az aks
Note
This command group has commands that are defined in both Azure CLI and at least one extension. Install each extension to benefit from its extended capabilities. Learn more about extensions.
Manage Azure Kubernetes Services.
Commands
Name | Description | Type | Status |
---|---|---|---|
az aks addon |
Commands to manage and view single addon conditions. |
Extension | GA |
az aks addon disable |
Disable an enabled Kubernetes addon in a cluster. |
Extension | GA |
az aks addon enable |
Enable a Kubernetes addon. |
Extension | GA |
az aks addon list |
List status of all Kubernetes addons in given cluster. |
Extension | GA |
az aks addon list-available |
List available Kubernetes addons. |
Extension | GA |
az aks addon show |
Show status and configuration for an enabled Kubernetes addon in a given cluster. |
Extension | GA |
az aks addon update |
Update an already enabled Kubernetes addon. |
Extension | GA |
az aks app |
Commands to manage AKS app. |
Extension | Preview |
az aks app up |
Deploy to AKS via GitHub actions. |
Extension | Preview |
az aks approuting |
Commands to manage App Routing aadon. |
Core and Extension | GA |
az aks approuting disable |
Disable App Routing addon. |
Core | GA |
az aks approuting disable (aks-preview extension) |
Disable App Routing addon. |
Extension | GA |
az aks approuting enable |
Enable App Routing. |
Core | GA |
az aks approuting enable (aks-preview extension) |
Enable App Routing. |
Extension | GA |
az aks approuting update |
Update App Routing addon. |
Core | GA |
az aks approuting update (aks-preview extension) |
Update App Routing addon. |
Extension | GA |
az aks approuting zone |
Commands to manage App Routing DNS Zones. |
Core and Extension | GA |
az aks approuting zone add |
Add DNS Zone(s) to App Routing. |
Core | GA |
az aks approuting zone add (aks-preview extension) |
Add DNS Zone(s) to App Routing. |
Extension | GA |
az aks approuting zone delete |
Delete DNS Zone(s) from App Routing. |
Core | GA |
az aks approuting zone delete (aks-preview extension) |
Delete DNS Zone(s) from App Routing. |
Extension | GA |
az aks approuting zone list |
List DNS Zone IDs in App Routing. |
Core | GA |
az aks approuting zone list (aks-preview extension) |
List DNS Zone IDs in App Routing. |
Extension | GA |
az aks approuting zone update |
Replace DNS Zone(s) in App Routing. |
Core | GA |
az aks approuting zone update (aks-preview extension) |
Replace DNS Zone(s) in App Routing. |
Extension | GA |
az aks browse |
Show the dashboard for a Kubernetes cluster in a web browser. |
Core | GA |
az aks browse (aks-preview extension) |
Show the dashboard for a Kubernetes cluster in a web browser. |
Extension | GA |
az aks check-acr |
Validate an ACR is accessible from an AKS cluster. |
Core | GA |
az aks check-network |
Commands to troubleshoot network connectivity in managed Kubernetes cluster. |
Extension | GA |
az aks check-network outbound |
Perform outbound network connectivity check for a node in a managed Kubernetes cluster. |
Extension | GA |
az aks command |
See detail usage in 'az aks command invoke', 'az aks command result'. |
Core | GA |
az aks command invoke |
Run a shell command (with kubectl, helm) on your aks cluster, support attaching files as well. |
Core | GA |
az aks command result |
Fetch result from previously triggered 'aks command invoke'. |
Core | GA |
az aks connection |
Commands to manage aks connections. |
Core and Extension | Preview |
az aks connection create |
Create a connection between a aks and a target resource. |
Core and Extension | Preview |
az aks connection create app-insights |
Create a aks connection to app-insights. |
Core | Preview |
az aks connection create appconfig |
Create a aks connection to appconfig. |
Core | Preview |
az aks connection create cognitiveservices |
Create a aks connection to cognitiveservices. |
Core | Preview |
az aks connection create confluent-cloud |
Create a aks connection to confluent-cloud. |
Core | Preview |
az aks connection create cosmos-cassandra |
Create a aks connection to cosmos-cassandra. |
Core | Preview |
az aks connection create cosmos-gremlin |
Create a aks connection to cosmos-gremlin. |
Core | Preview |
az aks connection create cosmos-mongo |
Create a aks connection to cosmos-mongo. |
Core | Preview |
az aks connection create cosmos-sql |
Create a aks connection to cosmos-sql. |
Core | Preview |
az aks connection create cosmos-table |
Create a aks connection to cosmos-table. |
Core | Preview |
az aks connection create eventhub |
Create a aks connection to eventhub. |
Core | Preview |
az aks connection create keyvault |
Create a aks connection to keyvault. |
Core | Preview |
az aks connection create mysql |
Create a aks connection to mysql. |
Core | Preview and Deprecated |
az aks connection create mysql-flexible |
Create a aks connection to mysql-flexible. |
Core | Preview |
az aks connection create mysql-flexible (serviceconnector-passwordless extension) |
Create a aks connection to mysql-flexible. |
Extension | GA |
az aks connection create postgres |
Create a aks connection to postgres. |
Core | Preview and Deprecated |
az aks connection create postgres-flexible |
Create a aks connection to postgres-flexible. |
Core | Preview |
az aks connection create postgres-flexible (serviceconnector-passwordless extension) |
Create a aks connection to postgres-flexible. |
Extension | GA |
az aks connection create redis |
Create a aks connection to redis. |
Core | Preview |
az aks connection create redis-enterprise |
Create a aks connection to redis-enterprise. |
Core | Preview |
az aks connection create servicebus |
Create a aks connection to servicebus. |
Core | Preview |
az aks connection create signalr |
Create a aks connection to signalr. |
Core | Preview |
az aks connection create sql |
Create a aks connection to sql. |
Core | Preview |
az aks connection create sql (serviceconnector-passwordless extension) |
Create a aks connection to sql. |
Extension | GA |
az aks connection create storage-blob |
Create a aks connection to storage-blob. |
Core | Preview |
az aks connection create storage-file |
Create a aks connection to storage-file. |
Core | Preview |
az aks connection create storage-queue |
Create a aks connection to storage-queue. |
Core | Preview |
az aks connection create storage-table |
Create a aks connection to storage-table. |
Core | Preview |
az aks connection create webpubsub |
Create a aks connection to webpubsub. |
Core | Preview |
az aks connection delete |
Delete a aks connection. |
Core | Preview |
az aks connection list |
List connections of a aks. |
Core | Preview |
az aks connection list-configuration |
List source configurations of a aks connection. |
Core | Preview |
az aks connection list-support-types |
List client types and auth types supported by aks connections. |
Core | Preview |
az aks connection show |
Get the details of a aks connection. |
Core | Preview |
az aks connection update |
Update a aks connection. |
Core | Preview |
az aks connection update app-insights |
Update a aks to app-insights connection. |
Core | Preview |
az aks connection update appconfig |
Update a aks to appconfig connection. |
Core | Preview |
az aks connection update cognitiveservices |
Update a aks to cognitiveservices connection. |
Core | Preview |
az aks connection update confluent-cloud |
Update a aks to confluent-cloud connection. |
Core | Preview |
az aks connection update cosmos-cassandra |
Update a aks to cosmos-cassandra connection. |
Core | Preview |
az aks connection update cosmos-gremlin |
Update a aks to cosmos-gremlin connection. |
Core | Preview |
az aks connection update cosmos-mongo |
Update a aks to cosmos-mongo connection. |
Core | Preview |
az aks connection update cosmos-sql |
Update a aks to cosmos-sql connection. |
Core | Preview |
az aks connection update cosmos-table |
Update a aks to cosmos-table connection. |
Core | Preview |
az aks connection update eventhub |
Update a aks to eventhub connection. |
Core | Preview |
az aks connection update keyvault |
Update a aks to keyvault connection. |
Core | Preview |
az aks connection update mysql |
Update a aks to mysql connection. |
Core | Preview and Deprecated |
az aks connection update mysql-flexible |
Update a aks to mysql-flexible connection. |
Core | Preview |
az aks connection update postgres |
Update a aks to postgres connection. |
Core | Preview and Deprecated |
az aks connection update postgres-flexible |
Update a aks to postgres-flexible connection. |
Core | Preview |
az aks connection update redis |
Update a aks to redis connection. |
Core | Preview |
az aks connection update redis-enterprise |
Update a aks to redis-enterprise connection. |
Core | Preview |
az aks connection update servicebus |
Update a aks to servicebus connection. |
Core | Preview |
az aks connection update signalr |
Update a aks to signalr connection. |
Core | Preview |
az aks connection update sql |
Update a aks to sql connection. |
Core | Preview |
az aks connection update storage-blob |
Update a aks to storage-blob connection. |
Core | Preview |
az aks connection update storage-file |
Update a aks to storage-file connection. |
Core | Preview |
az aks connection update storage-queue |
Update a aks to storage-queue connection. |
Core | Preview |
az aks connection update storage-table |
Update a aks to storage-table connection. |
Core | Preview |
az aks connection update webpubsub |
Update a aks to webpubsub connection. |
Core | Preview |
az aks connection validate |
Validate a aks connection. |
Core | Preview |
az aks connection wait |
Place the CLI in a waiting state until a condition of the connection is met. |
Core | Preview |
az aks create |
Create a new managed Kubernetes cluster. |
Core | GA |
az aks create (aks-preview extension) |
Create a new managed Kubernetes cluster. |
Extension | GA |
az aks delete |
Delete a managed Kubernetes cluster. |
Core | GA |
az aks delete (aks-preview extension) |
Delete a managed Kubernetes cluster. |
Extension | GA |
az aks disable-addons |
Disable Kubernetes addons. |
Core | GA |
az aks disable-addons (aks-preview extension) |
Disable Kubernetes addons. |
Extension | GA |
az aks draft |
Commands to build deployment files in a project directory and deploy to an AKS cluster. |
Extension | GA |
az aks draft create |
Generate a Dockerfile and the minimum required Kubernetes deployment files (helm, kustomize, manifests) for your project directory. |
Extension | GA |
az aks draft generate-workflow |
Generate a GitHub workflow for automatic build and deploy to AKS. |
Extension | GA |
az aks draft setup-gh |
Set up GitHub OIDC for your application. |
Extension | GA |
az aks draft up |
Run |
Extension | GA |
az aks draft update |
Update your application to be internet accessible. |
Extension | GA |
az aks egress-endpoints |
Commands to manage egress endpoints in managed Kubernetes cluster. |
Extension | GA |
az aks egress-endpoints list |
List egress endpoints that are required or recommended to be whitelisted for a cluster. |
Extension | GA |
az aks enable-addons |
Enable Kubernetes addons. |
Core | GA |
az aks enable-addons (aks-preview extension) |
Enable Kubernetes addons. |
Extension | GA |
az aks get-credentials |
Get access credentials for a managed Kubernetes cluster. |
Core | GA |
az aks get-credentials (aks-preview extension) |
Get access credentials for a managed Kubernetes cluster. |
Extension | GA |
az aks get-upgrades |
Get the upgrade versions available for a managed Kubernetes cluster. |
Core | GA |
az aks get-upgrades (aks-preview extension) |
Get the upgrade versions available for a managed Kubernetes cluster. |
Extension | GA |
az aks get-versions |
Get the versions available for creating a managed Kubernetes cluster. |
Core | GA |
az aks get-versions (aks-preview extension) |
Get the versions available for creating a managed Kubernetes cluster. |
Extension | GA |
az aks install-cli |
Download and install kubectl, the Kubernetes command-line tool. Download and install kubelogin, a client-go credential (exec) plugin implementing azure authentication. |
Core | GA |
az aks kanalyze |
Display diagnostic results for the Kubernetes cluster after kollect is done. |
Extension | GA |
az aks kollect |
Collecting diagnostic information for the Kubernetes cluster. |
Extension | GA |
az aks list |
List managed Kubernetes clusters. |
Core | GA |
az aks list (aks-preview extension) |
List managed Kubernetes clusters. |
Extension | GA |
az aks machine |
Get information about machines in a nodepool of a managed clusters. |
Extension | GA |
az aks machine list |
Get information about IP Addresses, Hostname for all machines in an agentpool. |
Extension | GA |
az aks machine show |
Show IP Addresses, Hostname for a specific machine in an agentpool for a managedcluster. |
Extension | GA |
az aks maintenanceconfiguration |
Commands to manage maintenance configurations in managed Kubernetes cluster. |
Core and Extension | GA |
az aks maintenanceconfiguration add |
Add a maintenance configuration in managed Kubernetes cluster. |
Core | GA |
az aks maintenanceconfiguration add (aks-preview extension) |
Add a maintenance configuration in managed Kubernetes cluster. |
Extension | GA |
az aks maintenanceconfiguration delete |
Delete a maintenance configuration in managed Kubernetes cluster. |
Core | GA |
az aks maintenanceconfiguration delete (aks-preview extension) |
Delete a maintenance configuration in managed Kubernetes cluster. |
Extension | GA |
az aks maintenanceconfiguration list |
List maintenance configurations in managed Kubernetes cluster. |
Core | GA |
az aks maintenanceconfiguration list (aks-preview extension) |
List maintenance configurations in managed Kubernetes cluster. |
Extension | GA |
az aks maintenanceconfiguration show |
Show the details of a maintenance configuration in managed Kubernetes cluster. |
Core | GA |
az aks maintenanceconfiguration show (aks-preview extension) |
Show the details of a maintenance configuration in managed Kubernetes cluster. |
Extension | GA |
az aks maintenanceconfiguration update |
Update a maintenance configuration of a managed Kubernetes cluster. |
Core | GA |
az aks maintenanceconfiguration update (aks-preview extension) |
Update a maintenance configuration of a managed Kubernetes cluster. |
Extension | GA |
az aks mesh |
Commands to manage Azure Service Mesh. |
Core and Extension | GA |
az aks mesh disable |
Disable Azure Service Mesh. |
Core | GA |
az aks mesh disable (aks-preview extension) |
Disable Azure Service Mesh. |
Extension | GA |
az aks mesh disable-ingress-gateway |
Disable an Azure Service Mesh ingress gateway. |
Core | GA |
az aks mesh disable-ingress-gateway (aks-preview extension) |
Disable an Azure Service Mesh ingress gateway. |
Extension | GA |
az aks mesh enable |
Enable Azure Service Mesh. |
Core | GA |
az aks mesh enable (aks-preview extension) |
Enable Azure Service Mesh. |
Extension | GA |
az aks mesh enable-ingress-gateway |
Enable an Azure Service Mesh ingress gateway. |
Core | GA |
az aks mesh enable-ingress-gateway (aks-preview extension) |
Enable an Azure Service Mesh ingress gateway. |
Extension | GA |
az aks mesh get-revisions |
Discover available Azure Service Mesh revisions and their compatibility. |
Core | GA |
az aks mesh get-revisions (aks-preview extension) |
Discover available Azure Service Mesh revisions and their compatibility. |
Extension | GA |
az aks mesh get-upgrades |
Discover available Azure Service Mesh upgrades. |
Core | GA |
az aks mesh get-upgrades (aks-preview extension) |
Discover available Azure Service Mesh upgrades. |
Extension | GA |
az aks mesh upgrade |
Commands to manage the upgrades for Azure Service Mesh. |
Core and Extension | GA |
az aks mesh upgrade complete |
Complete Azure Service Mesh upgrade. |
Core | GA |
az aks mesh upgrade complete (aks-preview extension) |
Complete Azure Service Mesh upgrade. |
Extension | GA |
az aks mesh upgrade rollback |
Rollback Azure Service Mesh upgrade. |
Core | GA |
az aks mesh upgrade rollback (aks-preview extension) |
Rollback Azure Service Mesh upgrade. |
Extension | GA |
az aks mesh upgrade start |
Initiate Azure Service Mesh upgrade. |
Core | GA |
az aks mesh upgrade start (aks-preview extension) |
Initiate Azure Service Mesh upgrade. |
Extension | GA |
az aks nodepool |
Commands to manage node pools in Kubernetes kubernetes cluster. |
Core and Extension | GA |
az aks nodepool add |
Add a node pool to the managed Kubernetes cluster. |
Core | GA |
az aks nodepool add (aks-preview extension) |
Add a node pool to the managed Kubernetes cluster. |
Extension | GA |
az aks nodepool delete |
Delete the agent pool in the managed Kubernetes cluster. |
Core | GA |
az aks nodepool delete (aks-preview extension) |
Delete the agent pool in the managed Kubernetes cluster. |
Extension | GA |
az aks nodepool delete-machines |
Delete specific machines in an agentpool for a managed cluster. |
Core | GA |
az aks nodepool delete-machines (aks-preview extension) |
Delete specific machines in an agentpool for a managed cluster. |
Extension | GA |
az aks nodepool get-upgrades |
Get the available upgrade versions for an agent pool of the managed Kubernetes cluster. |
Core | GA |
az aks nodepool get-upgrades (aks-preview extension) |
Get the available upgrade versions for an agent pool of the managed Kubernetes cluster. |
Extension | GA |
az aks nodepool list |
List node pools in the managed Kubernetes cluster. To get list of nodes in the cluster run |
Core | GA |
az aks nodepool list (aks-preview extension) |
List node pools in the managed Kubernetes cluster. |
Extension | GA |
az aks nodepool manual-scale |
Commands to manage nodepool virtualMachineProfile.scale.manual. |
Extension | GA |
az aks nodepool manual-scale add |
Add a new manual to a VirtualMachines agentpool in the managed Kubernetes cluster. |
Extension | GA |
az aks nodepool manual-scale delete |
Delete an existing manual to a VirtualMachines agentpool in the managed Kubernetes cluster. |
Extension | GA |
az aks nodepool manual-scale update |
Update an existing manual of a VirtualMachines agentpool in the managed Kubernetes cluster. |
Extension | GA |
az aks nodepool operation-abort |
Abort last running operation on nodepool. |
Core | GA |
az aks nodepool operation-abort (aks-preview extension) |
Abort last running operation on nodepool. |
Extension | GA |
az aks nodepool scale |
Scale the node pool in a managed Kubernetes cluster. |
Core | GA |
az aks nodepool scale (aks-preview extension) |
Scale the node pool in a managed Kubernetes cluster. |
Extension | GA |
az aks nodepool show |
Show the details for a node pool in the managed Kubernetes cluster. |
Core | GA |
az aks nodepool show (aks-preview extension) |
Show the details for a node pool in the managed Kubernetes cluster. |
Extension | GA |
az aks nodepool snapshot |
Commands to manage nodepool snapshots. |
Core and Extension | GA |
az aks nodepool snapshot create |
Create a nodepool snapshot. |
Core | GA |
az aks nodepool snapshot create (aks-preview extension) |
Create a nodepool snapshot. |
Extension | GA |
az aks nodepool snapshot delete |
Delete a nodepool snapshot. |
Core | GA |
az aks nodepool snapshot delete (aks-preview extension) |
Delete a nodepool snapshot. |
Extension | GA |
az aks nodepool snapshot list |
List nodepool snapshots. |
Core | GA |
az aks nodepool snapshot list (aks-preview extension) |
List nodepool snapshots. |
Extension | GA |
az aks nodepool snapshot show |
Show the details of a nodepool snapshot. |
Core | GA |
az aks nodepool snapshot show (aks-preview extension) |
Show the details of a nodepool snapshot. |
Extension | GA |
az aks nodepool snapshot update |
Update tags on a snapshot of a nodepool. |
Core | GA |
az aks nodepool snapshot update (aks-preview extension) |
Update tags on a snapshot of a nodepool. |
Extension | GA |
az aks nodepool snapshot wait |
Wait for a nodepool snapshot to reach a desired state. |
Core | GA |
az aks nodepool start |
Start stopped agent pool in the managed Kubernetes cluster. |
Core | GA |
az aks nodepool start (aks-preview extension) |
Start stopped agent pool in the managed Kubernetes cluster. |
Extension | GA |
az aks nodepool stop |
Stop running agent pool in the managed Kubernetes cluster. |
Core | GA |
az aks nodepool stop (aks-preview extension) |
Stop running agent pool in the managed Kubernetes cluster. |
Extension | GA |
az aks nodepool update |
Update a node pool properties. |
Core | GA |
az aks nodepool update (aks-preview extension) |
Update a node pool properties. |
Extension | GA |
az aks nodepool upgrade |
Upgrade the node pool in a managed Kubernetes cluster. |
Core | GA |
az aks nodepool upgrade (aks-preview extension) |
Upgrade the node pool in a managed Kubernetes cluster. |
Extension | GA |
az aks nodepool wait |
Wait for a node pool to reach a desired state. |
Core | GA |
az aks oidc-issuer |
Oidc issuer related commands. |
Core | GA |
az aks oidc-issuer rotate-signing-keys |
Rotate oidc issuer service account signing keys. |
Core | GA |
az aks operation |
Commands to manage and view operations on managed Kubernetes cluster. |
Extension | GA |
az aks operation-abort |
Abort last running operation on managed cluster. |
Core | GA |
az aks operation-abort (aks-preview extension) |
Abort last running operation on managed cluster. |
Extension | GA |
az aks operation show |
Show the details for a specific operation on managed Kubernetes cluster. |
Extension | GA |
az aks operation show-latest |
Show the details for the latest operation on managed Kubernetes cluster. |
Extension | GA |
az aks pod-identity |
Commands to manage pod identities in managed Kubernetes cluster. |
Extension | GA |
az aks pod-identity add |
Add a pod identity to a managed Kubernetes cluster. |
Extension | GA |
az aks pod-identity delete |
Remove a pod identity from a managed Kubernetes cluster. |
Extension | GA |
az aks pod-identity exception |
Commands to manage pod identity exceptions in managed Kubernetes cluster. |
Extension | GA |
az aks pod-identity exception add |
Add a pod identity exception to a managed Kubernetes cluster. |
Extension | GA |
az aks pod-identity exception delete |
Remove a pod identity exception from a managed Kubernetes cluster. |
Extension | GA |
az aks pod-identity exception list |
List pod identity exceptions in a managed Kubernetes cluster. |
Extension | GA |
az aks pod-identity exception update |
Update a pod identity exception in a managed Kubernetes cluster. |
Extension | GA |
az aks pod-identity list |
List pod identities in a managed Kubernetes cluster. |
Extension | GA |
az aks remove-dev-spaces |
Remove Azure Dev Spaces from a managed Kubernetes cluster. |
Core | Deprecated |
az aks rotate-certs |
Rotate certificates and keys on a managed Kubernetes cluster. |
Core | GA |
az aks rotate-certs (aks-preview extension) |
Rotate certificates and keys on a managed Kubernetes cluster. |
Extension | GA |
az aks scale |
Scale the node pool in a managed Kubernetes cluster. |
Core | GA |
az aks scale (aks-preview extension) |
Scale the node pool in a managed Kubernetes cluster. |
Extension | GA |
az aks show |
Show the details for a managed Kubernetes cluster. |
Core | GA |
az aks show (aks-preview extension) |
Show the details for a managed Kubernetes cluster. |
Extension | GA |
az aks snapshot |
Commands to manage nodepool snapshots. |
Core and Extension | Deprecated |
az aks snapshot create |
Create a nodepool snapshot. |
Core | Deprecated |
az aks snapshot create (aks-preview extension) |
Create a snapshot of a cluster. |
Extension | GA |
az aks snapshot delete |
Delete a nodepool snapshot. |
Core | Deprecated |
az aks snapshot delete (aks-preview extension) |
Delete a cluster snapshot. |
Extension | GA |
az aks snapshot list |
List nodepool snapshots. |
Core | Deprecated |
az aks snapshot list (aks-preview extension) |
List cluster snapshots. |
Extension | GA |
az aks snapshot show |
Show the details of a nodepool snapshot. |
Core | Deprecated |
az aks snapshot show (aks-preview extension) |
Show the details of a cluster snapshot. |
Extension | GA |
az aks snapshot wait |
Wait for a nodepool snapshot to reach a desired state. |
Core | Deprecated |
az aks start |
Starts a previously stopped Managed Cluster. |
Core | GA |
az aks start (aks-preview extension) |
Starts a previously stopped Managed Cluster. |
Extension | GA |
az aks stop |
Stop a managed cluster. |
Core | GA |
az aks stop (aks-preview extension) |
Stop a managed cluster. |
Extension | GA |
az aks trustedaccess |
Commands to manage trusted access security features. |
Core and Extension | GA |
az aks trustedaccess role |
Commands to manage trusted access roles. |
Core and Extension | GA |
az aks trustedaccess role list |
List trusted access roles. |
Core | GA |
az aks trustedaccess role list (aks-preview extension) |
List trusted access roles. |
Extension | GA |
az aks trustedaccess rolebinding |
Commands to manage trusted access role bindings. |
Core and Extension | GA |
az aks trustedaccess rolebinding create |
Create a new trusted access role binding. |
Core | GA |
az aks trustedaccess rolebinding create (aks-preview extension) |
Create a new trusted access role binding. |
Extension | GA |
az aks trustedaccess rolebinding delete |
Delete a trusted access role binding according to name. |
Core | GA |
az aks trustedaccess rolebinding delete (aks-preview extension) |
Delete a trusted access role binding according to name. |
Extension | GA |
az aks trustedaccess rolebinding list |
List all the trusted access role bindings. |
Core | GA |
az aks trustedaccess rolebinding list (aks-preview extension) |
List all the trusted access role bindings. |
Extension | GA |
az aks trustedaccess rolebinding show |
Get the specific trusted access role binding according to binding name. |
Core | GA |
az aks trustedaccess rolebinding show (aks-preview extension) |
Get the specific trusted access role binding according to binding name. |
Extension | GA |
az aks trustedaccess rolebinding update |
Update a trusted access role binding. |
Core | GA |
az aks trustedaccess rolebinding update (aks-preview extension) |
Update a trusted access role binding. |
Extension | GA |
az aks update |
Update a managed Kubernetes cluster. When called with no optional arguments this attempts to move the cluster to its goal state without changing the current cluster configuration. This can be used to move out of a non succeeded state. |
Core | GA |
az aks update (aks-preview extension) |
Update the properties of a managed Kubernetes cluster. |
Extension | GA |
az aks update-credentials |
Update credentials for a managed Kubernetes cluster, like service principal. |
Core | GA |
az aks upgrade |
Upgrade a managed Kubernetes cluster to a newer version. |
Core | GA |
az aks upgrade (aks-preview extension) |
Upgrade a managed Kubernetes cluster to a newer version. |
Extension | GA |
az aks use-dev-spaces |
Use Azure Dev Spaces with a managed Kubernetes cluster. |
Core | Deprecated |
az aks use-dev-spaces (dev-spaces extension) |
Use Azure Dev Spaces with a managed Kubernetes cluster. |
Extension | GA |
az aks wait |
Wait for a managed Kubernetes cluster to reach a desired state. |
Core | GA |
az aks wait (aks-preview extension) |
Wait for a managed Kubernetes cluster to reach a desired state. |
Extension | GA |
az aks browse
Show the dashboard for a Kubernetes cluster in a web browser.
az aks browse --name
--resource-group
[--disable-browser]
[--listen-address]
[--listen-port]
Examples
Show the dashboard for a Kubernetes cluster in a web browser. (autogenerated)
az aks browse --name MyManagedCluster --resource-group MyResourceGroup
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Don't launch a web browser after establishing port-forwarding.
Add this argument when launching a web browser manually, or for automated testing.
The listening address for the dashboard.
Add this argument to listen on a specific IP address.
The listening port for the dashboard.
Add this argument when the default listening port is used by another process or unavailable.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks browse (aks-preview extension)
Show the dashboard for a Kubernetes cluster in a web browser.
az aks browse --name
--resource-group
[--disable-browser]
[--listen-address]
[--listen-port]
Examples
Show the dashboard for a Kubernetes cluster in a web browser. (autogenerated)
az aks browse --name MyManagedCluster --resource-group MyResourceGroup
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Don't launch a web browser after establishing port-forwarding.
Add this argument when launching a web browser manually, or for automated testing.
The listening address for the dashboard.
Add this argument to listen on a specific IP address.
The listening port for the dashboard.
Add this argument when the default listening port is used by another process or unavailable.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks check-acr
Validate an ACR is accessible from an AKS cluster.
az aks check-acr --acr
--name
--resource-group
[--node-name]
Examples
Validate the ACR is accessible from the AKS cluster.
az aks check-acr --name MyManagedCluster --resource-group MyResourceGroup --acr myacr.azurecr.io
Required Parameters
The FQDN of the ACR.
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
The name of a specific node to perform acr pull test checks. If not specified, it will be checked on a random node.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks create
Create a new managed Kubernetes cluster.
az aks create --name
--resource-group
[--aad-admin-group-object-ids]
[--aad-client-app-id]
[--aad-server-app-id]
[--aad-server-app-secret]
[--aad-tenant-id]
[--aci-subnet-name]
[--admin-username]
[--aks-custom-headers]
[--ampls-resource-id]
[--api-server-authorized-ip-ranges]
[--appgw-id]
[--appgw-name]
[--appgw-subnet-cidr]
[--appgw-subnet-id]
[--appgw-watch-namespace]
[--assign-identity]
[--assign-kubelet-identity]
[--attach-acr]
[--auto-upgrade-channel {node-image, none, patch, rapid, stable}]
[--azure-keyvault-kms-key-id]
[--azure-keyvault-kms-key-vault-network-access {Private, Public}]
[--azure-keyvault-kms-key-vault-resource-id]
[--azure-monitor-workspace-resource-id]
[--ca-profile]
[--client-secret]
[--crg-id]
[--data-collection-settings]
[--defender-config]
[--disable-disk-driver]
[--disable-file-driver]
[--disable-local-accounts]
[--disable-public-fqdn]
[--disable-rbac]
[--disable-snapshot-controller]
[--dns-name-prefix]
[--dns-service-ip]
[--docker-bridge-address]
[--edge-zone]
[--enable-aad]
[--enable-addons]
[--enable-ahub]
[--enable-app-routing]
[--enable-asm]
[--enable-azure-container-storage {azureDisk, elasticSan, ephemeralDisk}]
[--enable-azure-keyvault-kms]
[--enable-azure-monitor-metrics]
[--enable-azure-rbac]
[--enable-blob-driver]
[--enable-cluster-autoscaler]
[--enable-cost-analysis]
[--enable-defender]
[--enable-encryption-at-host]
[--enable-fips-image]
[--enable-high-log-scale-mode {false, true}]
[--enable-image-cleaner]
[--enable-keda]
[--enable-managed-identity]
[--enable-msi-auth-for-monitoring {false, true}]
[--enable-node-public-ip]
[--enable-oidc-issuer]
[--enable-private-cluster]
[--enable-secret-rotation]
[--enable-secure-boot]
[--enable-sgxquotehelper]
[--enable-syslog {false, true}]
[--enable-ultra-ssd]
[--enable-vpa]
[--enable-vtpm]
[--enable-windows-gmsa]
[--enable-windows-recording-rules]
[--enable-workload-identity]
[--ephemeral-disk-nvme-perf-tier {Basic, Premium, Standard}]
[--ephemeral-disk-volume-type {EphemeralVolumeOnly, PersistentVolumeWithAnnotation}]
[--fqdn-subdomain]
[--generate-ssh-keys]
[--gmsa-dns-server]
[--gmsa-root-domain-name]
[--gpu-instance-profile {MIG1g, MIG2g, MIG3g, MIG4g, MIG7g}]
[--grafana-resource-id]
[--host-group-id]
[--http-proxy-config]
[--image-cleaner-interval-hours]
[--ip-families]
[--k8s-support-plan {AKSLongTermSupport, KubernetesOfficial}]
[--ksm-metric-annotations-allow-list]
[--ksm-metric-labels-allow-list]
[--kubelet-config]
[--kubernetes-version]
[--linux-os-config]
[--load-balancer-backend-pool-type {nodeIP, nodeIPConfiguration}]
[--load-balancer-idle-timeout]
[--load-balancer-managed-outbound-ip-count]
[--load-balancer-managed-outbound-ipv6-count]
[--load-balancer-outbound-ip-prefixes]
[--load-balancer-outbound-ips]
[--load-balancer-outbound-ports]
[--load-balancer-sku {basic, standard}]
[--location]
[--max-count]
[--max-pods]
[--min-count]
[--nat-gateway-idle-timeout]
[--nat-gateway-managed-outbound-ip-count]
[--network-dataplane {azure, cilium}]
[--network-plugin {azure, kubenet, none}]
[--network-plugin-mode {overlay}]
[--network-policy]
[--no-ssh-key]
[--no-wait]
[--node-count]
[--node-os-upgrade-channel {NodeImage, None, SecurityPatch, Unmanaged}]
[--node-osdisk-diskencryptionset-id]
[--node-osdisk-size]
[--node-osdisk-type {Ephemeral, Managed}]
[--node-public-ip-prefix-id]
[--node-public-ip-tags]
[--node-resource-group]
[--node-vm-size]
[--nodepool-allowed-host-ports]
[--nodepool-asg-ids]
[--nodepool-labels]
[--nodepool-name]
[--nodepool-tags]
[--nodepool-taints]
[--os-sku {AzureLinux, CBLMariner, Mariner, Ubuntu}]
[--outbound-type {loadBalancer, managedNATGateway, userAssignedNATGateway, userDefinedRouting}]
[--pod-cidr]
[--pod-cidrs]
[--pod-subnet-id]
[--ppg]
[--private-dns-zone]
[--revision]
[--rotation-poll-interval]
[--service-cidr]
[--service-cidrs]
[--service-principal]
[--skip-subnet-role-assignment]
[--snapshot-id]
[--ssh-key-value]
[--storage-pool-name]
[--storage-pool-option {NVMe, Temp}]
[--storage-pool-size]
[--storage-pool-sku {PremiumV2_LRS, Premium_LRS, Premium_ZRS, StandardSSD_LRS, StandardSSD_ZRS, Standard_LRS, UltraSSD_LRS}]
[--tags]
[--tier {free, premium, standard}]
[--uptime-sla]
[--vm-set-type]
[--vnet-subnet-id]
[--windows-admin-password]
[--windows-admin-username]
[--workspace-resource-id]
[--yes]
[--zones]
Examples
Create a Kubernetes cluster with an existing SSH public key.
az aks create -g MyResourceGroup -n MyManagedCluster --ssh-key-value /path/to/publickey
Create a Kubernetes cluster with a specific version.
az aks create -g MyResourceGroup -n MyManagedCluster --kubernetes-version 1.16.9
Create a Kubernetes cluster with a larger node pool.
az aks create -g MyResourceGroup -n MyManagedCluster --node-count 7
Create a kubernetes cluster with default kubernetes version, default SKU load balancer (Standard) and default vm set type (VirtualMachineScaleSets).
az aks create -g MyResourceGroup -n MyManagedCluster
Create a kubernetes cluster with standard SKU load balancer and two AKS created IPs for the load balancer outbound connection usage.
az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-managed-outbound-ip-count 2
Create a kubernetes cluster with a standard SKU load balancer, with two outbound AKS managed IPs an idle flow timeout of 5 minutes and 8000 allocated ports per machine
az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-managed-outbound-ip-count 2 --load-balancer-idle-timeout 5 --load-balancer-outbound-ports 8000
Create a kubernetes cluster with standard SKU load balancer and use the provided public IPs for the load balancer outbound connection usage.
az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-outbound-ips <ip-resource-id-1,ip-resource-id-2>
Create a kubernetes cluster with standard SKU load balancer and use the provided public IP prefixes for the load balancer outbound connection usage.
az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-outbound-ip-prefixes <ip-prefix-resource-id-1,ip-prefix-resource-id-2>
Create a kubernetes cluster with a AKS managed NAT gateway, with two outbound AKS managed IPs an idle flow timeout of 4 minutes
az aks create -g MyResourceGroup -n MyManagedCluster --nat-gateway-managed-outbound-ip-count 2 --nat-gateway-idle-timeout 4 --outbound-type managedNATGateway --generate-ssh-keys
Create a kubernetes cluster with basic SKU load balancer and AvailabilitySet vm set type.
az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku basic --vm-set-type AvailabilitySet
Create a kubernetes cluster with authorized apiserver IP ranges.
az aks create -g MyResourceGroup -n MyManagedCluster --api-server-authorized-ip-ranges 193.168.1.0/24,194.168.1.0/24,195.168.1.0
Create a kubernetes cluster which enables managed identity.
az aks create -g MyResourceGroup -n MyManagedCluster --enable-managed-identity
Create a kubernetes cluster with userDefinedRouting, standard load balancer SKU and a custom subnet preconfigured with a route table
az aks create -g MyResourceGroup -n MyManagedCluster --outbound-type userDefinedRouting --load-balancer-sku standard --vnet-subnet-id customUserSubnetVnetID
Create a kubernetes cluster with supporting Windows agent pools.
az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku Standard --network-plugin azure --windows-admin-username azure --windows-admin-password 'replacePassword1234$'
Create a kubernetes cluster with supporting Windows agent pools with AHUB enabled.
az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku Standard --network-plugin azure --windows-admin-username azure --windows-admin-password 'replacePassword1234$' --enable-ahub
Create a kubernetes cluster with managed AAD enabled.
az aks create -g MyResourceGroup -n MyManagedCluster --enable-aad --aad-admin-group-object-ids <id-1,id-2> --aad-tenant-id <id>
Create a kubernetes cluster with server side encryption using your owned key.
az aks create -g MyResourceGroup -n MyManagedCluster --node-osdisk-diskencryptionset-id <disk-encryption-set-resource-id>
Create a kubernetes cluster with ephemeral OS enabled.
az aks create -g MyResourceGroup -n MyManagedCluster --node-osdisk-type Ephemeral --node-osdisk-size 48
Create a kubernetes cluster with EncryptionAtHost enabled.
az aks create -g MyResourceGroup -n MyManagedCluster --enable-encryption-at-host
Create a kubernetes cluster with UltraSSD enabled.
az aks create -g MyResourceGroup -n MyManagedCluster --enable-ultra-ssd
Create a kubernetes cluster with Azure RBAC enabled.
az aks create -g MyResourceGroup -n MyManagedCluster --enable-aad --enable-azure-rbac
Create a kubernetes cluster with custom control plane identity and kubelet identity.
az aks create -g MyResourceGroup -n MyManagedCluster --assign-identity <control-plane-identity-resource-id> --assign-kubelet-identity <kubelet-identity-resource-id>
Create a kubernetes cluster in the Edge Zone.
az aks create -g MyResourceGroup -n MyManagedCluster --location <location> --kubernetes-version 1.20.7 --edge-zone <edge-zone-name>
Create a kubernetes cluster with a specific OS SKU
az aks create -g MyResourceGroup -n MyManagedCluster --os-sku Ubuntu
Create a kubernetes cluster with custom tags
az aks create -g MyResourceGroup -n MyManagedCluster --tags "foo=bar" "baz=qux"
Create a kubernetes cluster with custom headers
az aks create -g MyResourceGroup -n MyManagedCluster --aks-custom-headers WindowsContainerRuntime=containerd
Create a kubernetes cluster with FIPS-enabled OS
az aks create -g MyResourceGroup -n MyManagedCluster --enable-fips-image
Create a kubernetes cluster with enabling Windows gmsa and with setting DNS server in the vnet used by the cluster.
az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku Standard --network-plugin azure --windows-admin-username azure --windows-admin-password 'replacePassword1234$' --enable-windows-gmsa
Create a kubernetes cluster with enabling Windows gmsa but without setting DNS server in the vnet used by the cluster.
az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku Standard --network-plugin azure --windows-admin-username azure --windows-admin-password 'replacePassword1234$' --enable-windows-gmsa --gmsa-dns-server "10.240.0.4" --gmsa-root-domain-name "contoso.com"
create a kubernetes cluster with a snapshot id.
az aks create -g MyResourceGroup -n MyManagedCluster --kubernetes-version 1.20.9 --snapshot-id "/subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.ContainerService/snapshots/mysnapshot1"
create a kubernetes cluster with support of hostgroup id.
az aks create -g MyResourceGroup -n MyMC --kubernetes-version 1.20.13 --location westus2 --host-group-id /subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.ContainerService/hostGroups/myHostGroup --node-vm-size VMSize --enable-managed-identity --assign-identity <user_assigned_identity_resource_id>
Create a kubernetes cluster with no CNI installed.
az aks create -g MyResourceGroup -n MyManagedCluster --network-plugin none
Create a kubernetes cluster with KEDA workload autoscaler enabled.
az aks create -g MyResourceGroup -n MyManagedCluster --enable-keda
Create a kubernetes cluster with the Azure Monitor managed service for Prometheus integration enabled.
az aks create -g MyResourceGroup -n MyManagedCluster --enable-azure-monitor-metrics
Create a kubernetes cluster with vertical pod autoscaler enaled.
az aks create -g MyResourceGroup -n MyManagedCluster --enable-vpa
create a kubernetes cluster with a Capacity Reservation Group(CRG) ID.
az aks create -g MyResourceGroup -n MyMC --kubernetes-version 1.20.9 --node-vm-size VMSize --assign-identity "subscriptions/SubID/resourceGroups/RGName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myID" --enable-managed-identity --crg-id "subscriptions/SubID/resourceGroups/RGName/providers/Microsoft.ContainerService/CapacityReservationGroups/MyCRGID"
Create a kubernetes cluster with Azure Service Mesh enabled.
az aks create -g MyResourceGroup -n MyManagedCluster --enable-azure-service-mesh
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Comma-separated list of aad group object IDs that will be set as cluster admin.
Option '--aad-client-app-id' has been deprecated and will be removed in a future release.
The ID of an Azure Active Directory client application of type "Native". This application is for user login via kubectl.
--aad-client-app-id is deprecated. See https://aka.ms/aks/aad-legacy for details.
Option '--aad-server-app-id' has been deprecated and will be removed in a future release.
The ID of an Azure Active Directory server application of type "Web app/API". This application represents the managed cluster's apiserver (Server application).
--aad-server-app-id is deprecated. See https://aka.ms/aks/aad-legacy for details.
Option '--aad-server-app-secret' has been deprecated and will be removed in a future release.
The secret of an Azure Active Directory server application.
--aad-server-app-secret is deprecated. See https://aka.ms/aks/aad-legacy for details.
The ID of an Azure Active Directory tenant.
The name of a subnet in an existing VNet into which to deploy the virtual nodes.
User account to create on node VMs for SSH access.
Comma-separated key-value pairs to specify custom headers.
Resource ID of Azure Monitor Private Link scope for Monitoring Addon.
Comma-separated list of authorized apiserver IP ranges. Set to 0.0.0.0/32 to restrict apiserver traffic to node pools.
Resource Id of an existing Application Gateway to use with AGIC. Use with ingress-azure addon.
Name of the application gateway to create/use in the node resource group. Use with ingress-azure addon.
Subnet CIDR to use for a new subnet created to deploy the Application Gateway. Use with ingress-azure addon.
Resource Id of an existing Subnet used to deploy the Application Gateway. Use with ingress-azure addon.
Specify the namespace, which AGIC should watch. This could be a single string value, or a comma-separated list of namespaces.
Specify an existing user assigned identity for control plane's usage in order to manage cluster resource group.
Specify an existing user assigned identity for kubelet's usage, which is typically used to pull image from ACR.
Grant the 'acrpull' role assignment to the ACR specified by name or resource ID.
Specify the upgrade channel for autoupgrade.
Identifier of Azure Key Vault key.
Network Access of Azure Key Vault.
Allowed values are "Public", "Private". If not set, defaults to type "Public". Requires --azure-keyvault-kms-key-id to be used.
Resource ID of Azure Key Vault.
Resource ID of the Azure Monitor Workspace.
Comma-separated list of key=value pairs for configuring cluster autoscaler. Pass an empty string to clear the profile.
Secret associated with the service principal. This argument is required if --service-principal
is specified.
The crg id used to associate the new cluster with the existed Capacity Reservation Group resource.
Path to JSON file containing data collection settings for Monitoring addon.
Path to JSON file containing Microsoft Defender profile configurations.
Disable AzureDisk CSI Driver.
Disable AzureFile CSI Driver.
If set to true, getting static credential will be disabled for this cluster.
Disable public fqdn feature for private cluster.
Disable Kubernetes Role-Based Access Control.
Disable CSI Snapshot Controller.
Prefix for hostnames that are created. If not specified, generate a hostname using the managed cluster and resource group names.
An IP address assigned to the Kubernetes DNS service.
This address must be within the Kubernetes service address range specified by "--service-cidr". For example, 10.0.0.10.
Option '--docker-bridge-address' has been deprecated and will be removed in a future release.
A specific IP address and netmask for the Docker bridge, using standard CIDR notation.
This address must not be in any Subnet IP ranges, or the Kubernetes service address range. For example, 172.17.0.1/16.
The name of the Edge Zone.
Enable managed AAD feature for cluster.
Enable the Kubernetes addons in a comma-separated list.
These addons are available: - http_application_routing : configure ingress with automatic public DNS name creation. - monitoring : turn on Log Analytics monitoring. Uses the Log Analytics Default Workspace if it exists, else creates one. Specify "--workspace-resource-id" to use an existing workspace. Specify "--enable-msi-auth-for-monitoring" to use Managed Identity Auth. Specify "--enable-syslog" to enable syslog data collection from nodes. Note MSI must be enabled Specify "--data-collection-settings" to configure data collection settings Specify "--ampls-resource-id" for private link. Note MSI must be enabled. Specify "--enable-high-log-scale-mode" to enable high log scale mode for container logs. Note MSI must be enabled. If monitoring addon is enabled --no-wait argument will have no effect - azure-policy : enable Azure policy. The Azure Policy add-on for AKS enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Learn more at aka.ms/aks/policy. - virtual-node : enable AKS Virtual Node. Requires --aci-subnet-name to provide the name of an existing subnet for the Virtual Node to use. aci-subnet-name must be in the same vnet which is specified by --vnet-subnet-id (required as well). - confcom : enable confcom addon, this will enable SGX device plugin by default. - open-service-mesh : enable Open Service Mesh addon. - azure-keyvault-secrets-provider : enable Azure Keyvault Secrets Provider addon.
Enable Azure Hybrid User Benefits (AHUB) for Windows VMs.
Enable Application Routing addon.
Enable Azure Service Mesh addon.
Enable azure container storage and define storage pool type.
Enable Azure KeyVault Key Management Service.
Enable a kubernetes cluster with the Azure Monitor managed service for Prometheus integration.
Enable Azure RBAC to control authorization checks on cluster.
Enable AzureBlob CSI Driver.
Enable cluster autoscaler, default value is false.
If specified, please make sure the kubernetes version is larger than 1.10.6.
Enable exporting Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. For more information see aka.ms/aks/docs/cost-analysis.
Enable Microsoft Defender security profile.
Enable EncryptionAtHost, default value is false.
Use FIPS-enabled OS on agent nodes.
Enable High Log Scale Mode for Container Logs.
Enable ImageCleaner Service.
Enable KEDA workload auto-scaler.
Using a system assigned managed identity to manage cluster resource group. You can explicitly specify "--service-principal" and "--client-secret" to disable managed identity, otherwise it will be enabled.
Enable Managed Identity Auth for Monitoring addon.
Enable VMSS node public IP.
Enable OIDC issuer.
Enable private cluster.
Enable secret rotation. Use with azure-keyvault-secrets-provider addon.
Enable Secure Boot on all node pools in the cluster. Must use VMSS agent pool type.
Enable SGX quote helper for confcom addon.
Enable syslog data collection for Monitoring addon.
Enable UltraSSD, default value is false.
Enable vertical pod autoscaler for cluster.
Enable vTPM on all node pools in the cluster. Must use VMSS agent pool type.
Enable Windows gmsa.
Enable Windows Recording Rules when enabling the Azure Monitor Metrics addon.
Enable workload identity addon.
Set ephemeral disk volume type for azure container storage.
Set ephemeral disk volume type for azure container storage.
Prefix for FQDN that is created for private cluster with custom private dns zone scenario.
Generate SSH public and private key files if missing. The keys will be stored in the ~/.ssh directory.
Specify DNS server for Windows gmsa for this cluster.
You do not need to set this if you have set DNS server in the VNET used by the cluster. You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time when setting --enable-windows-gmsa.
Specify root domain name for Windows gmsa for this cluster.
You do not need to set this if you have set DNS server in the VNET used by the cluster. You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time when setting --enable-windows-gmsa.
GPU instance profile to partition multi-gpu Nvidia GPUs.
Resource ID of the Azure Managed Grafana Workspace.
The fully qualified dedicated host group id used to provision agent node pool.
HTTP Proxy configuration for this cluster.
ImageCleaner scanning interval.
A comma-separated list of IP versions to use for cluster networking.
Each IP version should be in the format IPvN. For example, IPv4.
Choose from "KubernetesOfficial" or "AKSLongTermSupport", with "AKSLongTermSupport" you get 1 extra year of CVE patchs.
Comma-separated list of additional Kubernetes label keys that will be used in the resource' labels metric. By default the metric contains only name and namespace labels. To include additional labels provide a list of resource names in their plural form and Kubernetes label keys you would like to allow for them (e.g.'=namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...)'. A single '' can be provided per resource instead to allow any labels, but that has severe performance implications (e.g. '=pods=[]').
Comma-separated list of additional Kubernetes label keys that will be used in the resource' labels metric. By default the metric contains only name and namespace labels. To include additional labels provide a list of resource names in their plural form and Kubernetes label keys you would like to allow for them (e.g. '=namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...)'. A single '' can be provided per resource instead to allow any labels, but that has severe performance implications (e.g. '=pods=[]').
Path to JSON file containing Kubelet configurations for agent nodes. https://aka.ms/aks/custom-node-config.
Version of Kubernetes to use for creating the cluster, such as "1.16.9".
Path to JSON file containing OS configurations for Linux agent nodes. https://aka.ms/aks/custom-node-config.
Load balancer backend pool type.
Define the LoadBalancer backend pool type of managed inbound backend pool. The nodeIP means the VMs will be attached to the LoadBalancer by adding its private IP address to the backend pool. The nodeIPConfiguration means the VMs will be attached to the LoadBalancer by referencing the backend pool ID in the VM's NIC.
Load balancer idle timeout in minutes.
Desired idle timeout for load balancer outbound flows, default is 30 minutes. Please specify a value in the range of [4, 100].
Load balancer managed outbound IP count.
Desired number of managed outbound IPs for load balancer outbound connection. Valid for Standard SKU load balancer cluster only.
Load balancer managed outbound IPv6 IP count.
Desired number of managed outbound IPv6 IPs for load balancer outbound connection. Valid for dual-stack (--ip-families IPv4,IPv6) only.
Load balancer outbound IP prefix resource IDs.
Comma-separated public IP prefix resource IDs for load balancer outbound connection. Valid for Standard SKU load balancer cluster only.
Load balancer outbound IP resource IDs.
Comma-separated public IP resource IDs for load balancer outbound connection. Valid for Standard SKU load balancer cluster only.
Load balancer outbound allocated ports.
Desired static number of outbound ports per VM in the load balancer backend pool. By default, set to 0 which uses the default allocation based on the number of VMs.
Azure Load Balancer SKU selection for your cluster. basic or standard. Defaults to 'standard'.
Select between Basic or Standard Azure Load Balancer SKU for your AKS cluster.
Location. Values from: az account list-locations
. You can configure the default location using az configure --defaults location=<location>
.
Maximum nodes count used for autoscaler, when "--enable-cluster-autoscaler" specified. Please specify the value in the range of [1, 1000].
The maximum number of pods deployable to a node.
If not specified, defaults based on network-plugin. 30 for "azure", 110 for "kubenet", or 250 for "none".
Minimum nodes count used for autoscaler, when "--enable-cluster-autoscaler" specified. Please specify the value in the range of [1, 1000].
NAT gateway idle timeout in minutes.
Desired idle timeout for NAT gateway outbound flows, default is 4 minutes. Please specify a value in the range of [4, 120]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.
NAT gateway managed outbound IP count.
Desired number of managed outbound IPs for NAT gateway outbound connection. Please specify a value in the range of [1, 16]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.
The network dataplane to use.
Network dataplane used in the Kubernetes cluster. Specify "azure" to use the Azure dataplane (default) or "cilium" to enable Cilium dataplane.
The Kubernetes network plugin to use.
Specify "azure" for routable pod IPs from VNET, "kubenet" for non-routable pod IPs with an overlay network, or "none" for no networking configured. Defaults to "kubenet".
The network plugin mode to use.
Used to control the mode the network plugin should operate in. For example, "overlay" used with --network-plugin=azure will use an overlay network (non-VNET IPs) for pods in the cluster.
Network Policy Engine to use.
Azure provides three Network Policy Engines for enforcing network policies that can be used together with "azure" network plugin. The following values can be specified:
- "azure" for Azure Network Policy Manager,
- "cilium" for Azure CNI Powered by Cilium,
- "calico" for open-source network and network security solution founded by Tigera,
- "none" when no Network Policy Engine is installed (default value). Defaults to "none" (network policy disabled).
Do not use or create a local SSH key.
To access nodes after creating a cluster with this option, use the Azure Portal.
Do not wait for the long-running operation to finish.
Number of nodes in the Kubernetes node pool. After creating a cluster, you can change the size of its node pool with az aks scale
.
Manner in which the OS on your nodes is updated. It could be NodeImage, None, SecurityPatch or Unmanaged.
ResourceId of the disk encryption set to use for enabling encryption at rest on agent node os disk.
Size in GiB of the OS disk for each node in the node pool. Minimum 30 GiB.
OS disk type to be used for machines in a given agent pool: Ephemeral or Managed. Defaults to 'Ephemeral' when possible in conjunction with VM size and OS disk size. May not be changed for this pool after creation.
Public IP prefix ID used to assign public IPs to VMSS nodes.
The ipTags of the node public IPs.
The node resource group is the resource group where all customer's resources will be created in, such as virtual machines.
Size of Virtual Machines to create as Kubernetes nodes.
Expose host ports on the node pool. When specified, format should be a space-separated list of ranges with protocol, eg. 80/TCP 443/TCP 4000-5000/TCP
.
The IDs of the application security groups to which the node pool's network interface should belong. When specified, format should be a space-separated list of IDs.
The node labels for all node pool. See https://aka.ms/node-labels for syntax of labels.
Node pool name, up to 12 alphanumeric characters.
Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.
The node taints for all node pool.
The OS SKU of the agent node pool. Ubuntu or CBLMariner.
How outbound traffic will be configured for a cluster.
Select between loadBalancer, userDefinedRouting, managedNATGateway and userAssignedNATGateway. If not set, defaults to type loadBalancer. Requires --vnet-subnet-id to be provided with a preconfigured route table and --load-balancer-sku to be Standard.
A CIDR notation IP range from which to assign pod IPs when kubenet is used.
This range must not overlap with any Subnet IP ranges. For example, 172.244.0.0/16.
A comma-separated list of CIDR notation IP ranges from which to assign pod IPs when kubenet is used.
Each range must not overlap with any Subnet IP ranges. For example, "172.244.0.0/16,fd0:abcd::/64".
The ID of a subnet in an existing VNet into which to assign pods in the cluster (requires azure network-plugin).
The ID of a PPG.
Private dns zone mode for private cluster.
Allowed values are "system", "none" or custom private dns zone resource id. If not set, defaults to type system. Requires --enable-private-cluster to be used.
Azure Service Mesh revision to install.
Set interval of rotation poll. Use with azure-keyvault-secrets-provider addon.
A CIDR notation IP range from which to assign service cluster IPs.
This range must not overlap with any Subnet IP ranges. For example, 10.0.0.0/16.
A comma-separated list of CIDR notation IP ranges from which to assign service cluster IPs.
Each range must not overlap with any Subnet IP ranges. For example, "10.0.0.0/16,2001:abcd::/108".
Service principal used for authentication to Azure APIs.
Skip role assignment for subnet (advanced networking).
If specified, please make sure your service principal has the access to your subnet.
The source snapshot id used to create this cluster.
Public key path or key contents to install on node VMs for SSH access. For example, 'ssh-rsa AAAAB...snip...UcyupgH azureuser@linuxvm'.
Set storage pool name for azure container storage.
Set ephemeral disk storage pool option for azure container storage.
Set storage pool size for azure container storage.
Set azure disk type storage pool sku for azure container storage.
The tags of the managed cluster. The managed cluster instance and all resources managed by the cloud provider will be tagged.
Specify SKU tier for managed clusters. '--tier standard' enables a standard managed cluster service with a financially backed SLA. '--tier free' does not have a financially backed SLA.
Option '--uptime-sla' has been deprecated and will be removed in a future release.
--uptime-sla is deprecated. Please use '--tier standard' instead.
Agent pool vm set type. VirtualMachineScaleSets or AvailabilitySet. Defaults to 'VirtualMachineScaleSets'.
The ID of a subnet in an existing VNet into which to deploy the cluster.
User account password to use on windows node VMs.
Rules for windows-admin-password: - Minimum-length: 14 characters - Max-length: 123 characters - Complexity requirements: 3 out of 4 conditions below need to be fulfilled * Has lower characters * Has upper characters * Has a digit * Has a special character (Regex match [\W_]) - Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!" Reference: https://docs.microsoft.com/dotnet/api/microsoft.azure.management.compute.models.virtualmachinescalesetosprofile.adminpassword?view=azure-dotnet.
User account to create on windows node VMs.
Rules for windows-admin-username: - restriction: Cannot end in "." - Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5". - Minimum-length: 1 character - Max-length: 20 characters Reference: https://docs.microsoft.com/dotnet/api/microsoft.azure.management.compute.models.virtualmachinescalesetosprofile.adminusername?view=azure-dotnet.
The resource ID of an existing Log Analytics Workspace to use for storing monitoring data. If not specified, uses the default Log Analytics Workspace if it exists, otherwise creates one.
Do not prompt for confirmation.
Availability zones where agent nodes will be placed. Also, to install agent nodes to more than one zones you need to pass zone numbers (1,2 or 3) separated by blanks. For example - To have all 3 zones, you are expected to enter --zones 1 2 3
.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks create (aks-preview extension)
Create a new managed Kubernetes cluster.
az aks create --name
--resource-group
[--aad-admin-group-object-ids]
[--aad-tenant-id]
[--aci-subnet-name]
[--admin-username]
[--aks-custom-headers]
[--ampls-resource-id]
[--api-server-authorized-ip-ranges]
[--apiserver-subnet-id]
[--app-routing-default-nginx-controller {AnnotationControlled, External, Internal, None}]
[--appgw-id]
[--appgw-name]
[--appgw-subnet-cidr]
[--appgw-subnet-id]
[--appgw-watch-namespace]
[--assign-identity]
[--assign-kubelet-identity]
[--attach-acr]
[--auto-upgrade-channel {node-image, none, patch, rapid, stable}]
[--azure-keyvault-kms-key-id]
[--azure-keyvault-kms-key-vault-network-access {Private, Public}]
[--azure-keyvault-kms-key-vault-resource-id]
[--azure-monitor-workspace-resource-id]
[--bootstrap-artifact-source {Cache, Direct}]
[--bootstrap-container-registry-resource-id]
[--ca-certs]
[--ca-profile]
[--client-secret]
[--cluster-service-load-balancer-health-probe-mode {Servicenodeport, Shared}]
[--cluster-snapshot-id]
[--crg-id]
[--data-collection-settings]
[--defender-config]
[--disable-acns-observability]
[--disable-acns-security]
[--disable-disk-driver]
[--disable-file-driver]
[--disable-local-accounts]
[--disable-public-fqdn]
[--disable-rbac]
[--disable-snapshot-controller]
[--disk-driver-version {v1, v2}]
[--dns-name-prefix]
[--dns-service-ip]
[--dns-zone-resource-id]
[--dns-zone-resource-ids]
[--docker-bridge-address]
[--edge-zone]
[--enable-aad]
[--enable-acns]
[--enable-addon-autoscaling]
[--enable-addons]
[--enable-ahub]
[--enable-ai-toolchain-operator]
[--enable-apiserver-vnet-integration]
[--enable-app-routing]
[--enable-asm]
[--enable-azure-container-storage {azureDisk, elasticSan, ephemeralDisk}]
[--enable-azure-keyvault-kms]
[--enable-azure-monitor-app-monitoring]
[--enable-azure-monitor-metrics]
[--enable-azure-rbac]
[--enable-azuremonitormetrics]
[--enable-blob-driver]
[--enable-cilium-dataplane]
[--enable-cluster-autoscaler]
[--enable-cost-analysis]
[--enable-custom-ca-trust]
[--enable-defender]
[--enable-encryption-at-host]
[--enable-fips-image]
[--enable-high-log-scale-mode {false, true}]
[--enable-image-cleaner]
[--enable-image-integrity]
[--enable-imds-restriction]
[--enable-keda]
[--enable-managed-identity]
[--enable-msi-auth-for-monitoring {false, true}]
[--enable-node-public-ip]
[--enable-oidc-issuer]
[--enable-pod-identity]
[--enable-pod-identity-with-kubenet]
[--enable-pod-security-policy]
[--enable-private-cluster]
[--enable-secret-rotation]
[--enable-secure-boot]
[--enable-sgxquotehelper]
[--enable-static-egress-gateway]
[--enable-syslog {false, true}]
[--enable-ultra-ssd]
[--enable-vpa]
[--enable-vtpm]
[--enable-windows-gmsa]
[--enable-windows-recording-rules]
[--enable-workload-identity]
[--ephemeral-disk-nvme-perf-tier {Basic, Premium, Standard}]
[--ephemeral-disk-volume-type {EphemeralVolumeOnly, PersistentVolumeWithAnnotation}]
[--fqdn-subdomain]
[--generate-ssh-keys]
[--gmsa-dns-server]
[--gmsa-root-domain-name]
[--gpu-instance-profile {MIG1g, MIG2g, MIG3g, MIG4g, MIG7g}]
[--grafana-resource-id]
[--host-group-id]
[--http-proxy-config]
[--if-match]
[--if-none-match]
[--image-cleaner-interval-hours]
[--ip-families]
[--k8s-support-plan {AKSLongTermSupport, KubernetesOfficial}]
[--ksm-metric-annotations-allow-list]
[--ksm-metric-labels-allow-list]
[--kube-proxy-config]
[--kubelet-config]
[--kubernetes-version]
[--linux-os-config]
[--load-balancer-backend-pool-type]
[--load-balancer-idle-timeout]
[--load-balancer-managed-outbound-ip-count]
[--load-balancer-managed-outbound-ipv6-count]
[--load-balancer-outbound-ip-prefixes]
[--load-balancer-outbound-ips]
[--load-balancer-outbound-ports]
[--load-balancer-sku {basic, standard}]
[--location]
[--max-count]
[--max-pods]
[--message-of-the-day]
[--min-count]
[--nat-gateway-idle-timeout]
[--nat-gateway-managed-outbound-ip-count]
[--network-dataplane {azure, cilium}]
[--network-plugin {azure, kubenet, none}]
[--network-plugin-mode {overlay}]
[--network-policy]
[--no-ssh-key]
[--no-wait]
[--node-count]
[--node-init-taints]
[--node-os-upgrade-channel {NodeImage, None, SecurityPatch, Unmanaged}]
[--node-osdisk-diskencryptionset-id]
[--node-osdisk-size]
[--node-osdisk-type {Ephemeral, Managed}]
[--node-provisioning-mode {Auto, Manual}]
[--node-public-ip-prefix-id]
[--node-public-ip-tags]
[--node-resource-group]
[--node-vm-size]
[--nodepool-allowed-host-ports]
[--nodepool-asg-ids]
[--nodepool-labels]
[--nodepool-name]
[--nodepool-tags]
[--nodepool-taints]
[--nrg-lockdown-restriction-level {ReadOnly, Unrestricted}]
[--os-sku {AzureLinux, CBLMariner, Mariner, Ubuntu}]
[--outbound-type {block, loadBalancer, managedNATGateway, none, userAssignedNATGateway, userDefinedRouting}]
[--pod-cidr]
[--pod-cidrs]
[--pod-ip-allocation-mode {DynamicIndividual, StaticBlock}]
[--pod-subnet-id]
[--ppg]
[--private-dns-zone]
[--revision]
[--rotation-poll-interval]
[--safeguards-excluded-ns]
[--safeguards-level {Enforcement, Off, Warning}]
[--safeguards-version]
[--service-cidr]
[--service-cidrs]
[--service-principal]
[--skip-subnet-role-assignment]
[--sku {automatic, base}]
[--snapshot-id]
[--ssh-access {disabled, localuser}]
[--ssh-key-value]
[--storage-pool-name]
[--storage-pool-option {NVMe, Temp}]
[--storage-pool-size]
[--storage-pool-sku {PremiumV2_LRS, Premium_LRS, Premium_ZRS, StandardSSD_LRS, StandardSSD_ZRS, Standard_LRS, UltraSSD_LRS}]
[--tags]
[--tier {free, premium, standard}]
[--vm-set-type]
[--vm-sizes]
[--vnet-subnet-id]
[--windows-admin-password]
[--windows-admin-username]
[--workload-runtime {KataCcIsolation, KataMshvVmIsolation, OCIContainer, WasmWasi}]
[--workspace-resource-id]
[--yes]
[--zones]
Examples
Create a Kubernetes cluster with an existing SSH public key.
az aks create -g MyResourceGroup -n MyManagedCluster --ssh-key-value /path/to/publickey
Create a Kubernetes cluster with a specific version.
az aks create -g MyResourceGroup -n MyManagedCluster --kubernetes-version 1.13.9
Create a Kubernetes cluster with a larger node pool.
az aks create -g MyResourceGroup -n MyManagedCluster --node-count 7
Create a kubernetes cluster with cluster autosclaler enabled.
az aks create -g MyResourceGroup -n MyManagedCluster --kubernetes-version 1.13.9 --node-count 3 --enable-cluster-autoscaler --min-count 1 --max-count 5
Create a kubernetes cluster with k8s 1.13.9 but use vmas.
az aks create -g MyResourceGroup -n MyManagedCluster --kubernetes-version 1.13.9 --vm-set-type AvailabilitySet
Create a kubernetes cluster with default kubernetes vesrion, default SKU load balancer(standard) and default vm set type(VirtualMachineScaleSets).
az aks create -g MyResourceGroup -n MyManagedCluster
Create a kubernetes cluster with standard SKU load balancer and two AKS created IPs for the load balancer outbound connection usage.
az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-managed-outbound-ip-count 2
Create a kubernetes cluster with standard SKU load balancer and use the provided public IPs for the load balancer outbound connection usage.
az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-outbound-ips <ip-resource-id-1,ip-resource-id-2>
Create a kubernetes cluster with standard SKU load balancer and use the provided public IP prefixes for the load balancer outbound connection usage.
az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-outbound-ip-prefixes <ip-prefix-resource-id-1,ip-prefix-resource-id-2>
Create a kubernetes cluster with a standard SKU load balancer, with two outbound AKS managed IPs an idle flow timeout of 5 minutes and 8000 allocated ports per machine
az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-managed-outbound-ip-count 2 --load-balancer-idle-timeout 5 --load-balancer-outbound-ports 8000
Create a kubernetes cluster with a AKS managed NAT gateway, with two outbound AKS managed IPs an idle flow timeout of 4 minutes
az aks create -g MyResourceGroup -n MyManagedCluster --nat-gateway-managed-outbound-ip-count 2 --nat-gateway-idle-timeout 4
Create a kubernetes cluster with basic SKU load balancer and AvailabilitySet vm set type.
az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku basic --vm-set-type AvailabilitySet
Create a kubernetes cluster with authorized apiserver IP ranges.
az aks create -g MyResourceGroup -n MyManagedCluster --api-server-authorized-ip-ranges 193.168.1.0/24,194.168.1.0/24,195.168.1.0
Create a kubernetes cluster with server side encryption using your owned key.
az aks create -g MyResourceGroup -n MyManagedCluster --node-osdisk-diskencryptionset-id <disk-encryption-set-resource-id>
Create a kubernetes cluster with userDefinedRouting, standard load balancer SKU and a custom subnet preconfigured with a route table
az aks create -g MyResourceGroup -n MyManagedCluster --outbound-type userDefinedRouting --load-balancer-sku standard --vnet-subnet-id customUserSubnetVnetID
Create a kubernetes cluster with supporting Windows agent pools with AHUB enabled.
az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku Standard --network-plugin azure --windows-admin-username azure --windows-admin-password 'replacePassword1234$' --enable-ahub
Create a kubernetes cluster with managed AAD enabled.
az aks create -g MyResourceGroup -n MyManagedCluster --enable-aad --aad-admin-group-object-ids <id-1,id-2> --aad-tenant-id <id>
Create a kubernetes cluster with ephemeral os enabled.
az aks create -g MyResourceGroup -n MyManagedCluster --node-osdisk-type Ephemeral --node-osdisk-size 48
Create a kubernetes cluster with custom tags
az aks create -g MyResourceGroup -n MyManagedCluster --tags "foo=bar" "baz=qux"
Create a kubernetes cluster with EncryptionAtHost enabled.
az aks create -g MyResourceGroup -n MyManagedCluster --enable-encryption-at-host
Create a kubernetes cluster with UltraSSD enabled.
az aks create -g MyResourceGroup -n MyManagedCluster --enable-ultra-ssd
Create a kubernetes cluster with custom control plane identity and kubelet identity.
az aks create -g MyResourceGroup -n MyManagedCluster --assign-identity <control-plane-identity-resource-id> --assign-kubelet-identity <kubelet-identity-resource-id>
Create a kubernetes cluster with Azure RBAC enabled.
az aks create -g MyResourceGroup -n MyManagedCluster --enable-aad --enable-azure-rbac
Create a kubernetes cluster with a specific os-sku
az aks create -g MyResourceGroup -n MyManagedCluster --os-sku Ubuntu
Create a kubernetes cluster with enabling Windows gmsa and with setting DNS server in the vnet used by the cluster.
az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku Standard --network-plugin azure --windows-admin-username azure --windows-admin-password 'replacePassword1234$' --enable-windows-gmsa
Create a kubernetes cluster with enabling Windows gmsa but without setting DNS server in the vnet used by the cluster.
az aks create -g MyResourceGroup -n MyManagedCluster --load-balancer-sku Standard --network-plugin azure --windows-admin-username azure --windows-admin-password 'replacePassword1234$' --enable-windows-gmsa --gmsa-dns-server "10.240.0.4" --gmsa-root-domain-name "contoso.com"
create a kubernetes cluster with a nodepool snapshot id.
az aks create -g MyResourceGroup -n MyManagedCluster --kubernetes-version 1.20.9 --snapshot-id "/subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.ContainerService/snapshots/mysnapshot1"
create a kubernetes cluster with a cluster snapshot id.
az aks create -g MyResourceGroup -n MyManagedCluster --cluster-snapshot-id "/subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.ContainerService/managedclustersnapshots/mysnapshot1"
create a kubernetes cluster with a Capacity Reservation Group(CRG) ID.
az aks create -g MyResourceGroup -n MyMC --kubernetes-version 1.20.9 --node-vm-size VMSize --assign-identity CRG-RG-ID --enable-managed-identity --crg-id "subscriptions/SubID/resourceGroups/RGName/providers/Microsoft.ContainerService/CapacityReservationGroups/MyCRGID"
create a kubernetes cluster with support of hostgroup id.
az aks create -g MyResourceGroup -n MyMC --kubernetes-version 1.20.13 --location westus2 --host-group-id /subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.ContainerService/hostGroups/myHostGroup --node-vm-size VMSize --enable-managed-identity --assign-identity <user_assigned_identity_resource_id>
Create a kubernetes cluster with no CNI installed.
az aks create -g MyResourceGroup -n MyManagedCluster --network-plugin none
Create a kubernetes cluster with Custom CA Trust enabled.
az aks create -g MyResourceGroup -n MyManagedCluster --enable-custom-ca-trust
Create a kubernetes cluster with safeguards set to "Warning"
az aks create -g MyResourceGroup -n MyManagedCluster --safeguards-level Warning --enable-addons azure-policy
Create a kubernetes cluster with safeguards set to "Warning" and some namespaces excluded
az aks create -g MyResourceGroup -n MyManagedCluster --safeguards-level Warning --safeguards-excluded-ns ns1,ns2 --enable-addons azure-policy
Create a kubernetes cluster with Azure Service Mesh enabled.
az aks create -g MyResourceGroup -n MyManagedCluster --enable-azure-service-mesh
Create a kubernetes cluster with Azure Monitor Metrics enabled.
az aks create -g MyResourceGroup -n MyManagedCluster --enable-azuremonitormetrics
Create a kubernetes cluster with Azure Monitor App Monitoring enabled
az aks create -g MyResourceGroup -n MyManagedCluster --enable-azure-monitor-app-monitoring
Create a kubernetes cluster with a nodepool having ip allocation mode set to "StaticBlock"
az aks create -g MyResourceGroup -n MyManagedCluster --os-sku Ubuntu --max-pods MaxPodsPerNode --network-plugin azure --vnet-subnet-id /subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.Network/virtualNetworks/MyVnet/subnets/NodeSubnet --pod-subnet-id /subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.Network/virtualNetworks/MyVnet/subnets/PodSubnet --pod-ip-allocation-mode StaticBlock
Create a kubernetes cluster with a VirtualMachines nodepool
az aks create -g MyResourceGroup -n MyManagedCluster --vm-set-type VirtualMachines --vm-sizes "VMSize1,VMSize2" --node-count 3
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Comma-separated list of aad group object IDs that will be set as cluster admin.
The ID of an Azure Active Directory tenant.
The name of a subnet in an existing VNet into which to deploy the virtual nodes.
User account to create on node VMs for SSH access.
Send custom headers. When specified, format should be Key1=Value1,Key2=Value2.
Resource ID of Azure Monitor Private Link scope for Monitoring Addon.
Comma-separated list of authorized apiserver IP ranges. Set to 0.0.0.0/32 to restrict apiserver traffic to node pools.
The ID of a subnet in an existing VNet into which to assign control plane apiserver pods(requires --enable-apiserver-vnet-integration).
Configure default nginx ingress controller type. Valid values are annotationControlled (default behavior), external, internal, or none.
Resource Id of an existing Application Gateway to use with AGIC. Use with ingress-azure addon.
Name of the application gateway to create/use in the node resource group. Use with ingress-azure addon.
Subnet CIDR to use for a new subnet created to deploy the Application Gateway. Use with ingress-azure addon.
Resource Id of an existing Subnet used to deploy the Application Gateway. Use with ingress-azure addon.
Specify the namespace, which AGIC should watch. This could be a single string value, or a comma-separated list of namespaces.
Specify an existing user assigned identity to manage cluster resource group.
Specify an existing user assigned identity for kubelet's usage, which is typically used to pull image from ACR.
Grant the 'acrpull' role assignment to the ACR specified by name or resource ID.
Specify the upgrade channel for autoupgrade. It could be rapid, stable, patch, node-image or none, none means disable autoupgrade.
Identifier of Azure Key Vault key.
Network Access of Azure Key Vault.
Allowed values are "Public", "Private". If not set, defaults to type "Public". Requires --azure-keyvault-kms-key-id to be used.
Resource ID of Azure Key Vault.
Resource ID of the Azure Monitor Workspace.
Configure artifact source when bootstraping the cluster.
The artifacts include the addon image. Use "Direct" to download artifacts from MCR, "Cache" to downalod artifacts from Azure Container Registry.
Configure container registry resource ID. Must use "Cache" as bootstrap artifact source.
Path to a file containing up to 10 blank line separated certificates. Only valid for linux nodes.
These certificates are used by Custom CA Trust features and will be added to trust stores of nodes. Requires Custom CA Trust to be enabled on the node.
Space-separated list of key=value pairs for configuring cluster autoscaler. Pass an empty string to clear the profile.
Secret associated with the service principal. This argument is required if --service-principal
is specified.
Set the cluster service health probe mode.
Set the cluster service health probe mode. Default is "Servicenodeport".
The source cluster snapshot id is used to create new cluster.
The crg-id used to associate the new cluster with the existed Capacity Reservation Group resource.
Path to JSON file containing data collection settings for Monitoring addon.
Path to JSON file containing Microsoft Defender profile configurations.
Used to disable advanced networking observability features on a clusters when enabling advanced networking features with "--enable-acns".
Used to disable advanced networking security features on a clusters when enabling advanced networking features with "--enable-acns".
Disable AzureDisk CSI Driver.
Disable AzureFile CSI Driver.
(Preview) If set to true, getting static credential will be disabled for this cluster.
Disable public fqdn feature for private cluster.
Disable Kubernetes Role-Based Access Control.
Disable CSI Snapshot Controller.
Specify AzureDisk CSI Driver version.
Prefix for hostnames that are created. If not specified, generate a hostname using the managed cluster and resource group names.
An IP address assigned to the Kubernetes DNS service.
This address must be within the Kubernetes service address range specified by "--service-cidr". For example, 10.0.0.10.
Option '--dns-zone-resource-id' has been deprecated and will be removed in a future release. Use '--dns-zone-resource-ids' instead.
The resource ID of the DNS zone resource to use with the web_application_routing addon.
A comma separated list of resource IDs of the DNS zone resource to use with the web_application_routing addon.
Option '--docker-bridge-address' has been deprecated and will be removed in a future release.
A specific IP address and netmask for the Docker bridge, using standard CIDR notation.
This address must not be in any Subnet IP ranges, or the Kubernetes service address range. For example, 172.17.0.1/16.
The name of edge zone.
Enable managed AAD feature for cluster.
Enable advanced network functionalities on a cluster. Enabling this will incur additional costs. For non-cilium clusters, acns security will be disabled by default until further notice.
Enable addon autoscaling for cluster.
Enable the Kubernetes addons in a comma-separated list.
These addons are available:
- http_application_routing : configure ingress with automatic public DNS name creation.
- monitoring : turn on Log Analytics monitoring. Uses the Log Analytics Default Workspace if it exists, else creates one. Specify "--workspace-resource-id" to use an existing workspace. If monitoring addon is enabled --no-wait argument will have no effect
- virtual-node : enable AKS Virtual Node. Requires --aci-subnet-name to provide the name of an existing subnet for the Virtual Node to use. aci-subnet-name must be in the same vnet which is specified by --vnet-subnet-id (required as well).
- azure-policy : enable Azure policy. The Azure Policy add-on for AKS enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Required if enabling deployment safeguards. Learn more at aka.ms/aks/policy.
- ingress-appgw : enable Application Gateway Ingress Controller addon (PREVIEW).
- confcom : enable confcom addon, this will enable SGX device plugin by default(PREVIEW).
- open-service-mesh : enable Open Service Mesh addon (PREVIEW).
- gitops : enable GitOps (PREVIEW).
- azure-keyvault-secrets-provider : enable Azure Keyvault Secrets Provider addon.
- web_application_routing : enable Web Application Routing addon (PREVIEW). Specify "--dns-zone-resource-id" to configure DNS.
Enable Azure Hybrid User Benefits (AHUB) for Windows VMs.
Enable AI toolchain operator to the cluster.
Enable integration of user vnet with control plane apiserver pods.
Enable Application Routing addon.
Enable Azure Service Mesh.
Enable azure container storage and define storage pool type.
Enable Azure KeyVault Key Management Service.
Enable Azure Monitor Application Monitoring.
Enable Azure Monitor Metrics Profile.
Enable Azure RBAC to control authorization checks on cluster.
Option '--enable-azuremonitormetrics' has been deprecated and will be removed in a future release. Use '--enable-azure-monitor-metrics' instead.
Enable Azure Monitor Metrics Profile.
Enable AzureBlob CSI Driver.
Option '--enable-cilium-dataplane' has been deprecated and will be removed in a future release. Use '--network-dataplane' instead.
Use Cilium as the networking dataplane for the Kubernetes cluster.
Used together with the "azure" network plugin. Requires either --pod-subnet-id or --network-plugin-mode=overlay. This flag is deprecated in favor of --network-dataplane=cilium.
Enable cluster autoscaler, default value is false.
If specified, please make sure the kubernetes version is larger than 1.10.6.
Enable exporting Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. For more information see aka.ms/aks/docs/cost-analysis.
Enable Custom CA Trust on agent node pool.
Enable Microsoft Defender security profile.
Enable EncryptionAtHost on agent node pool.
Use FIPS-enabled OS on agent nodes.
Enable High Log Scale Mode for Container Logs.
Enable ImageCleaner Service.
Enable ImageIntegrity Service.
Enable IMDS restriction in the cluster. Non-hostNetwork Pods will not be able to access IMDS.
Enable KEDA workload auto-scaler.
Using managed identity to manage cluster resource group. You can explicitly specify "--service-principal" and "--client-secret" to disable managed identity, otherwise it will be enabled.
Send monitoring data to Log Analytics using the cluster's assigned identity (instead of the Log Analytics Workspace's shared key).
Enable VMSS node public IP.
Enable OIDC issuer.
(PREVIEW) Enable pod identity addon.
(PREVIEW) Enable pod identity addon for cluster using Kubnet network plugin.
Option '--enable-pod-security-policy' has been deprecated and will be removed in a future release.
Enable pod security policy.
--enable-pod-security-policy is deprecated. See https://aka.ms/aks/psp for details.
Enable private cluster.
Enable secret rotation. Use with azure-keyvault-secrets-provider addon.
Enable Secure Boot on all node pools in the cluster. Must use VMSS agent pool type.
Enable SGX quote helper for confcom addon.
Enable Static Egress Gateway addon to the cluster.
Enable syslog data collection for Monitoring addon.
Enable UltraSSD on agent node pool.
Enable vertical pod autoscaler for cluster.
Enable vTPM on all node pools in the cluster. Must use VMSS agent pool type.
Enable Windows gmsa.
Enable Windows Recording Rules when enabling the Azure Monitor Metrics addon.
(PREVIEW) Enable workload identity addon.
Set ephemeral disk volume type for azure container storage.
Set ephemeral disk volume type for azure container storage.
Prefix for FQDN that is created for private cluster with custom private dns zone scenario.
Generate SSH public and private key files if missing.
Specify DNS server for Windows gmsa for this cluster.
You do not need to set this if you have set DNS server in the VNET used by the cluster. You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time when setting --enable-windows-gmsa.
Specify root domain name for Windows gmsa for this cluster.
You do not need to set this if you have set DNS server in the VNET used by the cluster. You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time when setting --enable-windows-gmsa.
GPU instance profile to partition multi-gpu Nvidia GPUs.
Resource ID of the Azure Managed Grafana Workspace.
(PREVIEW) The fully qualified dedicated host group id used to provision agent node pool.
Http Proxy configuration for this cluster.
The value provided will be compared to the ETag of the managed cluster, if it matches the operation will proceed. If it does not match, the request will be rejected to prevent accidental overwrites. This must not be specified when creating a new cluster.
Set to '*' to allow a new cluster to be created, but to prevent updating an existing cluster. Other values will be ignored.
ImageCleaner scanning interval.
A comma separated list of IP versions to use for cluster networking.
Each IP version should be in the format IPvN. For example, IPv4.
Choose from "KubernetesOfficial" or "AKSLongTermSupport", with "AKSLongTermSupport" you get 1 extra year of CVE patchs.
Comma-separated list of additional Kubernetes label keys that will be used in the resource' labels metric. By default the metric contains only name and namespace labels. To include additional labels provide a list of resource names in their plural form and Kubernetes label keys you would like to allow for them (e.g.'=namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...)'. A single '' can be provided per resource instead to allow any labels, but that has severe performance implications (e.g. '=pods=[]').
Comma-separated list of additional Kubernetes label keys that will be used in the resource' labels metric. By default the metric contains only name and namespace labels. To include additional labels provide a list of resource names in their plural form and Kubernetes label keys you would like to allow for them (e.g. '=namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...)'. A single '' can be provided per resource instead to allow any labels, but that has severe performance implications (e.g. '=pods=[]').
Kube-proxy configuration for this cluster.
Kubelet configurations for agent nodes.
Version of Kubernetes to use for creating the cluster, such as "1.7.12" or "1.8.7".
OS configurations for Linux agent nodes.
Load balancer backend pool type.
Load balancer backend pool type, supported values are nodeIP and nodeIPConfiguration.
Load balancer idle timeout in minutes.
Desired idle timeout for load balancer outbound flows, default is 30 minutes. Please specify a value in the range of [4, 100].
Load balancer managed outbound IP count.
Desired number of managed outbound IPs for load balancer outbound connection. Valid for Standard SKU load balancer cluster only.
Load balancer managed outbound IPv6 IP count.
Desired number of managed outbound IPv6 IPs for load balancer outbound connection. Valid for dual-stack (--ip-families IPv4,IPv6) only.
Load balancer outbound IP prefix resource IDs.
Comma-separated public IP prefix resource IDs for load balancer outbound connection. Valid for Standard SKU load balancer cluster only.
Load balancer outbound IP resource IDs.
Comma-separated public IP resource IDs for load balancer outbound connection. Valid for Standard SKU load balancer cluster only.
Load balancer outbound allocated ports.
Desired static number of outbound ports per VM in the load balancer backend pool. By default, set to 0 which uses the default allocation based on the number of VMs. Please specify a value in the range of [0, 64000] that is a multiple of 8.
Azure Load Balancer SKU selection for your cluster. basic or standard.
Select between Basic or Standard Azure Load Balancer SKU for your AKS cluster.
Location. Values from: az account list-locations
. You can configure the default location using az configure --defaults location=<location>
.
Maximum nodes count used for autoscaler, when "--enable-cluster-autoscaler" specified. Please specify the value in the range of [1, 1000].
The maximum number of pods deployable to a node.
If not specified, defaults based on network-plugin. 30 for "azure", 110 for "kubenet", or 250 for "none".
Path to a file containing the desired message of the day. Only valid for linux nodes. Will be written to /etc/motd.
Minimun nodes count used for autoscaler, when "--enable-cluster-autoscaler" specified. Please specify the value in the range of [1, 1000].
NAT gateway idle timeout in minutes.
Desired idle timeout for NAT gateway outbound flows, default is 4 minutes. Please specify a value in the range of [4, 120]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.
NAT gateway managed outbound IP count.
Desired number of managed outbound IPs for NAT gateway outbound connection. Please specify a value in the range of [1, 16]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.
The network dataplane to use.
Network dataplane used in the Kubernetes cluster. Specify "azure" to use the Azure dataplane (default) or "cilium" to enable Cilium dataplane.
The Kubernetes network plugin to use.
Specify "azure" for routable pod IPs from VNET, "kubenet" for non-routable pod IPs with an overlay network, or "none" for no networking configured.
The network plugin mode to use.
Used to control the mode the network plugin should operate in. For example, "overlay" used with --network-plugin=azure will use an overlay network (non-VNET IPs) for pods in the cluster.
(PREVIEW) The Kubernetes network policy to use.
Using together with "azure" network plugin. Specify "azure" for Azure network policy manager, "calico" for calico network policy controller, "cilium" for Azure CNI Overlay powered by Cilium. Defaults to "" (network policy disabled).
Do not use or create a local SSH key.
To access nodes after creating a cluster with this option, use the Azure Portal.
Do not wait for the long-running operation to finish.
Number of nodes in the Kubernetes node pool. It is required when --enable-cluster-autoscaler specified. After creating a cluster, you can change the size of its node pool with az aks scale
.
The node initialization taints for node pools created with aks create operation.
Manner in which the OS on your nodes is updated. It could be NodeImage, None, SecurityPatch or Unmanaged.
ResourceId of the disk encryption set to use for enabling encryption at rest on agent node os disk.
Size in GiB of the OS disk for each node in the node pool. Minimum 30 GiB.
OS disk type to be used for machines in a given agent pool. Defaults to 'Ephemeral' when possible in conjunction with VM size and OS disk size. May not be changed for this pool after creation. ('Ephemeral' or 'Managed').
Set the node provisioning mode of the cluster. Valid values are "Auto" and "Manual". For more information on "Auto" mode see aka.ms/aks/nap.
Public IP prefix ID used to assign public IPs to VMSS nodes.
The ipTags of the node public IPs.
The node resource group is the resource group where all customer's resources will be created in, such as virtual machines.
Size of Virtual Machines to create as Kubernetes nodes.
Expose host ports on the node pool. When specified, format should be a comma-separated list of ranges with protocol, eg. 80/TCP,443/TCP,4000-5000/TCP.
The IDs of the application security groups to which the node pool's network interface should belong. When specified, format should be a comma-separated list of IDs.
The node labels for all node pools in this cluster. See https://aka.ms/node-labels for syntax of labels.
Node pool name, upto 12 alphanumeric characters.
Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.
The node taints for all node pools in this cluster.
Restriction level on the managed node resource group.
The restriction level of permissions allowed on the cluster's managed node resource group, supported values are Unrestricted, and ReadOnly (recommended ReadOnly).
The os-sku of the agent node pool. Ubuntu or CBLMariner.
How outbound traffic will be configured for a cluster.
Select between loadBalancer, userDefinedRouting, managedNATGateway, userAssignedNATGateway, none and block. If not set, defaults to type loadBalancer. Requires --vnet-subnet-id to be provided with a preconfigured route table and --load-balancer-sku to be Standard.
A CIDR notation IP range from which to assign pod IPs when kubenet is used.
This range must not overlap with any Subnet IP ranges. For example, 172.244.0.0/16.
A comma separated list of CIDR notation IP ranges from which to assign pod IPs when kubenet is used.
Each range must not overlap with any Subnet IP ranges. For example, 172.244.0.0/16.
Set the ip allocation mode for how Pod IPs from the Azure Pod Subnet are allocated to the nodes in the AKS cluster. The choice is between dynamic batches of individual IPs or static allocation of a set of CIDR blocks. Accepted Values are "DynamicIndividual" or "StaticBlock".
Used together with the "azure" network plugin. Requires --pod-subnet-id.
The ID of a subnet in an existing VNet into which to assign pods in the cluster (requires azure network-plugin).
The ID of a PPG.
Private dns zone mode for private cluster. "none" mode is in preview.
Allowed values are "system", "none" (Preview) or your custom private dns zone resource id. If not set, defaults to type system. Requires --enable-private-cluster to be used.
Azure Service Mesh revision to install.
Set interval of rotation poll. Use with azure-keyvault-secrets-provider addon.
Comma-separated list of Kubernetes namespaces to exclude from deployment safeguards.
The deployment safeguards Level. Accepted Values are [Off, Warning, Enforcement]. Requires azure policy addon to be enabled.
The version of deployment safeguards to use. Default "v1.0.0" Use the ListSafeguardsVersions API to discover available versions.
A CIDR notation IP range from which to assign service cluster IPs.
This range must not overlap with any Subnet IP ranges. For example, 10.0.0.0/16.
A comma separated list of CIDR notation IP ranges from which to assign service cluster IPs.
Each range must not overlap with any Subnet IP ranges. For example, 10.0.0.0/16.
Service principal used for authentication to Azure APIs.
If not specified, a new service principal is created and cached at $HOME.azure\aksServicePrincipal.json to be used by subsequent az aks
commands.
Skip role assignment for subnet (advanced networking).
If specified, please make sure your service principal has the access to your subnet.
Specify SKU name for managed clusters. '--sku base' enables a base managed cluster. '--sku automatic' enables an automatic managed cluster.
The source nodepool snapshot id used to create this cluster.
Configure SSH setting for the first system pool in this cluster. Use "disabled" to disable SSH access, "localuser" to enable SSH access using private key. Note, this configuration will not take effect for later created new node pools, please use option az aks nodepool add --ssh-access
to configure SSH access for new node pools.
Public key path or key contents to install on node VMs for SSH access. For example, 'ssh-rsa AAAAB...snip...UcyupgH azureuser@linuxvm'.
Set storage pool name for azure container storage.
Set ephemeral disk storage pool option for azure container storage.
Set storage pool size for azure container storage.
Set azure disk type storage pool sku for azure container storage.
The tags of the managed cluster. The managed cluster instance and all resources managed by the cloud provider will be tagged.
Specify SKU tier for managed clusters. '--tier standard' enables a standard managed cluster service with a financially backed SLA. '--tier free' does not have a financially backed SLA.
Agent pool vm set type. VirtualMachineScaleSets, AvailabilitySet or VirtualMachines(Preview).
Comma-separated list of sizes. Must use VirtualMachines agent pool type.
The ID of a subnet in an existing VNet into which to deploy the cluster.
User account password to use on windows node VMs.
Rules for windows-admin-password: - Minimum-length: 14 characters - Max-length: 123 characters - Complexity requirements: 3 out of 4 conditions below need to be fulfilled * Has lower characters * Has upper characters * Has a digit * Has a special character (Regex match [\W_]) - Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!" Reference: https://docs.microsoft.com/en-us/dotnet/api/microsoft.azure.management.compute.models.virtualmachinescalesetosprofile.adminpassword?view=azure-dotnet.
User account to create on windows node VMs.
Rules for windows-admin-username: - restriction: Cannot end in "." - Disallowed values: "administrator", "admin", "user", "user1", "test", "user2", "test1", "user3", "admin1", "1", "123", "a", "actuser", "adm", "admin2", "aspnet", "backup", "console", "david", "guest", "john", "owner", "root", "server", "sql", "support", "support_388945a0", "sys", "test2", "test3", "user4", "user5". - Minimum-length: 1 character - Max-length: 20 characters Reference: https://docs.microsoft.com/en-us/dotnet/api/microsoft.azure.management.compute.models.virtualmachinescalesetosprofile.adminusername?view=azure-dotnet.
Determines the type of workload a node can run. Defaults to OCIContainer.
The resource ID of an existing Log Analytics Workspace to use for storing monitoring data. If not specified, uses the default Log Analytics Workspace if it exists, otherwise creates one.
Do not prompt for confirmation.
Space-separated list of availability zones where agent nodes will be placed.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks delete
Delete a managed Kubernetes cluster.
az aks delete --name
--resource-group
[--no-wait]
[--yes]
Examples
Delete a managed Kubernetes cluster. (autogenerated)
az aks delete --name MyManagedCluster --resource-group MyResourceGroup
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Do not wait for the long-running operation to finish.
Do not prompt for confirmation.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks delete (aks-preview extension)
Delete a managed Kubernetes cluster.
az aks delete --name
--resource-group
[--if-match]
[--ignore-pod-disruption-budget]
[--no-wait]
[--yes]
Examples
Delete a managed Kubernetes cluster. (autogenerated)
az aks delete --name MyManagedCluster --resource-group MyResourceGroup
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
The request should only proceed if an entity matches this string. Default value is None.
Ignore-pod-disruption-budget=true to delete those pods on a node without considering Pod Disruption Budget. Default value is None.
Do not wait for the long-running operation to finish.
Do not prompt for confirmation.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks disable-addons
Disable Kubernetes addons.
az aks disable-addons --addons
--name
--resource-group
[--no-wait]
Examples
Disable Kubernetes addons. (autogenerated)
az aks disable-addons --addons virtual-node --name MyManagedCluster --resource-group MyResourceGroup
Required Parameters
Disable the Kubernetes addons in a comma-separated list.
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Do not wait for the long-running operation to finish.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks disable-addons (aks-preview extension)
Disable Kubernetes addons.
az aks disable-addons --addons
--name
--resource-group
[--no-wait]
Examples
Disable Kubernetes addons. (autogenerated)
az aks disable-addons --addons virtual-node --name MyManagedCluster --resource-group MyResourceGroup
Required Parameters
Disable the Kubernetes addons in a comma-separated list.
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Do not wait for the long-running operation to finish.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks enable-addons
Enable Kubernetes addons.
These addons are available:
- http_application_routing : configure ingress with automatic public DNS name creation.
- monitoring : turn on Log Analytics monitoring. Requires "--workspace-resource-id". Requires "--enable-msi-auth-for-monitoring" for managed identity auth. Requires "--enable-syslog" to enable syslog data collection from nodes. Note MSI must be enabled. Requires "--ampls-resource-id" for private link. Note MSI must be enabled. Requires "--enable-high-log-scale-mode" to enable high log scale mode for container logs. Note MSI must be enabled. If monitoring addon is enabled --no-wait argument will have no effect
- virtual-node : enable AKS Virtual Node. Requires --subnet-name to provide the name of an existing subnet for the Virtual Node to use.
- azure-policy : enable Azure policy. The Azure Policy add-on for AKS enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Learn more at aka.ms/aks/policy.
- ingress-appgw : enable Application Gateway Ingress Controller addon.
- open-service-mesh : enable Open Service Mesh addon.
- azure-keyvault-secrets-provider : enable Azure Keyvault Secrets Provider addon.
az aks enable-addons --addons
--name
--resource-group
[--ampls-resource-id]
[--appgw-id]
[--appgw-name]
[--appgw-subnet-cidr]
[--appgw-subnet-id]
[--appgw-watch-namespace]
[--data-collection-settings]
[--enable-high-log-scale-mode {false, true}]
[--enable-msi-auth-for-monitoring {false, true}]
[--enable-secret-rotation]
[--enable-sgxquotehelper]
[--enable-syslog {false, true}]
[--no-wait]
[--rotation-poll-interval]
[--subnet-name]
[--workspace-resource-id]
Examples
Enable Kubernetes addons. (autogenerated)
az aks enable-addons --addons virtual-node --name MyManagedCluster --resource-group MyResourceGroup --subnet MySubnetName
Enable ingress-appgw addon with subnet prefix.
az aks enable-addons --name MyManagedCluster --resource-group MyResourceGroup --addons ingress-appgw --appgw-subnet-cidr 10.225.0.0/16 --appgw-name gateway
Enable open-service-mesh addon.
az aks enable-addons --name MyManagedCluster --resource-group MyResourceGroup --addons open-service-mesh
Required Parameters
Enable the Kubernetes addons in a comma-separated list.
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Resource ID of Azure Monitor Private Link scope for Monitoring Addon.
Resource Id of an existing Application Gateway to use with AGIC. Use with ingress-azure addon.
Name of the application gateway to create/use in the node resource group. Use with ingress-azure addon.
Subnet CIDR to use for a new subnet created to deploy the Application Gateway. Use with ingress-azure addon.
Resource Id of an existing Subnet used to deploy the Application Gateway. Use with ingress-azure addon.
Specify the namespace, which AGIC should watch. This could be a single string value, or a comma-separated list of namespaces.
Path to JSON file containing data collection settings for Monitoring addon.
Enable High Log Scale Mode for Container Logs.
Enable Managed Identity Auth for Monitoring addon.
Enable secret rotation. Use with azure-keyvault-secrets-provider addon.
Enable SGX quote helper for confcom addon.
Enable syslog data collection for Monitoring addon.
Do not wait for the long-running operation to finish.
Set interval of rotation poll. Use with azure-keyvault-secrets-provider addon.
Name of an existing subnet to use with the virtual-node add-on.
The resource ID of an existing Log Analytics Workspace to use for storing monitoring data.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks enable-addons (aks-preview extension)
Enable Kubernetes addons.
These addons are available: http_application_routing - configure ingress with automatic public DNS name creation. monitoring - turn on Log Analytics monitoring. Uses the Log Analytics Default Workspace if it exists, else creates one. Specify "--workspace-resource-id" to use an existing workspace. If monitoring addon is enabled --no-wait argument will have no effect virtual-node - enable AKS Virtual Node. Requires --subnet-name to provide the name of an existing subnet for the Virtual Node to use. azure-policy - enable Azure policy. The Azure Policy add-on for AKS enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. Learn more at aka.ms/aks/policy. ingress-appgw - enable Application Gateway Ingress Controller addon (PREVIEW). open-service-mesh - enable Open Service Mesh addon (PREVIEW). gitops - enable GitOps (PREVIEW). azure-keyvault-secrets-provider - enable Azure Keyvault Secrets Provider addon. web_application_routing - enable Web Application Routing addon (PREVIEW). Specify "--dns-zone-resource-id" to configure DNS.
az aks enable-addons --addons
--name
--resource-group
[--aks-custom-headers]
[--ampls-resource-id]
[--appgw-id]
[--appgw-name]
[--appgw-subnet-cidr]
[--appgw-subnet-id]
[--appgw-subnet-prefix]
[--appgw-watch-namespace]
[--data-collection-settings]
[--dns-zone-resource-id]
[--dns-zone-resource-ids]
[--enable-high-log-scale-mode {false, true}]
[--enable-msi-auth-for-monitoring {false, true}]
[--enable-secret-rotation]
[--enable-sgxquotehelper]
[--enable-syslog {false, true}]
[--no-wait]
[--rotation-poll-interval]
[--subnet-name]
[--workspace-resource-id]
Examples
Enable Kubernetes addons. (autogenerated)
az aks enable-addons --addons virtual-node --name MyManagedCluster --resource-group MyResourceGroup --subnet-name VirtualNodeSubnet
Enable ingress-appgw addon with subnet prefix.
az aks enable-addons --name MyManagedCluster --resource-group MyResourceGroup --addons ingress-appgw --appgw-subnet-cidr 10.2.0.0/16 --appgw-name gateway
Enable open-service-mesh addon.
az aks enable-addons --name MyManagedCluster --resource-group MyResourceGroup --addons open-service-mesh
Required Parameters
Enable the Kubernetes addons in a comma-separated list.
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Send custom headers. When specified, format should be Key1=Value1,Key2=Value2.
Resource ID of Azure Monitor Private Link scope for Monitoring Addon.
Resource Id of an existing Application Gateway to use with AGIC. Use with ingress-azure addon.
Name of the application gateway to create/use in the node resource group. Use with ingress-azure addon.
Subnet CIDR to use for a new subnet created to deploy the Application Gateway. Use with ingress-azure addon.
Resource Id of an existing Subnet used to deploy the Application Gateway. Use with ingress-azure addon.
Argument 'appgw_subnet_prefix' has been deprecated and will be removed in a future release. Use '--appgw-subnet-cidr' instead.
Subnet Prefix to use for a new subnet created to deploy the Application Gateway. Use with ingress-azure addon.
Specify the namespace, which AGIC should watch. This could be a single string value, or a comma-separated list of namespaces. Use with ingress-azure addon.
Path to JSON file containing data collection settings for Monitoring addon.
Option '--dns-zone-resource-id' has been deprecated and will be removed in a future release. Use '--dns-zone-resource-ids' instead.
The resource ID of the DNS zone resource to use with the web_application_routing addon.
A comma separated list of resource IDs of the DNS zone resource to use with the web_application_routing addon.
Enable High Log Scale Mode for Container Logs.
Send monitoring data to Log Analytics using the cluster's assigned identity (instead of the Log Analytics Workspace's shared key).
Enable secret rotation. Use with azure-keyvault-secrets-provider addon.
Enable SGX quote helper for confcom addon.
Enable syslog data collection for Monitoring addon.
Do not wait for the long-running operation to finish.
Set interval of rotation poll. Use with azure-keyvault-secrets-provider addon.
The subnet name for the virtual node to use.
The resource ID of an existing Log Analytics Workspace to use for storing monitoring data.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks get-credentials
Get access credentials for a managed Kubernetes cluster.
By default, the credentials are merged into the .kube/config file so kubectl can use them. See -f parameter for details.
az aks get-credentials --name
--resource-group
[--admin]
[--context]
[--file]
[--format]
[--overwrite-existing]
[--public-fqdn]
Examples
Get access credentials for a managed Kubernetes cluster. (autogenerated)
az aks get-credentials --name MyManagedCluster --resource-group MyResourceGroup
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Get cluster administrator credentials. Default: cluster user credentials.
On clusters with Azure Active Directory integration, this bypasses normal Azure AD authentication and can be used if you're permanently blocked by not having access to a valid Azure AD group with access to your cluster. Requires 'Azure Kubernetes Service Cluster Admin' role.
If specified, overwrite the default context name. The --admin
parameter takes precedence over --context
.
Kubernetes configuration file to update. Use "-" to print YAML to stdout instead.
Specify the format of the returned credential. Available values are ["exec", "azure"]. Only take effect when requesting clusterUser credential of AAD clusters.
Overwrite any existing cluster entry with the same name.
Get private cluster credential with server address to be public fqdn.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks get-credentials (aks-preview extension)
Get access credentials for a managed Kubernetes cluster.
az aks get-credentials --name
--resource-group
[--admin]
[--aks-custom-headers]
[--context]
[--file]
[--format {azure, exec}]
[--overwrite-existing]
[--public-fqdn]
[--user]
Examples
Get access credentials for a managed Kubernetes cluster. (autogenerated)
az aks get-credentials --name MyManagedCluster --resource-group MyResourceGroup
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Get cluster administrator credentials. Default: cluster user credentials.
Send custom headers. When specified, format should be Key1=Value1,Key2=Value2.
If specified, overwrite the default context name.
Kubernetes configuration file to update. Use "-" to print YAML to stdout instead.
Specify the format of the returned credential. Available values are ["exec", "azure"]. Only take effect when requesting clusterUser credential of AAD clusters.
Overwrite any existing cluster entry with the same name.
Get private cluster credential with server address to be public fqdn.
Get credentials for the user. Only valid when --admin is False. Default: cluster user credentials.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks get-upgrades
Get the upgrade versions available for a managed Kubernetes cluster.
az aks get-upgrades --name
--resource-group
Examples
Get the upgrade versions available for a managed Kubernetes cluster
az aks get-upgrades --name MyManagedCluster --resource-group MyResourceGroup
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks get-upgrades (aks-preview extension)
Get the upgrade versions available for a managed Kubernetes cluster.
az aks get-upgrades --name
--resource-group
Examples
Get the upgrade versions available for a managed Kubernetes cluster
az aks get-upgrades --name MyManagedCluster --resource-group MyResourceGroup
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks get-versions
Get the versions available for creating a managed Kubernetes cluster.
az aks get-versions --location
Examples
Get the versions available for creating a managed Kubernetes cluster
az aks get-versions --location westus2
Required Parameters
Location. Values from: az account list-locations
. You can configure the default location using az configure --defaults location=<location>
.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks get-versions (aks-preview extension)
Get the versions available for creating a managed Kubernetes cluster.
az aks get-versions --location
Examples
Get the versions available for creating a managed Kubernetes cluster
az aks get-versions --location westus2
Required Parameters
Location. Values from: az account list-locations
. You can configure the default location using az configure --defaults location=<location>
.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks install-cli
Download and install kubectl, the Kubernetes command-line tool. Download and install kubelogin, a client-go credential (exec) plugin implementing azure authentication.
az aks install-cli [--base-src-url]
[--client-version]
[--install-location]
[--kubelogin-base-src-url]
[--kubelogin-install-location]
[--kubelogin-version]
Optional Parameters
Base download source URL for kubectl releases.
Version of kubectl to install.
Path at which to install kubectl. Note: the path should contain the binary filename.
Base download source URL for kubelogin releases.
Path at which to install kubelogin. Note: the path should contain the binary filename.
Version of kubelogin to install.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks kanalyze
Display diagnostic results for the Kubernetes cluster after kollect is done.
az aks kanalyze --name
--resource-group
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks kollect
Collecting diagnostic information for the Kubernetes cluster.
Collect diagnostic information for the Kubernetes cluster and store it in the specified storage account. You can provide the storage account in three ways: storage account name and a shared access signature with write permission. resource Id to a storage account you own. the storagea account in diagnostics settings for your managed cluster.
az aks kollect --name
--resource-group
[--container-logs]
[--kube-objects]
[--node-logs]
[--node-logs-windows]
[--sas-token]
[--storage-account]
Examples
using storage account name and a shared access signature token with write permission
az aks kollect -g MyResourceGroup -n MyManagedCluster --storage-account MyStorageAccount --sas-token "MySasToken"
using the resource id of a storagea account resource you own.
az aks kollect -g MyResourceGroup -n MyManagedCluster --storage-account "MyStoreageAccountResourceId"
using the storagea account in diagnostics settings for your managed cluster.
az aks kollect -g MyResourceGroup -n MyManagedCluster
customize the container logs to collect.
az aks kollect -g MyResourceGroup -n MyManagedCluster --container-logs "mynamespace1/mypod1 myns2"
customize the kubernetes objects to collect.
az aks kollect -g MyResourceGroup -n MyManagedCluster --kube-objects "mynamespace1/service myns2/deployment/deployment1"
customize the node log files to collect.
az aks kollect -g MyResourceGroup -n MyManagedCluster --node-logs "/var/log/azure-vnet.log /var/log/azure-vnet-ipam.log"
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
The list of container logs to collect.
The list of container logs to collect. Its value can be either all containers in a namespace, for example, kube-system, or a specific container in a namespace, for example, kube-system/tunnelfront.
The list of kubernetes objects to describe.
The list of kubernetes objects to describe. Its value can be either all objects of a type in a namespace, for example, kube-system/pod, or a specific object of a type in a namespace, for example, kube-system/deployment/tunnelfront.
The list of node logs to collect for Linux nodes. For example, /var/log/cloud-init.log.
The list of node logs to collect for Windows nodes. For example, C:\AzureData\CustomDataSetupScript.log.
The SAS token with writable permission for the storage account.
Name or ID of the storage account to save the diagnostic information.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks list
List managed Kubernetes clusters.
az aks list [--resource-group]
Optional Parameters
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks list (aks-preview extension)
List managed Kubernetes clusters.
az aks list [--resource-group]
Optional Parameters
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks operation-abort
Abort last running operation on managed cluster.
az aks operation-abort --name
--resource-group
[--no-wait]
Examples
Abort operation on managed cluster
az aks operation-abort -g myResourceGroup -n myAKSCluster
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Do not wait for the long-running operation to finish.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks operation-abort (aks-preview extension)
Abort last running operation on managed cluster.
az aks operation-abort --name
--resource-group
[--aks-custom-headers]
[--no-wait]
Examples
Abort operation on managed cluster
az aks operation-abort -g myResourceGroup -n myAKSCluster
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Send custom headers. When specified, format should be Key1=Value1,Key2=Value2.
Do not wait for the long-running operation to finish.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks remove-dev-spaces
This command has been deprecated and will be removed in a future release.
Remove Azure Dev Spaces from a managed Kubernetes cluster.
az aks remove-dev-spaces --name
--resource-group
[--yes]
Examples
Remove Azure Dev Spaces from a managed Kubernetes cluster.
az aks remove-dev-spaces -g my-aks-group -n my-aks
Remove Azure Dev Spaces from a managed Kubernetes cluster without prompting.
az aks remove-dev-spaces -g my-aks-group -n my-aks --yes
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Do not prompt for confirmation.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks rotate-certs
Rotate certificates and keys on a managed Kubernetes cluster.
Kubernetes will be unavailable during cluster certificate rotation.
az aks rotate-certs --name
--resource-group
[--no-wait]
[--yes]
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Do not wait for the long-running operation to finish.
Do not prompt for confirmation.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks rotate-certs (aks-preview extension)
Rotate certificates and keys on a managed Kubernetes cluster.
Kubernetes will be unavailable during cluster certificate rotation.
az aks rotate-certs --name
--resource-group
[--no-wait]
[--yes]
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Do not wait for the long-running operation to finish.
Do not prompt for confirmation.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks scale
Scale the node pool in a managed Kubernetes cluster.
az aks scale --name
--node-count
--resource-group
[--no-wait]
[--nodepool-name]
Examples
Scale the node pool in a managed Kubernetes cluster. (autogenerated)
az aks scale --name MyManagedCluster --node-count 3 --resource-group MyResourceGroup
Required Parameters
Name of the managed cluster.
Number of nodes in the Kubernetes node pool.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Do not wait for the long-running operation to finish.
Node pool name, up to 12 alphanumeric characters.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks scale (aks-preview extension)
Scale the node pool in a managed Kubernetes cluster.
az aks scale --name
--node-count
--resource-group
[--aks-custom-headers]
[--no-wait]
[--nodepool-name]
Required Parameters
Name of the managed cluster.
Number of nodes in the Kubernetes node pool.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Send custom headers. When specified, format should be Key1=Value1,Key2=Value2.
Do not wait for the long-running operation to finish.
Node pool name, upto 12 alphanumeric characters.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks show
Show the details for a managed Kubernetes cluster.
az aks show --name
--resource-group
Examples
Show the details for a managed Kubernetes cluster
az aks show --name MyManagedCluster --resource-group MyResourceGroup
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks show (aks-preview extension)
Show the details for a managed Kubernetes cluster.
az aks show --name
--resource-group
[--aks-custom-headers]
Examples
Show the details for a managed Kubernetes cluster
az aks show -g MyResourceGroup -n MyManagedCluster
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Send custom headers. When specified, format should be Key1=Value1,Key2=Value2.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks start
Starts a previously stopped Managed Cluster.
See starting a cluster <https://docs.microsoft.com/azure/aks/start-stop-cluster>
_ for more details about starting a cluster.
az aks start --name
--resource-group
[--no-wait]
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Do not wait for the long-running operation to finish.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks start (aks-preview extension)
Starts a previously stopped Managed Cluster.
See starting a cluster <https://docs.microsoft.com/azure/aks/start-stop-cluster>
_ for more details about starting a cluster.
az aks start --name
--resource-group
[--no-wait]
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Do not wait for the long-running operation to finish.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks stop
Stop a managed cluster.
This can only be performed on Azure Virtual Machine Scale set backed clusters. Stopping a cluster stops the control plane and agent nodes entirely, while maintaining all object and cluster state. A cluster does not accrue charges while it is stopped. See stopping a cluster <https://docs.microsoft.com/azure/aks/start-stop-cluster>
_ for more details about stopping a cluster.
az aks stop --name
--resource-group
[--no-wait]
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Do not wait for the long-running operation to finish.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks stop (aks-preview extension)
Stop a managed cluster.
This can only be performed on Azure Virtual Machine Scale set backed clusters. Stopping a cluster stops the control plane and agent nodes entirely, while maintaining all object and cluster state. A cluster does not accrue charges while it is stopped. See stopping a cluster <https://docs.microsoft.com/azure/aks/start-stop-cluster>
_ for more details about stopping a cluster.
az aks stop --name
--resource-group
[--no-wait]
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Do not wait for the long-running operation to finish.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks update
Update a managed Kubernetes cluster. When called with no optional arguments this attempts to move the cluster to its goal state without changing the current cluster configuration. This can be used to move out of a non succeeded state.
az aks update --name
--resource-group
[--aad-admin-group-object-ids]
[--aad-tenant-id]
[--aks-custom-headers]
[--api-server-authorized-ip-ranges]
[--assign-identity]
[--assign-kubelet-identity]
[--attach-acr]
[--auto-upgrade-channel {node-image, none, patch, rapid, stable}]
[--azure-container-storage-nodepools]
[--azure-keyvault-kms-key-id]
[--azure-keyvault-kms-key-vault-network-access {Private, Public}]
[--azure-keyvault-kms-key-vault-resource-id]
[--azure-monitor-workspace-resource-id]
[--ca-profile]
[--defender-config]
[--detach-acr]
[--disable-ahub]
[--disable-azure-container-storage {all, azureDisk, elasticSan, ephemeralDisk}]
[--disable-azure-keyvault-kms]
[--disable-azure-monitor-metrics]
[--disable-azure-rbac]
[--disable-blob-driver]
[--disable-cluster-autoscaler]
[--disable-cost-analysis]
[--disable-defender]
[--disable-disk-driver]
[--disable-file-driver]
[--disable-force-upgrade]
[--disable-image-cleaner]
[--disable-keda]
[--disable-local-accounts]
[--disable-public-fqdn]
[--disable-secret-rotation]
[--disable-snapshot-controller]
[--disable-vpa]
[--disable-windows-gmsa]
[--disable-workload-identity]
[--enable-aad]
[--enable-ahub]
[--enable-azure-container-storage {azureDisk, elasticSan, ephemeralDisk}]
[--enable-azure-keyvault-kms]
[--enable-azure-monitor-metrics]
[--enable-azure-rbac]
[--enable-blob-driver]
[--enable-cluster-autoscaler]
[--enable-cost-analysis]
[--enable-defender]
[--enable-disk-driver]
[--enable-file-driver]
[--enable-force-upgrade]
[--enable-image-cleaner]
[--enable-keda]
[--enable-local-accounts]
[--enable-managed-identity]
[--enable-oidc-issuer]
[--enable-public-fqdn]
[--enable-secret-rotation]
[--enable-snapshot-controller]
[--enable-vpa]
[--enable-windows-gmsa]
[--enable-windows-recording-rules]
[--enable-workload-identity]
[--ephemeral-disk-nvme-perf-tier {Basic, Premium, Standard}]
[--ephemeral-disk-volume-type {EphemeralVolumeOnly, PersistentVolumeWithAnnotation}]
[--gmsa-dns-server]
[--gmsa-root-domain-name]
[--grafana-resource-id]
[--http-proxy-config]
[--image-cleaner-interval-hours]
[--k8s-support-plan {AKSLongTermSupport, KubernetesOfficial}]
[--ksm-metric-annotations-allow-list]
[--ksm-metric-labels-allow-list]
[--load-balancer-backend-pool-type {nodeIP, nodeIPConfiguration}]
[--load-balancer-idle-timeout]
[--load-balancer-managed-outbound-ip-count]
[--load-balancer-managed-outbound-ipv6-count]
[--load-balancer-outbound-ip-prefixes]
[--load-balancer-outbound-ips]
[--load-balancer-outbound-ports]
[--max-count]
[--min-count]
[--nat-gateway-idle-timeout]
[--nat-gateway-managed-outbound-ip-count]
[--network-dataplane {azure, cilium}]
[--network-plugin {azure, kubenet, none}]
[--network-plugin-mode]
[--network-policy {azure, calico, cilium, none}]
[--no-uptime-sla]
[--no-wait]
[--node-os-upgrade-channel]
[--nodepool-labels]
[--nodepool-taints]
[--outbound-type {loadBalancer, managedNATGateway, userAssignedNATGateway, userDefinedRouting}]
[--pod-cidr]
[--private-dns-zone]
[--rotation-poll-interval]
[--storage-pool-name]
[--storage-pool-option {NVMe, Temp, all}]
[--storage-pool-size]
[--storage-pool-sku {PremiumV2_LRS, Premium_LRS, Premium_ZRS, StandardSSD_LRS, StandardSSD_ZRS, Standard_LRS, UltraSSD_LRS}]
[--tags]
[--tier {free, premium, standard}]
[--update-cluster-autoscaler]
[--upgrade-override-until]
[--uptime-sla]
[--windows-admin-password]
[--yes]
Examples
Reconcile the cluster back to its current state.
az aks update -g MyResourceGroup -n MyManagedCluster
Update a kubernetes cluster with standard SKU load balancer to use two AKS created IPs for the load balancer outbound connection usage.
az aks update -g MyResourceGroup -n MyManagedCluster --load-balancer-managed-outbound-ip-count 2
Update a kubernetes cluster with standard SKU load balancer to use the provided public IPs for the load balancer outbound connection usage.
az aks update -g MyResourceGroup -n MyManagedCluster --load-balancer-outbound-ips <ip-resource-id-1,ip-resource-id-2>
Update a kubernetes cluster with a standard SKU load balancer, with two outbound AKS managed IPs an idle flow timeout of 5 minutes and 8000 allocated ports per machine
az aks update -g MyResourceGroup -n MyManagedCluster --load-balancer-managed-outbound-ip-count 2 --load-balancer-idle-timeout 5 --load-balancer-outbound-ports 8000
Update a kubernetes cluster with standard SKU load balancer to use the provided public IP prefixes for the load balancer outbound connection usage.
az aks update -g MyResourceGroup -n MyManagedCluster --load-balancer-outbound-ip-prefixes <ip-prefix-resource-id-1,ip-prefix-resource-id-2>
Update a kubernetes cluster of managedNATGateway outbound type with two outbound AKS managed IPs an idle flow timeout of 4 minutes
az aks update -g MyResourceGroup -n MyManagedCluster --nat-gateway-managed-outbound-ip-count 2 --nat-gateway-idle-timeout 4
Attach AKS cluster to ACR by name "acrName"
az aks update -g MyResourceGroup -n MyManagedCluster --attach-acr acrName
Update a kubernetes cluster with authorized apiserver ip ranges.
az aks update -g MyResourceGroup -n MyManagedCluster --api-server-authorized-ip-ranges 193.168.1.0/24,194.168.1.0/24
Disable authorized apiserver ip ranges feature for a kubernetes cluster.
az aks update -g MyResourceGroup -n MyManagedCluster --api-server-authorized-ip-ranges ""
Restrict apiserver traffic in a kubernetes cluster to agentpool nodes.
az aks update -g MyResourceGroup -n MyManagedCluster --api-server-authorized-ip-ranges 0.0.0.0/32
Update a AKS-managed AAD cluster with tenant ID or admin group object IDs.
az aks update -g MyResourceGroup -n MyManagedCluster --aad-admin-group-object-ids <id-1,id-2> --aad-tenant-id <id>
Migrate a AKS AAD-Integrated cluster or a non-AAD cluster to a AKS-managed AAD cluster.
az aks update -g MyResourceGroup -n MyManagedCluster --enable-aad --aad-admin-group-object-ids <id-1,id-2> --aad-tenant-id <id>
Enable Azure Hybrid User Benefits featture for a kubernetes cluster.
az aks update -g MyResourceGroup -n MyManagedCluster --enable-ahub
Disable Azure Hybrid User Benefits featture for a kubernetes cluster.
az aks update -g MyResourceGroup -n MyManagedCluster --disable-ahub
Update Windows password of a kubernetes cluster
az aks update -g MyResourceGroup -n MyManagedCLuster --windows-admin-password "Repl@cePassw0rd12345678"
Update the cluster to use system assigned managed identity in control plane.
az aks update -g MyResourceGroup -n MyManagedCluster --enable-managed-identity
Update the cluster to use user assigned managed identity in control plane.
az aks update -g MyResourceGroup -n MyManagedCluster --enable-managed-identity --assign-identity <user_assigned_identity_resource_id>
Update a non managed AAD AKS cluster to use Azure RBAC
az aks update -g MyResourceGroup -n MyManagedCluster --enable-aad --enable-azure-rbac
Update a managed AAD AKS cluster to use Azure RBAC
az aks update -g MyResourceGroup -n MyManagedCluster --enable-azure-rbac
Disable Azure RBAC in a managed AAD AKS cluster
az aks update -g MyResourceGroup -n MyManagedCluster --disable-azure-rbac
Update the tags of a kubernetes cluster
az aks update -g MyResourceGroup -n MyManagedCLuster --tags "foo=bar" "baz=qux"
Update a kubernetes cluster with custom headers
az aks update -g MyResourceGroup -n MyManagedCluster --aks-custom-headers WindowsContainerRuntime=containerd,AKSHTTPCustomFeatures=Microsoft.ContainerService/CustomNodeConfigPreview
Enable Windows gmsa for a kubernetes cluster with setting DNS server in the vnet used by the cluster.
az aks update -g MyResourceGroup -n MyManagedCluster --enable-windows-gmsa
Enable Windows gmsa for a kubernetes cluster without setting DNS server in the vnet used by the cluster.
az aks update -g MyResourceGroup -n MyManagedCluster --enable-windows-gmsa --gmsa-dns-server "10.240.0.4" --gmsa-root-domain-name "contoso.com"
Disable Windows gmsa for a kubernetes cluster.
az aks update -g MyResourceGroup -n MyManagedCluster --disable-windows-gmsa
Enable KEDA workload autoscaler for an existing kubernetes cluster.
az aks update -g MyResourceGroup -n MyManagedCluster --enable-keda
Disable KEDA workload autoscaler for an existing kubernetes cluster.
az aks update -g MyResourceGroup -n MyManagedCluster --disable-keda
Enable VPA(Vertical Pod Autoscaler) for an existing kubernetes cluster.
az aks update -g MyResourceGroup -n MyManagedCLuster --enable-vpa
Disable VPA(Vertical Pod Autoscaler) for an existing kubernetes cluster.
az aks update -g MyResourceGroup -n MyManagedCLuster --disable-vpa
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Comma-separated list of aad group object IDs that will be set as cluster admin.
The ID of an Azure Active Directory tenant.
Comma-separated key-value pairs to specify custom headers.
Comma-separated list of authorized apiserver IP ranges. Set to "" to allow all traffic on a previously restricted cluster. Set to 0.0.0.0/32 to restrict apiserver traffic to node pools.
Specify an existing user assigned identity to manage cluster resource group.
Update cluster's kubelet identity to an existing user assigned identity. Please note this operation will recreate all agent nodes in the cluster.
Grant the 'acrpull' role assignment to the ACR specified by name or resource ID.
Specify the upgrade channel for autoupgrade.
Define the comma separated nodepool list to install azure container storage.
Identifier of Azure Key Vault key.
Network Access of Azure Key Vault.
Allowed values are "Public", "Private". If not set, defaults to type "Public". Requires --azure-keyvault-kms-key-id to be used.
Resource ID of Azure Key Vault.
Resource ID of the Azure Monitor Workspace.
Comma-separated list of key=value pairs for configuring cluster autoscaler. Pass an empty string to clear the profile.
Path to JSON file containing Microsoft Defender profile configurations.
Disable the 'acrpull' role assignment to the ACR specified by name or resource ID.
Disable Azure Hybrid User Benefits (AHUB) feature for cluster.
Disable azure container storage or any one of the storage pool types.
Disable Azure KeyVault Key Management Service.
Disable Azure Monitor Metrics Profile. This will delete all DCRA's associated with the cluster, any linked DCRs with the data stream = prometheus-stream and the recording rule groups created by the addon for this AKS cluster.
Disable Azure RBAC to control authorization checks on cluster.
Disable AzureBlob CSI Driver.
Disable cluster autoscaler.
Disable exporting Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal.
Disable defender profile.
Disable AzureDisk CSI Driver.
Disable AzureFile CSI Driver.
Disable forceUpgrade cluster upgrade settings override.
Disable ImageCleaner Service.
Disable KEDA workload auto-scaler.
If set to true, getting static credential will be disabled for this cluster.
Disable public fqdn feature for private cluster.
Disable secret rotation. Use with azure-keyvault-secrets-provider addon.
Disable CSI Snapshot Controller.
Disable vertical pod autoscaler for cluster.
Disable Windows gmsa on cluster.
Disable workload identity addon.
Enable managed AAD feature for cluster.
Enable Azure Hybrid User Benefits (AHUB) feature for cluster.
Enable azure container storage and define storage pool type.
Enable Azure KeyVault Key Management Service.
Enable a kubernetes cluster with the Azure Monitor managed service for Prometheus integration.
Enable Azure RBAC to control authorization checks on cluster.
Enable AzureBlob CSI Driver.
Enable cluster autoscaler.
Enable exporting Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. For more information see aka.ms/aks/docs/cost-analysis.
Enable Microsoft Defender security profile.
Enable AzureDisk CSI Driver.
Enable AzureFile CSI Driver.
Enable forceUpgrade cluster upgrade settings override.
Enable ImageCleaner Service.
Enable KEDA workload auto-scaler.
If set to true, will enable getting static credential for this cluster.
Update current cluster to use managed identity to manage cluster resource group.
Enable OIDC issuer.
Enable public fqdn feature for private cluster.
Enable secret rotation. Use with azure-keyvault-secrets-provider addon.
Enable Snapshot Controller.
Enable vertical pod autoscaler for cluster.
Enable Windows gmsa on cluster.
Enable Windows Recording Rules when enabling the Azure Monitor Metrics addon.
Enable workload identity addon.
Set ephemeral disk volume type for azure container storage.
Set ephemeral disk volume type for azure container storage.
Specify DNS server for Windows gmsa on cluster.
You do not need to set this if you have set DNS server in the VNET used by the cluster. You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time when setting --enable-windows-gmsa.
Specify root domain name for Windows gmsa on cluster.
You do not need to set this if you have set DNS server in the VNET used by the cluster. You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time when setting --enable-windows-gmsa.
Resource ID of the Azure Managed Grafana Workspace.
HTTP Proxy configuration for this cluster.
ImageCleaner scanning interval.
Choose from "KubernetesOfficial" or "AKSLongTermSupport", with "AKSLongTermSupport" you get 1 extra year of CVE patchs.
Comma-separated list of additional Kubernetes label keys that will be used in the resource' labels metric. By default the metric contains only name and namespace labels. To include additional labels provide a list of resource names in their plural form and Kubernetes label keys you would like to allow for them (e.g.'=namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...)'. A single '' can be provided per resource instead to allow any labels, but that has severe performance implications (e.g. '=pods=[]').
Comma-separated list of additional Kubernetes label keys that will be used in the resource' labels metric. By default the metric contains only name and namespace labels. To include additional labels provide a list of resource names in their plural form and Kubernetes label keys you would like to allow for them (e.g. '=namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...)'. A single '' can be provided per resource instead to allow any labels, but that has severe performance implications (e.g. '=pods=[]').
Load balancer backend pool type.
Define the LoadBalancer backend pool type of managed inbound backend pool. The nodeIP means the VMs will be attached to the LoadBalancer by adding its private IP address to the backend pool. The nodeIPConfiguration means the VMs will be attached to the LoadBalancer by referencing the backend pool ID in the VM's NIC.
Load balancer idle timeout in minutes.
Desired idle timeout for load balancer outbound flows, default is 30 minutes. Please specify a value in the range of [4, 100].
Load balancer managed outbound IP count.
Desired number of managed outbound IPs for load balancer outbound connection. Valid for Standard SKU load balancer cluster only. If the new value is greater than the original value, new additional outbound IPs will be created. If the value is less than the original value, existing outbound IPs will be deleted and outbound connections may fail due to configuration update.
Load balancer managed outbound IPv6 IP count.
Desired number of managed outbound IPv6 IPs for load balancer outbound connection. Valid for dual-stack (--ip-families IPv4,IPv6) only.
Load balancer outbound IP prefix resource IDs.
Comma-separated public IP prefix resource IDs for load balancer outbound connection. Valid for Standard SKU load balancer cluster only.
Load balancer outbound IP resource IDs.
Comma-separated public IP resource IDs for load balancer outbound connection. Valid for Standard SKU load balancer cluster only.
Load balancer outbound allocated ports.
Desired static number of outbound ports per VM in the load balancer backend pool. By default, set to 0 which uses the default allocation based on the number of VMs.
Maximum nodes count used for autoscaler, when "--enable-cluster-autoscaler" specified. Please specify the value in the range of [1, 1000].
Minimum nodes count used for autoscaler, when "--enable-cluster-autoscaler" specified. Please specify the value in the range of [1, 1000].
NAT gateway idle timeout in minutes.
Desired idle timeout for NAT gateway outbound flows, default is 4 minutes. Please specify a value in the range of [4, 120]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.
NAT gateway managed outbound IP count.
Desired number of managed outbound IPs for NAT gateway outbound connection. Please specify a value in the range of [1, 16]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.
The network dataplane to use.
Network dataplane used in the Kubernetes cluster. Specify "azure" to use the Azure dataplane (default) or "cilium" to enable Cilium dataplane.
The Kubernetes network plugin to use.
Specify "azure" along with --network-plugin-mode=overlay to update a cluster to use Azure CNI Overlay. For more information see https://aka.ms/aks/azure-cni-overlay.
Update the mode of a network plugin to migrate to a different pod networking setup.
Update Network Policy Engine.
Azure provides three Network Policy Engines for enforcing network policies. The following values can be specified:
- "azure" for Azure Network Policy Manager,
- "cilium" for Azure CNI Powered by Cilium,
- "calico" for open-source network and network security solution founded by Tigera,
- "none" to uninstall Network Policy Engine (Azure Network Policy Manager or Calico). Defaults to "none" (network policy disabled).
Option '--no-uptime-sla' has been deprecated and will be removed in a future release.
Change a standard managed cluster to a free one. --no-uptime-sla is deprecated. Please use '--tier free' instead.
Do not wait for the long-running operation to finish.
Manner in which the OS on your nodes is updated. It could be NodeImage, None, SecurityPatch or Unmanaged.
The node labels for all node pool. See https://aka.ms/node-labels for syntax of labels.
The node taints for all node pool.
How outbound traffic will be configured for a cluster.
This option will change the way how the outbound connections are managed in the AKS cluster. Available options are loadbalancer, managedNATGateway, userAssignedNATGateway, userDefinedRouting. For custom vnet, loadbalancer, userAssignedNATGateway and userDefinedRouting are supported. For aks managed vnet, loadbalancer, managedNATGateway and userDefinedRouting are supported.
Update the pod CIDR for a cluster. Used when updating a cluster from Azure CNI to Azure CNI Overlay.
The private dns zone mode for private cluster.
Only allow changing private dns zone from byo/system mode to none for private cluster. Others are denied.
Set interval of rotation poll. Use with azure-keyvault-secrets-provider addon.
Set storage pool name for azure container storage.
Set ephemeral disk storage pool option for azure container storage.
Set storage pool size for azure container storage.
Set azure disk type storage pool sku for azure container storage.
The tags of the managed cluster. The managed cluster instance and all resources managed by the cloud provider will be tagged.
Specify SKU tier for managed clusters. '--tier standard' enables a standard managed cluster service with a financially backed SLA. '--tier free' changes a standard managed cluster to a free one.
Update min-count or max-count for cluster autoscaler.
Until when the cluster upgradeSettings overrides are effective. It needs to be in a valid date-time format that's within the next 30 days. For example, 2023-04-01T13:00:00Z. Note that if --force-upgrade is set to true and --upgrade-override-until is not set, by default it will be set to 3 days from now.
Option '--uptime-sla' has been deprecated and will be removed in a future release.
Enable a standard managed cluster service with a financially backed SLA. --uptime-sla is deprecated. Please use '--tier standard' instead.
User account password to use on windows node VMs.
Rules for windows-admin-password: - Minimum-length: 14 characters - Max-length: 123 characters - Complexity requirements: 3 out of 4 conditions below need to be fulfilled * Has lower characters * Has upper characters * Has a digit * Has a special character (Regex match [\W_]) - Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!" Reference: https://docs.microsoft.com/dotnet/api/microsoft.azure.management.compute.models.virtualmachinescalesetosprofile.adminpassword?view=azure-dotnet.
Do not prompt for confirmation.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks update (aks-preview extension)
Update the properties of a managed Kubernetes cluster.
Update the properties of a managed Kubernetes cluster. Can be used for example to enable/disable cluster-autoscaler. When called with no optional arguments this attempts to move the cluster to its goal state without changing the current cluster configuration. This can be used to move out of a non succeeded state.
az aks update --name
--resource-group
[--aad-admin-group-object-ids]
[--aad-tenant-id]
[--aks-custom-headers]
[--api-server-authorized-ip-ranges]
[--apiserver-subnet-id]
[--assign-identity]
[--assign-kubelet-identity]
[--attach-acr]
[--auto-upgrade-channel {node-image, none, patch, rapid, stable}]
[--azure-container-storage-nodepools]
[--azure-keyvault-kms-key-id]
[--azure-keyvault-kms-key-vault-network-access {Private, Public}]
[--azure-keyvault-kms-key-vault-resource-id]
[--azure-monitor-workspace-resource-id]
[--bootstrap-artifact-source {Cache, Direct}]
[--bootstrap-container-registry-resource-id]
[--ca-certs]
[--ca-profile]
[--cluster-service-load-balancer-health-probe-mode {Servicenodeport, Shared}]
[--cluster-snapshot-id]
[--defender-config]
[--detach-acr]
[--disable-acns]
[--disable-acns-observability]
[--disable-acns-security]
[--disable-addon-autoscaling]
[--disable-ahub]
[--disable-ai-toolchain-operator]
[--disable-azure-container-storage {all, azureDisk, elasticSan, ephemeralDisk}]
[--disable-azure-keyvault-kms]
[--disable-azure-monitor-app-monitoring]
[--disable-azure-monitor-metrics]
[--disable-azure-rbac]
[--disable-azuremonitormetrics]
[--disable-blob-driver]
[--disable-cluster-autoscaler]
[--disable-cost-analysis]
[--disable-defender]
[--disable-disk-driver]
[--disable-file-driver]
[--disable-force-upgrade]
[--disable-image-cleaner]
[--disable-image-integrity]
[--disable-imds-restriction]
[--disable-keda]
[--disable-local-accounts]
[--disable-pod-identity]
[--disable-pod-security-policy]
[--disable-private-cluster]
[--disable-public-fqdn]
[--disable-secret-rotation]
[--disable-snapshot-controller]
[--disable-static-egress-gateway]
[--disable-vpa]
[--disable-workload-identity]
[--disk-driver-version {v1, v2}]
[--enable-aad]
[--enable-acns]
[--enable-addon-autoscaling]
[--enable-ahub]
[--enable-ai-toolchain-operator]
[--enable-apiserver-vnet-integration]
[--enable-azure-container-storage {azureDisk, elasticSan, ephemeralDisk}]
[--enable-azure-keyvault-kms]
[--enable-azure-monitor-app-monitoring]
[--enable-azure-monitor-metrics]
[--enable-azure-rbac]
[--enable-azuremonitormetrics]
[--enable-blob-driver]
[--enable-cluster-autoscaler]
[--enable-cost-analysis]
[--enable-defender]
[--enable-disk-driver]
[--enable-file-driver]
[--enable-force-upgrade]
[--enable-image-cleaner]
[--enable-image-integrity]
[--enable-imds-restriction]
[--enable-keda]
[--enable-local-accounts]
[--enable-managed-identity]
[--enable-oidc-issuer]
[--enable-pod-identity]
[--enable-pod-identity-with-kubenet]
[--enable-pod-security-policy]
[--enable-private-cluster]
[--enable-public-fqdn]
[--enable-secret-rotation]
[--enable-snapshot-controller]
[--enable-static-egress-gateway]
[--enable-vpa]
[--enable-windows-gmsa]
[--enable-windows-recording-rules]
[--enable-workload-identity]
[--ephemeral-disk-nvme-perf-tier {Basic, Premium, Standard}]
[--ephemeral-disk-volume-type {EphemeralVolumeOnly, PersistentVolumeWithAnnotation}]
[--gmsa-dns-server]
[--gmsa-root-domain-name]
[--grafana-resource-id]
[--http-proxy-config]
[--if-match]
[--if-none-match]
[--image-cleaner-interval-hours]
[--ip-families]
[--k8s-support-plan {AKSLongTermSupport, KubernetesOfficial}]
[--ksm-metric-annotations-allow-list]
[--ksm-metric-labels-allow-list]
[--kube-proxy-config]
[--load-balancer-backend-pool-type]
[--load-balancer-idle-timeout]
[--load-balancer-managed-outbound-ip-count]
[--load-balancer-managed-outbound-ipv6-count]
[--load-balancer-outbound-ip-prefixes]
[--load-balancer-outbound-ips]
[--load-balancer-outbound-ports]
[--max-count]
[--min-count]
[--nat-gateway-idle-timeout]
[--nat-gateway-managed-outbound-ip-count]
[--network-dataplane {azure, cilium}]
[--network-plugin {azure, kubenet, none}]
[--network-plugin-mode]
[--network-policy]
[--no-wait]
[--node-init-taints]
[--node-os-upgrade-channel {NodeImage, None, SecurityPatch, Unmanaged}]
[--node-provisioning-mode {Auto, Manual}]
[--nodepool-labels]
[--nodepool-taints]
[--nrg-lockdown-restriction-level {ReadOnly, Unrestricted}]
[--outbound-type {block, loadBalancer, managedNATGateway, none, userAssignedNATGateway, userDefinedRouting}]
[--pod-cidr]
[--private-dns-zone]
[--rotation-poll-interval]
[--safeguards-excluded-ns]
[--safeguards-level {Enforcement, Off, Warning}]
[--safeguards-version]
[--sku {automatic, base}]
[--ssh-key-value]
[--storage-pool-name]
[--storage-pool-option {NVMe, Temp, all}]
[--storage-pool-size]
[--storage-pool-sku {PremiumV2_LRS, Premium_LRS, Premium_ZRS, StandardSSD_LRS, StandardSSD_ZRS, Standard_LRS, UltraSSD_LRS}]
[--tags]
[--tier {free, premium, standard}]
[--update-cluster-autoscaler]
[--upgrade-override-until]
[--windows-admin-password]
[--yes]
Examples
Reconcile the cluster back to its current state.
az aks update -g MyResourceGroup -n MyManagedCluster
Enable cluster-autoscaler within node count range [1,5]
az aks update --enable-cluster-autoscaler --min-count 1 --max-count 5 -g MyResourceGroup -n MyManagedCluster
Disable cluster-autoscaler for an existing cluster
az aks update --disable-cluster-autoscaler -g MyResourceGroup -n MyManagedCluster
Update min-count or max-count for cluster autoscaler.
az aks update --update-cluster-autoscaler --min-count 1 --max-count 10 -g MyResourceGroup -n MyManagedCluster
Disable pod security policy.
az aks update --disable-pod-security-policy -g MyResourceGroup -n MyManagedCluster
Update a kubernetes cluster with standard SKU load balancer to use two AKS created IPs for the load balancer outbound connection usage.
az aks update -g MyResourceGroup -n MyManagedCluster --load-balancer-managed-outbound-ip-count 2
Update a kubernetes cluster with standard SKU load balancer to use the provided public IPs for the load balancer outbound connection usage.
az aks update -g MyResourceGroup -n MyManagedCluster --load-balancer-outbound-ips <ip-resource-id-1,ip-resource-id-2>
Update a kubernetes cluster with standard SKU load balancer to use the provided public IP prefixes for the load balancer outbound connection usage.
az aks update -g MyResourceGroup -n MyManagedCluster --load-balancer-outbound-ip-prefixes <ip-prefix-resource-id-1,ip-prefix-resource-id-2>
Update a kubernetes cluster with new outbound type
az aks update -g MyResourceGroup -n MyManagedCluster --outbound-type managedNATGateway
Update a kubernetes cluster with two outbound AKS managed IPs an idle flow timeout of 5 minutes and 8000 allocated ports per machine
az aks update -g MyResourceGroup -n MyManagedCluster --load-balancer-managed-outbound-ip-count 2 --load-balancer-idle-timeout 5 --load-balancer-outbound-ports 8000
Update a kubernetes cluster of managedNATGateway outbound type with two outbound AKS managed IPs an idle flow timeout of 4 minutes
az aks update -g MyResourceGroup -n MyManagedCluster --nat-gateway-managed-outbound-ip-count 2 --nat-gateway-idle-timeout 4
Update a kubernetes cluster with authorized apiserver ip ranges.
az aks update -g MyResourceGroup -n MyManagedCluster --api-server-authorized-ip-ranges 193.168.1.0/24,194.168.1.0/24
Disable authorized apiserver ip ranges feature for a kubernetes cluster.
az aks update -g MyResourceGroup -n MyManagedCluster --api-server-authorized-ip-ranges ""
Restrict apiserver traffic in a kubernetes cluster to agentpool nodes.
az aks update -g MyResourceGroup -n MyManagedCluster --api-server-authorized-ip-ranges 0.0.0.0/32
Update a AKS-managed AAD cluster with tenant ID or admin group object IDs.
az aks update -g MyResourceGroup -n MyManagedCluster --aad-admin-group-object-ids <id-1,id-2> --aad-tenant-id <id>
Migrate a AKS AAD-Integrated cluster or a non-AAD cluster to a AKS-managed AAD cluster.
az aks update -g MyResourceGroup -n MyManagedCluster --enable-aad --aad-admin-group-object-ids <id-1,id-2> --aad-tenant-id <id>
Enable Azure Hybrid User Benefits featture for a kubernetes cluster.
az aks update -g MyResourceGroup -n MyManagedCluster --enable-ahub
Disable Azure Hybrid User Benefits featture for a kubernetes cluster.
az aks update -g MyResourceGroup -n MyManagedCluster --disable-ahub
Update the cluster to use system assigned managed identity in control plane.
az aks update -g MyResourceGroup -n MyManagedCluster --enable-managed-identity
Update the cluster to use user assigned managed identity in control plane.
az aks update -g MyResourceGroup -n MyManagedCluster --enable-managed-identity --assign-identity <user_assigned_identity_resource_id>
Enable pod identity addon.
az aks update -g MyResourceGroup -n MyManagedCluster --enable-pod-identity
Disable pod identity addon.
az aks update -g MyResourceGroup -n MyManagedCluster --disable-pod-identity
Update the tags of a kubernetes cluster
az aks update -g MyResourceGroup -n MyManagedCLuster --tags "foo=bar" "baz=qux"
Update Windows password of a kubernetes cluster
az aks update -g MyResourceGroup -n MyManagedCLuster --windows-admin-password "Repl@cePassw0rd12345678"
Update a managed AAD AKS cluster to use Azure RBAC
az aks update -g MyResourceGroup -n MyManagedCluster --enable-azure-rbac
Disable Azure RBAC in a managed AAD AKS cluster
az aks update -g MyResourceGroup -n MyManagedCluster --disable-azure-rbac
Enable Windows gmsa for a kubernetes cluster with setting DNS server in the vnet used by the cluster.
az aks update -g MyResourceGroup -n MyManagedCluster --enable-windows-gmsa
Enable Windows gmsa for a kubernetes cluster without setting DNS server in the vnet used by the cluster.
az aks update -g MyResourceGroup -n MyManagedCluster --enable-windows-gmsa --gmsa-dns-server "10.240.0.4" --gmsa-root-domain-name "contoso.com"
Update a existing managed cluster to a managed cluster snapshot.
az aks update -g MyResourceGroup -n MyManagedCluster --cluster-snapshot-id "/subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.ContainerService/managedclustersnapshots/mysnapshot1"
Update a kubernetes cluster with safeguards set to "Warning". Assumes azure policy addon is already enabled
az aks update -g MyResourceGroup -n MyManagedCluster --safeguards-level Warning
Update a kubernetes cluster with safeguards set to "Warning" and some namespaces excluded. Assumes azure policy addon is already enabled
az aks update -g MyResourceGroup -n MyManagedCluster --safeguards-level Warning --safeguards-excluded-ns ns1,ns2
Update a kubernetes cluster to clear any namespaces excluded from safeguards. Assumes azure policy addon is already enabled
az aks update -g MyResourceGroup -n MyManagedCluster --safeguards-excluded-ns ""
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Comma-separated list of aad group object IDs that will be set as cluster admin.
The ID of an Azure Active Directory tenant.
Send custom headers. When specified, format should be Key1=Value1,Key2=Value2.
Comma-separated list of authorized apiserver IP ranges. Set to "" to allow all traffic on a previously restricted cluster. Set to 0.0.0.0/32 to restrict apiserver traffic to node pools.
The ID of a subnet in an existing VNet into which to assign control plane apiserver pods(requires --enable-apiserver-vnet-integration).
Specify an existing user assigned identity to manage cluster resource group.
Update cluster's kubelet identity to an existing user assigned identity. Note, this operation will recreate all agent node in the cluster.
Grant the 'acrpull' role assignment to the ACR specified by name or resource ID.
Specify the upgrade channel for autoupgrade. It could be rapid, stable, patch, node-image or none, none means disable autoupgrade.
Define the comma separated nodepool list to install azure container storage.
Identifier of Azure Key Vault key.
Network Access of Azure Key Vault.
Allowed values are "Public", "Private". If not set, defaults to type "Public". Requires --azure-keyvault-kms-key-id to be used.
Resource ID of Azure Key Vault.
Resource ID of the Azure Monitor Workspace.
Configure artifact source when bootstraping the cluster.
The artifacts include the addon image. Use "Direct" to download artifacts from MCR, "Cache" to downalod artifacts from Azure Container Registry.
Configure container registry resource ID. Must use "Cache" as bootstrap artifact source.
Path to a file containing up to 10 blank line separated certificates. Only valid for linux nodes.
These certificates are used by Custom CA Trust features and will be added to trust stores of nodes. Requires Custom CA Trust to be enabled on the node.
Space-separated list of key=value pairs for configuring cluster autoscaler. Pass an empty string to clear the profile.
Set the cluster service health probe mode.
Set the cluster service health probe mode. Default is "Servicenodeport".
The source cluster snapshot id is used to update existing cluster.
Path to JSON file containing Microsoft Defender profile configurations.
Disable the 'acrpull' role assignment to the ACR specified by name or resource ID.
Disable all advanced networking functionalities on a cluster.
Used to disable advanced networking observability features on a clusters when enabling advanced networking features with "--enable-acns".
Used to disable advanced networking security features on a clusters when enabling advanced networking features with "--enable-acns".
Disable addon autoscaling for cluster.
Disable Azure Hybrid User Benefits (AHUB) feature for cluster.
Disable AI toolchain operator.
Disable azure container storage or any one of the storage pool types.
Disable Azure KeyVault Key Management Service.
Disable Azure Monitor Application Monitoring.
Disable Azure Monitor Metrics Profile. This will delete all DCRA's associated with the cluster, any linked DCRs with the data stream = prometheus-stream and the recording rule groups created by the addon for this AKS cluster.
Disable Azure RBAC to control authorization checks on cluster.
Option '--disable-azuremonitormetrics' has been deprecated and will be removed in a future release. Use '--disable-azure-monitor-metrics' instead.
Disable Azure Monitor Metrics Profile. This will delete all DCRA's associated with the cluster, any linked DCRs with the data stream = prometheus-stream and the recording rule groups created by the addon for this AKS cluster.
Disable AzureBlob CSI Driver.
Disable cluster autoscaler.
Disable exporting Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal.
Disable defender profile.
Disable AzureDisk CSI Driver.
Disable AzureFile CSI Driver.
Disable forceUpgrade cluster upgrade settings override.
Disable ImageCleaner Service.
Disable ImageIntegrity Service.
Disable IMDS restriction in the cluster. All Pods in the cluster will be able to access IMDS.
Disable KEDA workload auto-scaler.
(Preview) If set to true, getting static credential will be disabled for this cluster.
(PREVIEW) Disable Pod Identity addon for cluster.
Disable pod security policy.
PodSecurityPolicy is deprecated. See https://aka.ms/aks/psp for details.
Disable private cluster for apiserver vnet integration cluster.
Disable public fqdn feature for private cluster.
Disable secret rotation. Use with azure-keyvault-secrets-provider addon.
Disable CSI Snapshot Controller.
Disable Static Egress Gateway addon to the cluster.
Disable vertical pod autoscaler for cluster.
(PREVIEW) Disable Workload Identity addon for cluster.
Specify AzureDisk CSI Driver version.
Enable managed AAD feature for cluster.
Enable advanced network functionalities on a cluster. Enabling this will incur additional costs. For non-cilium clusters, acns security will be disabled by default until further notice.
Enable addon autoscaling for cluster.
Enable Azure Hybrid User Benefits (AHUB) feature for cluster.
Enable AI toolchain operator to the cluster.
Enable integration of user vnet with control plane apiserver pods.
Enable azure container storage and define storage pool type.
Enable Azure KeyVault Key Management Service.
Enable Azure Monitor Application Monitoring.
Enable Azure Monitor Metrics Profile.
Enable Azure RBAC to control authorization checks on cluster.
Option '--enable-azuremonitormetrics' has been deprecated and will be removed in a future release. Use '--enable-azure-monitor-metrics' instead.
Enable Azure Monitor Metrics Profile.
Enable AzureBlob CSI Driver.
Enable cluster autoscaler.
Enable exporting Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. For more information see aka.ms/aks/docs/cost-analysis.
Enable Microsoft Defender security profile.
Enable AzureDisk CSI Driver.
Enable AzureFile CSI Driver.
Enable forceUpgrade cluster upgrade settings override.
Enable ImageCleaner Service.
Enable ImageIntegrity Service.
Enable IMDS restriction in the cluster. Non-hostNetwork Pods will not be able to access IMDS.
Enable KEDA workload auto-scaler.
(Preview) If set to true, will enable getting static credential for this cluster.
Update current cluster to managed identity to manage cluster resource group.
Enable OIDC issuer.
(PREVIEW) Enable Pod Identity addon for cluster.
(PREVIEW) Enable pod identity addon for cluster using Kubnet network plugin.
Option '--enable-pod-security-policy' has been deprecated and will be removed in a future release.
Enable pod security policy.
--enable-pod-security-policy is deprecated. See https://aka.ms/aks/psp for details.
Enable private cluster for apiserver vnet integration cluster.
Enable public fqdn feature for private cluster.
Enable secret rotation. Use with azure-keyvault-secrets-provider addon.
Enable Snapshot Controller.
Enable Static Egress Gateway addon to the cluster.
Enable vertical pod autoscaler for cluster.
Enable Windows gmsa on cluster.
Enable Windows Recording Rules when enabling the Azure Monitor Metrics addon.
(PREVIEW) Enable Workload Identity addon for cluster.
Set ephemeral disk volume type for azure container storage.
Set ephemeral disk volume type for azure container storage.
Specify DNS server for Windows gmsa on cluster.
You do not need to set this if you have set DNS server in the VNET used by the cluster. You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time when setting --enable-windows-gmsa.
Specify root domain name for Windows gmsa on cluster.
You do not need to set this if you have set DNS server in the VNET used by the cluster. You must set or not set --gmsa-dns-server and --gmsa-root-domain-name at the same time when setting --enable-windows-gmsa.
Resource ID of the Azure Managed Grafana Workspace.
HTTP Proxy configuration for this cluster.
The value provided will be compared to the ETag of the managed cluster, if it matches the operation will proceed. If it does not match, the request will be rejected to prevent accidental overwrites. This must not be specified when creating a new cluster.
Set to '*' to allow a new cluster to be created, but to prevent updating an existing cluster. Other values will be ignored.
ImageCleaner scanning interval.
A comma separated list of IP versions to use for cluster networking.
Each IP version should be in the format IPvN. For example, IPv4.
Choose from "KubernetesOfficial" or "AKSLongTermSupport", with "AKSLongTermSupport" you get 1 extra year of CVE patchs.
Comma-separated list of additional Kubernetes label keys that will be used in the resource' labels metric. By default the metric contains only name and namespace labels. To include additional labels provide a list of resource names in their plural form and Kubernetes label keys you would like to allow for them (e.g.'=namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...)'. A single '' can be provided per resource instead to allow any labels, but that has severe performance implications (e.g. '=pods=[]').
Comma-separated list of additional Kubernetes label keys that will be used in the resource' labels metric. By default the metric contains only name and namespace labels. To include additional labels provide a list of resource names in their plural form and Kubernetes label keys you would like to allow for them (e.g. '=namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...)'. A single '' can be provided per resource instead to allow any labels, but that has severe performance implications (e.g. '=pods=[]').
Kube-proxy configuration for this cluster.
Load balancer backend pool type.
Load balancer backend pool type, supported values are nodeIP and nodeIPConfiguration.
Load balancer idle timeout in minutes.
Desired idle timeout for load balancer outbound flows, default is 30 minutes. Please specify a value in the range of [4, 100].
Load balancer managed outbound IP count.
Desired number of managed outbound IPs for load balancer outbound connection. Valid for Standard SKU load balancer cluster only.
Load balancer managed outbound IPv6 IP count.
Desired number of managed outbound IPv6 IPs for load balancer outbound connection. Valid for dual-stack (--ip-families IPv4,IPv6) only.
Load balancer outbound IP prefix resource IDs.
Comma-separated public IP prefix resource IDs for load balancer outbound connection. Valid for Standard SKU load balancer cluster only.
Load balancer outbound IP resource IDs.
Comma-separated public IP resource IDs for load balancer outbound connection. Valid for Standard SKU load balancer cluster only.
Load balancer outbound allocated ports.
Desired static number of outbound ports per VM in the load balancer backend pool. By default, set to 0 which uses the default allocation based on the number of VMs. Please specify a value in the range of [0, 64000] that is a multiple of 8.
Maximum nodes count used for autoscaler, when "--enable-cluster-autoscaler" specified. Please specify the value in the range of [1, 1000].
Minimun nodes count used for autoscaler, when "--enable-cluster-autoscaler" specified. Please specify the value in the range of [1, 1000].
NAT gateway idle timeout in minutes.
Desired idle timeout for NAT gateway outbound flows, default is 4 minutes. Please specify a value in the range of [4, 120]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.
NAT gateway managed outbound IP count.
Desired number of managed outbound IPs for NAT gateway outbound connection. Please specify a value in the range of [1, 16]. Valid for Standard SKU load balancer cluster with managedNATGateway outbound type only.
The network dataplane to use.
Network dataplane used in the Kubernetes cluster. Specify "azure" to use the Azure dataplane (default) or "cilium" to enable Cilium dataplane.
The Kubernetes network plugin to use.
Specify "azure" for routable pod IPs from VNET, "kubenet" for non-routable pod IPs with an overlay network, or "none" for no networking configured.
The network plugin mode to use.
Used to control the mode the network plugin should operate in. For example, "overlay" used with --network-plugin=azure will use an overlay network (non-VNET IPs) for pods in the cluster.
Update the mode of a network policy.
Specify "azure" for Azure network policy manager, "cilium" for Azure CNI Overlay powered by Cilium. Defaults to "" (network policy disabled).
Do not wait for the long-running operation to finish.
The node initialization taints for all node pools in cluster.
Manner in which the OS on your nodes is updated. It could be NodeImage, None, SecurityPatch or Unmanaged.
Set the node provisioning mode of the cluster. Valid values are "Auto" and "Manual". For more information on "Auto" mode see aka.ms/aks/nap.
The node labels for all node pool. See https://aka.ms/node-labels for syntax of labels.
The node taints for all node pool.
Restriction level on the managed node resource.
The restriction level of permissions allowed on the cluster's managed node resource group, supported values are Unrestricted, and ReadOnly (recommended ReadOnly).
How outbound traffic will be configured for a cluster.
This option will change the way how the outbound connections are managed in the AKS cluster. Available options are loadbalancer, managedNATGateway, userAssignedNATGateway, userDefinedRouting, none and block. For custom vnet, loadbalancer, userAssignedNATGateway and userDefinedRouting are supported. For aks managed vnet, loadbalancer, managedNATGateway and userDefinedRouting are supported.
A CIDR notation IP range from which to assign pod IPs when kubenet is used.
This range must not overlap with any Subnet IP ranges. For example, 172.244.0.0/16.
The private dns zone mode for private cluster.
Set interval of rotation poll. Use with azure-keyvault-secrets-provider addon.
Comma-separated list of Kubernetes namespaces to exclude from deployment safeguards. Use "" to clear a previously non-empty list.
The deployment safeguards Level. Accepted Values are [Off, Warning, Enforcement]. Requires azure policy addon to be enabled.
The version of deployment safeguards to use. Default "v1.0.0" Use the ListSafeguardsVersions API to discover available versions.
Specify SKU name for managed clusters. '--sku base' enables a base managed cluster. '--sku automatic' enables an automatic managed cluster.
Public key path or key contents to install on node VMs for SSH access. For example, 'ssh-rsa AAAAB...snip...UcyupgH azureuser@linuxvm'.
Set storage pool name for azure container storage.
Set ephemeral disk storage pool option for azure container storage.
Set storage pool size for azure container storage.
Set azure disk type storage pool sku for azure container storage.
The tags of the managed cluster. The managed cluster instance and all resources managed by the cloud provider will be tagged.
Specify SKU tier for managed clusters. '--tier standard' enables a standard managed cluster service with a financially backed SLA. '--tier free' changes a standard managed cluster to a free one.
Update min-count or max-count for cluster autoscaler.
Until when the cluster upgradeSettings overrides are effective. It needs to be in a valid date-time format that's within the next 30 days. For example, 2023-04-01T13:00:00Z. Note that if --force-upgrade is set to true and --upgrade-override-until is not set, by default it will be set to 3 days from now.
User account password to use on windows node VMs.
Rules for windows-admin-password: - Minimum-length: 14 characters - Max-length: 123 characters - Complexity requirements: 3 out of 4 conditions below need to be fulfilled * Has lower characters * Has upper characters * Has a digit * Has a special character (Regex match [\W_]) - Disallowed values: "abc@123", "P@$$w0rd", "P@ssw0rd", "P@ssword123", "Pa$$word", "pass@word1", "Password!", "Password1", "Password22", "iloveyou!" Reference: https://docs.microsoft.com/en-us/dotnet/api/microsoft.azure.management.compute.models.virtualmachinescalesetosprofile.adminpassword?view=azure-dotnet.
Do not prompt for confirmation.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks update-credentials
Update credentials for a managed Kubernetes cluster, like service principal.
az aks update-credentials --name
--resource-group
[--aad-client-app-id]
[--aad-server-app-id]
[--aad-server-app-secret]
[--aad-tenant-id]
[--client-secret]
[--no-wait]
[--reset-aad]
[--reset-service-principal]
[--service-principal]
Examples
Update an existing Kubernetes cluster with new service principal.
az aks update-credentials -g MyResourceGroup -n MyManagedCluster --reset-service-principal --service-principal MyNewServicePrincipalID --client-secret MyNewServicePrincipalSecret
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Option '--aad-client-app-id' has been deprecated and will be removed in a future release.
The ID of an Azure Active Directory client application. This argument is required if --reset-aad
is specified.
--aad-client-app-id is deprecated. See https://aka.ms/aks/aad-legacy for details.
Option '--aad-server-app-id' has been deprecated and will be removed in a future release.
The ID of an Azure Active Directory server application. This argument is required if --reset-aad
is specified.
--aad-server-app-id is deprecated. See https://aka.ms/aks/aad-legacy for details.
Option '--aad-server-app-secret' has been deprecated and will be removed in a future release.
The secret of an Azure Active Directory server application. This argument is required if --reset-aad
is specified.
--aad-server-app-secret is deprecated. See https://aka.ms/aks/aad-legacy for details.
Option '--aad-tenant-id' has been deprecated and will be removed in a future release.
Tenant ID associated with Azure Active Directory.
Secret associated with the service principal. This argument is required if --service-principal
is specified.
Do not wait for the long-running operation to finish.
Option '--reset-aad' has been deprecated and will be removed in a future release.
Reset Azure Active Directory configuration for a managed cluster.
--reset-aad is deprecated. See https://aka.ms/aks/aad-legacy for details.
Reset service principal for a managed cluster.
Service principal used for authentication to Azure APIs. This argument is required if --reset-service-principal
is specified.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks upgrade
Upgrade a managed Kubernetes cluster to a newer version.
Kubernetes will be unavailable during cluster upgrades.
az aks upgrade --name
--resource-group
[--control-plane-only]
[--disable-force-upgrade]
[--enable-force-upgrade]
[--k8s-support-plan {AKSLongTermSupport, KubernetesOfficial}]
[--kubernetes-version]
[--no-wait]
[--node-image-only]
[--tier {free, premium, standard}]
[--upgrade-override-until]
[--yes]
Examples
Upgrade a managed Kubernetes cluster to a newer version. (autogenerated)
az aks upgrade --kubernetes-version 1.12.6 --name MyManagedCluster --resource-group MyResourceGroup
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Upgrade the cluster control plane only. If not specified, both control plane AND all node pools will be upgraded.
Disable forceUpgrade cluster upgrade settings override.
Enable forceUpgrade cluster upgrade settings override.
Choose from "KubernetesOfficial" or "AKSLongTermSupport", with "AKSLongTermSupport" you get 1 extra year of CVE patchs.
Version of Kubernetes to upgrade the cluster to, such as "1.16.9".
Do not wait for the long-running operation to finish.
Only upgrade node image for agent pools.
Specify SKU tier for managed clusters. '--tier standard' enables a standard managed cluster service with a financially backed SLA. '--tier free' does not have a financially backed SLA. '--tier premium' is required for '--k8s-support-plan AKSLongTermSupport'.
Until when the cluster upgradeSettings overrides are effective.
It needs to be in a valid date-time format that's within the next 30 days. For example, 2023-04-01T13:00:00Z. Note that if --force-upgrade is set to true and --upgrade-override-until is not set, by default it will be set to 3 days from now.
Do not prompt for confirmation.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks upgrade (aks-preview extension)
Upgrade a managed Kubernetes cluster to a newer version.
Kubernetes will be unavailable during cluster upgrades.
az aks upgrade --name
--resource-group
[--aks-custom-headers]
[--cluster-snapshot-id]
[--control-plane-only]
[--disable-force-upgrade]
[--enable-force-upgrade]
[--if-match]
[--if-none-match]
[--kubernetes-version]
[--no-wait]
[--node-image-only]
[--upgrade-override-until]
[--yes]
Examples
Upgrade a existing managed cluster to a managed cluster snapshot.
az aks upgrade -g MyResourceGroup -n MyManagedCluster --cluster-snapshot-id "/subscriptions/00000/resourceGroups/AnotherResourceGroup/providers/Microsoft.ContainerService/managedclustersnapshots/mysnapshot1"
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Send custom headers. When specified, format should be Key1=Value1,Key2=Value2.
The source cluster snapshot id is used to upgrade existing cluster.
Upgrade the cluster control plane only. If not specified, control plane AND all node pools will be upgraded.
Disable forceUpgrade cluster upgrade settings override.
Enable forceUpgrade cluster upgrade settings override.
The value provided will be compared to the ETag of the managed cluster, if it matches the operation will proceed. If it does not match, the request will be rejected to prevent accidental overwrites. This must not be specified when creating a new cluster.
Set to '*' to allow a new cluster to be created, but to prevent updating an existing cluster. Other values will be ignored.
Version of Kubernetes to upgrade the cluster to, such as "1.11.12".
Do not wait for the long-running operation to finish.
Only upgrade node image for agent pools.
Until when the cluster upgradeSettings overrides are effective.
It needs to be in a valid date-time format that's within the next 30 days. For example, 2023-04-01T13:00:00Z. Note that if --force-upgrade is set to true and --upgrade-override-until is not set, by default it will be set to 3 days from now.
Do not prompt for confirmation.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks use-dev-spaces
This command has been deprecated and will be removed in a future release.
Use Azure Dev Spaces with a managed Kubernetes cluster.
az aks use-dev-spaces --name
--resource-group
[--endpoint {None, Private, Public}]
[--space]
[--update]
[--yes]
Examples
Use Azure Dev Spaces with a managed Kubernetes cluster, interactively selecting a dev space.
az aks use-dev-spaces -g my-aks-group -n my-aks
Use Azure Dev Spaces with a managed Kubernetes cluster, updating to the latest Azure Dev Spaces client components and selecting a new or existing dev space 'my-space'.
az aks use-dev-spaces -g my-aks-group -n my-aks --update --space my-space
Use Azure Dev Spaces with a managed Kubernetes cluster, selecting a new or existing dev space 'develop/my-space' without prompting for confirmation.
az aks use-dev-spaces -g my-aks-group -n my-aks -s develop/my-space -y
Use Azure Dev Spaces with a managed Kubernetes cluster with a private endpoint.
az aks use-dev-spaces -g my-aks-group -n my-aks -e private
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
The endpoint type to be used for a Azure Dev Spaces controller. See https://aka.ms/azds-networking for more information.
Name of the new or existing dev space to select. Defaults to an interactive selection experience.
Update to the latest Azure Dev Spaces client components.
Do not prompt for confirmation. Requires --space.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks use-dev-spaces (dev-spaces extension)
Use Azure Dev Spaces with a managed Kubernetes cluster.
az aks use-dev-spaces --name
--resource-group
[--endpoint {None, Private, Public}]
[--space]
[--update]
[--yes]
Examples
Use Azure Dev Spaces with a managed Kubernetes cluster, interactively selecting a dev space.
az aks use-dev-spaces -g my-aks-group -n my-aks
Use Azure Dev Spaces with a managed Kubernetes cluster, updating to the latest Azure Dev Spaces client components and selecting a new or existing dev space 'my-space'.
az aks use-dev-spaces -g my-aks-group -n my-aks --update --space my-space
Use Azure Dev Spaces with a managed Kubernetes cluster, selecting a new or existing dev space 'develop/my-space' without prompting for confirmation.
az aks use-dev-spaces -g my-aks-group -n my-aks -s develop/my-space -y
Use Azure Dev Spaces with a managed Kubernetes cluster with a private endpoint.
az aks use-dev-spaces -g my-aks-group -n my-aks -e private
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
The endpoint type to be used for a Azure Dev Spaces controller. See https://aka.ms/azds-networking for more information.
Name of the new or existing dev space to select. Defaults to an interactive selection experience.
Update to the latest Azure Dev Spaces client components.
Do not prompt for confirmation. Requires --space.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks wait
Wait for a managed Kubernetes cluster to reach a desired state.
If an operation on a cluster was interrupted or was started with --no-wait
, use this command to wait for it to complete.
az aks wait --name
--resource-group
[--created]
[--custom]
[--deleted]
[--exists]
[--interval]
[--timeout]
[--updated]
Examples
Wait for a cluster to be upgraded, polling every minute for up to thirty minutes.
az aks wait -g MyResourceGroup -n MyManagedCluster --updated --interval 60 --timeout 1800
Wait for a managed Kubernetes cluster to reach a desired state (autogenerated)
az aks wait --created --interval 60 --name MyManagedCluster --resource-group MyResourceGroup --timeout 1800
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Wait until created with 'provisioningState' at 'Succeeded'.
Wait until the condition satisfies a custom JMESPath query. E.g. provisioningState!='InProgress', instanceView.statuses[?code=='PowerState/running'].
Wait until deleted.
Wait until the resource exists.
Polling interval in seconds.
Maximum wait in seconds.
Wait until updated with provisioningState at 'Succeeded'.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.
az aks wait (aks-preview extension)
Wait for a managed Kubernetes cluster to reach a desired state.
If an operation on a cluster was interrupted or was started with --no-wait
, use this command to wait for it to complete.
az aks wait --name
--resource-group
[--created]
[--custom]
[--deleted]
[--exists]
[--interval]
[--timeout]
[--updated]
Examples
Wait for a cluster to be upgraded, polling every minute for up to thirty minutes.
az aks wait -g MyResourceGroup -n MyManagedCluster --updated --interval 60 --timeout 1800
Wait for a managed Kubernetes cluster to reach a desired state (autogenerated)
az aks wait --created --interval 60 --name MyManagedCluster --resource-group MyResourceGroup --timeout 1800
Required Parameters
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>
.
Optional Parameters
Wait until created with 'provisioningState' at 'Succeeded'.
Wait until the condition satisfies a custom JMESPath query. E.g. provisioningState!='InProgress', instanceView.statuses[?code=='PowerState/running'].
Wait until deleted.
Wait until the resource exists.
Polling interval in seconds.
Maximum wait in seconds.
Wait until updated with provisioningState at 'Succeeded'.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID
.
Increase logging verbosity. Use --debug for full debug logs.