as checking for deprecated API usage. Enable this option only with caution.

OverrideSettingUntil

Until when the overrides are effective. Note that this only matches the start time of an upgrade, and the effectiveness won't change once an upgrade starts even if the until expires as upgrade proceeds. This field is not set by default. It must be set for the overrides to take effect.

PluginCertChainObjectName

Certificate chain object name in Azure Key Vault.

PluginCertObjectName

Intermediate certificate object name in Azure Key Vault.

PluginKeyObjectName

Intermediate certificate private key object name in Azure Key Vault.

PluginKeyVaultId

The resource ID of the Key Vault.

PluginRootCertObjectName

Root certificate object name in Azure Key Vault.

PodIdentityProfileAllowNetworkPluginKubenet

Whether pod identity is allowed to run on clusters with Kubenet networking. Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing. See using Kubenet network plugin with AAD Pod Identity for more information.

PodIdentityProfileEnabled

Whether the pod identity addon is enabled.

PodIdentityProfileUserAssignedIdentity

The pod identities to use in the cluster.

PodIdentityProfileUserAssignedIdentityException

The pod identity exceptions to allow.

PowerStateCode

Tells whether the cluster is Running or Stopped.

PrivateFqdn

The FQDN of private cluster.

PrivateLinkResource

Private link resources associated with the cluster.

ProvisioningErrorAdditionalInfo

The error additional info.

ProvisioningErrorCode

The error code.

ProvisioningErrorDetail

The error details.

ProvisioningErrorMessage

The error message.

ProvisioningErrorTarget

The error target.

ProvisioningState

The current provisioning state.

PublicNetworkAccess

Public network access of the managed cluster. Allow or deny public network access for AKS.

ResourceUid

The resourceUID uniquely identifies ManagedClusters that reuse ARM ResourceIds (i.e., a create, delete, create sequence).

SecurityMonitoringEnabled

Whether to enable Defender threat detection.

SecurityProfileCustomCaTrustCertificate

A list of up to 10 base64 encoded CAs that will be added to the trust store on all nodes in the cluster. For more information see Custom CA Trust Certificates.

ServiceMeshProfileMode

Mode of the service mesh.

ServicePrincipalProfileClientId

The ID for the service principal.

ServicePrincipalProfileSecret

The secret password associated with the service principal in plain text.

SnapshotControllerEnabled

Whether to enable Snapshot Controller. The default value is true.

SshPublicKey

The list of SSH public keys used to authenticate with Linux-based VMs. A maximum of 1 key may be specified.

SupportPlan

The support plan for the Managed Cluster. If unspecified, the default is 'KubernetesOfficial'.

VerticalPodAutoscalerEnabled

Whether to enable VPA. Default value is false.

WebAppRoutingDnsZoneResourceId

Resource IDs of the DNS zones to be associated with the Application Routing add-on. Used only when Application Routing add-on is enabled. Public and private DNS zones can be in different resource groups, but all public DNS zones must be in the same resource group and all private DNS zones must be in the same resource group.

WebAppRoutingEnabled

Whether to enable the Application Routing add-on.

WindowProfileAdminPassword
WindowProfileAdminUsername
WindowProfileEnableCsiProxy

Whether to enable CSI proxy. For more details on CSI proxy, see the CSI proxy GitHub repo.

WindowProfileLicenseType

The license type to use for Windows VMs. See Azure Hybrid User Benefits for more details.

WorkloadIdentityEnabled

Whether to enable workload identity.

Methods

Name Description
ToJson(JsonObject, SerializationMode) (Inherited from IJsonSerializable)
