Share via


az aks

Note

This command group has commands that are defined in both Azure CLI and at least one extension. Install each extension to benefit from its extended capabilities. Learn more about extensions.

Manage Azure Kubernetes Services.

Commands

Name Description Type Status
az aks addon

Commands to manage and view single addon conditions.

Extension GA
az aks addon disable

Disable an enabled Kubernetes addon in a cluster.

Extension GA
az aks addon enable

Enable a Kubernetes addon.

Extension GA
az aks addon list

List status of all Kubernetes addons in given cluster.

Extension GA
az aks addon list-available

List available Kubernetes addons.

Extension GA
az aks addon show

Show status and configuration for an enabled Kubernetes addon in a given cluster.

Extension GA
az aks addon update

Update an already enabled Kubernetes addon.

Extension GA
az aks app

Commands to manage AKS app.

Extension Preview
az aks app up

Deploy to AKS via GitHub actions.

Extension Preview
az aks approuting

Commands to manage App Routing aadon.

Core and Extension GA
az aks approuting disable

Disable App Routing addon.

Core GA
az aks approuting disable (aks-preview extension)

Disable App Routing addon.

Extension GA
az aks approuting enable

Enable App Routing.

Core GA
az aks approuting enable (aks-preview extension)

Enable App Routing.

Extension GA
az aks approuting update

Update App Routing addon.

Core GA
az aks approuting update (aks-preview extension)

Update App Routing addon.

Extension GA
az aks approuting zone

Commands to manage App Routing DNS Zones.

Core and Extension GA
az aks approuting zone add

Add DNS Zone(s) to App Routing.

Core GA
az aks approuting zone add (aks-preview extension)

Add DNS Zone(s) to App Routing.

Extension GA
az aks approuting zone delete

Delete DNS Zone(s) from App Routing.

Core GA
az aks approuting zone delete (aks-preview extension)

Delete DNS Zone(s) from App Routing.

Extension GA
az aks approuting zone list

List DNS Zone IDs in App Routing.

Core GA
az aks approuting zone list (aks-preview extension)

List DNS Zone IDs in App Routing.

Extension GA
az aks approuting zone update

Replace DNS Zone(s) in App Routing.

Core GA
az aks approuting zone update (aks-preview extension)

Replace DNS Zone(s) in App Routing.

Extension GA
az aks browse

Show the dashboard for a Kubernetes cluster in a web browser.

Core GA
az aks browse (aks-preview extension)

Show the dashboard for a Kubernetes cluster in a web browser.

Extension GA
az aks check-acr

Validate an ACR is accessible from an AKS cluster.

Core GA
az aks check-network

Commands to troubleshoot network connectivity in managed Kubernetes cluster.

Extension GA
az aks check-network outbound

Perform outbound network connectivity check for a node in a managed Kubernetes cluster.

Extension GA
az aks command

See detail usage in 'az aks command invoke', 'az aks command result'.

Core GA
az aks command invoke

Run a shell command (with kubectl, helm) on your aks cluster, support attaching files as well.

Core GA
az aks command result

Fetch result from previously triggered 'aks command invoke'.

Core GA
az aks connection

Commands to manage aks connections.

Core and Extension Preview
az aks connection create

Create a connection between a aks and a target resource.

Core and Extension Preview
az aks connection create app-insights

Create a aks connection to app-insights.

Core Preview
az aks connection create appconfig

Create a aks connection to appconfig.

Core Preview
az aks connection create cognitiveservices

Create a aks connection to cognitiveservices.

Core Preview
az aks connection create confluent-cloud

Create a aks connection to confluent-cloud.

Core Preview
az aks connection create cosmos-cassandra

Create a aks connection to cosmos-cassandra.

Core Preview
az aks connection create cosmos-gremlin

Create a aks connection to cosmos-gremlin.

Core Preview
az aks connection create cosmos-mongo

Create a aks connection to cosmos-mongo.

Core Preview
az aks connection create cosmos-sql

Create a aks connection to cosmos-sql.

Core Preview
az aks connection create cosmos-table

Create a aks connection to cosmos-table.

Core Preview
az aks connection create eventhub

Create a aks connection to eventhub.

Core Preview
az aks connection create keyvault

Create a aks connection to keyvault.

Core Preview
az aks connection create mysql

Create a aks connection to mysql.

Core Preview and Deprecated
az aks connection create mysql-flexible

Create a aks connection to mysql-flexible.

Core Preview
az aks connection create mysql-flexible (serviceconnector-passwordless extension)

Create a aks connection to mysql-flexible.

Extension GA
az aks connection create postgres

Create a aks connection to postgres.

Core Preview and Deprecated
az aks connection create postgres-flexible

Create a aks connection to postgres-flexible.

Core Preview
az aks connection create postgres-flexible (serviceconnector-passwordless extension)

Create a aks connection to postgres-flexible.

Extension GA
az aks connection create redis

Create a aks connection to redis.

Core Preview
az aks connection create redis-enterprise

Create a aks connection to redis-enterprise.

Core Preview
az aks connection create servicebus

Create a aks connection to servicebus.

Core Preview
az aks connection create signalr

Create a aks connection to signalr.

Core Preview
az aks connection create sql

Create a aks connection to sql.

Core Preview
az aks connection create sql (serviceconnector-passwordless extension)

Create a aks connection to sql.

Extension GA
az aks connection create storage-blob

Create a aks connection to storage-blob.

Core Preview
az aks connection create storage-file

Create a aks connection to storage-file.

Core Preview
az aks connection create storage-queue

Create a aks connection to storage-queue.

Core Preview
az aks connection create storage-table

Create a aks connection to storage-table.

Core Preview
az aks connection create webpubsub

Create a aks connection to webpubsub.

Core Preview
az aks connection delete

Delete a aks connection.

Core Preview
az aks connection list

List connections of a aks.

Core Preview
az aks connection list-configuration

List source configurations of a aks connection.

Core Preview
az aks connection list-support-types

List client types and auth types supported by aks connections.

Core Preview
az aks connection show

Get the details of a aks connection.

Core Preview
az aks connection update

Update a aks connection.

Core Preview
az aks connection update app-insights

Update a aks to app-insights connection.

Core Preview
az aks connection update appconfig

Update a aks to appconfig connection.

Core Preview
az aks connection update cognitiveservices

Update a aks to cognitiveservices connection.

Core Preview
az aks connection update confluent-cloud

Update a aks to confluent-cloud connection.

Core Preview
az aks connection update cosmos-cassandra

Update a aks to cosmos-cassandra connection.

Core Preview
az aks connection update cosmos-gremlin

Update a aks to cosmos-gremlin connection.

Core Preview
az aks connection update cosmos-mongo

Update a aks to cosmos-mongo connection.

Core Preview
az aks connection update cosmos-sql

Update a aks to cosmos-sql connection.

Core Preview
az aks connection update cosmos-table

Update a aks to cosmos-table connection.

Core Preview
az aks connection update eventhub

Update a aks to eventhub connection.

Core Preview
az aks connection update keyvault

Update a aks to keyvault connection.

Core Preview
az aks connection update mysql

Update a aks to mysql connection.

Core Preview and Deprecated
az aks connection update mysql-flexible

Update a aks to mysql-flexible connection.

Core Preview
az aks connection update postgres

Update a aks to postgres connection.

Core Preview and Deprecated
az aks connection update postgres-flexible

Update a aks to postgres-flexible connection.

Core Preview
az aks connection update redis

Update a aks to redis connection.

Core Preview
az aks connection update redis-enterprise

Update a aks to redis-enterprise connection.

Core Preview
az aks connection update servicebus

Update a aks to servicebus connection.

Core Preview
az aks connection update signalr

Update a aks to signalr connection.

Core Preview
az aks connection update sql

Update a aks to sql connection.

Core Preview
az aks connection update storage-blob

Update a aks to storage-blob connection.

Core Preview
az aks connection update storage-file

Update a aks to storage-file connection.

Core Preview
az aks connection update storage-queue

Update a aks to storage-queue connection.

Core Preview
az aks connection update storage-table

Update a aks to storage-table connection.

Core Preview
az aks connection update webpubsub

Update a aks to webpubsub connection.

Core Preview
az aks connection validate

Validate a aks connection.

Core Preview
az aks connection wait

Place the CLI in a waiting state until a condition of the connection is met.

Core Preview
az aks create

Create a new managed Kubernetes cluster.

Core GA
az aks create (aks-preview extension)

Create a new managed Kubernetes cluster.

Extension GA
az aks delete

Delete a managed Kubernetes cluster.

Core GA
az aks delete (aks-preview extension)

Delete a managed Kubernetes cluster.

Extension GA
az aks disable-addons

Disable Kubernetes addons.

Core GA
az aks disable-addons (aks-preview extension)

Disable Kubernetes addons.

Extension GA
az aks draft

Commands to build deployment files in a project directory and deploy to an AKS cluster.

Extension GA
az aks draft create

Generate a Dockerfile and the minimum required Kubernetes deployment files (helm, kustomize, manifests) for your project directory.

Extension GA
az aks draft generate-workflow

Generate a GitHub workflow for automatic build and deploy to AKS.

Extension GA
az aks draft setup-gh

Set up GitHub OIDC for your application.

Extension GA
az aks draft up

Run az aks draft setup-gh then az aks draft generate-workflow.

Extension GA
az aks draft update

Update your application to be internet accessible.

Extension GA
az aks egress-endpoints

Commands to manage egress endpoints in managed Kubernetes cluster.

Extension GA
az aks egress-endpoints list

List egress endpoints that are required or recommended to be whitelisted for a cluster.

Extension GA
az aks enable-addons

Enable Kubernetes addons.

Core GA
az aks enable-addons (aks-preview extension)

Enable Kubernetes addons.

Extension GA
az aks get-credentials

Get access credentials for a managed Kubernetes cluster.

Core GA
az aks get-credentials (aks-preview extension)

Get access credentials for a managed Kubernetes cluster.

Extension GA
az aks get-upgrades

Get the upgrade versions available for a managed Kubernetes cluster.

Core GA
az aks get-upgrades (aks-preview extension)

Get the upgrade versions available for a managed Kubernetes cluster.

Extension GA
az aks get-versions

Get the versions available for creating a managed Kubernetes cluster.

Core GA
az aks get-versions (aks-preview extension)

Get the versions available for creating a managed Kubernetes cluster.

Extension GA
az aks install-cli

Download and install kubectl, the Kubernetes command-line tool. Download and install kubelogin, a client-go credential (exec) plugin implementing azure authentication.

Core GA
az aks kanalyze

Display diagnostic results for the Kubernetes cluster after kollect is done.

Extension GA
az aks kollect

Collecting diagnostic information for the Kubernetes cluster.

Extension GA
az aks list

List managed Kubernetes clusters.

Core GA
az aks list (aks-preview extension)

List managed Kubernetes clusters.

Extension GA
az aks machine

Get information about machines in a nodepool of a managed clusters.

Extension GA
az aks machine list

Get information about IP Addresses, Hostname for all machines in an agentpool.

Extension GA
az aks machine show

Show IP Addresses, Hostname for a specific machine in an agentpool for a managedcluster.

Extension GA
az aks maintenanceconfiguration

Commands to manage maintenance configurations in managed Kubernetes cluster.

Core and Extension GA
az aks maintenanceconfiguration add

Add a maintenance configuration in managed Kubernetes cluster.

Core GA
az aks maintenanceconfiguration add (aks-preview extension)

Add a maintenance configuration in managed Kubernetes cluster.

Extension GA
az aks maintenanceconfiguration delete

Delete a maintenance configuration in managed Kubernetes cluster.

Core GA
az aks maintenanceconfiguration delete (aks-preview extension)

Delete a maintenance configuration in managed Kubernetes cluster.

Extension GA
az aks maintenanceconfiguration list

List maintenance configurations in managed Kubernetes cluster.

Core GA
az aks maintenanceconfiguration list (aks-preview extension)

List maintenance configurations in managed Kubernetes cluster.

Extension GA
az aks maintenanceconfiguration show

Show the details of a maintenance configuration in managed Kubernetes cluster.

Core GA
az aks maintenanceconfiguration show (aks-preview extension)

Show the details of a maintenance configuration in managed Kubernetes cluster.

Extension GA
az aks maintenanceconfiguration update

Update a maintenance configuration of a managed Kubernetes cluster.

Core GA
az aks maintenanceconfiguration update (aks-preview extension)

Update a maintenance configuration of a managed Kubernetes cluster.

Extension GA
az aks mesh

Commands to manage Azure Service Mesh.

Core and Extension GA
az aks mesh disable

Disable Azure Service Mesh.

Core GA
az aks mesh disable (aks-preview extension)

Disable Azure Service Mesh.

Extension GA
az aks mesh disable-ingress-gateway

Disable an Azure Service Mesh ingress gateway.

Core GA
az aks mesh disable-ingress-gateway (aks-preview extension)

Disable an Azure Service Mesh ingress gateway.

Extension GA
az aks mesh enable

Enable Azure Service Mesh.

Core GA
az aks mesh enable (aks-preview extension)

Enable Azure Service Mesh.

Extension GA
az aks mesh enable-ingress-gateway

Enable an Azure Service Mesh ingress gateway.

Core GA
az aks mesh enable-ingress-gateway (aks-preview extension)

Enable an Azure Service Mesh ingress gateway.

Extension GA
az aks mesh get-revisions

Discover available Azure Service Mesh revisions and their compatibility.

Core GA
az aks mesh get-revisions (aks-preview extension)

Discover available Azure Service Mesh revisions and their compatibility.

Extension GA
az aks mesh get-upgrades

Discover available Azure Service Mesh upgrades.

Core GA
az aks mesh get-upgrades (aks-preview extension)

Discover available Azure Service Mesh upgrades.

Extension GA
az aks mesh upgrade

Commands to manage the upgrades for Azure Service Mesh.

Core and Extension GA
az aks mesh upgrade complete

Complete Azure Service Mesh upgrade.

Core GA
az aks mesh upgrade complete (aks-preview extension)

Complete Azure Service Mesh upgrade.

Extension GA
az aks mesh upgrade rollback

Rollback Azure Service Mesh upgrade.

Core GA
az aks mesh upgrade rollback (aks-preview extension)

Rollback Azure Service Mesh upgrade.

Extension GA
az aks mesh upgrade start

Initiate Azure Service Mesh upgrade.

Core GA
az aks mesh upgrade start (aks-preview extension)

Initiate Azure Service Mesh upgrade.

Extension GA
az aks nodepool

Commands to manage node pools in Kubernetes kubernetes cluster.

Core and Extension GA
az aks nodepool add

Add a node pool to the managed Kubernetes cluster.

Core GA
az aks nodepool add (aks-preview extension)

Add a node pool to the managed Kubernetes cluster.

Extension GA
az aks nodepool delete

Delete the agent pool in the managed Kubernetes cluster.

Core GA
az aks nodepool delete (aks-preview extension)

Delete the agent pool in the managed Kubernetes cluster.

Extension GA
az aks nodepool delete-machines

Delete specific machines in an agentpool for a managed cluster.

Core GA
az aks nodepool delete-machines (aks-preview extension)

Delete specific machines in an agentpool for a managed cluster.

Extension GA
az aks nodepool get-upgrades

Get the available upgrade versions for an agent pool of the managed Kubernetes cluster.

Core GA
az aks nodepool get-upgrades (aks-preview extension)

Get the available upgrade versions for an agent pool of the managed Kubernetes cluster.

Extension GA
az aks nodepool list

List node pools in the managed Kubernetes cluster. To get list of nodes in the cluster run kubectl get nodes command.

Core GA
az aks nodepool list (aks-preview extension)

List node pools in the managed Kubernetes cluster.

Extension GA
az aks nodepool manual-scale

Commands to manage nodepool virtualMachineProfile.scale.manual.

Extension GA
az aks nodepool manual-scale add

Add a new manual to a VirtualMachines agentpool in the managed Kubernetes cluster.

Extension GA
az aks nodepool manual-scale delete

Delete an existing manual to a VirtualMachines agentpool in the managed Kubernetes cluster.

Extension GA
az aks nodepool manual-scale update

Update an existing manual of a VirtualMachines agentpool in the managed Kubernetes cluster.

Extension GA
az aks nodepool operation-abort

Abort last running operation on nodepool.

Core GA
az aks nodepool operation-abort (aks-preview extension)

Abort last running operation on nodepool.

Extension GA
az aks nodepool scale

Scale the node pool in a managed Kubernetes cluster.

Core GA
az aks nodepool scale (aks-preview extension)

Scale the node pool in a managed Kubernetes cluster.

Extension GA
az aks nodepool show

Show the details for a node pool in the managed Kubernetes cluster.

Core GA
az aks nodepool show (aks-preview extension)

Show the details for a node pool in the managed Kubernetes cluster.

Extension GA
az aks nodepool snapshot

Commands to manage nodepool snapshots.

Core and Extension GA
az aks nodepool snapshot create

Create a nodepool snapshot.

Core GA
az aks nodepool snapshot create (aks-preview extension)

Create a nodepool snapshot.

Extension GA
az aks nodepool snapshot delete

Delete a nodepool snapshot.

Core GA
az aks nodepool snapshot delete (aks-preview extension)

Delete a nodepool snapshot.

Extension GA
az aks nodepool snapshot list

List nodepool snapshots.

Core GA
az aks nodepool snapshot list (aks-preview extension)

List nodepool snapshots.

Extension GA
az aks nodepool snapshot show

Show the details of a nodepool snapshot.

Core GA
az aks nodepool snapshot show (aks-preview extension)

Show the details of a nodepool snapshot.

Extension GA
az aks nodepool snapshot update

Update tags on a snapshot of a nodepool.

Core GA
az aks nodepool snapshot update (aks-preview extension)

Update tags on a snapshot of a nodepool.

Extension GA
az aks nodepool snapshot wait

Wait for a nodepool snapshot to reach a desired state.

Core GA
az aks nodepool start

Start stopped agent pool in the managed Kubernetes cluster.

Core GA
az aks nodepool start (aks-preview extension)

Start stopped agent pool in the managed Kubernetes cluster.

Extension GA
az aks nodepool stop

Stop running agent pool in the managed Kubernetes cluster.

Core GA
az aks nodepool stop (aks-preview extension)

Stop running agent pool in the managed Kubernetes cluster.

Extension GA
az aks nodepool update

Update a node pool properties.

Core GA
az aks nodepool update (aks-preview extension)

Update a node pool properties.

Extension GA
az aks nodepool upgrade

Upgrade the node pool in a managed Kubernetes cluster.

Core GA
az aks nodepool upgrade (aks-preview extension)

Upgrade the node pool in a managed Kubernetes cluster.

Extension GA
az aks nodepool wait

Wait for a node pool to reach a desired state.

Core GA
az aks oidc-issuer

Oidc issuer related commands.

Core GA
az aks oidc-issuer rotate-signing-keys

Rotate oidc issuer service account signing keys.

Core GA
az aks operation

Commands to manage and view operations on managed Kubernetes cluster.

Extension GA
az aks operation-abort

Abort last running operation on managed cluster.

Core GA
az aks operation-abort (aks-preview extension)

Abort last running operation on managed cluster.

Extension GA
az aks operation show

Show the details for a specific operation on managed Kubernetes cluster.

Extension GA
az aks operation show-latest

Show the details for the latest operation on managed Kubernetes cluster.

Extension GA
az aks pod-identity

Commands to manage pod identities in managed Kubernetes cluster.

Extension GA
az aks pod-identity add

Add a pod identity to a managed Kubernetes cluster.

Extension GA
az aks pod-identity delete

Remove a pod identity from a managed Kubernetes cluster.

Extension GA
az aks pod-identity exception

Commands to manage pod identity exceptions in managed Kubernetes cluster.

Extension GA
az aks pod-identity exception add

Add a pod identity exception to a managed Kubernetes cluster.

Extension GA
az aks pod-identity exception delete

Remove a pod identity exception from a managed Kubernetes cluster.

Extension GA
az aks pod-identity exception list

List pod identity exceptions in a managed Kubernetes cluster.

Extension GA
az aks pod-identity exception update

Update a pod identity exception in a managed Kubernetes cluster.

Extension GA
az aks pod-identity list

List pod identities in a managed Kubernetes cluster.

Extension GA
az aks remove-dev-spaces

Remove Azure Dev Spaces from a managed Kubernetes cluster.

Core Deprecated
az aks rotate-certs

Rotate certificates and keys on a managed Kubernetes cluster.

Core GA
az aks rotate-certs (aks-preview extension)

Rotate certificates and keys on a managed Kubernetes cluster.

Extension GA
az aks scale

Scale the node pool in a managed Kubernetes cluster.

Core GA
az aks scale (aks-preview extension)

Scale the node pool in a managed Kubernetes cluster.

Extension GA
az aks show

Show the details for a managed Kubernetes cluster.

Core GA
az aks show (aks-preview extension)

Show the details for a managed Kubernetes cluster.

Extension GA
az aks snapshot

Commands to manage nodepool snapshots.

Core and Extension Deprecated
az aks snapshot create

Create a nodepool snapshot.

Core Deprecated
az aks snapshot create (aks-preview extension)

Create a snapshot of a cluster.

Extension GA
az aks snapshot delete

Delete a nodepool snapshot.

Core Deprecated
az aks snapshot delete (aks-preview extension)

Delete a cluster snapshot.

Extension GA
az aks snapshot list

List nodepool snapshots.

Core Deprecated
az aks snapshot list (aks-preview extension)

List cluster snapshots.

Extension GA
az aks snapshot show

Show the details of a nodepool snapshot.

Core Deprecated
az aks snapshot show (aks-preview extension)

Show the details of a cluster snapshot.

Extension GA
az aks snapshot wait

Wait for a nodepool snapshot to reach a desired state.

Core Deprecated
az aks start

Starts a previously stopped Managed Cluster.

Core GA
az aks start (aks-preview extension)

Starts a previously stopped Managed Cluster.

Extension GA
az aks stop

Stop a managed cluster.

Core GA
az aks stop (aks-preview extension)

Stop a managed cluster.

Extension GA
az aks trustedaccess

Commands to manage trusted access security features.

Core and Extension GA
az aks trustedaccess role

Commands to manage trusted access roles.

Core and Extension GA
az aks trustedaccess role list

List trusted access roles.

Core GA
az aks trustedaccess role list (aks-preview extension)

List trusted access roles.

Extension GA
az aks trustedaccess rolebinding

Commands to manage trusted access role bindings.

Core and Extension GA
az aks trustedaccess rolebinding create

Create a new trusted access role binding.

Core GA
az aks trustedaccess rolebinding create (aks-preview extension)

Create a new trusted access role binding.

Extension GA
az aks trustedaccess rolebinding delete

Delete a trusted access role binding according to name.

Core GA
az aks trustedaccess rolebinding delete (aks-preview extension)

Delete a trusted access role binding according to name.

Extension GA
az aks trustedaccess rolebinding list

List all the trusted access role bindings.

Core GA
az aks trustedaccess rolebinding list (aks-preview extension)

List all the trusted access role bindings.

Extension GA
az aks trustedaccess rolebinding show

Get the specific trusted access role binding according to binding name.

Core GA
az aks trustedaccess rolebinding show (aks-preview extension)

Get the specific trusted access role binding according to binding name.

Extension GA
az aks trustedaccess rolebinding update

Update a trusted access role binding.

Core GA
az aks trustedaccess rolebinding update (aks-preview extension)

Update a trusted access role binding.

Extension GA
az aks update

Update a managed Kubernetes cluster. When called with no optional arguments this attempts to move the cluster to its goal state without changing the current cluster configuration. This can be used to move out of a non succeeded state.

Core GA
az aks update (aks-preview extension)

Update the properties of a managed Kubernetes cluster.

Extension GA
az aks update-credentials

Update credentials for a managed Kubernetes cluster, like service principal.

Core GA
az aks upgrade

Upgrade a managed Kubernetes cluster to a newer version.

Core GA
az aks upgrade (aks-preview extension)

Upgrade a managed Kubernetes cluster to a newer version.

Extension GA
az aks use-dev-spaces

Use Azure Dev Spaces with a managed Kubernetes cluster.

Core Deprecated
az aks use-dev-spaces (dev-spaces extension)

Use Azure Dev Spaces with a managed Kubernetes cluster.

Extension GA
az aks wait

Wait for a managed Kubernetes cluster to reach a desired state.

Core GA
az aks wait (aks-preview extension)

Wait for a managed Kubernetes cluster to reach a desired state.

Extension GA

az aks browse

Show the dashboard for a Kubernetes cluster in a web browser.

az aks browse --name
              --resource-group
              [--disable-browser]
              [--listen-address]
              [--listen-port]

Examples

Show the dashboard for a Kubernetes cluster in a web browser. (autogenerated)

az aks browse --name MyManagedCluster --resource-group MyResourceGroup

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--disable-browser

Don't launch a web browser after establishing port-forwarding.

Add this argument when launching a web browser manually, or for automated testing.

Default value: False
--listen-address

The listening address for the dashboard.

Add this argument to listen on a specific IP address.

Default value: 127.0.0.1
--listen-port

The listening port for the dashboard.

Add this argument when the default listening port is used by another process or unavailable.

Default value: 8001
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks browse (aks-preview extension)

Show the dashboard for a Kubernetes cluster in a web browser.

az aks browse --name
              --resource-group
              [--disable-browser]
              [--listen-address]
              [--listen-port]

Examples

Show the dashboard for a Kubernetes cluster in a web browser. (autogenerated)

az aks browse --name MyManagedCluster --resource-group MyResourceGroup

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--disable-browser

Don't launch a web browser after establishing port-forwarding.

Add this argument when launching a web browser manually, or for automated testing.

Default value: False
--listen-address

The listening address for the dashboard.

Add this argument to listen on a specific IP address.

Default value: 127.0.0.1
--listen-port

The listening port for the dashboard.

Add this argument when the default listening port is used by another process or unavailable.

Default value: 8001
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks check-acr

Validate an ACR is accessible from an AKS cluster.

az aks check-acr --acr
                 --name
                 --resource-group
                 [--node-name]

Examples

Validate the ACR is accessible from the AKS cluster.

az aks check-acr --name MyManagedCluster --resource-group MyResourceGroup --acr myacr.azurecr.io

Required Parameters

--acr

The FQDN of the ACR.

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--node-name

The name of a specific node to perform acr pull test checks. If not specified, it will be checked on a random node.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks create

Create a new managed Kubernetes cluster.

az aks create --name
              --resource-group
              [--aad-admin-group-object-ids]
              [--aad-client-app-id]
              [--aad-server-app-id]
              [--aad-server-app-secret]
              [--aad-tenant-id]
              [--aci-subnet-name]
              [--admin-username]
              [--aks-custom-headers]
              [--ampls-resource-id]
              [--api-server-authorized-ip-ranges]
              [--appgw-id]
              [--appgw-name]
              [--appgw-subnet-cidr]
              [--appgw-subnet-id]
              [--appgw-watch-namespace]
              [--assign-identity]
              [--assign-kubelet-identity]
              [--attach-acr]
              [--auto-upgrade-channel {node-image, none, patch, rapid, stable}]
              [--azure-keyvault-kms-key-id]
              [--azure-keyvault-kms-key-vault-network-access {Private, Public}]
              [--azure-keyvault-kms-key-vault-resource-id]
              [--azure-monitor-workspace-resource-id]
              [--ca-profile]
              [--client-secret]
              [--crg-id]
              [--data-collection-settings]
              [--defender-config]
              [--disable-disk-driver]
              [--disable-file-driver]
              [--disable-local-accounts]
              [--disable-public-fqdn]
              [--disable-rbac]
              [--disable-snapshot-controller]
              [--dns-name-prefix]
              [--dns-service-ip]
              [--docker-bridge-address]
              [--edge-zone]
              [--enable-aad]
              [--enable-addons]
              [--enable-ahub]
              [--enable-app-routing]
              [--enable-asm]
              [--enable-azure-container-storage {azureDisk, elasticSan, ephemeralDisk}]
              [--enable-azure-keyvault-kms]
              [--enable-azure-monitor-metrics]
              [--enable-azure-rbac]
              [--enable-blob-driver]
              [--enable-cluster-autoscaler]
              [--enable-cost-analysis]
              [--enable-defender]
              [--enable-encryption-at-host]
              [--enable-fips-image]
              [--enable-high-log-scale-mode {false, true}]
              [--enable-image-cleaner]
              [--enable-keda]
              [--enable-managed-identity]
              [--enable-msi-auth-for-monitoring {false, true}]
              [--enable-node-public-ip]
              [--enable-oidc-issuer]
              [--enable-private-cluster]
              [--enable-secret-rotation]
              [--enable-secure-boot]
              [--enable-sgxquotehelper]
              [--enable-syslog {false, true}]
              [--enable-ultra-ssd]
              [--enable-vpa]
              [--enable-vtpm]
              [--enable-windows-gmsa]
              [--enable-windows-recording-rules]
              [--enable-workload-identity]
              [--ephemeral-disk-nvme-perf-tier {Basic, Premium, Standard}]
              [--ephemeral-disk-volume-type {EphemeralVolumeOnly, PersistentVolumeWithAnnotation}]
              [--fqdn-subdomain]
              [--generate-ssh-keys]
              [--gmsa-dns-server]
              [--gmsa-root-domain-name]
              [--gpu-instance-profile {MIG1g, MIG2g, MIG3g, MIG4g, MIG7g}]
              [--grafana-resource-id]
              [--host-group-id]
              [--http-proxy-config]
              [--image-cleaner-interval-hours]
              [--ip-families]
              [--k8s-support-plan {AKSLongTermSupport, KubernetesOfficial}]
              [--ksm-metric-annotations-allow-list]
              [--ksm-metric-labels-allow-list]
              [--kubelet-config]
              [--kubernetes-version]
              [--linux-os-config]
              [--load-balancer-backend-pool-type {nodeIP, nodeIPConfiguration}]
              [--load-balancer-idle-timeout]
              [--load-balancer-managed-outbound-ip-count]
              [--load-balancer-managed-outbound-ipv6-count]
              [--load-balancer-outbound-ip-prefixes]
              [--load-balancer-outbound-ips]
              [--load-balancer-outbound-ports]
              [--load-balancer-sku {basic, standard}]
              [--location]
              [--max-count]
              [--max-pods]
              [--min-count]
              [--nat-gateway-idle-timeout]
              [--nat-gateway-managed-outbound-ip-count]
              [--network-dataplane {azure, cilium}]
              [--network-plugin {azure, kubenet, none}]
              [--network-plugin-mode {overlay}]
              [--network-policy]
              [--no-ssh-key]
              [--no-wait]
              [--node-count]
              [--node-os-upgrade-channel {NodeImage, None, SecurityPatch, Unmanaged}]
              [--node-osdisk-diskencryptionset-id]
              [--node-osdisk-size]
              [--node-osdisk-type {Ephemeral, Managed}]
              [--node-public-ip-prefix-id]
              [--node-public-ip-tags]
              [--node-resource-group]
              [--node-vm-size]
              [--nodepool-allowed-host-ports]
              [--nodepool-asg-ids]
              [--nodepool-labels]
              [--nodepool-name]
              [--nodepool-tags]
              [--nodepool-taints]
              [--os-sku {AzureLinux, CBLMariner, Mariner, Ubuntu}]
              [--outbound-type {loadBalancer, managedNATGateway, userAssignedNATGateway, userDefinedRouting}]
              [--pod-cidr]
              [--pod-cidrs]
              [--pod-subnet-id]
              [--ppg]
              [--private-dns-zone]
              [--revision]
              [--rotation-poll-interval]
              [--service-cidr]
              [--service-cidrs]
              [--service-principal]
              [--skip-subnet-role-assignment]
              [--snapshot-id]
              [--ssh-key-value]
              [--storage-pool-name]
              [--storage-pool-option {NVMe, Temp}]
              [--storage-pool-size]
              [--storage-pool-sku {PremiumV2_LRS, Premium_LRS, Premium_ZRS, StandardSSD_LRS, StandardSSD_ZRS, Standard_LRS, UltraSSD_LRS}]
              [--tags]
              [--tier {free, premium, standard}]
              [--uptime-sla]
              [--vm-set-type]
              [--vnet-subnet-id]
              [--windows-admin-password]
              [--windows-admin-username]
              [--workspace-resource-id]
              [--yes]
              [--zones]

Examples

Create a Kubernetes cluster with an existing SSH public key.

az aks create -g MyResourceGroup -n MyManagedCluster --ssh-key-value /path/to/publickey

Create a Kubernetes cluster with a specific version.

az aks create -g MyResourceGroup -n MyManagedCluster --kubernetes-version 1.16.9

Create a Kubernetes cluster with a larger node pool.

az aks create -g MyResourceGroup -n MyManagedCluster --node-count 7

Create a kubernetes cluster with default kubernetes version, default SKU load balancer (Standard) and default vm set type (VirtualMachineScaleSets).

az aks create -g MyResourceGroup -n MyManagedCluster

Create a kubernetes cluster with standard SKU load balancer and two AKS created IPs for the load balancer outbound connection usage.

az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-managed-outbound-ip-count 2

Create a kubernetes cluster with a standard SKU load balancer, with two outbound AKS managed IPs an idle flow timeout of 5 minutes and 8000 allocated ports per machine

az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-managed-outbound-ip-count 2 --load-balancer-idle-timeout 5 --load-balancer-outbound-ports 8000

Create a kubernetes cluster with standard SKU load balancer and use the provided public IPs for the load balancer outbound connection usage.

az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-outbound-ips <ip-resource-id-1,ip-resource-id-2>

Create a kubernetes cluster with standard SKU load balancer and use the provided public IP prefixes for the load balancer outbound connection usage.

az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-outbound-ip-prefixes <ip-prefix-resource-id-1,ip-prefix-resource-id-2>

Create a kubernetes cluster with a AKS managed NAT gateway, with two outbound AKS managed IPs an idle flow timeout of 4 minutes

az aks create -g MyResourceGroup -n MyManagedCluster --nat-gateway-managed-outbound-ip-count 2 --nat-gateway-idle-timeout 4 --outbound-type managedNATGateway --generate-ssh-keys

Create a kubernetes cluster with basic SKU load balancer and AvailabilitySet vm set type.

az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku basic --vm-set-type AvailabilitySet

Create a kubernetes cluster with authorized apiserver IP ranges.

az aks create -g MyResourceGroup -n MyManagedCluster --api-server-authorized-ip-ranges 193.168.1.0/24,194.168.1.0/24,195.168.1.0

Create a kubernetes cluster which enables managed identity.

az aks create -g MyResourceGroup -n MyManagedCluster --enable-managed-identity

Create a kubernetes cluster with userDefinedRouting, standard load balancer SKU and a custom subnet preconfigured with a route table

az aks create -g MyResourceGroup -n MyManagedCluster --outbound-type userDefinedRouting --load-balancer-sku standard --vnet-subnet-id customUserSubnetVnetID

Create a kubernetes cluster with supporting Windows agent pools.

az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku Standard --network-plugin azure --windows-admin-username azure --windows-admin-password 'replacePassword1234$'

Create a kubernetes cluster with supporting Windows agent pools with AHUB enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku Standard --network-plugin azure --windows-admin-username azure --windows-admin-password 'replacePassword1234$' --enable-ahub

Create a kubernetes cluster with managed AAD enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --enable-aad --aad-admin-group-object-ids <id-1,id-2> --aad-tenant-id <id>

Create a kubernetes cluster with server side encryption using your owned key.

az aks create -g MyResourceGroup -n MyManagedCluster --node-osdisk-diskencryptionset-id <disk-encryption-set-resource-id>

Create a kubernetes cluster with ephemeral OS enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --node-osdisk-type Ephemeral --node-osdisk-size 48

Create a kubernetes cluster with EncryptionAtHost enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --enable-encryption-at-host

Create a kubernetes cluster with UltraSSD enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --enable-ultra-ssd

Create a kubernetes cluster with Azure RBAC enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --enable-aad --enable-azure-rbac

Create a kubernetes cluster with custom control plane identity and kubelet identity.

az aks create -g MyResourceGroup -n MyManagedCluster --assign-identity <control-plane-identity-resource-id> --assign-kubelet-identity <kubelet-identity-resource-id>

Create a kubernetes cluster in the Edge Zone.

az aks create -g MyResourceGroup -n MyManagedCluster --location <location> --kubernetes-version 1.20.7 --edge-zone <edge-zone-name>

Create a kubernetes cluster with a specific OS SKU

az aks create -g MyResourceGroup -n MyManagedCluster --os-sku Ubuntu

Create a kubernetes cluster with custom tags

az aks create -g MyResourceGroup -n MyManagedCluster --tags "foo=bar" "baz=qux"

Create a kubernetes cluster with custom headers

az aks create -g MyResourceGroup -n MyManagedCluster --aks-custom-headers WindowsContainerRuntime=containerd

Create a kubernetes cluster with FIPS-enabled OS

az aks create -g MyResourceGroup -n MyManagedCluster --enable-fips-image

Create a kubernetes cluster with enabling Windows gmsa and with setting DNS server in the vnet used by the cluster.

az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku Standard --network-plugin azure --windows-admin-username azure --windows-admin-password 'replacePassword1234$' --enable-windows-gmsa

Create a kubernetes cluster with enabling Windows gmsa but without setting DNS server in the vnet used by the cluster.

az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku Standard --network-plugin azure --windows-admin-username azure --windows-admin-password 'replacePassword1234$' --enable-windows-gmsa --gmsa-dns-server "10.240.0.4" --gmsa-root-domain-name "contoso.com"

create a kubernetes cluster with a snapshot id.

az aks create -g MyResourceGroup -n MyManagedCluster --kubernetes-version 1.20.9 --snapshot-id "/subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.ContainerService/snapshots/mysnapshot1"

create a kubernetes cluster with support of hostgroup id.

az aks create -g MyResourceGroup -n MyMC --kubernetes-version 1.20.13 --location westus2 --host-group-id /subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.ContainerService/hostGroups/myHostGroup --node-vm-size VMSize --enable-managed-identity --assign-identity <user_assigned_identity_resource_id>

Create a kubernetes cluster with no CNI installed.

az aks create -g MyResourceGroup -n MyManagedCluster --network-plugin none

Create a kubernetes cluster with KEDA workload autoscaler enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --enable-keda

Create a kubernetes cluster with the Azure Monitor managed service for Prometheus integration enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --enable-azure-monitor-metrics

Create a kubernetes cluster with vertical pod autoscaler enaled.

az aks create -g MyResourceGroup -n MyManagedCluster --enable-vpa

create a kubernetes cluster with a Capacity Reservation Group(CRG) ID.

az aks create -g MyResourceGroup -n MyMC --kubernetes-version 1.20.9 --node-vm-size VMSize --assign-identity "subscriptions/SubID/resourceGroups/RGName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myID" --enable-managed-identity --crg-id "subscriptions/SubID/resourceGroups/RGName/providers/Microsoft.ContainerService/CapacityReservationGroups/MyCRGID"

Create a kubernetes cluster with Azure Service Mesh enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --enable-azure-service-mesh

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--aad-admin-group-object-ids

Comma-separated list of aad group object IDs that will be set as cluster admin.

--aad-client-app-id
Deprecated

Option '--aad-client-app-id' has been deprecated and will be removed in a future release.

The ID of an Azure Active Directory client application of type "Native". This application is for user login via kubectl.

--aad-client-app-id is deprecated. See https://aka.ms/aks/aad-legacy for details.

--aad-server-app-id
Deprecated

Option '--aad-server-app-id' has been deprecated and will be removed in a future release.

The ID of an Azure Active Directory server application of type "Web app/API". This application represents the managed cluster's apiserver (Server application).

--aad-server-app-id is deprecated. See https://aka.ms/aks/aad-legacy for details.

--aad-server-app-secret
Deprecated

Option '--aad-server-app-secret' has been deprecated and will be removed in a future release.

The secret of an Azure Active Directory server application.

--aad-server-app-secret is deprecated. See https://aka.ms/aks/aad-legacy for details.

--aad-tenant-id

The ID of an Azure Active Directory tenant.

--aci-subnet-name

The name of a subnet in an existing VNet into which to deploy the virtual nodes.

--admin-username -u

User account to create on node VMs for SSH access.

Default value: azureuser
--aks-custom-headers

Comma-separated key-value pairs to specify custom headers.

--ampls-resource-id

Resource ID of Azure Monitor Private Link scope for Monitoring Addon.

--api-server-authorized-ip-ranges

Comma-separated list of authorized apiserver IP ranges. Set to 0.0.0.0/32 to restrict apiserver traffic to node pools.

--appgw-id

Resource Id of an existing Application Gateway to use with AGIC. Use with ingress-azure addon.

--appgw-name

Name of the application gateway to create/use in the node resource group. Use with ingress-azure addon.

--appgw-subnet-cidr

Subnet CIDR to use for a new subnet created to deploy the Application Gateway. Use with ingress-azure addon.

--appgw-subnet-id

Resource Id of an existing Subnet used to deploy the Application Gateway. Use with ingress-azure addon.

--appgw-watch-namespace

Specify the namespace, which AGIC should watch. This could be a single string value, or a comma-separated list of namespaces.

--assign-identity

Specify an existing user assigned identity for control plane's usage in order to manage cluster resource group.

--assign-kubelet-identity

Specify an existing user assigned identity for kubelet's usage, which is typically used to pull image from ACR.

--attach-acr

Grant the 'acrpull' role assignment to the ACR specified by name or resource ID.

--auto-upgrade-channel

Specify the upgrade channel for autoupgrade.

Accepted values: node-image, none, patch, rapid, stable
--azure-keyvault-kms-key-id

Identifier of Azure Key Vault key.

--azure-keyvault-kms-key-vault-network-access

Network Access of Azure Key Vault.

Allowed values are "Public", "Private". If not set, defaults to type "Public". Requires --azure-keyvault-kms-key-id to be used.

Accepted values: Private, Public
--azure-keyvault-kms-key-vault-resource-id

Resource ID of Azure Key Vault.

--azure-monitor-workspace-resource-id

Resource ID of the Azure Monitor Workspace.

--ca-profile --cluster-autoscaler-profile

Comma-separated list of key=value pairs for configuring cluster autoscaler. Pass an empty string to clear the profile.

--client-secret

Secret associated with the service principal. This argument is required if --service-principal is specified.

--crg-id

The crg id used to associate the new cluster with the existed Capacity Reservation Group resource.

--data-collection-settings

Path to JSON file containing data collection settings for Monitoring addon.

--defender-config

Path to JSON file containing Microsoft Defender profile configurations.

--disable-disk-driver

Disable AzureDisk CSI Driver.

Default value: False
--disable-file-driver

Disable AzureFile CSI Driver.

Default value: False
--disable-local-accounts

If set to true, getting static credential will be disabled for this cluster.

Default value: False
--disable-public-fqdn

Disable public fqdn feature for private cluster.

Default value: False
--disable-rbac

Disable Kubernetes Role-Based Access Control.

--disable-snapshot-controller

Disable CSI Snapshot Controller.

Default value: False
--dns-name-prefix -p

Prefix for hostnames that are created. If not specified, generate a hostname using the managed cluster and resource group names.

--dns-service-ip

An IP address assigned to the Kubernetes DNS service.

This address must be within the Kubernetes service address range specified by "--service-cidr". For example, 10.0.0.10.

--docker-bridge-address
Deprecated

Option '--docker-bridge-address' has been deprecated and will be removed in a future release.

A specific IP address and netmask for the Docker bridge, using standard CIDR notation.

This address must not be in any Subnet IP ranges, or the Kubernetes service address range. For example, 172.17.0.1/16.

--edge-zone

The name of the Edge Zone.

--enable-aad

Enable managed AAD feature for cluster.

Default value: False
--enable-addons -a

Enable the Kubernetes addons in a comma-separated list.

These addons are available: - http_application_routing : configure ingress with automatic public DNS name creation. - monitoring : turn on Log Analytics monitoring. Uses the Log Analytics Default Workspace if it exists, else creates one. Specify "--workspace-resource-id" to use an existing workspace. Specify "--enable-msi-auth-for-monitoring" to use Managed Identity Auth. Specify "--enable-syslog" to enable syslog data collection from nodes. Note MSI must be enabled Specify "--data-collection-settings" to configure data collection settings Specify "--ampls-resource-id" for private link. Note MSI must be enabled. Specify "--enable-high-log-scale-mode" to enable high log scale mode for container logs. Note MSI must be enabled. If monitoring addon is enabled --no-wait argument will have no effect - azure-policy : enable Azure policy. The Azure Policy add-on for AKS enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Learn more at aka.ms/aks/policy. - virtual-node : enable AKS Virtual Node. Requires --aci-subnet-name to provide the name of an existing subnet for the Virtual Node to use. aci-subnet-name must be in the same vnet which is specified by --vnet-subnet-id (required as well). - confcom : enable confcom addon, this will enable SGX device plugin by default. - open-service-mesh : enable Open Service Mesh addon. - azure-keyvault-secrets-provider : enable Azure Keyvault Secrets Provider addon.

--enable-ahub

Enable Azure Hybrid User Benefits (AHUB) for Windows VMs.

Default value: False
--enable-app-routing

Enable Application Routing addon.

Default value: False
--enable-asm --enable-azure-service-mesh

Enable Azure Service Mesh addon.

--enable-azure-container-storage

Enable azure container storage and define storage pool type.

Accepted values: azureDisk, elasticSan, ephemeralDisk
--enable-azure-keyvault-kms

Enable Azure KeyVault Key Management Service.

Default value: False
--enable-azure-monitor-metrics

Enable a kubernetes cluster with the Azure Monitor managed service for Prometheus integration.

Default value: False
--enable-azure-rbac

Enable Azure RBAC to control authorization checks on cluster.

Default value: False
--enable-blob-driver

Enable AzureBlob CSI Driver.

--enable-cluster-autoscaler

Enable cluster autoscaler, default value is false.

If specified, please make sure the kubernetes version is larger than 1.10.6.

Default value: False
--enable-cost-analysis

Enable exporting Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. For more information see aka.ms/aks/docs/cost-analysis.

Default value: False
--enable-defender

Enable Microsoft Defender security profile.

Default value: False
--enable-encryption-at-host

Enable EncryptionAtHost, default value is false.

Default value: False
--enable-fips-image

Use FIPS-enabled OS on agent nodes.

Default value: False
--enable-high-log-scale-mode
Preview

Enable High Log Scale Mode for Container Logs.

Accepted values: false, true
Default value: False
--enable-image-cleaner

Enable ImageCleaner Service.

Default value: False
--enable-keda

Enable KEDA workload auto-scaler.

Default value: False
--enable-managed-identity

Using a system assigned managed identity to manage cluster resource group. You can explicitly specify "--service-principal" and "--client-secret" to disable managed identity, otherwise it will be enabled.

--enable-msi-auth-for-monitoring

Enable Managed Identity Auth for Monitoring addon.

Accepted values: false, true
Default value: True
--enable-node-public-ip

Enable VMSS node public IP.

Default value: False
--enable-oidc-issuer

Enable OIDC issuer.

Default value: False
--enable-private-cluster

Enable private cluster.

Default value: False
--enable-secret-rotation

Enable secret rotation. Use with azure-keyvault-secrets-provider addon.

Default value: False
--enable-secure-boot

Enable Secure Boot on all node pools in the cluster. Must use VMSS agent pool type.

Default value: False
--enable-sgxquotehelper

Enable SGX quote helper for confcom addon.

Default value: False
--enable-syslog

Enable syslog data collection for Monitoring addon.

Accepted values: false, true
Default value: False
--enable-ultra-ssd

Enable UltraSSD, default value is false.

Default value: False
--enable-vpa

Enable vertical pod autoscaler for cluster.

Default value: False
--enable-vtpm

Enable vTPM on all node pools in the cluster. Must use VMSS agent pool type.

Default value: False
--enable-windows-gmsa

Enable Windows gmsa.

Default value: False
--enable-windows-recording-rules

Enable Windows Recording Rules when enabling the Azure Monitor Metrics addon.

Default value: False
--enable-workload-identity

Enable workload identity addon.

Default value: False
--ephemeral-disk-nvme-perf-tier

Set ephemeral disk volume type for azure container storage.

Accepted values: Basic, Premium, Standard
--ephemeral-disk-volume-type

Set ephemeral disk volume type for azure container storage.

Accepted values: EphemeralVolumeOnly, PersistentVolumeWithAnnotation
--fqdn-subdomain

Prefix for FQDN that is created for private cluster with custom private dns zone scenario.

--generate-ssh-keys

Generate SSH public and private key files if missing. The keys will be stored in the ~/.ssh directory.

Default value: False
--gmsa-dns-server

Specify DNS server for Windows gmsa for this cluster.

You do not need to set this if you have set DNS server in the VNET used by the cluster. You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time when setting --enable-windows-gmsa.

--gmsa-root-domain-name

Specify root domain name for Windows gmsa for this cluster.

You do not need to set this if you have set DNS server in the VNET used by the cluster. You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time when setting --enable-windows-gmsa.

--gpu-instance-profile

GPU instance profile to partition multi-gpu Nvidia GPUs.

Accepted values: MIG1g, MIG2g, MIG3g, MIG4g, MIG7g
--grafana-resource-id

Resource ID of the Azure Managed Grafana Workspace.

--host-group-id

The fully qualified dedicated host group id used to provision agent node pool.

--http-proxy-config

HTTP Proxy configuration for this cluster.

--image-cleaner-interval-hours

ImageCleaner scanning interval.

--ip-families

A comma-separated list of IP versions to use for cluster networking.

Each IP version should be in the format IPvN. For example, IPv4.

--k8s-support-plan

Choose from "KubernetesOfficial" or "AKSLongTermSupport", with "AKSLongTermSupport" you get 1 extra year of CVE patchs.

Accepted values: AKSLongTermSupport, KubernetesOfficial
--ksm-metric-annotations-allow-list

Comma-separated list of additional Kubernetes label keys that will be used in the resource' labels metric. By default the metric contains only name and namespace labels. To include additional labels provide a list of resource names in their plural form and Kubernetes label keys you would like to allow for them (e.g.'=namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...)'. A single '' can be provided per resource instead to allow any labels, but that has severe performance implications (e.g. '=pods=[]').

--ksm-metric-labels-allow-list

Comma-separated list of additional Kubernetes label keys that will be used in the resource' labels metric. By default the metric contains only name and namespace labels. To include additional labels provide a list of resource names in their plural form and Kubernetes label keys you would like to allow for them (e.g. '=namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...)'. A single '' can be provided per resource instead to allow any labels, but that has severe performance implications (e.g. '=pods=[]').

--kubelet-config

Path to JSON file containing Kubelet configurations for agent nodes. https://aka.ms/aks/custom-node-config.

--kubernetes-version -k

Version of Kubernetes to use for creating the cluster, such as "1.16.9".

Value from: `az aks get-versions`
--linux-os-config

Path to JSON file containing OS configurations for Linux agent nodes. https://aka.ms/aks/custom-node-config.

--load-balancer-backend-pool-type

Load balancer backend pool type.

Define the LoadBalancer backend pool type of managed inbound backend pool. The nodeIP means the VMs will be attached to the LoadBalancer by adding its private IP address to the backend pool. The nodeIPConfiguration means the VMs will be attached to the LoadBalancer by referencing the backend pool ID in the VM's NIC.

Accepted values: nodeIP, nodeIPConfiguration
--load-balancer-idle-timeout

Load balancer idle timeout in minutes.

Desired idle timeout for load balancer outbound flows, default is 30 minutes. Please specify a value in the range of [4, 100].

--load-balancer-managed-outbound-ip-count

Load balancer managed outbound IP count.

Desired number of managed outbound IPs for load balancer outbound connection. Valid for Standard SKU load balancer cluster only.

--load-balancer-managed-outbound-ipv6-count

Load balancer managed outbound IPv6 IP count.

Desired number of managed outbound IPv6 IPs for load balancer outbound connection. Valid for dual-stack (--ip-families IPv4,IPv6) only.

--load-balancer-outbound-ip-prefixes

Load balancer outbound IP prefix resource IDs.

Comma-separated public IP prefix resource IDs for load balancer outbound connection. Valid for Standard SKU load balancer cluster only.

--load-balancer-outbound-ips

Load balancer outbound IP resource IDs.

Comma-separated public IP resource IDs for load balancer outbound connection. Valid for Standard SKU load balancer cluster only.

--load-balancer-outbound-ports

Load balancer outbound allocated ports.

Desired static number of outbound ports per VM in the load balancer backend pool. By default, set to 0 which uses the default allocation based on the number of VMs.

--load-balancer-sku

Azure Load Balancer SKU selection for your cluster. basic or standard. Defaults to 'standard'.

Select between Basic or Standard Azure Load Balancer SKU for your AKS cluster.

Accepted values: basic, standard
--location -l

Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.

--max-count

Maximum nodes count used for autoscaler, when "--enable-cluster-autoscaler" specified. Please specify the value in the range of [1, 1000].

--max-pods -m

The maximum number of pods deployable to a node.

If not specified, defaults based on network-plugin. 30 for "azure", 110 for "kubenet", or 250 for "none".

--min-count

Minimum nodes count used for autoscaler, when "--enable-cluster-autoscaler" specified. Please specify the value in the range of [1, 1000].

--nat-gateway-idle-timeout

NAT gateway idle timeout in minutes.

Desired idle timeout for NAT gateway outbound flows, default is 4 minutes. Please specify a value in the range of [4, 120]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.

--nat-gateway-managed-outbound-ip-count

NAT gateway managed outbound IP count.

Desired number of managed outbound IPs for NAT gateway outbound connection. Please specify a value in the range of [1, 16]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.

--network-dataplane

The network dataplane to use.

Network dataplane used in the Kubernetes cluster. Specify "azure" to use the Azure dataplane (default) or "cilium" to enable Cilium dataplane.

Accepted values: azure, cilium
--network-plugin

The Kubernetes network plugin to use.

Specify "azure" for routable pod IPs from VNET, "kubenet" for non-routable pod IPs with an overlay network, or "none" for no networking configured. Defaults to "kubenet".

Accepted values: azure, kubenet, none
--network-plugin-mode

The network plugin mode to use.

Used to control the mode the network plugin should operate in. For example, "overlay" used with --network-plugin=azure will use an overlay network (non-VNET IPs) for pods in the cluster.

Accepted values: overlay
--network-policy

Network Policy Engine to use.

Azure provides three Network Policy Engines for enforcing network policies that can be used together with "azure" network plugin. The following values can be specified:

  • "azure" for Azure Network Policy Manager,
  • "cilium" for Azure CNI Powered by Cilium,
  • "calico" for open-source network and network security solution founded by Tigera,
  • "none" when no Network Policy Engine is installed (default value). Defaults to "none" (network policy disabled).
--no-ssh-key -x

Do not use or create a local SSH key.

To access nodes after creating a cluster with this option, use the Azure Portal.

Default value: False
--no-wait

Do not wait for the long-running operation to finish.

Default value: False
--node-count -c

Number of nodes in the Kubernetes node pool. After creating a cluster, you can change the size of its node pool with az aks scale.

Default value: 3
--node-os-upgrade-channel

Manner in which the OS on your nodes is updated. It could be NodeImage, None, SecurityPatch or Unmanaged.

Accepted values: NodeImage, None, SecurityPatch, Unmanaged
--node-osdisk-diskencryptionset-id -d

ResourceId of the disk encryption set to use for enabling encryption at rest on agent node os disk.

--node-osdisk-size

Size in GiB of the OS disk for each node in the node pool. Minimum 30 GiB.

--node-osdisk-type

OS disk type to be used for machines in a given agent pool: Ephemeral or Managed. Defaults to 'Ephemeral' when possible in conjunction with VM size and OS disk size. May not be changed for this pool after creation.

Accepted values: Ephemeral, Managed
--node-public-ip-prefix-id

Public IP prefix ID used to assign public IPs to VMSS nodes.

--node-public-ip-tags

The ipTags of the node public IPs.

--node-resource-group

The node resource group is the resource group where all customer's resources will be created in, such as virtual machines.

--node-vm-size -s

Size of Virtual Machines to create as Kubernetes nodes.

--nodepool-allowed-host-ports

Expose host ports on the node pool. When specified, format should be a space-separated list of ranges with protocol, eg. 80/TCP 443/TCP 4000-5000/TCP.

--nodepool-asg-ids

The IDs of the application security groups to which the node pool's network interface should belong. When specified, format should be a space-separated list of IDs.

--nodepool-labels

The node labels for all node pool. See https://aka.ms/node-labels for syntax of labels.

--nodepool-name

Node pool name, up to 12 alphanumeric characters.

Default value: nodepool1
--nodepool-tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--nodepool-taints

The node taints for all node pool.

--os-sku

The OS SKU of the agent node pool. Ubuntu or CBLMariner.

Accepted values: AzureLinux, CBLMariner, Mariner, Ubuntu
--outbound-type

How outbound traffic will be configured for a cluster.

Select between loadBalancer, userDefinedRouting, managedNATGateway and userAssignedNATGateway. If not set, defaults to type loadBalancer. Requires --vnet-subnet-id to be provided with a preconfigured route table and --load-balancer-sku to be Standard.

Accepted values: loadBalancer, managedNATGateway, userAssignedNATGateway, userDefinedRouting
--pod-cidr

A CIDR notation IP range from which to assign pod IPs when kubenet is used.

This range must not overlap with any Subnet IP ranges. For example, 172.244.0.0/16.

--pod-cidrs

A comma-separated list of CIDR notation IP ranges from which to assign pod IPs when kubenet is used.

Each range must not overlap with any Subnet IP ranges. For example, "172.244.0.0/16,fd0:abcd::/64".

--pod-subnet-id

The ID of a subnet in an existing VNet into which to assign pods in the cluster (requires azure network-plugin).

--ppg

The ID of a PPG.

--private-dns-zone

Private dns zone mode for private cluster.

Allowed values are "system", "none" or custom private dns zone resource id. If not set, defaults to type system. Requires --enable-private-cluster to be used.

--revision

Azure Service Mesh revision to install.

--rotation-poll-interval

Set interval of rotation poll. Use with azure-keyvault-secrets-provider addon.

--service-cidr

A CIDR notation IP range from which to assign service cluster IPs.

This range must not overlap with any Subnet IP ranges. For example, 10.0.0.0/16.

--service-cidrs

A comma-separated list of CIDR notation IP ranges from which to assign service cluster IPs.

Each range must not overlap with any Subnet IP ranges. For example, "10.0.0.0/16,2001:abcd::/108".

--service-principal

Service principal used for authentication to Azure APIs.

--skip-subnet-role-assignment

Skip role assignment for subnet (advanced networking).

If specified, please make sure your service principal has the access to your subnet.

Default value: False
--snapshot-id

The source snapshot id used to create this cluster.

--ssh-key-value

Public key path or key contents to install on node VMs for SSH access. For example, 'ssh-rsa AAAAB...snip...UcyupgH azureuser@linuxvm'.

Default value: ~\.ssh\id_rsa.pub
--storage-pool-name

Set storage pool name for azure container storage.

--storage-pool-option

Set ephemeral disk storage pool option for azure container storage.

Accepted values: NVMe, Temp
--storage-pool-size

Set storage pool size for azure container storage.

--storage-pool-sku

Set azure disk type storage pool sku for azure container storage.

Accepted values: PremiumV2_LRS, Premium_LRS, Premium_ZRS, StandardSSD_LRS, StandardSSD_ZRS, Standard_LRS, UltraSSD_LRS
--tags

The tags of the managed cluster. The managed cluster instance and all resources managed by the cloud provider will be tagged.

--tier

Specify SKU tier for managed clusters. '--tier standard' enables a standard managed cluster service with a financially backed SLA. '--tier free' does not have a financially backed SLA.

Accepted values: free, premium, standard
--uptime-sla
Deprecated

Option '--uptime-sla' has been deprecated and will be removed in a future release.

--uptime-sla is deprecated. Please use '--tier standard' instead.

Default value: False
--vm-set-type

Agent pool vm set type. VirtualMachineScaleSets or AvailabilitySet. Defaults to 'VirtualMachineScaleSets'.

--vnet-subnet-id

The ID of a subnet in an existing VNet into which to deploy the cluster.

--windows-admin-password

User account password to use on windows node VMs.

Rules for windows-admin-password: - Minimum-length: 14 characters - Max-length: 123 characters - Complexity requirements: 3 out of 4 conditions below need to be fulfilled * Has lower characters * Has upper characters * Has a digit * Has a special character (Regex match [\W_]) - Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!" Reference: https://docs.microsoft.com/dotnet/api/microsoft.azure.management.compute.models.virtualmachinescalesetosprofile.adminpassword?view=azure-dotnet.

--windows-admin-username

User account to create on windows node VMs.

Rules for windows-admin-username: - restriction: Cannot end in "." - Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5". - Minimum-length: 1 character - Max-length: 20 characters Reference: https://docs.microsoft.com/dotnet/api/microsoft.azure.management.compute.models.virtualmachinescalesetosprofile.adminusername?view=azure-dotnet.

--workspace-resource-id

The resource ID of an existing Log Analytics Workspace to use for storing monitoring data. If not specified, uses the default Log Analytics Workspace if it exists, otherwise creates one.

--yes -y

Do not prompt for confirmation.

Default value: False
--zones -z

Availability zones where agent nodes will be placed. Also, to install agent nodes to more than one zones you need to pass zone numbers (1,2 or 3) separated by blanks. For example - To have all 3 zones, you are expected to enter --zones 1 2 3.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks create (aks-preview extension)

Create a new managed Kubernetes cluster.

az aks create --name
              --resource-group
              [--aad-admin-group-object-ids]
              [--aad-tenant-id]
              [--aci-subnet-name]
              [--admin-username]
              [--aks-custom-headers]
              [--ampls-resource-id]
              [--api-server-authorized-ip-ranges]
              [--apiserver-subnet-id]
              [--app-routing-default-nginx-controller {AnnotationControlled, External, Internal, None}]
              [--appgw-id]
              [--appgw-name]
              [--appgw-subnet-cidr]
              [--appgw-subnet-id]
              [--appgw-watch-namespace]
              [--assign-identity]
              [--assign-kubelet-identity]
              [--attach-acr]
              [--auto-upgrade-channel {node-image, none, patch, rapid, stable}]
              [--azure-keyvault-kms-key-id]
              [--azure-keyvault-kms-key-vault-network-access {Private, Public}]
              [--azure-keyvault-kms-key-vault-resource-id]
              [--azure-monitor-workspace-resource-id]
              [--bootstrap-artifact-source {Cache, Direct}]
              [--bootstrap-container-registry-resource-id]
              [--ca-certs]
              [--ca-profile]
              [--client-secret]
              [--cluster-service-load-balancer-health-probe-mode {Servicenodeport, Shared}]
              [--cluster-snapshot-id]
              [--crg-id]
              [--data-collection-settings]
              [--defender-config]
              [--disable-acns-observability]
              [--disable-acns-security]
              [--disable-disk-driver]
              [--disable-file-driver]
              [--disable-local-accounts]
              [--disable-public-fqdn]
              [--disable-rbac]
              [--disable-snapshot-controller]
              [--disk-driver-version {v1, v2}]
              [--dns-name-prefix]
              [--dns-service-ip]
              [--dns-zone-resource-id]
              [--dns-zone-resource-ids]
              [--docker-bridge-address]
              [--edge-zone]
              [--enable-aad]
              [--enable-acns]
              [--enable-addon-autoscaling]
              [--enable-addons]
              [--enable-ahub]
              [--enable-ai-toolchain-operator]
              [--enable-apiserver-vnet-integration]
              [--enable-app-routing]
              [--enable-asm]
              [--enable-azure-container-storage {azureDisk, elasticSan, ephemeralDisk}]
              [--enable-azure-keyvault-kms]
              [--enable-azure-monitor-app-monitoring]
              [--enable-azure-monitor-metrics]
              [--enable-azure-rbac]
              [--enable-azuremonitormetrics]
              [--enable-blob-driver]
              [--enable-cilium-dataplane]
              [--enable-cluster-autoscaler]
              [--enable-cost-analysis]
              [--enable-custom-ca-trust]
              [--enable-defender]
              [--enable-encryption-at-host]
              [--enable-fips-image]
              [--enable-high-log-scale-mode {false, true}]
              [--enable-image-cleaner]
              [--enable-image-integrity]
              [--enable-imds-restriction]
              [--enable-keda]
              [--enable-managed-identity]
              [--enable-msi-auth-for-monitoring {false, true}]
              [--enable-node-public-ip]
              [--enable-oidc-issuer]
              [--enable-pod-identity]
              [--enable-pod-identity-with-kubenet]
              [--enable-pod-security-policy]
              [--enable-private-cluster]
              [--enable-secret-rotation]
              [--enable-secure-boot]
              [--enable-sgxquotehelper]
              [--enable-static-egress-gateway]
              [--enable-syslog {false, true}]
              [--enable-ultra-ssd]
              [--enable-vpa]
              [--enable-vtpm]
              [--enable-windows-gmsa]
              [--enable-windows-recording-rules]
              [--enable-workload-identity]
              [--ephemeral-disk-nvme-perf-tier {Basic, Premium, Standard}]
              [--ephemeral-disk-volume-type {EphemeralVolumeOnly, PersistentVolumeWithAnnotation}]
              [--fqdn-subdomain]
              [--generate-ssh-keys]
              [--gmsa-dns-server]
              [--gmsa-root-domain-name]
              [--gpu-instance-profile {MIG1g, MIG2g, MIG3g, MIG4g, MIG7g}]
              [--grafana-resource-id]
              [--host-group-id]
              [--http-proxy-config]
              [--if-match]
              [--if-none-match]
              [--image-cleaner-interval-hours]
              [--ip-families]
              [--k8s-support-plan {AKSLongTermSupport, KubernetesOfficial}]
              [--ksm-metric-annotations-allow-list]
              [--ksm-metric-labels-allow-list]
              [--kube-proxy-config]
              [--kubelet-config]
              [--kubernetes-version]
              [--linux-os-config]
              [--load-balancer-backend-pool-type]
              [--load-balancer-idle-timeout]
              [--load-balancer-managed-outbound-ip-count]
              [--load-balancer-managed-outbound-ipv6-count]
              [--load-balancer-outbound-ip-prefixes]
              [--load-balancer-outbound-ips]
              [--load-balancer-outbound-ports]
              [--load-balancer-sku {basic, standard}]
              [--location]
              [--max-count]
              [--max-pods]
              [--message-of-the-day]
              [--min-count]
              [--nat-gateway-idle-timeout]
              [--nat-gateway-managed-outbound-ip-count]
              [--network-dataplane {azure, cilium}]
              [--network-plugin {azure, kubenet, none}]
              [--network-plugin-mode {overlay}]
              [--network-policy]
              [--no-ssh-key]
              [--no-wait]
              [--node-count]
              [--node-init-taints]
              [--node-os-upgrade-channel {NodeImage, None, SecurityPatch, Unmanaged}]
              [--node-osdisk-diskencryptionset-id]
              [--node-osdisk-size]
              [--node-osdisk-type {Ephemeral, Managed}]
              [--node-provisioning-mode {Auto, Manual}]
              [--node-public-ip-prefix-id]
              [--node-public-ip-tags]
              [--node-resource-group]
              [--node-vm-size]
              [--nodepool-allowed-host-ports]
              [--nodepool-asg-ids]
              [--nodepool-labels]
              [--nodepool-name]
              [--nodepool-tags]
              [--nodepool-taints]
              [--nrg-lockdown-restriction-level {ReadOnly, Unrestricted}]
              [--os-sku {AzureLinux, CBLMariner, Mariner, Ubuntu}]
              [--outbound-type {block, loadBalancer, managedNATGateway, none, userAssignedNATGateway, userDefinedRouting}]
              [--pod-cidr]
              [--pod-cidrs]
              [--pod-ip-allocation-mode {DynamicIndividual, StaticBlock}]
              [--pod-subnet-id]
              [--ppg]
              [--private-dns-zone]
              [--revision]
              [--rotation-poll-interval]
              [--safeguards-excluded-ns]
              [--safeguards-level {Enforcement, Off, Warning}]
              [--safeguards-version]
              [--service-cidr]
              [--service-cidrs]
              [--service-principal]
              [--skip-subnet-role-assignment]
              [--sku {automatic, base}]
              [--snapshot-id]
              [--ssh-access {disabled, localuser}]
              [--ssh-key-value]
              [--storage-pool-name]
              [--storage-pool-option {NVMe, Temp}]
              [--storage-pool-size]
              [--storage-pool-sku {PremiumV2_LRS, Premium_LRS, Premium_ZRS, StandardSSD_LRS, StandardSSD_ZRS, Standard_LRS, UltraSSD_LRS}]
              [--tags]
              [--tier {free, premium, standard}]
              [--vm-set-type]
              [--vm-sizes]
              [--vnet-subnet-id]
              [--windows-admin-password]
              [--windows-admin-username]
              [--workload-runtime {KataCcIsolation, KataMshvVmIsolation, OCIContainer, WasmWasi}]
              [--workspace-resource-id]
              [--yes]
              [--zones]

Examples

Create a Kubernetes cluster with an existing SSH public key.

az aks create -g MyResourceGroup -n MyManagedCluster --ssh-key-value /path/to/publickey

Create a Kubernetes cluster with a specific version.

az aks create -g MyResourceGroup -n MyManagedCluster --kubernetes-version 1.13.9

Create a Kubernetes cluster with a larger node pool.

az aks create -g MyResourceGroup -n MyManagedCluster --node-count 7

Create a kubernetes cluster with cluster autosclaler enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --kubernetes-version 1.13.9 --node-count 3 --enable-cluster-autoscaler --min-count 1 --max-count 5

Create a kubernetes cluster with k8s 1.13.9 but use vmas.

az aks create -g MyResourceGroup -n MyManagedCluster --kubernetes-version 1.13.9 --vm-set-type AvailabilitySet

Create a kubernetes cluster with default kubernetes vesrion, default SKU load balancer(standard) and default vm set type(VirtualMachineScaleSets).

az aks create -g MyResourceGroup -n MyManagedCluster

Create a kubernetes cluster with standard SKU load balancer and two AKS created IPs for the load balancer outbound connection usage.

az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-managed-outbound-ip-count 2

Create a kubernetes cluster with standard SKU load balancer and use the provided public IPs for the load balancer outbound connection usage.

az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-outbound-ips <ip-resource-id-1,ip-resource-id-2>

Create a kubernetes cluster with standard SKU load balancer and use the provided public IP prefixes for the load balancer outbound connection usage.

az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-outbound-ip-prefixes <ip-prefix-resource-id-1,ip-prefix-resource-id-2>

Create a kubernetes cluster with a standard SKU load balancer, with two outbound AKS managed IPs an idle flow timeout of 5 minutes and 8000 allocated ports per machine

az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-managed-outbound-ip-count 2 --load-balancer-idle-timeout 5 --load-balancer-outbound-ports 8000

Create a kubernetes cluster with a AKS managed NAT gateway, with two outbound AKS managed IPs an idle flow timeout of 4 minutes

az aks create -g MyResourceGroup -n MyManagedCluster --nat-gateway-managed-outbound-ip-count 2 --nat-gateway-idle-timeout 4

Create a kubernetes cluster with basic SKU load balancer and AvailabilitySet vm set type.

az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku basic --vm-set-type AvailabilitySet

Create a kubernetes cluster with authorized apiserver IP ranges.

az aks create -g MyResourceGroup -n MyManagedCluster --api-server-authorized-ip-ranges 193.168.1.0/24,194.168.1.0/24,195.168.1.0

Create a kubernetes cluster with server side encryption using your owned key.

az aks create -g MyResourceGroup -n MyManagedCluster --node-osdisk-diskencryptionset-id <disk-encryption-set-resource-id>

Create a kubernetes cluster with userDefinedRouting, standard load balancer SKU and a custom subnet preconfigured with a route table

az aks create -g MyResourceGroup -n MyManagedCluster --outbound-type userDefinedRouting --load-balancer-sku standard --vnet-subnet-id customUserSubnetVnetID

Create a kubernetes cluster with supporting Windows agent pools with AHUB enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku Standard --network-plugin azure --windows-admin-username azure --windows-admin-password 'replacePassword1234$' --enable-ahub

Create a kubernetes cluster with managed AAD enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --enable-aad --aad-admin-group-object-ids <id-1,id-2> --aad-tenant-id <id>

Create a kubernetes cluster with ephemeral os enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --node-osdisk-type Ephemeral --node-osdisk-size 48

Create a kubernetes cluster with custom tags

az aks create -g MyResourceGroup -n MyManagedCluster --tags "foo=bar" "baz=qux"

Create a kubernetes cluster with EncryptionAtHost enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --enable-encryption-at-host

Create a kubernetes cluster with UltraSSD enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --enable-ultra-ssd

Create a kubernetes cluster with custom control plane identity and kubelet identity.

az aks create -g MyResourceGroup -n MyManagedCluster --assign-identity <control-plane-identity-resource-id> --assign-kubelet-identity <kubelet-identity-resource-id>

Create a kubernetes cluster with Azure RBAC enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --enable-aad --enable-azure-rbac

Create a kubernetes cluster with a specific os-sku

az aks create -g MyResourceGroup -n MyManagedCluster --os-sku Ubuntu

Create a kubernetes cluster with enabling Windows gmsa and with setting DNS server in the vnet used by the cluster.

az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku Standard --network-plugin azure --windows-admin-username azure --windows-admin-password 'replacePassword1234$' --enable-windows-gmsa

Create a kubernetes cluster with enabling Windows gmsa but without setting DNS server in the vnet used by the cluster.

az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku Standard --network-plugin azure --windows-admin-username azure --windows-admin-password 'replacePassword1234$' --enable-windows-gmsa --gmsa-dns-server "10.240.0.4" --gmsa-root-domain-name "contoso.com"

create a kubernetes cluster with a nodepool snapshot id.

az aks create -g MyResourceGroup -n MyManagedCluster --kubernetes-version 1.20.9 --snapshot-id "/subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.ContainerService/snapshots/mysnapshot1"

create a kubernetes cluster with a cluster snapshot id.

az aks create -g MyResourceGroup -n MyManagedCluster --cluster-snapshot-id "/subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.ContainerService/managedclustersnapshots/mysnapshot1"

create a kubernetes cluster with a Capacity Reservation Group(CRG) ID.

az aks create -g MyResourceGroup -n MyMC --kubernetes-version 1.20.9 --node-vm-size VMSize --assign-identity CRG-RG-ID --enable-managed-identity --crg-id "subscriptions/SubID/resourceGroups/RGName/providers/Microsoft.ContainerService/CapacityReservationGroups/MyCRGID"

create a kubernetes cluster with support of hostgroup id.

az aks create -g MyResourceGroup -n MyMC --kubernetes-version 1.20.13 --location westus2 --host-group-id /subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.ContainerService/hostGroups/myHostGroup --node-vm-size VMSize --enable-managed-identity --assign-identity <user_assigned_identity_resource_id>

Create a kubernetes cluster with no CNI installed.

az aks create -g MyResourceGroup -n MyManagedCluster --network-plugin none

Create a kubernetes cluster with Custom CA Trust enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --enable-custom-ca-trust

Create a kubernetes cluster with safeguards set to "Warning"

az aks create -g MyResourceGroup -n MyManagedCluster --safeguards-level Warning --enable-addons azure-policy

Create a kubernetes cluster with safeguards set to "Warning" and some namespaces excluded

az aks create -g MyResourceGroup -n MyManagedCluster --safeguards-level Warning --safeguards-excluded-ns ns1,ns2 --enable-addons azure-policy

Create a kubernetes cluster with Azure Service Mesh enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --enable-azure-service-mesh

Create a kubernetes cluster with Azure Monitor Metrics enabled.

az aks create -g MyResourceGroup -n MyManagedCluster --enable-azuremonitormetrics

Create a kubernetes cluster with Azure Monitor App Monitoring enabled

az aks create -g MyResourceGroup -n MyManagedCluster --enable-azure-monitor-app-monitoring

Create a kubernetes cluster with a nodepool having ip allocation mode set to "StaticBlock"

az aks create -g MyResourceGroup -n MyManagedCluster --os-sku Ubuntu --max-pods MaxPodsPerNode --network-plugin azure --vnet-subnet-id /subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.Network/virtualNetworks/MyVnet/subnets/NodeSubnet --pod-subnet-id /subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.Network/virtualNetworks/MyVnet/subnets/PodSubnet --pod-ip-allocation-mode StaticBlock

Create a kubernetes cluster with a VirtualMachines nodepool

az aks create -g MyResourceGroup -n MyManagedCluster --vm-set-type VirtualMachines --vm-sizes "VMSize1,VMSize2" --node-count 3

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--aad-admin-group-object-ids

Comma-separated list of aad group object IDs that will be set as cluster admin.

--aad-tenant-id

The ID of an Azure Active Directory tenant.

--aci-subnet-name

The name of a subnet in an existing VNet into which to deploy the virtual nodes.

--admin-username -u

User account to create on node VMs for SSH access.

Default value: azureuser
--aks-custom-headers

Send custom headers. When specified, format should be Key1=Value1,Key2=Value2.

--ampls-resource-id
Preview

Resource ID of Azure Monitor Private Link scope for Monitoring Addon.

--api-server-authorized-ip-ranges

Comma-separated list of authorized apiserver IP ranges. Set to 0.0.0.0/32 to restrict apiserver traffic to node pools.

--apiserver-subnet-id
Preview

The ID of a subnet in an existing VNet into which to assign control plane apiserver pods(requires --enable-apiserver-vnet-integration).

--app-routing-default-nginx-controller --ardnc

Configure default nginx ingress controller type. Valid values are annotationControlled (default behavior), external, internal, or none.

Accepted values: AnnotationControlled, External, Internal, None
--appgw-id

Resource Id of an existing Application Gateway to use with AGIC. Use with ingress-azure addon.

--appgw-name

Name of the application gateway to create/use in the node resource group. Use with ingress-azure addon.

--appgw-subnet-cidr

Subnet CIDR to use for a new subnet created to deploy the Application Gateway. Use with ingress-azure addon.

--appgw-subnet-id

Resource Id of an existing Subnet used to deploy the Application Gateway. Use with ingress-azure addon.

--appgw-watch-namespace

Specify the namespace, which AGIC should watch. This could be a single string value, or a comma-separated list of namespaces.

--assign-identity

Specify an existing user assigned identity to manage cluster resource group.

--assign-kubelet-identity

Specify an existing user assigned identity for kubelet's usage, which is typically used to pull image from ACR.

--attach-acr

Grant the 'acrpull' role assignment to the ACR specified by name or resource ID.

--auto-upgrade-channel

Specify the upgrade channel for autoupgrade. It could be rapid, stable, patch, node-image or none, none means disable autoupgrade.

Accepted values: node-image, none, patch, rapid, stable
--azure-keyvault-kms-key-id

Identifier of Azure Key Vault key.

--azure-keyvault-kms-key-vault-network-access

Network Access of Azure Key Vault.

Allowed values are "Public", "Private". If not set, defaults to type "Public". Requires --azure-keyvault-kms-key-id to be used.

Accepted values: Private, Public
Default value: Public
--azure-keyvault-kms-key-vault-resource-id

Resource ID of Azure Key Vault.

--azure-monitor-workspace-resource-id

Resource ID of the Azure Monitor Workspace.

--bootstrap-artifact-source
Preview

Configure artifact source when bootstraping the cluster.

The artifacts include the addon image. Use "Direct" to download artifacts from MCR, "Cache" to downalod artifacts from Azure Container Registry.

Accepted values: Cache, Direct
Default value: Direct
--bootstrap-container-registry-resource-id
Preview

Configure container registry resource ID. Must use "Cache" as bootstrap artifact source.

--ca-certs --custom-ca-trust-certificates
Preview

Path to a file containing up to 10 blank line separated certificates. Only valid for linux nodes.

These certificates are used by Custom CA Trust features and will be added to trust stores of nodes. Requires Custom CA Trust to be enabled on the node.

--ca-profile --cluster-autoscaler-profile

Space-separated list of key=value pairs for configuring cluster autoscaler. Pass an empty string to clear the profile.

--client-secret

Secret associated with the service principal. This argument is required if --service-principal is specified.

--cluster-service-load-balancer-health-probe-mode
Preview

Set the cluster service health probe mode.

Set the cluster service health probe mode. Default is "Servicenodeport".

Accepted values: Servicenodeport, Shared
--cluster-snapshot-id
Preview

The source cluster snapshot id is used to create new cluster.

--crg-id
Preview

The crg-id used to associate the new cluster with the existed Capacity Reservation Group resource.

--data-collection-settings
Preview

Path to JSON file containing data collection settings for Monitoring addon.

--defender-config

Path to JSON file containing Microsoft Defender profile configurations.

--disable-acns-observability

Used to disable advanced networking observability features on a clusters when enabling advanced networking features with "--enable-acns".

--disable-acns-security

Used to disable advanced networking security features on a clusters when enabling advanced networking features with "--enable-acns".

--disable-disk-driver

Disable AzureDisk CSI Driver.

Default value: False
--disable-file-driver

Disable AzureFile CSI Driver.

Default value: False
--disable-local-accounts

(Preview) If set to true, getting static credential will be disabled for this cluster.

Default value: False
--disable-public-fqdn

Disable public fqdn feature for private cluster.

Default value: False
--disable-rbac

Disable Kubernetes Role-Based Access Control.

--disable-snapshot-controller

Disable CSI Snapshot Controller.

Default value: False
--disk-driver-version

Specify AzureDisk CSI Driver version.

Accepted values: v1, v2
--dns-name-prefix -p

Prefix for hostnames that are created. If not specified, generate a hostname using the managed cluster and resource group names.

--dns-service-ip

An IP address assigned to the Kubernetes DNS service.

This address must be within the Kubernetes service address range specified by "--service-cidr". For example, 10.0.0.10.

--dns-zone-resource-id
Deprecated

Option '--dns-zone-resource-id' has been deprecated and will be removed in a future release. Use '--dns-zone-resource-ids' instead.

The resource ID of the DNS zone resource to use with the web_application_routing addon.

--dns-zone-resource-ids
Preview

A comma separated list of resource IDs of the DNS zone resource to use with the web_application_routing addon.

--docker-bridge-address
Deprecated

Option '--docker-bridge-address' has been deprecated and will be removed in a future release.

A specific IP address and netmask for the Docker bridge, using standard CIDR notation.

This address must not be in any Subnet IP ranges, or the Kubernetes service address range. For example, 172.17.0.1/16.

--edge-zone

The name of edge zone.

--enable-aad

Enable managed AAD feature for cluster.

Default value: False
--enable-acns

Enable advanced network functionalities on a cluster. Enabling this will incur additional costs. For non-cilium clusters, acns security will be disabled by default until further notice.

--enable-addon-autoscaling
Preview

Enable addon autoscaling for cluster.

Default value: False
--enable-addons -a

Enable the Kubernetes addons in a comma-separated list.

These addons are available:

  • http_application_routing : configure ingress with automatic public DNS name creation.
  • monitoring : turn on Log Analytics monitoring. Uses the Log Analytics Default Workspace if it exists, else creates one. Specify "--workspace-resource-id" to use an existing workspace. If monitoring addon is enabled --no-wait argument will have no effect
  • virtual-node : enable AKS Virtual Node. Requires --aci-subnet-name to provide the name of an existing subnet for the Virtual Node to use. aci-subnet-name must be in the same vnet which is specified by --vnet-subnet-id (required as well).
  • azure-policy : enable Azure policy. The Azure Policy add-on for AKS enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Required if enabling deployment safeguards. Learn more at aka.ms/aks/policy.
  • ingress-appgw : enable Application Gateway Ingress Controller addon (PREVIEW).
  • confcom : enable confcom addon, this will enable SGX device plugin by default(PREVIEW).
  • open-service-mesh : enable Open Service Mesh addon (PREVIEW).
  • gitops : enable GitOps (PREVIEW).
  • azure-keyvault-secrets-provider : enable Azure Keyvault Secrets Provider addon.
  • web_application_routing : enable Web Application Routing addon (PREVIEW). Specify "--dns-zone-resource-id" to configure DNS.
--enable-ahub

Enable Azure Hybrid User Benefits (AHUB) for Windows VMs.

Default value: False
--enable-ai-toolchain-operator
Preview

Enable AI toolchain operator to the cluster.

Default value: False
--enable-apiserver-vnet-integration
Preview

Enable integration of user vnet with control plane apiserver pods.

Default value: False
--enable-app-routing
Preview

Enable Application Routing addon.

Default value: False
--enable-asm --enable-azure-service-mesh

Enable Azure Service Mesh.

--enable-azure-container-storage

Enable azure container storage and define storage pool type.

Accepted values: azureDisk, elasticSan, ephemeralDisk
--enable-azure-keyvault-kms

Enable Azure KeyVault Key Management Service.

Default value: False
--enable-azure-monitor-app-monitoring
Preview

Enable Azure Monitor Application Monitoring.

Default value: False
--enable-azure-monitor-metrics

Enable Azure Monitor Metrics Profile.

Default value: False
--enable-azure-rbac

Enable Azure RBAC to control authorization checks on cluster.

Default value: False
--enable-azuremonitormetrics
Deprecated

Option '--enable-azuremonitormetrics' has been deprecated and will be removed in a future release. Use '--enable-azure-monitor-metrics' instead.

Enable Azure Monitor Metrics Profile.

Default value: False
--enable-blob-driver

Enable AzureBlob CSI Driver.

--enable-cilium-dataplane
Preview Deprecated

Option '--enable-cilium-dataplane' has been deprecated and will be removed in a future release. Use '--network-dataplane' instead.

Use Cilium as the networking dataplane for the Kubernetes cluster.

Used together with the "azure" network plugin. Requires either --pod-subnet-id or --network-plugin-mode=overlay. This flag is deprecated in favor of --network-dataplane=cilium.

Default value: False
--enable-cluster-autoscaler

Enable cluster autoscaler, default value is false.

If specified, please make sure the kubernetes version is larger than 1.10.6.

Default value: False
--enable-cost-analysis

Enable exporting Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. For more information see aka.ms/aks/docs/cost-analysis.

Default value: False
--enable-custom-ca-trust

Enable Custom CA Trust on agent node pool.

Default value: False
--enable-defender

Enable Microsoft Defender security profile.

Default value: False
--enable-encryption-at-host

Enable EncryptionAtHost on agent node pool.

Default value: False
--enable-fips-image

Use FIPS-enabled OS on agent nodes.

Default value: False
--enable-high-log-scale-mode
Preview

Enable High Log Scale Mode for Container Logs.

Accepted values: false, true
Default value: False
--enable-image-cleaner

Enable ImageCleaner Service.

Default value: False
--enable-image-integrity

Enable ImageIntegrity Service.

Default value: False
--enable-imds-restriction
Preview

Enable IMDS restriction in the cluster. Non-hostNetwork Pods will not be able to access IMDS.

Default value: False
--enable-keda
Preview

Enable KEDA workload auto-scaler.

Default value: False
--enable-managed-identity

Using managed identity to manage cluster resource group. You can explicitly specify "--service-principal" and "--client-secret" to disable managed identity, otherwise it will be enabled.

--enable-msi-auth-for-monitoring
Preview

Send monitoring data to Log Analytics using the cluster's assigned identity (instead of the Log Analytics Workspace's shared key).

Accepted values: false, true
Default value: True
--enable-node-public-ip

Enable VMSS node public IP.

Default value: False
--enable-oidc-issuer

Enable OIDC issuer.

Default value: False
--enable-pod-identity

(PREVIEW) Enable pod identity addon.

Default value: False
--enable-pod-identity-with-kubenet

(PREVIEW) Enable pod identity addon for cluster using Kubnet network plugin.

Default value: False
--enable-pod-security-policy
Deprecated

Option '--enable-pod-security-policy' has been deprecated and will be removed in a future release.

Enable pod security policy.

--enable-pod-security-policy is deprecated. See https://aka.ms/aks/psp for details.

Default value: False
--enable-private-cluster

Enable private cluster.

Default value: False
--enable-secret-rotation

Enable secret rotation. Use with azure-keyvault-secrets-provider addon.

Default value: False
--enable-secure-boot
Preview

Enable Secure Boot on all node pools in the cluster. Must use VMSS agent pool type.

Default value: False
--enable-sgxquotehelper

Enable SGX quote helper for confcom addon.

Default value: False
--enable-static-egress-gateway
Preview

Enable Static Egress Gateway addon to the cluster.

Default value: False
--enable-syslog
Preview

Enable syslog data collection for Monitoring addon.

Accepted values: false, true
Default value: False
--enable-ultra-ssd

Enable UltraSSD on agent node pool.

Default value: False
--enable-vpa
Preview

Enable vertical pod autoscaler for cluster.

Default value: False
--enable-vtpm
Preview

Enable vTPM on all node pools in the cluster. Must use VMSS agent pool type.

Default value: False
--enable-windows-gmsa

Enable Windows gmsa.

Default value: False
--enable-windows-recording-rules

Enable Windows Recording Rules when enabling the Azure Monitor Metrics addon.

Default value: False
--enable-workload-identity

(PREVIEW) Enable workload identity addon.

Default value: False
--ephemeral-disk-nvme-perf-tier

Set ephemeral disk volume type for azure container storage.

Accepted values: Basic, Premium, Standard
--ephemeral-disk-volume-type

Set ephemeral disk volume type for azure container storage.

Accepted values: EphemeralVolumeOnly, PersistentVolumeWithAnnotation
--fqdn-subdomain

Prefix for FQDN that is created for private cluster with custom private dns zone scenario.

--generate-ssh-keys

Generate SSH public and private key files if missing.

Default value: False
--gmsa-dns-server

Specify DNS server for Windows gmsa for this cluster.

You do not need to set this if you have set DNS server in the VNET used by the cluster. You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time when setting --enable-windows-gmsa.

--gmsa-root-domain-name

Specify root domain name for Windows gmsa for this cluster.

You do not need to set this if you have set DNS server in the VNET used by the cluster. You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time when setting --enable-windows-gmsa.

--gpu-instance-profile

GPU instance profile to partition multi-gpu Nvidia GPUs.

Accepted values: MIG1g, MIG2g, MIG3g, MIG4g, MIG7g
--grafana-resource-id

Resource ID of the Azure Managed Grafana Workspace.

--host-group-id

(PREVIEW) The fully qualified dedicated host group id used to provision agent node pool.

--http-proxy-config

Http Proxy configuration for this cluster.

--if-match

The value provided will be compared to the ETag of the managed cluster, if it matches the operation will proceed. If it does not match, the request will be rejected to prevent accidental overwrites. This must not be specified when creating a new cluster.

--if-none-match

Set to '*' to allow a new cluster to be created, but to prevent updating an existing cluster. Other values will be ignored.

--image-cleaner-interval-hours

ImageCleaner scanning interval.

--ip-families

A comma separated list of IP versions to use for cluster networking.

Each IP version should be in the format IPvN. For example, IPv4.

--k8s-support-plan

Choose from "KubernetesOfficial" or "AKSLongTermSupport", with "AKSLongTermSupport" you get 1 extra year of CVE patchs.

Accepted values: AKSLongTermSupport, KubernetesOfficial
--ksm-metric-annotations-allow-list

Comma-separated list of additional Kubernetes label keys that will be used in the resource' labels metric. By default the metric contains only name and namespace labels. To include additional labels provide a list of resource names in their plural form and Kubernetes label keys you would like to allow for them (e.g.'=namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...)'. A single '' can be provided per resource instead to allow any labels, but that has severe performance implications (e.g. '=pods=[]').

--ksm-metric-labels-allow-list

Comma-separated list of additional Kubernetes label keys that will be used in the resource' labels metric. By default the metric contains only name and namespace labels. To include additional labels provide a list of resource names in their plural form and Kubernetes label keys you would like to allow for them (e.g. '=namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...)'. A single '' can be provided per resource instead to allow any labels, but that has severe performance implications (e.g. '=pods=[]').

--kube-proxy-config

Kube-proxy configuration for this cluster.

--kubelet-config

Kubelet configurations for agent nodes.

--kubernetes-version -k

Version of Kubernetes to use for creating the cluster, such as "1.7.12" or "1.8.7".

Value from: `az aks get-versions`
--linux-os-config

OS configurations for Linux agent nodes.

--load-balancer-backend-pool-type

Load balancer backend pool type.

Load balancer backend pool type, supported values are nodeIP and nodeIPConfiguration.

--load-balancer-idle-timeout

Load balancer idle timeout in minutes.

Desired idle timeout for load balancer outbound flows, default is 30 minutes. Please specify a value in the range of [4, 100].

--load-balancer-managed-outbound-ip-count

Load balancer managed outbound IP count.

Desired number of managed outbound IPs for load balancer outbound connection. Valid for Standard SKU load balancer cluster only.

--load-balancer-managed-outbound-ipv6-count

Load balancer managed outbound IPv6 IP count.

Desired number of managed outbound IPv6 IPs for load balancer outbound connection. Valid for dual-stack (--ip-families IPv4,IPv6) only.

--load-balancer-outbound-ip-prefixes

Load balancer outbound IP prefix resource IDs.

Comma-separated public IP prefix resource IDs for load balancer outbound connection. Valid for Standard SKU load balancer cluster only.

--load-balancer-outbound-ips

Load balancer outbound IP resource IDs.

Comma-separated public IP resource IDs for load balancer outbound connection. Valid for Standard SKU load balancer cluster only.

--load-balancer-outbound-ports

Load balancer outbound allocated ports.

Desired static number of outbound ports per VM in the load balancer backend pool. By default, set to 0 which uses the default allocation based on the number of VMs. Please specify a value in the range of [0, 64000] that is a multiple of 8.

--load-balancer-sku

Azure Load Balancer SKU selection for your cluster. basic or standard.

Select between Basic or Standard Azure Load Balancer SKU for your AKS cluster.

Accepted values: basic, standard
--location -l

Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.

--max-count

Maximum nodes count used for autoscaler, when "--enable-cluster-autoscaler" specified. Please specify the value in the range of [1, 1000].

--max-pods -m

The maximum number of pods deployable to a node.

If not specified, defaults based on network-plugin. 30 for "azure", 110 for "kubenet", or 250 for "none".

Default value: 0
--message-of-the-day

Path to a file containing the desired message of the day. Only valid for linux nodes. Will be written to /etc/motd.

--min-count

Minimun nodes count used for autoscaler, when "--enable-cluster-autoscaler" specified. Please specify the value in the range of [1, 1000].

--nat-gateway-idle-timeout

NAT gateway idle timeout in minutes.

Desired idle timeout for NAT gateway outbound flows, default is 4 minutes. Please specify a value in the range of [4, 120]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.

--nat-gateway-managed-outbound-ip-count

NAT gateway managed outbound IP count.

Desired number of managed outbound IPs for NAT gateway outbound connection. Please specify a value in the range of [1, 16]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.

--network-dataplane

The network dataplane to use.

Network dataplane used in the Kubernetes cluster. Specify "azure" to use the Azure dataplane (default) or "cilium" to enable Cilium dataplane.

Accepted values: azure, cilium
--network-plugin

The Kubernetes network plugin to use.

Specify "azure" for routable pod IPs from VNET, "kubenet" for non-routable pod IPs with an overlay network, or "none" for no networking configured.

Accepted values: azure, kubenet, none
--network-plugin-mode

The network plugin mode to use.

Used to control the mode the network plugin should operate in. For example, "overlay" used with --network-plugin=azure will use an overlay network (non-VNET IPs) for pods in the cluster.

Accepted values: overlay
--network-policy

(PREVIEW) The Kubernetes network policy to use.

Using together with "azure" network plugin. Specify "azure" for Azure network policy manager, "calico" for calico network policy controller, "cilium" for Azure CNI Overlay powered by Cilium. Defaults to "" (network policy disabled).

--no-ssh-key -x

Do not use or create a local SSH key.

To access nodes after creating a cluster with this option, use the Azure Portal.

Default value: False
--no-wait

Do not wait for the long-running operation to finish.

Default value: False
--node-count -c

Number of nodes in the Kubernetes node pool. It is required when --enable-cluster-autoscaler specified. After creating a cluster, you can change the size of its node pool with az aks scale.

Default value: 3
--node-init-taints --nodepool-initialization-taints
Preview

The node initialization taints for node pools created with aks create operation.

--node-os-upgrade-channel

Manner in which the OS on your nodes is updated. It could be NodeImage, None, SecurityPatch or Unmanaged.

Accepted values: NodeImage, None, SecurityPatch, Unmanaged
--node-osdisk-diskencryptionset-id -d

ResourceId of the disk encryption set to use for enabling encryption at rest on agent node os disk.

--node-osdisk-size

Size in GiB of the OS disk for each node in the node pool. Minimum 30 GiB.

Default value: 0
--node-osdisk-type

OS disk type to be used for machines in a given agent pool. Defaults to 'Ephemeral' when possible in conjunction with VM size and OS disk size. May not be changed for this pool after creation. ('Ephemeral' or 'Managed').

Accepted values: Ephemeral, Managed
--node-provisioning-mode
Preview

Set the node provisioning mode of the cluster. Valid values are "Auto" and "Manual". For more information on "Auto" mode see aka.ms/aks/nap.

Accepted values: Auto, Manual
--node-public-ip-prefix-id

Public IP prefix ID used to assign public IPs to VMSS nodes.

--node-public-ip-tags

The ipTags of the node public IPs.

--node-resource-group

The node resource group is the resource group where all customer's resources will be created in, such as virtual machines.

--node-vm-size -s

Size of Virtual Machines to create as Kubernetes nodes.

--nodepool-allowed-host-ports
Preview

Expose host ports on the node pool. When specified, format should be a comma-separated list of ranges with protocol, eg. 80/TCP,443/TCP,4000-5000/TCP.

--nodepool-asg-ids
Preview

The IDs of the application security groups to which the node pool's network interface should belong. When specified, format should be a comma-separated list of IDs.

--nodepool-labels

The node labels for all node pools in this cluster. See https://aka.ms/node-labels for syntax of labels.

--nodepool-name

Node pool name, upto 12 alphanumeric characters.

Default value: nodepool1
--nodepool-tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--nodepool-taints

The node taints for all node pools in this cluster.

--nrg-lockdown-restriction-level

Restriction level on the managed node resource group.

The restriction level of permissions allowed on the cluster's managed node resource group, supported values are Unrestricted, and ReadOnly (recommended ReadOnly).

Accepted values: ReadOnly, Unrestricted
--os-sku

The os-sku of the agent node pool. Ubuntu or CBLMariner.

Accepted values: AzureLinux, CBLMariner, Mariner, Ubuntu
--outbound-type

How outbound traffic will be configured for a cluster.

Select between loadBalancer, userDefinedRouting, managedNATGateway, userAssignedNATGateway, none and block. If not set, defaults to type loadBalancer. Requires --vnet-subnet-id to be provided with a preconfigured route table and --load-balancer-sku to be Standard.

Accepted values: block, loadBalancer, managedNATGateway, none, userAssignedNATGateway, userDefinedRouting
--pod-cidr

A CIDR notation IP range from which to assign pod IPs when kubenet is used.

This range must not overlap with any Subnet IP ranges. For example, 172.244.0.0/16.

--pod-cidrs

A comma separated list of CIDR notation IP ranges from which to assign pod IPs when kubenet is used.

Each range must not overlap with any Subnet IP ranges. For example, 172.244.0.0/16.

--pod-ip-allocation-mode

Set the ip allocation mode for how Pod IPs from the Azure Pod Subnet are allocated to the nodes in the AKS cluster. The choice is between dynamic batches of individual IPs or static allocation of a set of CIDR blocks. Accepted Values are "DynamicIndividual" or "StaticBlock".

Used together with the "azure" network plugin. Requires --pod-subnet-id.

Accepted values: DynamicIndividual, StaticBlock
--pod-subnet-id

The ID of a subnet in an existing VNet into which to assign pods in the cluster (requires azure network-plugin).

--ppg

The ID of a PPG.

--private-dns-zone

Private dns zone mode for private cluster. "none" mode is in preview.

Allowed values are "system", "none" (Preview) or your custom private dns zone resource id. If not set, defaults to type system. Requires --enable-private-cluster to be used.

--revision

Azure Service Mesh revision to install.

--rotation-poll-interval

Set interval of rotation poll. Use with azure-keyvault-secrets-provider addon.

--safeguards-excluded-ns
Preview

Comma-separated list of Kubernetes namespaces to exclude from deployment safeguards.

--safeguards-level
Preview

The deployment safeguards Level. Accepted Values are [Off, Warning, Enforcement]. Requires azure policy addon to be enabled.

Accepted values: Enforcement, Off, Warning
--safeguards-version
Preview

The version of deployment safeguards to use. Default "v1.0.0" Use the ListSafeguardsVersions API to discover available versions.

--service-cidr

A CIDR notation IP range from which to assign service cluster IPs.

This range must not overlap with any Subnet IP ranges. For example, 10.0.0.0/16.

--service-cidrs

A comma separated list of CIDR notation IP ranges from which to assign service cluster IPs.

Each range must not overlap with any Subnet IP ranges. For example, 10.0.0.0/16.

--service-principal

Service principal used for authentication to Azure APIs.

If not specified, a new service principal is created and cached at $HOME.azure\aksServicePrincipal.json to be used by subsequent az aks commands.

--skip-subnet-role-assignment

Skip role assignment for subnet (advanced networking).

If specified, please make sure your service principal has the access to your subnet.

Default value: False
--sku
Preview

Specify SKU name for managed clusters. '--sku base' enables a base managed cluster. '--sku automatic' enables an automatic managed cluster.

Accepted values: automatic, base
--snapshot-id

The source nodepool snapshot id used to create this cluster.

--ssh-access
Preview

Configure SSH setting for the first system pool in this cluster. Use "disabled" to disable SSH access, "localuser" to enable SSH access using private key. Note, this configuration will not take effect for later created new node pools, please use option az aks nodepool add --ssh-access to configure SSH access for new node pools.

Accepted values: disabled, localuser
Default value: localuser
--ssh-key-value

Public key path or key contents to install on node VMs for SSH access. For example, 'ssh-rsa AAAAB...snip...UcyupgH azureuser@linuxvm'.

Default value: ~\.ssh\id_rsa.pub
--storage-pool-name

Set storage pool name for azure container storage.

--storage-pool-option

Set ephemeral disk storage pool option for azure container storage.

Accepted values: NVMe, Temp
--storage-pool-size

Set storage pool size for azure container storage.

--storage-pool-sku

Set azure disk type storage pool sku for azure container storage.

Accepted values: PremiumV2_LRS, Premium_LRS, Premium_ZRS, StandardSSD_LRS, StandardSSD_ZRS, Standard_LRS, UltraSSD_LRS
--tags

The tags of the managed cluster. The managed cluster instance and all resources managed by the cloud provider will be tagged.

--tier

Specify SKU tier for managed clusters. '--tier standard' enables a standard managed cluster service with a financially backed SLA. '--tier free' does not have a financially backed SLA.

Accepted values: free, premium, standard
--vm-set-type

Agent pool vm set type. VirtualMachineScaleSets, AvailabilitySet or VirtualMachines(Preview).

--vm-sizes
Preview

Comma-separated list of sizes. Must use VirtualMachines agent pool type.

--vnet-subnet-id

The ID of a subnet in an existing VNet into which to deploy the cluster.

--windows-admin-password

User account password to use on windows node VMs.

Rules for windows-admin-password: - Minimum-length: 14 characters - Max-length: 123 characters - Complexity requirements: 3 out of 4 conditions below need to be fulfilled * Has lower characters * Has upper characters * Has a digit * Has a special character (Regex match [\W_]) - Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!" Reference: https://docs.microsoft.com/en-us/dotnet/api/microsoft.azure.management.compute.models.virtualmachinescalesetosprofile.adminpassword?view=azure-dotnet.

--windows-admin-username

User account to create on windows node VMs.

Rules for windows-admin-username: - restriction: Cannot end in "." - Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5". - Minimum-length: 1 character - Max-length: 20 characters Reference: https://docs.microsoft.com/en-us/dotnet/api/microsoft.azure.management.compute.models.virtualmachinescalesetosprofile.adminusername?view=azure-dotnet.

--workload-runtime

Determines the type of workload a node can run. Defaults to OCIContainer.

Accepted values: KataCcIsolation, KataMshvVmIsolation, OCIContainer, WasmWasi
Default value: OCIContainer
--workspace-resource-id

The resource ID of an existing Log Analytics Workspace to use for storing monitoring data. If not specified, uses the default Log Analytics Workspace if it exists, otherwise creates one.

--yes -y

Do not prompt for confirmation.

Default value: False
--zones -z

Space-separated list of availability zones where agent nodes will be placed.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks delete

Delete a managed Kubernetes cluster.

az aks delete --name
              --resource-group
              [--no-wait]
              [--yes]

Examples

Delete a managed Kubernetes cluster. (autogenerated)

az aks delete --name MyManagedCluster --resource-group MyResourceGroup

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--no-wait

Do not wait for the long-running operation to finish.

Default value: False
--yes -y

Do not prompt for confirmation.

Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks delete (aks-preview extension)

Delete a managed Kubernetes cluster.

az aks delete --name
              --resource-group
              [--if-match]
              [--ignore-pod-disruption-budget]
              [--no-wait]
              [--yes]

Examples

Delete a managed Kubernetes cluster. (autogenerated)

az aks delete --name MyManagedCluster --resource-group MyResourceGroup

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--if-match

The request should only proceed if an entity matches this string. Default value is None.

--ignore-pod-disruption-budget

Ignore-pod-disruption-budget=true to delete those pods on a node without considering Pod Disruption Budget. Default value is None.

--no-wait

Do not wait for the long-running operation to finish.

Default value: False
--yes -y

Do not prompt for confirmation.

Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks disable-addons

Disable Kubernetes addons.

az aks disable-addons --addons
                      --name
                      --resource-group
                      [--no-wait]

Examples

Disable Kubernetes addons. (autogenerated)

az aks disable-addons --addons virtual-node --name MyManagedCluster --resource-group MyResourceGroup

Required Parameters

--addons -a

Disable the Kubernetes addons in a comma-separated list.

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--no-wait

Do not wait for the long-running operation to finish.

Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks disable-addons (aks-preview extension)

Disable Kubernetes addons.

az aks disable-addons --addons
                      --name
                      --resource-group
                      [--no-wait]

Examples

Disable Kubernetes addons. (autogenerated)

az aks disable-addons --addons virtual-node --name MyManagedCluster --resource-group MyResourceGroup

Required Parameters

--addons -a

Disable the Kubernetes addons in a comma-separated list.

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--no-wait

Do not wait for the long-running operation to finish.

Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks enable-addons

Enable Kubernetes addons.

These addons are available:

  • http_application_routing : configure ingress with automatic public DNS name creation.
  • monitoring : turn on Log Analytics monitoring. Requires "--workspace-resource-id". Requires "--enable-msi-auth-for-monitoring" for managed identity auth. Requires "--enable-syslog" to enable syslog data collection from nodes. Note MSI must be enabled. Requires "--ampls-resource-id" for private link. Note MSI must be enabled. Requires "--enable-high-log-scale-mode" to enable high log scale mode for container logs. Note MSI must be enabled. If monitoring addon is enabled --no-wait argument will have no effect
  • virtual-node : enable AKS Virtual Node. Requires --subnet-name to provide the name of an existing subnet for the Virtual Node to use.
  • azure-policy : enable Azure policy. The Azure Policy add-on for AKS enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Learn more at aka.ms/aks/policy.
  • ingress-appgw : enable Application Gateway Ingress Controller addon.
  • open-service-mesh : enable Open Service Mesh addon.
  • azure-keyvault-secrets-provider : enable Azure Keyvault Secrets Provider addon.
az aks enable-addons --addons
                     --name
                     --resource-group
                     [--ampls-resource-id]
                     [--appgw-id]
                     [--appgw-name]
                     [--appgw-subnet-cidr]
                     [--appgw-subnet-id]
                     [--appgw-watch-namespace]
                     [--data-collection-settings]
                     [--enable-high-log-scale-mode {false, true}]
                     [--enable-msi-auth-for-monitoring {false, true}]
                     [--enable-secret-rotation]
                     [--enable-sgxquotehelper]
                     [--enable-syslog {false, true}]
                     [--no-wait]
                     [--rotation-poll-interval]
                     [--subnet-name]
                     [--workspace-resource-id]

Examples

Enable Kubernetes addons. (autogenerated)

az aks enable-addons --addons virtual-node --name MyManagedCluster --resource-group MyResourceGroup --subnet MySubnetName

Enable ingress-appgw addon with subnet prefix.

az aks enable-addons --name MyManagedCluster --resource-group MyResourceGroup --addons ingress-appgw --appgw-subnet-cidr 10.225.0.0/16 --appgw-name gateway

Enable open-service-mesh addon.

az aks enable-addons --name MyManagedCluster --resource-group MyResourceGroup --addons open-service-mesh

Required Parameters

--addons -a

Enable the Kubernetes addons in a comma-separated list.

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--ampls-resource-id

Resource ID of Azure Monitor Private Link scope for Monitoring Addon.

--appgw-id

Resource Id of an existing Application Gateway to use with AGIC. Use with ingress-azure addon.

--appgw-name

Name of the application gateway to create/use in the node resource group. Use with ingress-azure addon.

--appgw-subnet-cidr

Subnet CIDR to use for a new subnet created to deploy the Application Gateway. Use with ingress-azure addon.

--appgw-subnet-id

Resource Id of an existing Subnet used to deploy the Application Gateway. Use with ingress-azure addon.

--appgw-watch-namespace

Specify the namespace, which AGIC should watch. This could be a single string value, or a comma-separated list of namespaces.

--data-collection-settings

Path to JSON file containing data collection settings for Monitoring addon.

--enable-high-log-scale-mode
Preview

Enable High Log Scale Mode for Container Logs.

Accepted values: false, true
Default value: False
--enable-msi-auth-for-monitoring

Enable Managed Identity Auth for Monitoring addon.

Accepted values: false, true
Default value: True
--enable-secret-rotation

Enable secret rotation. Use with azure-keyvault-secrets-provider addon.

Default value: False
--enable-sgxquotehelper

Enable SGX quote helper for confcom addon.

Default value: False
--enable-syslog

Enable syslog data collection for Monitoring addon.

Accepted values: false, true
Default value: False
--no-wait

Do not wait for the long-running operation to finish.

Default value: False
--rotation-poll-interval

Set interval of rotation poll. Use with azure-keyvault-secrets-provider addon.

--subnet-name -s

Name of an existing subnet to use with the virtual-node add-on.

--workspace-resource-id

The resource ID of an existing Log Analytics Workspace to use for storing monitoring data.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks enable-addons (aks-preview extension)

Enable Kubernetes addons.

These addons are available: http_application_routing - configure ingress with automatic public DNS name creation. monitoring - turn on Log Analytics monitoring. Uses the Log Analytics Default Workspace if it exists, else creates one. Specify "--workspace-resource-id" to use an existing workspace. If monitoring addon is enabled --no-wait argument will have no effect virtual-node - enable AKS Virtual Node. Requires --subnet-name to provide the name of an existing subnet for the Virtual Node to use. azure-policy - enable Azure policy. The Azure Policy add-on for AKS enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Learn more at aka.ms/aks/policy. ingress-appgw - enable Application Gateway Ingress Controller addon (PREVIEW). open-service-mesh - enable Open Service Mesh addon (PREVIEW). gitops - enable GitOps (PREVIEW). azure-keyvault-secrets-provider - enable Azure Keyvault Secrets Provider addon. web_application_routing - enable Web Application Routing addon (PREVIEW). Specify "--dns-zone-resource-id" to configure DNS.

az aks enable-addons --addons
                     --name
                     --resource-group
                     [--aks-custom-headers]
                     [--ampls-resource-id]
                     [--appgw-id]
                     [--appgw-name]
                     [--appgw-subnet-cidr]
                     [--appgw-subnet-id]
                     [--appgw-subnet-prefix]
                     [--appgw-watch-namespace]
                     [--data-collection-settings]
                     [--dns-zone-resource-id]
                     [--dns-zone-resource-ids]
                     [--enable-high-log-scale-mode {false, true}]
                     [--enable-msi-auth-for-monitoring {false, true}]
                     [--enable-secret-rotation]
                     [--enable-sgxquotehelper]
                     [--enable-syslog {false, true}]
                     [--no-wait]
                     [--rotation-poll-interval]
                     [--subnet-name]
                     [--workspace-resource-id]

Examples

Enable Kubernetes addons. (autogenerated)

az aks enable-addons --addons virtual-node --name MyManagedCluster --resource-group MyResourceGroup --subnet-name VirtualNodeSubnet

Enable ingress-appgw addon with subnet prefix.

az aks enable-addons --name MyManagedCluster --resource-group MyResourceGroup --addons ingress-appgw --appgw-subnet-cidr 10.2.0.0/16 --appgw-name gateway

Enable open-service-mesh addon.

az aks enable-addons --name MyManagedCluster --resource-group MyResourceGroup --addons open-service-mesh

Required Parameters

--addons -a

Enable the Kubernetes addons in a comma-separated list.

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--aks-custom-headers

Send custom headers. When specified, format should be Key1=Value1,Key2=Value2.

--ampls-resource-id
Preview

Resource ID of Azure Monitor Private Link scope for Monitoring Addon.

--appgw-id

Resource Id of an existing Application Gateway to use with AGIC. Use with ingress-azure addon.

--appgw-name

Name of the application gateway to create/use in the node resource group. Use with ingress-azure addon.

--appgw-subnet-cidr

Subnet CIDR to use for a new subnet created to deploy the Application Gateway. Use with ingress-azure addon.

--appgw-subnet-id

Resource Id of an existing Subnet used to deploy the Application Gateway. Use with ingress-azure addon.

--appgw-subnet-prefix
Deprecated

Argument 'appgw_subnet_prefix' has been deprecated and will be removed in a future release. Use '--appgw-subnet-cidr' instead.

Subnet Prefix to use for a new subnet created to deploy the Application Gateway. Use with ingress-azure addon.

--appgw-watch-namespace

Specify the namespace, which AGIC should watch. This could be a single string value, or a comma-separated list of namespaces. Use with ingress-azure addon.

--data-collection-settings
Preview

Path to JSON file containing data collection settings for Monitoring addon.

--dns-zone-resource-id
Deprecated

Option '--dns-zone-resource-id' has been deprecated and will be removed in a future release. Use '--dns-zone-resource-ids' instead.

The resource ID of the DNS zone resource to use with the web_application_routing addon.

--dns-zone-resource-ids
Preview

A comma separated list of resource IDs of the DNS zone resource to use with the web_application_routing addon.

--enable-high-log-scale-mode
Preview

Enable High Log Scale Mode for Container Logs.

Accepted values: false, true
Default value: False
--enable-msi-auth-for-monitoring
Preview

Send monitoring data to Log Analytics using the cluster's assigned identity (instead of the Log Analytics Workspace's shared key).

Accepted values: false, true
Default value: True
--enable-secret-rotation

Enable secret rotation. Use with azure-keyvault-secrets-provider addon.

Default value: False
--enable-sgxquotehelper

Enable SGX quote helper for confcom addon.

Default value: False
--enable-syslog
Preview

Enable syslog data collection for Monitoring addon.

Accepted values: false, true
Default value: False
--no-wait

Do not wait for the long-running operation to finish.

Default value: False
--rotation-poll-interval

Set interval of rotation poll. Use with azure-keyvault-secrets-provider addon.

--subnet-name -s

The subnet name for the virtual node to use.

--workspace-resource-id

The resource ID of an existing Log Analytics Workspace to use for storing monitoring data.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks get-credentials

Get access credentials for a managed Kubernetes cluster.

By default, the credentials are merged into the .kube/config file so kubectl can use them. See -f parameter for details.

az aks get-credentials --name
                       --resource-group
                       [--admin]
                       [--context]
                       [--file]
                       [--format]
                       [--overwrite-existing]
                       [--public-fqdn]

Examples

Get access credentials for a managed Kubernetes cluster. (autogenerated)

az aks get-credentials --name MyManagedCluster --resource-group MyResourceGroup

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--admin -a

Get cluster administrator credentials. Default: cluster user credentials.

On clusters with Azure Active Directory integration, this bypasses normal Azure AD authentication and can be used if you're permanently blocked by not having access to a valid Azure AD group with access to your cluster. Requires 'Azure Kubernetes Service Cluster Admin' role.

Default value: False
--context

If specified, overwrite the default context name. The --admin parameter takes precedence over --context.

--file -f

Kubernetes configuration file to update. Use "-" to print YAML to stdout instead.

Default value: ~\.kube\config
--format

Specify the format of the returned credential. Available values are ["exec", "azure"]. Only take effect when requesting clusterUser credential of AAD clusters.

--overwrite-existing

Overwrite any existing cluster entry with the same name.

Default value: False
--public-fqdn

Get private cluster credential with server address to be public fqdn.

Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks get-credentials (aks-preview extension)

Get access credentials for a managed Kubernetes cluster.

az aks get-credentials --name
                       --resource-group
                       [--admin]
                       [--aks-custom-headers]
                       [--context]
                       [--file]
                       [--format {azure, exec}]
                       [--overwrite-existing]
                       [--public-fqdn]
                       [--user]

Examples

Get access credentials for a managed Kubernetes cluster. (autogenerated)

az aks get-credentials --name MyManagedCluster --resource-group MyResourceGroup

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--admin -a

Get cluster administrator credentials. Default: cluster user credentials.

Default value: False
--aks-custom-headers

Send custom headers. When specified, format should be Key1=Value1,Key2=Value2.

--context

If specified, overwrite the default context name.

--file -f

Kubernetes configuration file to update. Use "-" to print YAML to stdout instead.

Default value: ~\.kube\config
--format

Specify the format of the returned credential. Available values are ["exec", "azure"]. Only take effect when requesting clusterUser credential of AAD clusters.

Accepted values: azure, exec
--overwrite-existing

Overwrite any existing cluster entry with the same name.

Default value: False
--public-fqdn

Get private cluster credential with server address to be public fqdn.

Default value: False
--user -u

Get credentials for the user. Only valid when --admin is False. Default: cluster user credentials.

Default value: clusterUser
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks get-upgrades

Get the upgrade versions available for a managed Kubernetes cluster.

az aks get-upgrades --name
                    --resource-group

Examples

Get the upgrade versions available for a managed Kubernetes cluster

az aks get-upgrades --name MyManagedCluster --resource-group MyResourceGroup

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks get-upgrades (aks-preview extension)

Get the upgrade versions available for a managed Kubernetes cluster.

az aks get-upgrades --name
                    --resource-group

Examples

Get the upgrade versions available for a managed Kubernetes cluster

az aks get-upgrades --name MyManagedCluster --resource-group MyResourceGroup

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks get-versions

Get the versions available for creating a managed Kubernetes cluster.

az aks get-versions --location

Examples

Get the versions available for creating a managed Kubernetes cluster

az aks get-versions --location westus2

Required Parameters

--location -l

Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks get-versions (aks-preview extension)

Get the versions available for creating a managed Kubernetes cluster.

az aks get-versions --location

Examples

Get the versions available for creating a managed Kubernetes cluster

az aks get-versions --location westus2

Required Parameters

--location -l

Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks install-cli

Download and install kubectl, the Kubernetes command-line tool. Download and install kubelogin, a client-go credential (exec) plugin implementing azure authentication.

az aks install-cli [--base-src-url]
                   [--client-version]
                   [--install-location]
                   [--kubelogin-base-src-url]
                   [--kubelogin-install-location]
                   [--kubelogin-version]

Optional Parameters

--base-src-url

Base download source URL for kubectl releases.

--client-version

Version of kubectl to install.

Default value: latest
--install-location

Path at which to install kubectl. Note: the path should contain the binary filename.

Default value: ~\.azure-kubectl\kubectl.exe
--kubelogin-base-src-url -l

Base download source URL for kubelogin releases.

--kubelogin-install-location

Path at which to install kubelogin. Note: the path should contain the binary filename.

Default value: ~\.azure-kubelogin\kubelogin.exe
--kubelogin-version

Version of kubelogin to install.

Default value: latest
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks kanalyze

Display diagnostic results for the Kubernetes cluster after kollect is done.

az aks kanalyze --name
                --resource-group

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks kollect

Collecting diagnostic information for the Kubernetes cluster.

Collect diagnostic information for the Kubernetes cluster and store it in the specified storage account. You can provide the storage account in three ways: storage account name and a shared access signature with write permission. resource Id to a storage account you own. the storagea account in diagnostics settings for your managed cluster.

az aks kollect --name
               --resource-group
               [--container-logs]
               [--kube-objects]
               [--node-logs]
               [--node-logs-windows]
               [--sas-token]
               [--storage-account]

Examples

using storage account name and a shared access signature token with write permission

az aks kollect -g MyResourceGroup -n MyManagedCluster --storage-account MyStorageAccount --sas-token "MySasToken"

using the resource id of a storagea account resource you own.

az aks kollect -g MyResourceGroup -n MyManagedCluster --storage-account "MyStoreageAccountResourceId"

using the storagea account in diagnostics settings for your managed cluster.

az aks kollect -g MyResourceGroup -n MyManagedCluster

customize the container logs to collect.

az aks kollect -g MyResourceGroup -n MyManagedCluster --container-logs "mynamespace1/mypod1 myns2"

customize the kubernetes objects to collect.

az aks kollect -g MyResourceGroup -n MyManagedCluster --kube-objects "mynamespace1/service myns2/deployment/deployment1"

customize the node log files to collect.

az aks kollect -g MyResourceGroup -n MyManagedCluster --node-logs "/var/log/azure-vnet.log /var/log/azure-vnet-ipam.log"

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--container-logs

The list of container logs to collect.

The list of container logs to collect. Its value can be either all containers in a namespace, for example, kube-system, or a specific container in a namespace, for example, kube-system/tunnelfront.

--kube-objects

The list of kubernetes objects to describe.

The list of kubernetes objects to describe. Its value can be either all objects of a type in a namespace, for example, kube-system/pod, or a specific object of a type in a namespace, for example, kube-system/deployment/tunnelfront.

--node-logs

The list of node logs to collect for Linux nodes. For example, /var/log/cloud-init.log.

--node-logs-windows

The list of node logs to collect for Windows nodes. For example, C:\AzureData\CustomDataSetupScript.log.

--sas-token

The SAS token with writable permission for the storage account.

--storage-account

Name or ID of the storage account to save the diagnostic information.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks list

List managed Kubernetes clusters.

az aks list [--resource-group]

Optional Parameters

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks list (aks-preview extension)

List managed Kubernetes clusters.

az aks list [--resource-group]

Optional Parameters

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks operation-abort

Abort last running operation on managed cluster.

az aks operation-abort --name
                       --resource-group
                       [--no-wait]

Examples

Abort operation on managed cluster

az aks operation-abort -g myResourceGroup -n myAKSCluster

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--no-wait

Do not wait for the long-running operation to finish.

Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks operation-abort (aks-preview extension)

Abort last running operation on managed cluster.

az aks operation-abort --name
                       --resource-group
                       [--aks-custom-headers]
                       [--no-wait]

Examples

Abort operation on managed cluster

az aks operation-abort -g myResourceGroup -n myAKSCluster

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--aks-custom-headers

Send custom headers. When specified, format should be Key1=Value1,Key2=Value2.

--no-wait

Do not wait for the long-running operation to finish.

Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks remove-dev-spaces

Deprecated

This command has been deprecated and will be removed in a future release.

Remove Azure Dev Spaces from a managed Kubernetes cluster.

az aks remove-dev-spaces --name
                         --resource-group
                         [--yes]

Examples

Remove Azure Dev Spaces from a managed Kubernetes cluster.

az aks remove-dev-spaces -g my-aks-group -n my-aks

Remove Azure Dev Spaces from a managed Kubernetes cluster without prompting.

az aks remove-dev-spaces -g my-aks-group -n my-aks --yes

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--yes -y

Do not prompt for confirmation.

Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks rotate-certs

Rotate certificates and keys on a managed Kubernetes cluster.

Kubernetes will be unavailable during cluster certificate rotation.

az aks rotate-certs --name
                    --resource-group
                    [--no-wait]
                    [--yes]

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--no-wait

Do not wait for the long-running operation to finish.

Default value: False
--yes -y

Do not prompt for confirmation.

Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks rotate-certs (aks-preview extension)

Rotate certificates and keys on a managed Kubernetes cluster.

Kubernetes will be unavailable during cluster certificate rotation.

az aks rotate-certs --name
                    --resource-group
                    [--no-wait]
                    [--yes]

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--no-wait

Do not wait for the long-running operation to finish.

Default value: False
--yes -y

Do not prompt for confirmation.

Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks scale

Scale the node pool in a managed Kubernetes cluster.

az aks scale --name
             --node-count
             --resource-group
             [--no-wait]
             [--nodepool-name]

Examples

Scale the node pool in a managed Kubernetes cluster. (autogenerated)

az aks scale --name MyManagedCluster --node-count 3 --resource-group MyResourceGroup

Required Parameters

--name -n

Name of the managed cluster.

--node-count -c

Number of nodes in the Kubernetes node pool.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--no-wait

Do not wait for the long-running operation to finish.

Default value: False
--nodepool-name

Node pool name, up to 12 alphanumeric characters.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks scale (aks-preview extension)

Scale the node pool in a managed Kubernetes cluster.

az aks scale --name
             --node-count
             --resource-group
             [--aks-custom-headers]
             [--no-wait]
             [--nodepool-name]

Required Parameters

--name -n

Name of the managed cluster.

--node-count -c

Number of nodes in the Kubernetes node pool.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--aks-custom-headers

Send custom headers. When specified, format should be Key1=Value1,Key2=Value2.

--no-wait

Do not wait for the long-running operation to finish.

Default value: False
--nodepool-name

Node pool name, upto 12 alphanumeric characters.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks show

Show the details for a managed Kubernetes cluster.

az aks show --name
            --resource-group

Examples

Show the details for a managed Kubernetes cluster

az aks show --name MyManagedCluster --resource-group MyResourceGroup

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks show (aks-preview extension)

Show the details for a managed Kubernetes cluster.

az aks show --name
            --resource-group
            [--aks-custom-headers]

Examples

Show the details for a managed Kubernetes cluster

az aks show -g MyResourceGroup -n MyManagedCluster

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--aks-custom-headers

Send custom headers. When specified, format should be Key1=Value1,Key2=Value2.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks start

Starts a previously stopped Managed Cluster.

See starting a cluster <https://docs.microsoft.com/azure/aks/start-stop-cluster>_ for more details about starting a cluster.

az aks start --name
             --resource-group
             [--no-wait]

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--no-wait

Do not wait for the long-running operation to finish.

Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks start (aks-preview extension)

Starts a previously stopped Managed Cluster.

See starting a cluster <https://docs.microsoft.com/azure/aks/start-stop-cluster>_ for more details about starting a cluster.

az aks start --name
             --resource-group
             [--no-wait]

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--no-wait

Do not wait for the long-running operation to finish.

Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks stop

Stop a managed cluster.

This can only be performed on Azure Virtual Machine Scale set backed clusters. Stopping a cluster stops the control plane and agent nodes entirely, while maintaining all object and cluster state. A cluster does not accrue charges while it is stopped. See stopping a cluster <https://docs.microsoft.com/azure/aks/start-stop-cluster>_ for more details about stopping a cluster.

az aks stop --name
            --resource-group
            [--no-wait]

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--no-wait

Do not wait for the long-running operation to finish.

Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks stop (aks-preview extension)

Stop a managed cluster.

This can only be performed on Azure Virtual Machine Scale set backed clusters. Stopping a cluster stops the control plane and agent nodes entirely, while maintaining all object and cluster state. A cluster does not accrue charges while it is stopped. See stopping a cluster <https://docs.microsoft.com/azure/aks/start-stop-cluster>_ for more details about stopping a cluster.

az aks stop --name
            --resource-group
            [--no-wait]

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--no-wait

Do not wait for the long-running operation to finish.

Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks update

Update a managed Kubernetes cluster. When called with no optional arguments this attempts to move the cluster to its goal state without changing the current cluster configuration. This can be used to move out of a non succeeded state.

az aks update --name
              --resource-group
              [--aad-admin-group-object-ids]
              [--aad-tenant-id]
              [--aks-custom-headers]
              [--api-server-authorized-ip-ranges]
              [--assign-identity]
              [--assign-kubelet-identity]
              [--attach-acr]
              [--auto-upgrade-channel {node-image, none, patch, rapid, stable}]
              [--azure-container-storage-nodepools]
              [--azure-keyvault-kms-key-id]
              [--azure-keyvault-kms-key-vault-network-access {Private, Public}]
              [--azure-keyvault-kms-key-vault-resource-id]
              [--azure-monitor-workspace-resource-id]
              [--ca-profile]
              [--defender-config]
              [--detach-acr]
              [--disable-ahub]
              [--disable-azure-container-storage {all, azureDisk, elasticSan, ephemeralDisk}]
              [--disable-azure-keyvault-kms]
              [--disable-azure-monitor-metrics]
              [--disable-azure-rbac]
              [--disable-blob-driver]
              [--disable-cluster-autoscaler]
              [--disable-cost-analysis]
              [--disable-defender]
              [--disable-disk-driver]
              [--disable-file-driver]
              [--disable-force-upgrade]
              [--disable-image-cleaner]
              [--disable-keda]
              [--disable-local-accounts]
              [--disable-public-fqdn]
              [--disable-secret-rotation]
              [--disable-snapshot-controller]
              [--disable-vpa]
              [--disable-windows-gmsa]
              [--disable-workload-identity]
              [--enable-aad]
              [--enable-ahub]
              [--enable-azure-container-storage {azureDisk, elasticSan, ephemeralDisk}]
              [--enable-azure-keyvault-kms]
              [--enable-azure-monitor-metrics]
              [--enable-azure-rbac]
              [--enable-blob-driver]
              [--enable-cluster-autoscaler]
              [--enable-cost-analysis]
              [--enable-defender]
              [--enable-disk-driver]
              [--enable-file-driver]
              [--enable-force-upgrade]
              [--enable-image-cleaner]
              [--enable-keda]
              [--enable-local-accounts]
              [--enable-managed-identity]
              [--enable-oidc-issuer]
              [--enable-public-fqdn]
              [--enable-secret-rotation]
              [--enable-snapshot-controller]
              [--enable-vpa]
              [--enable-windows-gmsa]
              [--enable-windows-recording-rules]
              [--enable-workload-identity]
              [--ephemeral-disk-nvme-perf-tier {Basic, Premium, Standard}]
              [--ephemeral-disk-volume-type {EphemeralVolumeOnly, PersistentVolumeWithAnnotation}]
              [--gmsa-dns-server]
              [--gmsa-root-domain-name]
              [--grafana-resource-id]
              [--http-proxy-config]
              [--image-cleaner-interval-hours]
              [--k8s-support-plan {AKSLongTermSupport, KubernetesOfficial}]
              [--ksm-metric-annotations-allow-list]
              [--ksm-metric-labels-allow-list]
              [--load-balancer-backend-pool-type {nodeIP, nodeIPConfiguration}]
              [--load-balancer-idle-timeout]
              [--load-balancer-managed-outbound-ip-count]
              [--load-balancer-managed-outbound-ipv6-count]
              [--load-balancer-outbound-ip-prefixes]
              [--load-balancer-outbound-ips]
              [--load-balancer-outbound-ports]
              [--max-count]
              [--min-count]
              [--nat-gateway-idle-timeout]
              [--nat-gateway-managed-outbound-ip-count]
              [--network-dataplane {azure, cilium}]
              [--network-plugin {azure, kubenet, none}]
              [--network-plugin-mode]
              [--network-policy {azure, calico, cilium, none}]
              [--no-uptime-sla]
              [--no-wait]
              [--node-os-upgrade-channel]
              [--nodepool-labels]
              [--nodepool-taints]
              [--outbound-type {loadBalancer, managedNATGateway, userAssignedNATGateway, userDefinedRouting}]
              [--pod-cidr]
              [--private-dns-zone]
              [--rotation-poll-interval]
              [--storage-pool-name]
              [--storage-pool-option {NVMe, Temp, all}]
              [--storage-pool-size]
              [--storage-pool-sku {PremiumV2_LRS, Premium_LRS, Premium_ZRS, StandardSSD_LRS, StandardSSD_ZRS, Standard_LRS, UltraSSD_LRS}]
              [--tags]
              [--tier {free, premium, standard}]
              [--update-cluster-autoscaler]
              [--upgrade-override-until]
              [--uptime-sla]
              [--windows-admin-password]
              [--yes]

Examples

Reconcile the cluster back to its current state.

az aks update -g MyResourceGroup -n MyManagedCluster

Update a kubernetes cluster with standard SKU load balancer to use two AKS created IPs for the load balancer outbound connection usage.

az aks update -g MyResourceGroup -n MyManagedCluster --load-balancer-managed-outbound-ip-count 2

Update a kubernetes cluster with standard SKU load balancer to use the provided public IPs for the load balancer outbound connection usage.

az aks update -g MyResourceGroup -n MyManagedCluster --load-balancer-outbound-ips <ip-resource-id-1,ip-resource-id-2>

Update a kubernetes cluster with a standard SKU load balancer, with two outbound AKS managed IPs an idle flow timeout of 5 minutes and 8000 allocated ports per machine

az aks update -g MyResourceGroup -n MyManagedCluster --load-balancer-managed-outbound-ip-count 2 --load-balancer-idle-timeout 5 --load-balancer-outbound-ports 8000

Update a kubernetes cluster with standard SKU load balancer to use the provided public IP prefixes for the load balancer outbound connection usage.

az aks update -g MyResourceGroup -n MyManagedCluster --load-balancer-outbound-ip-prefixes <ip-prefix-resource-id-1,ip-prefix-resource-id-2>

Update a kubernetes cluster of managedNATGateway outbound type with two outbound AKS managed IPs an idle flow timeout of 4 minutes

az aks update -g MyResourceGroup -n MyManagedCluster --nat-gateway-managed-outbound-ip-count 2 --nat-gateway-idle-timeout 4

Attach AKS cluster to ACR by name "acrName"

az aks update -g MyResourceGroup -n MyManagedCluster --attach-acr acrName

Update a kubernetes cluster with authorized apiserver ip ranges.

az aks update -g MyResourceGroup -n MyManagedCluster --api-server-authorized-ip-ranges 193.168.1.0/24,194.168.1.0/24

Disable authorized apiserver ip ranges feature for a kubernetes cluster.

az aks update -g MyResourceGroup -n MyManagedCluster --api-server-authorized-ip-ranges ""

Restrict apiserver traffic in a kubernetes cluster to agentpool nodes.

az aks update -g MyResourceGroup -n MyManagedCluster --api-server-authorized-ip-ranges 0.0.0.0/32

Update a AKS-managed AAD cluster with tenant ID or admin group object IDs.

az aks update -g MyResourceGroup -n MyManagedCluster --aad-admin-group-object-ids <id-1,id-2> --aad-tenant-id <id>

Migrate a AKS AAD-Integrated cluster or a non-AAD cluster to a AKS-managed AAD cluster.

az aks update -g MyResourceGroup -n MyManagedCluster --enable-aad --aad-admin-group-object-ids <id-1,id-2> --aad-tenant-id <id>

Enable Azure Hybrid User Benefits featture for a kubernetes cluster.

az aks update -g MyResourceGroup -n MyManagedCluster --enable-ahub

Disable Azure Hybrid User Benefits featture for a kubernetes cluster.

az aks update -g MyResourceGroup -n MyManagedCluster --disable-ahub

Update Windows password of a kubernetes cluster

az aks update -g MyResourceGroup -n MyManagedCLuster --windows-admin-password "Repl@cePassw0rd12345678"

Update the cluster to use system assigned managed identity in control plane.

az aks update -g MyResourceGroup -n MyManagedCluster --enable-managed-identity

Update the cluster to use user assigned managed identity in control plane.

az aks update -g MyResourceGroup -n MyManagedCluster --enable-managed-identity --assign-identity <user_assigned_identity_resource_id>

Update a non managed AAD AKS cluster to use Azure RBAC

az aks update -g MyResourceGroup -n MyManagedCluster --enable-aad --enable-azure-rbac

Update a managed AAD AKS cluster to use Azure RBAC

az aks update -g MyResourceGroup -n MyManagedCluster --enable-azure-rbac

Disable Azure RBAC in a managed AAD AKS cluster

az aks update -g MyResourceGroup -n MyManagedCluster --disable-azure-rbac

Update the tags of a kubernetes cluster

az aks update -g MyResourceGroup -n MyManagedCLuster --tags "foo=bar" "baz=qux"

Update a kubernetes cluster with custom headers

az aks update -g MyResourceGroup -n MyManagedCluster --aks-custom-headers WindowsContainerRuntime=containerd,AKSHTTPCustomFeatures=Microsoft.ContainerService/CustomNodeConfigPreview

Enable Windows gmsa for a kubernetes cluster with setting DNS server in the vnet used by the cluster.

az aks update -g MyResourceGroup -n MyManagedCluster --enable-windows-gmsa

Enable Windows gmsa for a kubernetes cluster without setting DNS server in the vnet used by the cluster.

az aks update -g MyResourceGroup -n MyManagedCluster --enable-windows-gmsa --gmsa-dns-server "10.240.0.4" --gmsa-root-domain-name "contoso.com"

Disable Windows gmsa for a kubernetes cluster.

az aks update -g MyResourceGroup -n MyManagedCluster --disable-windows-gmsa

Enable KEDA workload autoscaler for an existing kubernetes cluster.

az aks update -g MyResourceGroup -n MyManagedCluster --enable-keda

Disable KEDA workload autoscaler for an existing kubernetes cluster.

az aks update -g MyResourceGroup -n MyManagedCluster --disable-keda

Enable VPA(Vertical Pod Autoscaler) for an existing kubernetes cluster.

az aks update -g MyResourceGroup -n MyManagedCLuster --enable-vpa

Disable VPA(Vertical Pod Autoscaler) for an existing kubernetes cluster.

az aks update -g MyResourceGroup -n MyManagedCLuster --disable-vpa

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--aad-admin-group-object-ids

Comma-separated list of aad group object IDs that will be set as cluster admin.

--aad-tenant-id

The ID of an Azure Active Directory tenant.

--aks-custom-headers

Comma-separated key-value pairs to specify custom headers.

--api-server-authorized-ip-ranges

Comma-separated list of authorized apiserver IP ranges. Set to "" to allow all traffic on a previously restricted cluster. Set to 0.0.0.0/32 to restrict apiserver traffic to node pools.

--assign-identity

Specify an existing user assigned identity to manage cluster resource group.

--assign-kubelet-identity

Update cluster's kubelet identity to an existing user assigned identity. Please note this operation will recreate all agent nodes in the cluster.

--attach-acr

Grant the 'acrpull' role assignment to the ACR specified by name or resource ID.

--auto-upgrade-channel

Specify the upgrade channel for autoupgrade.

Accepted values: node-image, none, patch, rapid, stable
--azure-container-storage-nodepools

Define the comma separated nodepool list to install azure container storage.

--azure-keyvault-kms-key-id

Identifier of Azure Key Vault key.

--azure-keyvault-kms-key-vault-network-access

Network Access of Azure Key Vault.

Allowed values are "Public", "Private". If not set, defaults to type "Public". Requires --azure-keyvault-kms-key-id to be used.

Accepted values: Private, Public
--azure-keyvault-kms-key-vault-resource-id

Resource ID of Azure Key Vault.

--azure-monitor-workspace-resource-id

Resource ID of the Azure Monitor Workspace.

--ca-profile --cluster-autoscaler-profile

Comma-separated list of key=value pairs for configuring cluster autoscaler. Pass an empty string to clear the profile.

--defender-config

Path to JSON file containing Microsoft Defender profile configurations.

--detach-acr

Disable the 'acrpull' role assignment to the ACR specified by name or resource ID.

--disable-ahub

Disable Azure Hybrid User Benefits (AHUB) feature for cluster.

Default value: False
--disable-azure-container-storage

Disable azure container storage or any one of the storage pool types.

Accepted values: all, azureDisk, elasticSan, ephemeralDisk
--disable-azure-keyvault-kms

Disable Azure KeyVault Key Management Service.

Default value: False
--disable-azure-monitor-metrics

Disable Azure Monitor Metrics Profile. This will delete all DCRA's associated with the cluster, any linked DCRs with the data stream = prometheus-stream and the recording rule groups created by the addon for this AKS cluster.

Default value: False
--disable-azure-rbac

Disable Azure RBAC to control authorization checks on cluster.

Default value: False
--disable-blob-driver

Disable AzureBlob CSI Driver.

--disable-cluster-autoscaler -d

Disable cluster autoscaler.

Default value: False
--disable-cost-analysis

Disable exporting Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal.

Default value: False
--disable-defender

Disable defender profile.

Default value: False
--disable-disk-driver

Disable AzureDisk CSI Driver.

Default value: False
--disable-file-driver

Disable AzureFile CSI Driver.

Default value: False
--disable-force-upgrade

Disable forceUpgrade cluster upgrade settings override.

Default value: False
--disable-image-cleaner

Disable ImageCleaner Service.

Default value: False
--disable-keda

Disable KEDA workload auto-scaler.

Default value: False
--disable-local-accounts

If set to true, getting static credential will be disabled for this cluster.

Default value: False
--disable-public-fqdn

Disable public fqdn feature for private cluster.

Default value: False
--disable-secret-rotation

Disable secret rotation. Use with azure-keyvault-secrets-provider addon.

Default value: False
--disable-snapshot-controller

Disable CSI Snapshot Controller.

Default value: False
--disable-vpa

Disable vertical pod autoscaler for cluster.

Default value: False
--disable-windows-gmsa

Disable Windows gmsa on cluster.

Default value: False
--disable-workload-identity

Disable workload identity addon.

Default value: False
--enable-aad

Enable managed AAD feature for cluster.

Default value: False
--enable-ahub

Enable Azure Hybrid User Benefits (AHUB) feature for cluster.

Default value: False
--enable-azure-container-storage

Enable azure container storage and define storage pool type.

Accepted values: azureDisk, elasticSan, ephemeralDisk
--enable-azure-keyvault-kms

Enable Azure KeyVault Key Management Service.

Default value: False
--enable-azure-monitor-metrics

Enable a kubernetes cluster with the Azure Monitor managed service for Prometheus integration.

Default value: False
--enable-azure-rbac

Enable Azure RBAC to control authorization checks on cluster.

Default value: False
--enable-blob-driver

Enable AzureBlob CSI Driver.

--enable-cluster-autoscaler -e

Enable cluster autoscaler.

Default value: False
--enable-cost-analysis

Enable exporting Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. For more information see aka.ms/aks/docs/cost-analysis.

Default value: False
--enable-defender

Enable Microsoft Defender security profile.

Default value: False
--enable-disk-driver

Enable AzureDisk CSI Driver.

Default value: False
--enable-file-driver

Enable AzureFile CSI Driver.

Default value: False
--enable-force-upgrade

Enable forceUpgrade cluster upgrade settings override.

Default value: False
--enable-image-cleaner

Enable ImageCleaner Service.

Default value: False
--enable-keda

Enable KEDA workload auto-scaler.

Default value: False
--enable-local-accounts

If set to true, will enable getting static credential for this cluster.

Default value: False
--enable-managed-identity

Update current cluster to use managed identity to manage cluster resource group.

Default value: False
--enable-oidc-issuer

Enable OIDC issuer.

Default value: False
--enable-public-fqdn

Enable public fqdn feature for private cluster.

Default value: False
--enable-secret-rotation

Enable secret rotation. Use with azure-keyvault-secrets-provider addon.

Default value: False
--enable-snapshot-controller

Enable Snapshot Controller.

Default value: False
--enable-vpa

Enable vertical pod autoscaler for cluster.

Default value: False
--enable-windows-gmsa

Enable Windows gmsa on cluster.

Default value: False
--enable-windows-recording-rules

Enable Windows Recording Rules when enabling the Azure Monitor Metrics addon.

Default value: False
--enable-workload-identity

Enable workload identity addon.

Default value: False
--ephemeral-disk-nvme-perf-tier

Set ephemeral disk volume type for azure container storage.

Accepted values: Basic, Premium, Standard
--ephemeral-disk-volume-type

Set ephemeral disk volume type for azure container storage.

Accepted values: EphemeralVolumeOnly, PersistentVolumeWithAnnotation
--gmsa-dns-server

Specify DNS server for Windows gmsa on cluster.

You do not need to set this if you have set DNS server in the VNET used by the cluster. You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time when setting --enable-windows-gmsa.

--gmsa-root-domain-name

Specify root domain name for Windows gmsa on cluster.

You do not need to set this if you have set DNS server in the VNET used by the cluster. You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time when setting --enable-windows-gmsa.

--grafana-resource-id

Resource ID of the Azure Managed Grafana Workspace.

--http-proxy-config

HTTP Proxy configuration for this cluster.

--image-cleaner-interval-hours

ImageCleaner scanning interval.

--k8s-support-plan

Choose from "KubernetesOfficial" or "AKSLongTermSupport", with "AKSLongTermSupport" you get 1 extra year of CVE patchs.

Accepted values: AKSLongTermSupport, KubernetesOfficial
--ksm-metric-annotations-allow-list

Comma-separated list of additional Kubernetes label keys that will be used in the resource' labels metric. By default the metric contains only name and namespace labels. To include additional labels provide a list of resource names in their plural form and Kubernetes label keys you would like to allow for them (e.g.'=namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...)'. A single '' can be provided per resource instead to allow any labels, but that has severe performance implications (e.g. '=pods=[]').

--ksm-metric-labels-allow-list

Comma-separated list of additional Kubernetes label keys that will be used in the resource' labels metric. By default the metric contains only name and namespace labels. To include additional labels provide a list of resource names in their plural form and Kubernetes label keys you would like to allow for them (e.g. '=namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...)'. A single '' can be provided per resource instead to allow any labels, but that has severe performance implications (e.g. '=pods=[]').

--load-balancer-backend-pool-type

Load balancer backend pool type.

Define the LoadBalancer backend pool type of managed inbound backend pool. The nodeIP means the VMs will be attached to the LoadBalancer by adding its private IP address to the backend pool. The nodeIPConfiguration means the VMs will be attached to the LoadBalancer by referencing the backend pool ID in the VM's NIC.

Accepted values: nodeIP, nodeIPConfiguration
--load-balancer-idle-timeout

Load balancer idle timeout in minutes.

Desired idle timeout for load balancer outbound flows, default is 30 minutes. Please specify a value in the range of [4, 100].

--load-balancer-managed-outbound-ip-count

Load balancer managed outbound IP count.

Desired number of managed outbound IPs for load balancer outbound connection. Valid for Standard SKU load balancer cluster only. If the new value is greater than the original value, new additional outbound IPs will be created. If the value is less than the original value, existing outbound IPs will be deleted and outbound connections may fail due to configuration update.

--load-balancer-managed-outbound-ipv6-count

Load balancer managed outbound IPv6 IP count.

Desired number of managed outbound IPv6 IPs for load balancer outbound connection. Valid for dual-stack (--ip-families IPv4,IPv6) only.

--load-balancer-outbound-ip-prefixes

Load balancer outbound IP prefix resource IDs.

Comma-separated public IP prefix resource IDs for load balancer outbound connection. Valid for Standard SKU load balancer cluster only.

--load-balancer-outbound-ips

Load balancer outbound IP resource IDs.

Comma-separated public IP resource IDs for load balancer outbound connection. Valid for Standard SKU load balancer cluster only.

--load-balancer-outbound-ports

Load balancer outbound allocated ports.

Desired static number of outbound ports per VM in the load balancer backend pool. By default, set to 0 which uses the default allocation based on the number of VMs.

--max-count

Maximum nodes count used for autoscaler, when "--enable-cluster-autoscaler" specified. Please specify the value in the range of [1, 1000].

--min-count

Minimum nodes count used for autoscaler, when "--enable-cluster-autoscaler" specified. Please specify the value in the range of [1, 1000].

--nat-gateway-idle-timeout

NAT gateway idle timeout in minutes.

Desired idle timeout for NAT gateway outbound flows, default is 4 minutes. Please specify a value in the range of [4, 120]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.

--nat-gateway-managed-outbound-ip-count

NAT gateway managed outbound IP count.

Desired number of managed outbound IPs for NAT gateway outbound connection. Please specify a value in the range of [1, 16]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.

--network-dataplane

The network dataplane to use.

Network dataplane used in the Kubernetes cluster. Specify "azure" to use the Azure dataplane (default) or "cilium" to enable Cilium dataplane.

Accepted values: azure, cilium
--network-plugin

The Kubernetes network plugin to use.

Specify "azure" along with --network-plugin-mode=overlay to update a cluster to use Azure CNI Overlay. For more information see https://aka.ms/aks/azure-cni-overlay.

Accepted values: azure, kubenet, none
--network-plugin-mode

Update the mode of a network plugin to migrate to a different pod networking setup.

--network-policy

Update Network Policy Engine.

Azure provides three Network Policy Engines for enforcing network policies. The following values can be specified:

  • "azure" for Azure Network Policy Manager,
  • "cilium" for Azure CNI Powered by Cilium,
  • "calico" for open-source network and network security solution founded by Tigera,
  • "none" to uninstall Network Policy Engine (Azure Network Policy Manager or Calico). Defaults to "none" (network policy disabled).
Accepted values: azure, calico, cilium, none
--no-uptime-sla
Deprecated

Option '--no-uptime-sla' has been deprecated and will be removed in a future release.

Change a standard managed cluster to a free one. --no-uptime-sla is deprecated. Please use '--tier free' instead.

Default value: False
--no-wait

Do not wait for the long-running operation to finish.

Default value: False
--node-os-upgrade-channel

Manner in which the OS on your nodes is updated. It could be NodeImage, None, SecurityPatch or Unmanaged.

--nodepool-labels

The node labels for all node pool. See https://aka.ms/node-labels for syntax of labels.

--nodepool-taints

The node taints for all node pool.

--outbound-type

How outbound traffic will be configured for a cluster.

This option will change the way how the outbound connections are managed in the AKS cluster. Available options are loadbalancer, managedNATGateway, userAssignedNATGateway, userDefinedRouting. For custom vnet, loadbalancer, userAssignedNATGateway and userDefinedRouting are supported. For aks managed vnet, loadbalancer, managedNATGateway and userDefinedRouting are supported.

Accepted values: loadBalancer, managedNATGateway, userAssignedNATGateway, userDefinedRouting
--pod-cidr

Update the pod CIDR for a cluster. Used when updating a cluster from Azure CNI to Azure CNI Overlay.

--private-dns-zone

The private dns zone mode for private cluster.

Only allow changing private dns zone from byo/system mode to none for private cluster. Others are denied.

--rotation-poll-interval

Set interval of rotation poll. Use with azure-keyvault-secrets-provider addon.

--storage-pool-name

Set storage pool name for azure container storage.

--storage-pool-option

Set ephemeral disk storage pool option for azure container storage.

Accepted values: NVMe, Temp, all
--storage-pool-size

Set storage pool size for azure container storage.

--storage-pool-sku

Set azure disk type storage pool sku for azure container storage.

Accepted values: PremiumV2_LRS, Premium_LRS, Premium_ZRS, StandardSSD_LRS, StandardSSD_ZRS, Standard_LRS, UltraSSD_LRS
--tags

The tags of the managed cluster. The managed cluster instance and all resources managed by the cloud provider will be tagged.

--tier

Specify SKU tier for managed clusters. '--tier standard' enables a standard managed cluster service with a financially backed SLA. '--tier free' changes a standard managed cluster to a free one.

Accepted values: free, premium, standard
--update-cluster-autoscaler -u

Update min-count or max-count for cluster autoscaler.

Default value: False
--upgrade-override-until

Until when the cluster upgradeSettings overrides are effective. It needs to be in a valid date-time format that's within the next 30 days. For example, 2023-04-01T13:00:00Z. Note that if --force-upgrade is set to true and --upgrade-override-until is not set, by default it will be set to 3 days from now.

--uptime-sla
Deprecated

Option '--uptime-sla' has been deprecated and will be removed in a future release.

Enable a standard managed cluster service with a financially backed SLA. --uptime-sla is deprecated. Please use '--tier standard' instead.

Default value: False
--windows-admin-password

User account password to use on windows node VMs.

Rules for windows-admin-password: - Minimum-length: 14 characters - Max-length: 123 characters - Complexity requirements: 3 out of 4 conditions below need to be fulfilled * Has lower characters * Has upper characters * Has a digit * Has a special character (Regex match [\W_]) - Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!" Reference: https://docs.microsoft.com/dotnet/api/microsoft.azure.management.compute.models.virtualmachinescalesetosprofile.adminpassword?view=azure-dotnet.

--yes -y

Do not prompt for confirmation.

Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks update (aks-preview extension)

Update the properties of a managed Kubernetes cluster.

Update the properties of a managed Kubernetes cluster. Can be used for example to enable/disable cluster-autoscaler. When called with no optional arguments this attempts to move the cluster to its goal state without changing the current cluster configuration. This can be used to move out of a non succeeded state.

az aks update --name
              --resource-group
              [--aad-admin-group-object-ids]
              [--aad-tenant-id]
              [--aks-custom-headers]
              [--api-server-authorized-ip-ranges]
              [--apiserver-subnet-id]
              [--assign-identity]
              [--assign-kubelet-identity]
              [--attach-acr]
              [--auto-upgrade-channel {node-image, none, patch, rapid, stable}]
              [--azure-container-storage-nodepools]
              [--azure-keyvault-kms-key-id]
              [--azure-keyvault-kms-key-vault-network-access {Private, Public}]
              [--azure-keyvault-kms-key-vault-resource-id]
              [--azure-monitor-workspace-resource-id]
              [--bootstrap-artifact-source {Cache, Direct}]
              [--bootstrap-container-registry-resource-id]
              [--ca-certs]
              [--ca-profile]
              [--cluster-service-load-balancer-health-probe-mode {Servicenodeport, Shared}]
              [--cluster-snapshot-id]
              [--defender-config]
              [--detach-acr]
              [--disable-acns]
              [--disable-acns-observability]
              [--disable-acns-security]
              [--disable-addon-autoscaling]
              [--disable-ahub]
              [--disable-ai-toolchain-operator]
              [--disable-azure-container-storage {all, azureDisk, elasticSan, ephemeralDisk}]
              [--disable-azure-keyvault-kms]
              [--disable-azure-monitor-app-monitoring]
              [--disable-azure-monitor-metrics]
              [--disable-azure-rbac]
              [--disable-azuremonitormetrics]
              [--disable-blob-driver]
              [--disable-cluster-autoscaler]
              [--disable-cost-analysis]
              [--disable-defender]
              [--disable-disk-driver]
              [--disable-file-driver]
              [--disable-force-upgrade]
              [--disable-image-cleaner]
              [--disable-image-integrity]
              [--disable-imds-restriction]
              [--disable-keda]
              [--disable-local-accounts]
              [--disable-pod-identity]
              [--disable-pod-security-policy]
              [--disable-private-cluster]
              [--disable-public-fqdn]
              [--disable-secret-rotation]
              [--disable-snapshot-controller]
              [--disable-static-egress-gateway]
              [--disable-vpa]
              [--disable-workload-identity]
              [--disk-driver-version {v1, v2}]
              [--enable-aad]
              [--enable-acns]
              [--enable-addon-autoscaling]
              [--enable-ahub]
              [--enable-ai-toolchain-operator]
              [--enable-apiserver-vnet-integration]
              [--enable-azure-container-storage {azureDisk, elasticSan, ephemeralDisk}]
              [--enable-azure-keyvault-kms]
              [--enable-azure-monitor-app-monitoring]
              [--enable-azure-monitor-metrics]
              [--enable-azure-rbac]
              [--enable-azuremonitormetrics]
              [--enable-blob-driver]
              [--enable-cluster-autoscaler]
              [--enable-cost-analysis]
              [--enable-defender]
              [--enable-disk-driver]
              [--enable-file-driver]
              [--enable-force-upgrade]
              [--enable-image-cleaner]
              [--enable-image-integrity]
              [--enable-imds-restriction]
              [--enable-keda]
              [--enable-local-accounts]
              [--enable-managed-identity]
              [--enable-oidc-issuer]
              [--enable-pod-identity]
              [--enable-pod-identity-with-kubenet]
              [--enable-pod-security-policy]
              [--enable-private-cluster]
              [--enable-public-fqdn]
              [--enable-secret-rotation]
              [--enable-snapshot-controller]
              [--enable-static-egress-gateway]
              [--enable-vpa]
              [--enable-windows-gmsa]
              [--enable-windows-recording-rules]
              [--enable-workload-identity]
              [--ephemeral-disk-nvme-perf-tier {Basic, Premium, Standard}]
              [--ephemeral-disk-volume-type {EphemeralVolumeOnly, PersistentVolumeWithAnnotation}]
              [--gmsa-dns-server]
              [--gmsa-root-domain-name]
              [--grafana-resource-id]
              [--http-proxy-config]
              [--if-match]
              [--if-none-match]
              [--image-cleaner-interval-hours]
              [--ip-families]
              [--k8s-support-plan {AKSLongTermSupport, KubernetesOfficial}]
              [--ksm-metric-annotations-allow-list]
              [--ksm-metric-labels-allow-list]
              [--kube-proxy-config]
              [--load-balancer-backend-pool-type]
              [--load-balancer-idle-timeout]
              [--load-balancer-managed-outbound-ip-count]
              [--load-balancer-managed-outbound-ipv6-count]
              [--load-balancer-outbound-ip-prefixes]
              [--load-balancer-outbound-ips]
              [--load-balancer-outbound-ports]
              [--max-count]
              [--min-count]
              [--nat-gateway-idle-timeout]
              [--nat-gateway-managed-outbound-ip-count]
              [--network-dataplane {azure, cilium}]
              [--network-plugin {azure, kubenet, none}]
              [--network-plugin-mode]
              [--network-policy]
              [--no-wait]
              [--node-init-taints]
              [--node-os-upgrade-channel {NodeImage, None, SecurityPatch, Unmanaged}]
              [--node-provisioning-mode {Auto, Manual}]
              [--nodepool-labels]
              [--nodepool-taints]
              [--nrg-lockdown-restriction-level {ReadOnly, Unrestricted}]
              [--outbound-type {block, loadBalancer, managedNATGateway, none, userAssignedNATGateway, userDefinedRouting}]
              [--pod-cidr]
              [--private-dns-zone]
              [--rotation-poll-interval]
              [--safeguards-excluded-ns]
              [--safeguards-level {Enforcement, Off, Warning}]
              [--safeguards-version]
              [--sku {automatic, base}]
              [--ssh-key-value]
              [--storage-pool-name]
              [--storage-pool-option {NVMe, Temp, all}]
              [--storage-pool-size]
              [--storage-pool-sku {PremiumV2_LRS, Premium_LRS, Premium_ZRS, StandardSSD_LRS, StandardSSD_ZRS, Standard_LRS, UltraSSD_LRS}]
              [--tags]
              [--tier {free, premium, standard}]
              [--update-cluster-autoscaler]
              [--upgrade-override-until]
              [--windows-admin-password]
              [--yes]

Examples

Reconcile the cluster back to its current state.

az aks update -g MyResourceGroup -n MyManagedCluster

Enable cluster-autoscaler within node count range [1,5]

az aks update --enable-cluster-autoscaler --min-count 1 --max-count 5 -g MyResourceGroup -n MyManagedCluster

Disable cluster-autoscaler for an existing cluster

az aks update --disable-cluster-autoscaler -g MyResourceGroup -n MyManagedCluster

Update min-count or max-count for cluster autoscaler.

az aks update --update-cluster-autoscaler --min-count 1 --max-count 10 -g MyResourceGroup -n MyManagedCluster

Disable pod security policy.

az aks update --disable-pod-security-policy -g MyResourceGroup -n MyManagedCluster

Update a kubernetes cluster with standard SKU load balancer to use two AKS created IPs for the load balancer outbound connection usage.

az aks update -g MyResourceGroup -n MyManagedCluster --load-balancer-managed-outbound-ip-count 2

Update a kubernetes cluster with standard SKU load balancer to use the provided public IPs for the load balancer outbound connection usage.

az aks update -g MyResourceGroup -n MyManagedCluster --load-balancer-outbound-ips <ip-resource-id-1,ip-resource-id-2>

Update a kubernetes cluster with standard SKU load balancer to use the provided public IP prefixes for the load balancer outbound connection usage.

az aks update -g MyResourceGroup -n MyManagedCluster --load-balancer-outbound-ip-prefixes <ip-prefix-resource-id-1,ip-prefix-resource-id-2>

Update a kubernetes cluster with new outbound type

az aks update -g MyResourceGroup -n MyManagedCluster --outbound-type managedNATGateway

Update a kubernetes cluster with two outbound AKS managed IPs an idle flow timeout of 5 minutes and 8000 allocated ports per machine

az aks update -g MyResourceGroup -n MyManagedCluster --load-balancer-managed-outbound-ip-count 2 --load-balancer-idle-timeout 5 --load-balancer-outbound-ports 8000

Update a kubernetes cluster of managedNATGateway outbound type with two outbound AKS managed IPs an idle flow timeout of 4 minutes

az aks update -g MyResourceGroup -n MyManagedCluster --nat-gateway-managed-outbound-ip-count 2 --nat-gateway-idle-timeout 4

Update a kubernetes cluster with authorized apiserver ip ranges.

az aks update -g MyResourceGroup -n MyManagedCluster --api-server-authorized-ip-ranges 193.168.1.0/24,194.168.1.0/24

Disable authorized apiserver ip ranges feature for a kubernetes cluster.

az aks update -g MyResourceGroup -n MyManagedCluster --api-server-authorized-ip-ranges ""

Restrict apiserver traffic in a kubernetes cluster to agentpool nodes.

az aks update -g MyResourceGroup -n MyManagedCluster --api-server-authorized-ip-ranges 0.0.0.0/32

Update a AKS-managed AAD cluster with tenant ID or admin group object IDs.

az aks update -g MyResourceGroup -n MyManagedCluster --aad-admin-group-object-ids <id-1,id-2> --aad-tenant-id <id>

Migrate a AKS AAD-Integrated cluster or a non-AAD cluster to a AKS-managed AAD cluster.

az aks update -g MyResourceGroup -n MyManagedCluster --enable-aad --aad-admin-group-object-ids <id-1,id-2> --aad-tenant-id <id>

Enable Azure Hybrid User Benefits featture for a kubernetes cluster.

az aks update -g MyResourceGroup -n MyManagedCluster --enable-ahub

Disable Azure Hybrid User Benefits featture for a kubernetes cluster.

az aks update -g MyResourceGroup -n MyManagedCluster --disable-ahub

Update the cluster to use system assigned managed identity in control plane.

az aks update -g MyResourceGroup -n MyManagedCluster --enable-managed-identity

Update the cluster to use user assigned managed identity in control plane.

az aks update -g MyResourceGroup -n MyManagedCluster --enable-managed-identity --assign-identity <user_assigned_identity_resource_id>

Enable pod identity addon.

az aks update -g MyResourceGroup -n MyManagedCluster --enable-pod-identity

Disable pod identity addon.

az aks update -g MyResourceGroup -n MyManagedCluster --disable-pod-identity

Update the tags of a kubernetes cluster

az aks update -g MyResourceGroup -n MyManagedCLuster --tags "foo=bar" "baz=qux"

Update Windows password of a kubernetes cluster

az aks update -g MyResourceGroup -n MyManagedCLuster --windows-admin-password "Repl@cePassw0rd12345678"

Update a managed AAD AKS cluster to use Azure RBAC

az aks update -g MyResourceGroup -n MyManagedCluster --enable-azure-rbac

Disable Azure RBAC in a managed AAD AKS cluster

az aks update -g MyResourceGroup -n MyManagedCluster --disable-azure-rbac

Enable Windows gmsa for a kubernetes cluster with setting DNS server in the vnet used by the cluster.

az aks update -g MyResourceGroup -n MyManagedCluster --enable-windows-gmsa

Enable Windows gmsa for a kubernetes cluster without setting DNS server in the vnet used by the cluster.

az aks update -g MyResourceGroup -n MyManagedCluster --enable-windows-gmsa --gmsa-dns-server "10.240.0.4" --gmsa-root-domain-name "contoso.com"

Update a existing managed cluster to a managed cluster snapshot.

az aks update -g MyResourceGroup -n MyManagedCluster --cluster-snapshot-id "/subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.ContainerService/managedclustersnapshots/mysnapshot1"

Update a kubernetes cluster with safeguards set to "Warning". Assumes azure policy addon is already enabled

az aks update -g MyResourceGroup -n MyManagedCluster --safeguards-level Warning

Update a kubernetes cluster with safeguards set to "Warning" and some namespaces excluded. Assumes azure policy addon is already enabled

az aks update -g MyResourceGroup -n MyManagedCluster --safeguards-level Warning --safeguards-excluded-ns ns1,ns2

Update a kubernetes cluster to clear any namespaces excluded from safeguards. Assumes azure policy addon is already enabled

az aks update -g MyResourceGroup -n MyManagedCluster --safeguards-excluded-ns ""

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--aad-admin-group-object-ids

Comma-separated list of aad group object IDs that will be set as cluster admin.

--aad-tenant-id

The ID of an Azure Active Directory tenant.

--aks-custom-headers

Send custom headers. When specified, format should be Key1=Value1,Key2=Value2.

--api-server-authorized-ip-ranges

Comma-separated list of authorized apiserver IP ranges. Set to "" to allow all traffic on a previously restricted cluster. Set to 0.0.0.0/32 to restrict apiserver traffic to node pools.

--apiserver-subnet-id
Preview

The ID of a subnet in an existing VNet into which to assign control plane apiserver pods(requires --enable-apiserver-vnet-integration).

--assign-identity

Specify an existing user assigned identity to manage cluster resource group.

--assign-kubelet-identity

Update cluster's kubelet identity to an existing user assigned identity. Note, this operation will recreate all agent node in the cluster.

--attach-acr

Grant the 'acrpull' role assignment to the ACR specified by name or resource ID.

--auto-upgrade-channel

Specify the upgrade channel for autoupgrade. It could be rapid, stable, patch, node-image or none, none means disable autoupgrade.

Accepted values: node-image, none, patch, rapid, stable
--azure-container-storage-nodepools

Define the comma separated nodepool list to install azure container storage.

--azure-keyvault-kms-key-id

Identifier of Azure Key Vault key.

--azure-keyvault-kms-key-vault-network-access

Network Access of Azure Key Vault.

Allowed values are "Public", "Private". If not set, defaults to type "Public". Requires --azure-keyvault-kms-key-id to be used.

Accepted values: Private, Public
--azure-keyvault-kms-key-vault-resource-id

Resource ID of Azure Key Vault.

--azure-monitor-workspace-resource-id

Resource ID of the Azure Monitor Workspace.

--bootstrap-artifact-source
Preview

Configure artifact source when bootstraping the cluster.

The artifacts include the addon image. Use "Direct" to download artifacts from MCR, "Cache" to downalod artifacts from Azure Container Registry.

Accepted values: Cache, Direct
--bootstrap-container-registry-resource-id
Preview

Configure container registry resource ID. Must use "Cache" as bootstrap artifact source.

--ca-certs --custom-ca-trust-certificates
Preview

Path to a file containing up to 10 blank line separated certificates. Only valid for linux nodes.

These certificates are used by Custom CA Trust features and will be added to trust stores of nodes. Requires Custom CA Trust to be enabled on the node.

--ca-profile --cluster-autoscaler-profile

Space-separated list of key=value pairs for configuring cluster autoscaler. Pass an empty string to clear the profile.

--cluster-service-load-balancer-health-probe-mode
Preview

Set the cluster service health probe mode.

Set the cluster service health probe mode. Default is "Servicenodeport".

Accepted values: Servicenodeport, Shared
--cluster-snapshot-id
Preview

The source cluster snapshot id is used to update existing cluster.

--defender-config

Path to JSON file containing Microsoft Defender profile configurations.

--detach-acr

Disable the 'acrpull' role assignment to the ACR specified by name or resource ID.

--disable-acns

Disable all advanced networking functionalities on a cluster.

--disable-acns-observability

Used to disable advanced networking observability features on a clusters when enabling advanced networking features with "--enable-acns".

--disable-acns-security

Used to disable advanced networking security features on a clusters when enabling advanced networking features with "--enable-acns".

--disable-addon-autoscaling
Preview

Disable addon autoscaling for cluster.

Default value: False
--disable-ahub

Disable Azure Hybrid User Benefits (AHUB) feature for cluster.

Default value: False
--disable-ai-toolchain-operator
Preview

Disable AI toolchain operator.

Default value: False
--disable-azure-container-storage

Disable azure container storage or any one of the storage pool types.

Accepted values: all, azureDisk, elasticSan, ephemeralDisk
--disable-azure-keyvault-kms

Disable Azure KeyVault Key Management Service.

Default value: False
--disable-azure-monitor-app-monitoring
Preview

Disable Azure Monitor Application Monitoring.

Default value: False
--disable-azure-monitor-metrics

Disable Azure Monitor Metrics Profile. This will delete all DCRA's associated with the cluster, any linked DCRs with the data stream = prometheus-stream and the recording rule groups created by the addon for this AKS cluster.

Default value: False
--disable-azure-rbac

Disable Azure RBAC to control authorization checks on cluster.

Default value: False
--disable-azuremonitormetrics
Deprecated

Option '--disable-azuremonitormetrics' has been deprecated and will be removed in a future release. Use '--disable-azure-monitor-metrics' instead.

Disable Azure Monitor Metrics Profile. This will delete all DCRA's associated with the cluster, any linked DCRs with the data stream = prometheus-stream and the recording rule groups created by the addon for this AKS cluster.

Default value: False
--disable-blob-driver

Disable AzureBlob CSI Driver.

--disable-cluster-autoscaler -d

Disable cluster autoscaler.

Default value: False
--disable-cost-analysis

Disable exporting Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal.

Default value: False
--disable-defender

Disable defender profile.

Default value: False
--disable-disk-driver

Disable AzureDisk CSI Driver.

Default value: False
--disable-file-driver

Disable AzureFile CSI Driver.

Default value: False
--disable-force-upgrade

Disable forceUpgrade cluster upgrade settings override.

Default value: False
--disable-image-cleaner

Disable ImageCleaner Service.

Default value: False
--disable-image-integrity
Preview

Disable ImageIntegrity Service.

Default value: False
--disable-imds-restriction
Preview

Disable IMDS restriction in the cluster. All Pods in the cluster will be able to access IMDS.

Default value: False
--disable-keda
Preview

Disable KEDA workload auto-scaler.

Default value: False
--disable-local-accounts

(Preview) If set to true, getting static credential will be disabled for this cluster.

Default value: False
--disable-pod-identity

(PREVIEW) Disable Pod Identity addon for cluster.

Default value: False
--disable-pod-security-policy
Preview

Disable pod security policy.

PodSecurityPolicy is deprecated. See https://aka.ms/aks/psp for details.

Default value: False
--disable-private-cluster
Preview

Disable private cluster for apiserver vnet integration cluster.

Default value: False
--disable-public-fqdn

Disable public fqdn feature for private cluster.

Default value: False
--disable-secret-rotation

Disable secret rotation. Use with azure-keyvault-secrets-provider addon.

Default value: False
--disable-snapshot-controller

Disable CSI Snapshot Controller.

Default value: False
--disable-static-egress-gateway
Preview

Disable Static Egress Gateway addon to the cluster.

Default value: False
--disable-vpa
Preview

Disable vertical pod autoscaler for cluster.

Default value: False
--disable-workload-identity

(PREVIEW) Disable Workload Identity addon for cluster.

Default value: False
--disk-driver-version

Specify AzureDisk CSI Driver version.

Accepted values: v1, v2
--enable-aad

Enable managed AAD feature for cluster.

Default value: False
--enable-acns

Enable advanced network functionalities on a cluster. Enabling this will incur additional costs. For non-cilium clusters, acns security will be disabled by default until further notice.

--enable-addon-autoscaling
Preview

Enable addon autoscaling for cluster.

Default value: False
--enable-ahub

Enable Azure Hybrid User Benefits (AHUB) feature for cluster.

Default value: False
--enable-ai-toolchain-operator
Preview

Enable AI toolchain operator to the cluster.

Default value: False
--enable-apiserver-vnet-integration
Preview

Enable integration of user vnet with control plane apiserver pods.

Default value: False
--enable-azure-container-storage

Enable azure container storage and define storage pool type.

Accepted values: azureDisk, elasticSan, ephemeralDisk
--enable-azure-keyvault-kms

Enable Azure KeyVault Key Management Service.

Default value: False
--enable-azure-monitor-app-monitoring
Preview

Enable Azure Monitor Application Monitoring.

Default value: False
--enable-azure-monitor-metrics

Enable Azure Monitor Metrics Profile.

Default value: False
--enable-azure-rbac

Enable Azure RBAC to control authorization checks on cluster.

Default value: False
--enable-azuremonitormetrics
Deprecated

Option '--enable-azuremonitormetrics' has been deprecated and will be removed in a future release. Use '--enable-azure-monitor-metrics' instead.

Enable Azure Monitor Metrics Profile.

Default value: False
--enable-blob-driver

Enable AzureBlob CSI Driver.

--enable-cluster-autoscaler -e

Enable cluster autoscaler.

Default value: False
--enable-cost-analysis

Enable exporting Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. For more information see aka.ms/aks/docs/cost-analysis.

Default value: False
--enable-defender

Enable Microsoft Defender security profile.

Default value: False
--enable-disk-driver

Enable AzureDisk CSI Driver.

Default value: False
--enable-file-driver

Enable AzureFile CSI Driver.

Default value: False
--enable-force-upgrade

Enable forceUpgrade cluster upgrade settings override.

Default value: False
--enable-image-cleaner

Enable ImageCleaner Service.

Default value: False
--enable-image-integrity

Enable ImageIntegrity Service.

Default value: False
--enable-imds-restriction
Preview

Enable IMDS restriction in the cluster. Non-hostNetwork Pods will not be able to access IMDS.

Default value: False
--enable-keda
Preview

Enable KEDA workload auto-scaler.

Default value: False
--enable-local-accounts

(Preview) If set to true, will enable getting static credential for this cluster.

Default value: False
--enable-managed-identity

Update current cluster to managed identity to manage cluster resource group.

Default value: False
--enable-oidc-issuer

Enable OIDC issuer.

Default value: False
--enable-pod-identity

(PREVIEW) Enable Pod Identity addon for cluster.

Default value: False
--enable-pod-identity-with-kubenet

(PREVIEW) Enable pod identity addon for cluster using Kubnet network plugin.

Default value: False
--enable-pod-security-policy
Deprecated

Option '--enable-pod-security-policy' has been deprecated and will be removed in a future release.

Enable pod security policy.

--enable-pod-security-policy is deprecated. See https://aka.ms/aks/psp for details.

Default value: False
--enable-private-cluster
Preview

Enable private cluster for apiserver vnet integration cluster.

Default value: False
--enable-public-fqdn

Enable public fqdn feature for private cluster.

Default value: False
--enable-secret-rotation

Enable secret rotation. Use with azure-keyvault-secrets-provider addon.

Default value: False
--enable-snapshot-controller

Enable Snapshot Controller.

Default value: False
--enable-static-egress-gateway
Preview

Enable Static Egress Gateway addon to the cluster.

Default value: False
--enable-vpa
Preview

Enable vertical pod autoscaler for cluster.

Default value: False
--enable-windows-gmsa

Enable Windows gmsa on cluster.

Default value: False
--enable-windows-recording-rules

Enable Windows Recording Rules when enabling the Azure Monitor Metrics addon.

Default value: False
--enable-workload-identity

(PREVIEW) Enable Workload Identity addon for cluster.

Default value: False
--ephemeral-disk-nvme-perf-tier

Set ephemeral disk volume type for azure container storage.

Accepted values: Basic, Premium, Standard
--ephemeral-disk-volume-type

Set ephemeral disk volume type for azure container storage.

Accepted values: EphemeralVolumeOnly, PersistentVolumeWithAnnotation
--gmsa-dns-server

Specify DNS server for Windows gmsa on cluster.

You do not need to set this if you have set DNS server in the VNET used by the cluster. You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time when setting --enable-windows-gmsa.

--gmsa-root-domain-name

Specify root domain name for Windows gmsa on cluster.

You do not need to set this if you have set DNS server in the VNET used by the cluster. You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time when setting --enable-windows-gmsa.

--grafana-resource-id

Resource ID of the Azure Managed Grafana Workspace.

--http-proxy-config

HTTP Proxy configuration for this cluster.

--if-match

The value provided will be compared to the ETag of the managed cluster, if it matches the operation will proceed. If it does not match, the request will be rejected to prevent accidental overwrites. This must not be specified when creating a new cluster.

--if-none-match

Set to '*' to allow a new cluster to be created, but to prevent updating an existing cluster. Other values will be ignored.

--image-cleaner-interval-hours

ImageCleaner scanning interval.

--ip-families

A comma separated list of IP versions to use for cluster networking.

Each IP version should be in the format IPvN. For example, IPv4.

--k8s-support-plan

Choose from "KubernetesOfficial" or "AKSLongTermSupport", with "AKSLongTermSupport" you get 1 extra year of CVE patchs.

Accepted values: AKSLongTermSupport, KubernetesOfficial
--ksm-metric-annotations-allow-list

Comma-separated list of additional Kubernetes label keys that will be used in the resource' labels metric. By default the metric contains only name and namespace labels. To include additional labels provide a list of resource names in their plural form and Kubernetes label keys you would like to allow for them (e.g.'=namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...)'. A single '' can be provided per resource instead to allow any labels, but that has severe performance implications (e.g. '=pods=[]').

--ksm-metric-labels-allow-list

Comma-separated list of additional Kubernetes label keys that will be used in the resource' labels metric. By default the metric contains only name and namespace labels. To include additional labels provide a list of resource names in their plural form and Kubernetes label keys you would like to allow for them (e.g. '=namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...)'. A single '' can be provided per resource instead to allow any labels, but that has severe performance implications (e.g. '=pods=[]').

--kube-proxy-config

Kube-proxy configuration for this cluster.

--load-balancer-backend-pool-type

Load balancer backend pool type.

Load balancer backend pool type, supported values are nodeIP and nodeIPConfiguration.

--load-balancer-idle-timeout

Load balancer idle timeout in minutes.

Desired idle timeout for load balancer outbound flows, default is 30 minutes. Please specify a value in the range of [4, 100].

--load-balancer-managed-outbound-ip-count

Load balancer managed outbound IP count.

Desired number of managed outbound IPs for load balancer outbound connection. Valid for Standard SKU load balancer cluster only.

--load-balancer-managed-outbound-ipv6-count

Load balancer managed outbound IPv6 IP count.

Desired number of managed outbound IPv6 IPs for load balancer outbound connection. Valid for dual-stack (--ip-families IPv4,IPv6) only.

--load-balancer-outbound-ip-prefixes

Load balancer outbound IP prefix resource IDs.

Comma-separated public IP prefix resource IDs for load balancer outbound connection. Valid for Standard SKU load balancer cluster only.

--load-balancer-outbound-ips

Load balancer outbound IP resource IDs.

Comma-separated public IP resource IDs for load balancer outbound connection. Valid for Standard SKU load balancer cluster only.

--load-balancer-outbound-ports

Load balancer outbound allocated ports.

Desired static number of outbound ports per VM in the load balancer backend pool. By default, set to 0 which uses the default allocation based on the number of VMs. Please specify a value in the range of [0, 64000] that is a multiple of 8.

--max-count

Maximum nodes count used for autoscaler, when "--enable-cluster-autoscaler" specified. Please specify the value in the range of [1, 1000].

--min-count

Minimun nodes count used for autoscaler, when "--enable-cluster-autoscaler" specified. Please specify the value in the range of [1, 1000].

--nat-gateway-idle-timeout

NAT gateway idle timeout in minutes.

Desired idle timeout for NAT gateway outbound flows, default is 4 minutes. Please specify a value in the range of [4, 120]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.

--nat-gateway-managed-outbound-ip-count

NAT gateway managed outbound IP count.

Desired number of managed outbound IPs for NAT gateway outbound connection. Please specify a value in the range of [1, 16]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.

--network-dataplane

The network dataplane to use.

Network dataplane used in the Kubernetes cluster. Specify "azure" to use the Azure dataplane (default) or "cilium" to enable Cilium dataplane.

Accepted values: azure, cilium
--network-plugin

The Kubernetes network plugin to use.

Specify "azure" for routable pod IPs from VNET, "kubenet" for non-routable pod IPs with an overlay network, or "none" for no networking configured.

Accepted values: azure, kubenet, none
--network-plugin-mode

The network plugin mode to use.

Used to control the mode the network plugin should operate in. For example, "overlay" used with --network-plugin=azure will use an overlay network (non-VNET IPs) for pods in the cluster.

--network-policy

Update the mode of a network policy.

Specify "azure" for Azure network policy manager, "cilium" for Azure CNI Overlay powered by Cilium. Defaults to "" (network policy disabled).

--no-wait

Do not wait for the long-running operation to finish.

Default value: False
--node-init-taints --nodepool-initialization-taints
Preview

The node initialization taints for all node pools in cluster.

--node-os-upgrade-channel

Manner in which the OS on your nodes is updated. It could be NodeImage, None, SecurityPatch or Unmanaged.

Accepted values: NodeImage, None, SecurityPatch, Unmanaged
--node-provisioning-mode
Preview

Set the node provisioning mode of the cluster. Valid values are "Auto" and "Manual". For more information on "Auto" mode see aka.ms/aks/nap.

Accepted values: Auto, Manual
--nodepool-labels

The node labels for all node pool. See https://aka.ms/node-labels for syntax of labels.

--nodepool-taints

The node taints for all node pool.

--nrg-lockdown-restriction-level

Restriction level on the managed node resource.

The restriction level of permissions allowed on the cluster's managed node resource group, supported values are Unrestricted, and ReadOnly (recommended ReadOnly).

Accepted values: ReadOnly, Unrestricted
--outbound-type

How outbound traffic will be configured for a cluster.

This option will change the way how the outbound connections are managed in the AKS cluster. Available options are loadbalancer, managedNATGateway, userAssignedNATGateway, userDefinedRouting, none and block. For custom vnet, loadbalancer, userAssignedNATGateway and userDefinedRouting are supported. For aks managed vnet, loadbalancer, managedNATGateway and userDefinedRouting are supported.

Accepted values: block, loadBalancer, managedNATGateway, none, userAssignedNATGateway, userDefinedRouting
--pod-cidr

A CIDR notation IP range from which to assign pod IPs when kubenet is used.

This range must not overlap with any Subnet IP ranges. For example, 172.244.0.0/16.

--private-dns-zone
Preview

The private dns zone mode for private cluster.

--rotation-poll-interval

Set interval of rotation poll. Use with azure-keyvault-secrets-provider addon.

--safeguards-excluded-ns
Preview

Comma-separated list of Kubernetes namespaces to exclude from deployment safeguards. Use "" to clear a previously non-empty list.

--safeguards-level
Preview

The deployment safeguards Level. Accepted Values are [Off, Warning, Enforcement]. Requires azure policy addon to be enabled.

Accepted values: Enforcement, Off, Warning
--safeguards-version
Preview

The version of deployment safeguards to use. Default "v1.0.0" Use the ListSafeguardsVersions API to discover available versions.

--sku
Preview

Specify SKU name for managed clusters. '--sku base' enables a base managed cluster. '--sku automatic' enables an automatic managed cluster.

Accepted values: automatic, base
--ssh-key-value

Public key path or key contents to install on node VMs for SSH access. For example, 'ssh-rsa AAAAB...snip...UcyupgH azureuser@linuxvm'.

--storage-pool-name

Set storage pool name for azure container storage.

--storage-pool-option

Set ephemeral disk storage pool option for azure container storage.

Accepted values: NVMe, Temp, all
--storage-pool-size

Set storage pool size for azure container storage.

--storage-pool-sku

Set azure disk type storage pool sku for azure container storage.

Accepted values: PremiumV2_LRS, Premium_LRS, Premium_ZRS, StandardSSD_LRS, StandardSSD_ZRS, Standard_LRS, UltraSSD_LRS
--tags

The tags of the managed cluster. The managed cluster instance and all resources managed by the cloud provider will be tagged.

--tier

Specify SKU tier for managed clusters. '--tier standard' enables a standard managed cluster service with a financially backed SLA. '--tier free' changes a standard managed cluster to a free one.

Accepted values: free, premium, standard
--update-cluster-autoscaler -u

Update min-count or max-count for cluster autoscaler.

Default value: False
--upgrade-override-until
Preview

Until when the cluster upgradeSettings overrides are effective. It needs to be in a valid date-time format that's within the next 30 days. For example, 2023-04-01T13:00:00Z. Note that if --force-upgrade is set to true and --upgrade-override-until is not set, by default it will be set to 3 days from now.

--windows-admin-password

User account password to use on windows node VMs.

Rules for windows-admin-password: - Minimum-length: 14 characters - Max-length: 123 characters - Complexity requirements: 3 out of 4 conditions below need to be fulfilled * Has lower characters * Has upper characters * Has a digit * Has a special character (Regex match [\W_]) - Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!" Reference: https://docs.microsoft.com/en-us/dotnet/api/microsoft.azure.management.compute.models.virtualmachinescalesetosprofile.adminpassword?view=azure-dotnet.

--yes -y

Do not prompt for confirmation.

Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks update-credentials

Update credentials for a managed Kubernetes cluster, like service principal.

az aks update-credentials --name
                          --resource-group
                          [--aad-client-app-id]
                          [--aad-server-app-id]
                          [--aad-server-app-secret]
                          [--aad-tenant-id]
                          [--client-secret]
                          [--no-wait]
                          [--reset-aad]
                          [--reset-service-principal]
                          [--service-principal]

Examples

Update an existing Kubernetes cluster with new service principal.

az aks update-credentials -g MyResourceGroup -n MyManagedCluster --reset-service-principal --service-principal MyNewServicePrincipalID --client-secret MyNewServicePrincipalSecret

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--aad-client-app-id
Deprecated

Option '--aad-client-app-id' has been deprecated and will be removed in a future release.

The ID of an Azure Active Directory client application. This argument is required if --reset-aad is specified.

--aad-client-app-id is deprecated. See https://aka.ms/aks/aad-legacy for details.

--aad-server-app-id
Deprecated

Option '--aad-server-app-id' has been deprecated and will be removed in a future release.

The ID of an Azure Active Directory server application. This argument is required if --reset-aad is specified.

--aad-server-app-id is deprecated. See https://aka.ms/aks/aad-legacy for details.

--aad-server-app-secret
Deprecated

Option '--aad-server-app-secret' has been deprecated and will be removed in a future release.

The secret of an Azure Active Directory server application. This argument is required if --reset-aad is specified.

--aad-server-app-secret is deprecated. See https://aka.ms/aks/aad-legacy for details.

--aad-tenant-id
Deprecated

Option '--aad-tenant-id' has been deprecated and will be removed in a future release.

Tenant ID associated with Azure Active Directory.

--client-secret

Secret associated with the service principal. This argument is required if --service-principal is specified.

--no-wait

Do not wait for the long-running operation to finish.

Default value: False
--reset-aad
Deprecated

Option '--reset-aad' has been deprecated and will be removed in a future release.

Reset Azure Active Directory configuration for a managed cluster.

--reset-aad is deprecated. See https://aka.ms/aks/aad-legacy for details.

Default value: False
--reset-service-principal

Reset service principal for a managed cluster.

Default value: False
--service-principal

Service principal used for authentication to Azure APIs. This argument is required if --reset-service-principal is specified.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks upgrade

Upgrade a managed Kubernetes cluster to a newer version.

Kubernetes will be unavailable during cluster upgrades.

az aks upgrade --name
               --resource-group
               [--control-plane-only]
               [--disable-force-upgrade]
               [--enable-force-upgrade]
               [--k8s-support-plan {AKSLongTermSupport, KubernetesOfficial}]
               [--kubernetes-version]
               [--no-wait]
               [--node-image-only]
               [--tier {free, premium, standard}]
               [--upgrade-override-until]
               [--yes]

Examples

Upgrade a managed Kubernetes cluster to a newer version. (autogenerated)

az aks upgrade --kubernetes-version 1.12.6 --name MyManagedCluster --resource-group MyResourceGroup

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--control-plane-only

Upgrade the cluster control plane only. If not specified, both control plane AND all node pools will be upgraded.

Default value: False
--disable-force-upgrade

Disable forceUpgrade cluster upgrade settings override.

Default value: False
--enable-force-upgrade

Enable forceUpgrade cluster upgrade settings override.

Default value: False
--k8s-support-plan

Choose from "KubernetesOfficial" or "AKSLongTermSupport", with "AKSLongTermSupport" you get 1 extra year of CVE patchs.

Accepted values: AKSLongTermSupport, KubernetesOfficial
--kubernetes-version -k

Version of Kubernetes to upgrade the cluster to, such as "1.16.9".

Value from: `az aks get-upgrades`
--no-wait

Do not wait for the long-running operation to finish.

Default value: False
--node-image-only

Only upgrade node image for agent pools.

Default value: False
--tier

Specify SKU tier for managed clusters. '--tier standard' enables a standard managed cluster service with a financially backed SLA. '--tier free' does not have a financially backed SLA. '--tier premium' is required for '--k8s-support-plan AKSLongTermSupport'.

Accepted values: free, premium, standard
--upgrade-override-until

Until when the cluster upgradeSettings overrides are effective.

It needs to be in a valid date-time format that's within the next 30 days. For example, 2023-04-01T13:00:00Z. Note that if --force-upgrade is set to true and --upgrade-override-until is not set, by default it will be set to 3 days from now.

--yes -y

Do not prompt for confirmation.

Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks upgrade (aks-preview extension)

Upgrade a managed Kubernetes cluster to a newer version.

Kubernetes will be unavailable during cluster upgrades.

az aks upgrade --name
               --resource-group
               [--aks-custom-headers]
               [--cluster-snapshot-id]
               [--control-plane-only]
               [--disable-force-upgrade]
               [--enable-force-upgrade]
               [--if-match]
               [--if-none-match]
               [--kubernetes-version]
               [--no-wait]
               [--node-image-only]
               [--upgrade-override-until]
               [--yes]

Examples

Upgrade a existing managed cluster to a managed cluster snapshot.

az aks upgrade -g MyResourceGroup -n MyManagedCluster --cluster-snapshot-id "/subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.ContainerService/managedclustersnapshots/mysnapshot1"

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--aks-custom-headers

Send custom headers. When specified, format should be Key1=Value1,Key2=Value2.

--cluster-snapshot-id
Preview

The source cluster snapshot id is used to upgrade existing cluster.

--control-plane-only

Upgrade the cluster control plane only. If not specified, control plane AND all node pools will be upgraded.

Default value: False
--disable-force-upgrade

Disable forceUpgrade cluster upgrade settings override.

Default value: False
--enable-force-upgrade

Enable forceUpgrade cluster upgrade settings override.

Default value: False
--if-match

The value provided will be compared to the ETag of the managed cluster, if it matches the operation will proceed. If it does not match, the request will be rejected to prevent accidental overwrites. This must not be specified when creating a new cluster.

--if-none-match

Set to '*' to allow a new cluster to be created, but to prevent updating an existing cluster. Other values will be ignored.

--kubernetes-version -k

Version of Kubernetes to upgrade the cluster to, such as "1.11.12".

Value from: `az aks get-upgrades`
--no-wait

Do not wait for the long-running operation to finish.

Default value: False
--node-image-only

Only upgrade node image for agent pools.

Default value: False
--upgrade-override-until

Until when the cluster upgradeSettings overrides are effective.

It needs to be in a valid date-time format that's within the next 30 days. For example, 2023-04-01T13:00:00Z. Note that if --force-upgrade is set to true and --upgrade-override-until is not set, by default it will be set to 3 days from now.

--yes -y

Do not prompt for confirmation.

Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks use-dev-spaces

Deprecated

This command has been deprecated and will be removed in a future release.

Use Azure Dev Spaces with a managed Kubernetes cluster.

az aks use-dev-spaces --name
                      --resource-group
                      [--endpoint {None, Private, Public}]
                      [--space]
                      [--update]
                      [--yes]

Examples

Use Azure Dev Spaces with a managed Kubernetes cluster, interactively selecting a dev space.

az aks use-dev-spaces -g my-aks-group -n my-aks

Use Azure Dev Spaces with a managed Kubernetes cluster, updating to the latest Azure Dev Spaces client components and selecting a new or existing dev space 'my-space'.

az aks use-dev-spaces -g my-aks-group -n my-aks --update --space my-space

Use Azure Dev Spaces with a managed Kubernetes cluster, selecting a new or existing dev space 'develop/my-space' without prompting for confirmation.

az aks use-dev-spaces -g my-aks-group -n my-aks -s develop/my-space -y

Use Azure Dev Spaces with a managed Kubernetes cluster with a private endpoint.

az aks use-dev-spaces -g my-aks-group -n my-aks -e private

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--endpoint -e

The endpoint type to be used for a Azure Dev Spaces controller. See https://aka.ms/azds-networking for more information.

Accepted values: None, Private, Public
Default value: Public
--space -s

Name of the new or existing dev space to select. Defaults to an interactive selection experience.

--update

Update to the latest Azure Dev Spaces client components.

Default value: False
--yes -y

Do not prompt for confirmation. Requires --space.

Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks use-dev-spaces (dev-spaces extension)

Use Azure Dev Spaces with a managed Kubernetes cluster.

az aks use-dev-spaces --name
                      --resource-group
                      [--endpoint {None, Private, Public}]
                      [--space]
                      [--update]
                      [--yes]

Examples

Use Azure Dev Spaces with a managed Kubernetes cluster, interactively selecting a dev space.

az aks use-dev-spaces -g my-aks-group -n my-aks

Use Azure Dev Spaces with a managed Kubernetes cluster, updating to the latest Azure Dev Spaces client components and selecting a new or existing dev space 'my-space'.

az aks use-dev-spaces -g my-aks-group -n my-aks --update --space my-space

Use Azure Dev Spaces with a managed Kubernetes cluster, selecting a new or existing dev space 'develop/my-space' without prompting for confirmation.

az aks use-dev-spaces -g my-aks-group -n my-aks -s develop/my-space -y

Use Azure Dev Spaces with a managed Kubernetes cluster with a private endpoint.

az aks use-dev-spaces -g my-aks-group -n my-aks -e private

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--endpoint -e

The endpoint type to be used for a Azure Dev Spaces controller. See https://aka.ms/azds-networking for more information.

Accepted values: None, Private, Public
Default value: Public
--space -s

Name of the new or existing dev space to select. Defaults to an interactive selection experience.

--update

Update to the latest Azure Dev Spaces client components.

Default value: False
--yes -y

Do not prompt for confirmation. Requires --space.

Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks wait

Wait for a managed Kubernetes cluster to reach a desired state.

If an operation on a cluster was interrupted or was started with --no-wait, use this command to wait for it to complete.

az aks wait --name
            --resource-group
            [--created]
            [--custom]
            [--deleted]
            [--exists]
            [--interval]
            [--timeout]
            [--updated]

Examples

Wait for a cluster to be upgraded, polling every minute for up to thirty minutes.

az aks wait -g MyResourceGroup -n MyManagedCluster --updated --interval 60 --timeout 1800

Wait for a managed Kubernetes cluster to reach a desired state (autogenerated)

az aks wait --created --interval 60 --name MyManagedCluster --resource-group MyResourceGroup --timeout 1800

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--created

Wait until created with 'provisioningState' at 'Succeeded'.

Default value: False
--custom

Wait until the condition satisfies a custom JMESPath query. E.g. provisioningState!='InProgress', instanceView.statuses[?code=='PowerState/running'].

--deleted

Wait until deleted.

Default value: False
--exists

Wait until the resource exists.

Default value: False
--interval

Polling interval in seconds.

Default value: 30
--timeout

Maximum wait in seconds.

Default value: 3600
--updated

Wait until updated with provisioningState at 'Succeeded'.

Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az aks wait (aks-preview extension)

Wait for a managed Kubernetes cluster to reach a desired state.

If an operation on a cluster was interrupted or was started with --no-wait, use this command to wait for it to complete.

az aks wait --name
            --resource-group
            [--created]
            [--custom]
            [--deleted]
            [--exists]
            [--interval]
            [--timeout]
            [--updated]

Examples

Wait for a cluster to be upgraded, polling every minute for up to thirty minutes.

az aks wait -g MyResourceGroup -n MyManagedCluster --updated --interval 60 --timeout 1800

Wait for a managed Kubernetes cluster to reach a desired state (autogenerated)

az aks wait --created --interval 60 --name MyManagedCluster --resource-group MyResourceGroup --timeout 1800

Required Parameters

--name -n

Name of the managed cluster.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--created

Wait until created with 'provisioningState' at 'Succeeded'.

Default value: False
--custom

Wait until the condition satisfies a custom JMESPath query. E.g. provisioningState!='InProgress', instanceView.statuses[?code=='PowerState/running'].

--deleted

Wait until deleted.

Default value: False
--exists

Wait until the resource exists.

Default value: False
--interval

Polling interval in seconds.

Default value: 30
--timeout

Maximum wait in seconds.

Default value: 3600
--updated

Wait until updated with provisioningState at 'Succeeded'.

Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.