Kubernetes
Manages a Managed Kubernetes Cluster (also known as AKS / Azure Kubernetes Service)
Note: Due to the fast-moving nature of AKS, we recommend using the latest version of the Azure Provider when using AKS.
Example Usage
This example provisions a basic Managed Kubernetes Cluster.
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const example = new azure.core.ResourceGroup("example", {
name: "example-resources",
location: "West Europe",
});
const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
name: "example-aks1",
location: example.location,
resourceGroupName: example.name,
dnsPrefix: "exampleaks1",
defaultNodePool: {
name: "default",
nodeCount: 1,
vmSize: "Standard_D2_v2",
},
identity: {
type: "SystemAssigned",
},
tags: {
Environment: "Production",
},
});
export const clientCertificate = exampleKubernetesCluster.kubeConfigs.apply(kubeConfigs => kubeConfigs[0].clientCertificate);
export const kubeConfig = exampleKubernetesCluster.kubeConfigRaw;import pulumi
import pulumi_azure as azure
example = azure.core.ResourceGroup("example",
name="example-resources",
location="West Europe")
example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
name="example-aks1",
location=example.location,
resource_group_name=example.name,
dns_prefix="exampleaks1",
default_node_pool={
"name": "default",
"node_count": 1,
"vm_size": "Standard_D2_v2",
},
identity={
"type": "SystemAssigned",
},
tags={
"Environment": "Production",
})
pulumi.export("clientCertificate", example_kubernetes_cluster.kube_configs[0].client_certificate)
pulumi.export("kubeConfig", example_kubernetes_cluster.kube_config_raw)using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
var example = new Azure.Core.ResourceGroup("example", new()
{
Name = "example-resources",
Location = "West Europe",
});
var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
{
Name = "example-aks1",
Location = example.Location,
ResourceGroupName = example.Name,
DnsPrefix = "exampleaks1",
DefaultNodePool = new Azure.ContainerService.Inputs.KubernetesClusterDefaultNodePoolArgs
{
Name = "default",
NodeCount = 1,
VmSize = "Standard_D2_v2",
},
Identity = new Azure.ContainerService.Inputs.KubernetesClusterIdentityArgs
{
Type = "SystemAssigned",
},
Tags =
{
{ "Environment", "Production" },
},
});
return new Dictionary<string, object?>
{
["clientCertificate"] = exampleKubernetesCluster.KubeConfigs.Apply(kubeConfigs => kubeConfigs[0].ClientCertificate),
["kubeConfig"] = exampleKubernetesCluster.KubeConfigRaw,
};
});package main
import (
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/containerservice"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
Name: pulumi.String("example-resources"),
Location: pulumi.String("West Europe"),
})
if err != nil {
return err
}
exampleKubernetesCluster, err := containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
Name: pulumi.String("example-aks1"),
Location: example.Location,
ResourceGroupName: example.Name,
DnsPrefix: pulumi.String("exampleaks1"),
DefaultNodePool: &containerservice.KubernetesClusterDefaultNodePoolArgs{
Name: pulumi.String("default"),
NodeCount: pulumi.Int(1),
VmSize: pulumi.String("Standard_D2_v2"),
},
Identity: &containerservice.KubernetesClusterIdentityArgs{
Type: pulumi.String("SystemAssigned"),
},
Tags: pulumi.StringMap{
"Environment": pulumi.String("Production"),
},
})
if err != nil {
return err
}
ctx.Export("clientCertificate", exampleKubernetesCluster.KubeConfigs.ApplyT(func(kubeConfigs []containerservice.KubernetesClusterKubeConfig) (*string, error) {
return &kubeConfigs[0].ClientCertificate, nil
}).(pulumi.StringPtrOutput))
ctx.Export("kubeConfig", exampleKubernetesCluster.KubeConfigRaw)
return nil
})
}package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.containerservice.KubernetesCluster;
import com.pulumi.azure.containerservice.KubernetesClusterArgs;
import com.pulumi.azure.containerservice.inputs.KubernetesClusterDefaultNodePoolArgs;
import com.pulumi.azure.containerservice.inputs.KubernetesClusterIdentityArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new ResourceGroup("example", ResourceGroupArgs.builder()
.name("example-resources")
.location("West Europe")
.build());
var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
.name("example-aks1")
.location(example.location())
.resourceGroupName(example.name())
.dnsPrefix("exampleaks1")
.defaultNodePool(KubernetesClusterDefaultNodePoolArgs.builder()
.name("default")
.nodeCount(1)
.vmSize("Standard_D2_v2")
.build())
.identity(KubernetesClusterIdentityArgs.builder()
.type("SystemAssigned")
.build())
.tags(Map.of("Environment", "Production"))
.build());
ctx.export("clientCertificate", exampleKubernetesCluster.kubeConfigs().applyValue(_kubeConfigs -> _kubeConfigs[0].clientCertificate()));
ctx.export("kubeConfig", exampleKubernetesCluster.kubeConfigRaw());
}
}resources:
example:
type: azure:core:ResourceGroup
properties:
name: example-resources
location: West Europe
exampleKubernetesCluster:
type: azure:containerservice:KubernetesCluster
name: example
properties:
name: example-aks1
location: ${example.location}
resourceGroupName: ${example.name}
dnsPrefix: exampleaks1
defaultNodePool:
name: default
nodeCount: 1
vmSize: Standard_D2_v2
identity:
type: SystemAssigned
tags:
Environment: Production
outputs:
clientCertificate: ${exampleKubernetesCluster.kubeConfigs[0].clientCertificate}
kubeConfig: ${exampleKubernetesCluster.kubeConfigRaw}Import
Managed Kubernetes Clusters can be imported using the resource id, e.g.
$ pulumi import azure:containerservice/kubernetesCluster:KubernetesCluster cluster1 /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.ContainerService/managedClusters/cluster1Constructors
Properties
A aci_connector_linux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.
An api_server_access_profile block as defined below.
The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none. !>Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.
A auto_scaler_profile block as defined below.
A azure_active_directory_role_based_access_control block as defined below.
Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
A confidential_computing block as defined below. For more details please the documentation
Should cost analysis be enabled for this Kubernetes Cluster? Defaults to false. The sku_tier must be set to Standard or Premium to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal.
Specifies configuration for "System" mode node pool. A default_node_pool block as defined below.
The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.
Should HTTP Application Routing be enabled?
A http_proxy_config block as defined below.
An identity block as defined below. One of either identity or service_principal must be specified. !>Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.
Specifies whether Image Cleaner is enabled.
Specifies the interval in hours when images should be cleaned up. Defaults to 0.
A ingress_application_gateway block as defined below.
A key_management_service block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
A key_vault_secrets_provider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
A kubelet_identity block as defined below.
Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified, minor version aliases such as 1.22 are also supported. - The minor version's latest GA patch is automatically chosen in that case. More details can be found in the documentation.
A linux_profile block as defined below.
If true local accounts will be disabled. See the documentation for more information.
A maintenance_window block as defined below.
A maintenance_window_auto_upgrade block as defined below.
A maintenance_window_node_os block as defined below.
A microsoft_defender block as defined below.
Specifies a Prometheus add-on profile for the Kubernetes Cluster. A monitor_metrics block as defined below.
A network_profile block as defined below. Changing this forces a new resource to be created.
The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None. Defaults to NodeImage.
The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.
Enable or Disable the OIDC issuer URL
A oms_agent block as defined below.
Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created.
Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.
Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this or None. In case of None you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.
Whether to enable run command for the cluster or not. Defaults to true.
A service_mesh_profile block as defined below.
A service_principal block as documented below. One of either identity or service_principal must be specified. !>Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.
A storage_profile block as defined below.
Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are KubernetesOfficial and AKSLongTermSupport. Defaults to KubernetesOfficial.
A upgrade_override block as defined below.
A web_app_routing block as defined below.
A windows_profile block as defined below.
A workload_autoscaler_profile block defined below.
Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.