{
  "description": "Generator information:\n- Generated from: /containerservice/resource-manager/Microsoft.ContainerService/aks/preview/2024-04-02-preview/managedClusters.json\n- ARM URI: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ContainerService/managedClusters/{resourceName}",
  "properties": {
    "apiVersion": {
      "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
      "type": "string"
    },
    "kind": {
      "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
      "type": "string"
    },
    "metadata": {
      "type": "object"
    },
    "spec": {
      "properties": {
        "aadProfile": {
          "description": "AadProfile: The Azure Active Directory configuration.",
          "properties": {
            "adminGroupObjectIDs": {
              "description": "AdminGroupObjectIDs: The list of AAD group object IDs that will have admin role of the cluster.",
              "items": {
                "type": "string"
              },
              "type": "array"
            },
            "clientAppID": {
              "description": "ClientAppID: (DEPRECATED) The client AAD application ID. Learn more at https://aka.ms/aks/aad-legacy.",
              "type": "string"
            },
            "enableAzureRBAC": {
              "description": "EnableAzureRBAC: Whether to enable Azure RBAC for Kubernetes authorization.",
              "type": "boolean"
            },
            "managed": {
              "description": "Managed: Whether to enable managed AAD.",
              "type": "boolean"
            },
            "serverAppID": {
              "description": "ServerAppID: (DEPRECATED) The server AAD application ID. Learn more at https://aka.ms/aks/aad-legacy.",
              "type": "string"
            },
            "serverAppSecret": {
              "description": "ServerAppSecret: (DEPRECATED) The server AAD application secret. Learn more at https://aka.ms/aks/aad-legacy.",
              "type": "string"
            },
            "tenantID": {
              "description": "TenantID: The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment\nsubscription.",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "addonProfiles": {
          "additionalProperties": {
            "description": "A Kubernetes add-on profile for a managed cluster.",
            "properties": {
              "config": {
                "additionalProperties": {
                  "type": "string"
                },
                "description": "Config: Key-value pairs for configuring an add-on.",
                "type": "object"
              },
              "enabled": {
                "description": "Enabled: Whether the add-on is enabled or not.",
                "type": "boolean"
              }
            },
            "required": [
              "enabled"
            ],
            "type": "object",
            "additionalProperties": false
          },
          "description": "AddonProfiles: The profile of managed cluster add-on.",
          "type": "object"
        },
        "agentPoolProfiles": {
          "description": "AgentPoolProfiles: The agent pool properties.",
          "items": {
            "description": "Profile for the container service agent pool.",
            "properties": {
              "artifactStreamingProfile": {
                "description": "ArtifactStreamingProfile: Configuration for using artifact streaming on AKS.",
                "properties": {
                  "enabled": {
                    "description": "Enabled: Artifact streaming speeds up the cold-start of containers on a node through on-demand image loading. To use\nthis feature, container images must also enable artifact streaming on ACR. If not specified, the default is false.",
                    "type": "boolean"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "availabilityZones": {
                "description": "AvailabilityZones: The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType\nproperty is 'VirtualMachineScaleSets'.",
                "items": {
                  "type": "string"
                },
                "type": "array"
              },
              "capacityReservationGroupReference": {
                "description": "CapacityReservationGroupReference: AKS will associate the specified agent pool with the Capacity Reservation Group.",
                "properties": {
                  "armId": {
                    "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.",
                    "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
                    "type": "string"
                  },
                  "group": {
                    "description": "Group is the Kubernetes group of the resource.",
                    "type": "string"
                  },
                  "kind": {
                    "description": "Kind is the Kubernetes kind of the resource.",
                    "type": "string"
                  },
                  "name": {
                    "description": "Name is the Kubernetes name of the resource.",
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "count": {
                "description": "Count: Number of agents (VMs) to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive)\nfor user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1.",
                "type": "integer"
              },
              "creationData": {
                "description": "CreationData: CreationData to be used to specify the source Snapshot ID if the node pool will be created/upgraded using\na snapshot.",
                "properties": {
                  "sourceResourceReference": {
                    "description": "SourceResourceReference: This is the ARM ID of the source object to be used to create the target object.",
                    "properties": {
                      "armId": {
                        "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.",
                        "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
                        "type": "string"
                      },
                      "group": {
                        "description": "Group is the Kubernetes group of the resource.",
                        "type": "string"
                      },
                      "kind": {
                        "description": "Kind is the Kubernetes kind of the resource.",
                        "type": "string"
                      },
                      "name": {
                        "description": "Name is the Kubernetes name of the resource.",
                        "type": "string"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "enableAutoScaling": {
                "description": "EnableAutoScaling: Whether to enable auto-scaler",
                "type": "boolean"
              },
              "enableCustomCATrust": {
                "description": "EnableCustomCATrust: When set to true, AKS adds a label to the node indicating that the feature is enabled and deploys a\ndaemonset along with host services to sync custom certificate authorities from user-provided list of base64 encoded\ncertificates into node trust stores. Defaults to false.",
                "type": "boolean"
              },
              "enableEncryptionAtHost": {
                "description": "EnableEncryptionAtHost: This is only supported on certain VM sizes and in certain Azure regions. For more information,\nsee: https://docs.microsoft.com/azure/aks/enable-host-encryption",
                "type": "boolean"
              },
              "enableFIPS": {
                "description": "EnableFIPS: See [Add a FIPS-enabled node\npool](https://docs.microsoft.com/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool-preview) for more\ndetails.",
                "type": "boolean"
              },
              "enableNodePublicIP": {
                "description": "EnableNodePublicIP: Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses.\nA common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine\nto minimize hops. For more information see [assigning a public IP per\nnode](https://docs.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools). The\ndefault is false.",
                "type": "boolean"
              },
              "enableUltraSSD": {
                "description": "EnableUltraSSD: Whether to enable UltraSSD",
                "type": "boolean"
              },
              "gatewayProfile": {
                "description": "GatewayProfile: Profile specific to a managed agent pool in Gateway mode. This field cannot be set if agent pool mode is\nnot Gateway.",
                "properties": {
                  "publicIPPrefixSize": {
                    "description": "PublicIPPrefixSize: The Gateway agent pool associates one public IPPrefix for each static egress gateway to provide\npublic egress. The size of Public IPPrefix should be selected by the user. Each node in the agent pool is assigned with\none IP from the IPPrefix. The IPPrefix size thus serves as a cap on the size of the Gateway agent pool. Due to Azure\npublic IPPrefix size limitation, the valid value range is [28, 31] (/31 = 2 nodes/IPs, /30 = 4 nodes/IPs, /29 = 8\nnodes/IPs, /28 = 16 nodes/IPs). The default value is 31.",
                    "maximum": 31,
                    "minimum": 28,
                    "type": "integer"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "gpuInstanceProfile": {
                "description": "GpuInstanceProfile: GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU.",
                "enum": [
                  "MIG1g",
                  "MIG2g",
                  "MIG3g",
                  "MIG4g",
                  "MIG7g"
                ],
                "type": "string"
              },
              "gpuProfile": {
                "description": "GpuProfile: The GPU settings of an agent pool.",
                "properties": {
                  "installGPUDriver": {
                    "description": "InstallGPUDriver: The default value is true when the vmSize of the agent pool contains a GPU, false otherwise. GPU\nDriver Installation can only be set true when VM has an associated GPU resource. Setting this field to false prevents\nautomatic GPU driver installation. In that case, in order for the GPU to be usable, the user must perform GPU driver\ninstallation themselves.",
                    "type": "boolean"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "hostGroupReference": {
                "description": "HostGroupReference: This is of the form:\n/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/hostGroups/{hostGroupName}.\nFor more information see [Azure dedicated hosts](https://docs.microsoft.com/azure/virtual-machines/dedicated-hosts).",
                "properties": {
                  "armId": {
                    "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.",
                    "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
                    "type": "string"
                  },
                  "group": {
                    "description": "Group is the Kubernetes group of the resource.",
                    "type": "string"
                  },
                  "kind": {
                    "description": "Kind is the Kubernetes kind of the resource.",
                    "type": "string"
                  },
                  "name": {
                    "description": "Name is the Kubernetes name of the resource.",
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "kubeletConfig": {
                "description": "KubeletConfig: The Kubelet configuration on the agent pool nodes.",
                "properties": {
                  "allowedUnsafeSysctls": {
                    "description": "AllowedUnsafeSysctls: Allowed list of unsafe sysctls or unsafe sysctl patterns (ending in `*`).",
                    "items": {
                      "type": "string"
                    },
                    "type": "array"
                  },
                  "containerLogMaxFiles": {
                    "description": "ContainerLogMaxFiles: The maximum number of container log files that can be present for a container. The number must be\n\u2265 2.",
                    "minimum": 2,
                    "type": "integer"
                  },
                  "containerLogMaxSizeMB": {
                    "description": "ContainerLogMaxSizeMB: The maximum size (e.g. 10Mi) of container log file before it is rotated.",
                    "type": "integer"
                  },
                  "cpuCfsQuota": {
                    "description": "CpuCfsQuota: The default is true.",
                    "type": "boolean"
                  },
                  "cpuCfsQuotaPeriod": {
                    "description": "CpuCfsQuotaPeriod: The default is '100ms.' Valid values are a sequence of decimal numbers with an optional fraction and\na unit suffix. For example: '300ms', '2h45m'. Supported units are 'ns', 'us', 'ms', 's', 'm', and 'h'.",
                    "type": "string"
                  },
                  "cpuManagerPolicy": {
                    "description": "CpuManagerPolicy: The default is 'none'. See [Kubernetes CPU management\npolicies](https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#cpu-management-policies) for more\ninformation. Allowed values are 'none' and 'static'.",
                    "type": "string"
                  },
                  "failSwapOn": {
                    "description": "FailSwapOn: If set to true it will make the Kubelet fail to start if swap is enabled on the node.",
                    "type": "boolean"
                  },
                  "imageGcHighThreshold": {
                    "description": "ImageGcHighThreshold: To disable image garbage collection, set to 100. The default is 85%",
                    "type": "integer"
                  },
                  "imageGcLowThreshold": {
                    "description": "ImageGcLowThreshold: This cannot be set higher than imageGcHighThreshold. The default is 80%",
                    "type": "integer"
                  },
                  "podMaxPids": {
                    "description": "PodMaxPids: The maximum number of processes per pod.",
                    "type": "integer"
                  },
                  "topologyManagerPolicy": {
                    "description": "TopologyManagerPolicy: For more information see [Kubernetes Topology\nManager](https://kubernetes.io/docs/tasks/administer-cluster/topology-manager). The default is 'none'. Allowed values\nare 'none', 'best-effort', 'restricted', and 'single-numa-node'.",
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "kubeletDiskType": {
                "description": "KubeletDiskType: Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral\nstorage.",
                "enum": [
                  "OS",
                  "Temporary"
                ],
                "type": "string"
              },
              "linuxOSConfig": {
                "description": "LinuxOSConfig: The OS configuration of Linux agent nodes.",
                "properties": {
                  "swapFileSizeMB": {
                    "description": "SwapFileSizeMB: The size in MB of a swap file that will be created on each node.",
                    "type": "integer"
                  },
                  "sysctls": {
                    "description": "Sysctls: Sysctl settings for Linux agent nodes.",
                    "properties": {
                      "fsAioMaxNr": {
                        "description": "FsAioMaxNr: Sysctl setting fs.aio-max-nr.",
                        "type": "integer"
                      },
                      "fsFileMax": {
                        "description": "FsFileMax: Sysctl setting fs.file-max.",
                        "type": "integer"
                      },
                      "fsInotifyMaxUserWatches": {
                        "description": "FsInotifyMaxUserWatches: Sysctl setting fs.inotify.max_user_watches.",
                        "type": "integer"
                      },
                      "fsNrOpen": {
                        "description": "FsNrOpen: Sysctl setting fs.nr_open.",
                        "type": "integer"
                      },
                      "kernelThreadsMax": {
                        "description": "KernelThreadsMax: Sysctl setting kernel.threads-max.",
                        "type": "integer"
                      },
                      "netCoreNetdevMaxBacklog": {
                        "description": "NetCoreNetdevMaxBacklog: Sysctl setting net.core.netdev_max_backlog.",
                        "type": "integer"
                      },
                      "netCoreOptmemMax": {
                        "description": "NetCoreOptmemMax: Sysctl setting net.core.optmem_max.",
                        "type": "integer"
                      },
                      "netCoreRmemDefault": {
                        "description": "NetCoreRmemDefault: Sysctl setting net.core.rmem_default.",
                        "type": "integer"
                      },
                      "netCoreRmemMax": {
                        "description": "NetCoreRmemMax: Sysctl setting net.core.rmem_max.",
                        "type": "integer"
                      },
                      "netCoreSomaxconn": {
                        "description": "NetCoreSomaxconn: Sysctl setting net.core.somaxconn.",
                        "type": "integer"
                      },
                      "netCoreWmemDefault": {
                        "description": "NetCoreWmemDefault: Sysctl setting net.core.wmem_default.",
                        "type": "integer"
                      },
                      "netCoreWmemMax": {
                        "description": "NetCoreWmemMax: Sysctl setting net.core.wmem_max.",
                        "type": "integer"
                      },
                      "netIpv4IpLocalPortRange": {
                        "description": "NetIpv4IpLocalPortRange: Sysctl setting net.ipv4.ip_local_port_range.",
                        "type": "string"
                      },
                      "netIpv4NeighDefaultGcThresh1": {
                        "description": "NetIpv4NeighDefaultGcThresh1: Sysctl setting net.ipv4.neigh.default.gc_thresh1.",
                        "type": "integer"
                      },
                      "netIpv4NeighDefaultGcThresh2": {
                        "description": "NetIpv4NeighDefaultGcThresh2: Sysctl setting net.ipv4.neigh.default.gc_thresh2.",
                        "type": "integer"
                      },
                      "netIpv4NeighDefaultGcThresh3": {
                        "description": "NetIpv4NeighDefaultGcThresh3: Sysctl setting net.ipv4.neigh.default.gc_thresh3.",
                        "type": "integer"
                      },
                      "netIpv4TcpFinTimeout": {
                        "description": "NetIpv4TcpFinTimeout: Sysctl setting net.ipv4.tcp_fin_timeout.",
                        "type": "integer"
                      },
                      "netIpv4TcpKeepaliveProbes": {
                        "description": "NetIpv4TcpKeepaliveProbes: Sysctl setting net.ipv4.tcp_keepalive_probes.",
                        "type": "integer"
                      },
                      "netIpv4TcpKeepaliveTime": {
                        "description": "NetIpv4TcpKeepaliveTime: Sysctl setting net.ipv4.tcp_keepalive_time.",
                        "type": "integer"
                      },
                      "netIpv4TcpMaxSynBacklog": {
                        "description": "NetIpv4TcpMaxSynBacklog: Sysctl setting net.ipv4.tcp_max_syn_backlog.",
                        "type": "integer"
                      },
                      "netIpv4TcpMaxTwBuckets": {
                        "description": "NetIpv4TcpMaxTwBuckets: Sysctl setting net.ipv4.tcp_max_tw_buckets.",
                        "type": "integer"
                      },
                      "netIpv4TcpTwReuse": {
                        "description": "NetIpv4TcpTwReuse: Sysctl setting net.ipv4.tcp_tw_reuse.",
                        "type": "boolean"
                      },
                      "netIpv4TcpkeepaliveIntvl": {
                        "description": "NetIpv4TcpkeepaliveIntvl: Sysctl setting net.ipv4.tcp_keepalive_intvl.",
                        "maximum": 90,
                        "minimum": 10,
                        "type": "integer"
                      },
                      "netNetfilterNfConntrackBuckets": {
                        "description": "NetNetfilterNfConntrackBuckets: Sysctl setting net.netfilter.nf_conntrack_buckets.",
                        "maximum": 524288,
                        "minimum": 65536,
                        "type": "integer"
                      },
                      "netNetfilterNfConntrackMax": {
                        "description": "NetNetfilterNfConntrackMax: Sysctl setting net.netfilter.nf_conntrack_max.",
                        "maximum": 2097152,
                        "minimum": 131072,
                        "type": "integer"
                      },
                      "vmMaxMapCount": {
                        "description": "VmMaxMapCount: Sysctl setting vm.max_map_count.",
                        "type": "integer"
                      },
                      "vmSwappiness": {
                        "description": "VmSwappiness: Sysctl setting vm.swappiness.",
                        "type": "integer"
                      },
                      "vmVfsCachePressure": {
                        "description": "VmVfsCachePressure: Sysctl setting vm.vfs_cache_pressure.",
                        "type": "integer"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "transparentHugePageDefrag": {
                    "description": "TransparentHugePageDefrag: Valid values are 'always', 'defer', 'defer+madvise', 'madvise' and 'never'. The default is\n'madvise'. For more information see [Transparent\nHugepages](https://www.kernel.org/doc/html/latest/admin-guide/mm/transhuge.html#admin-guide-transhuge).",
                    "type": "string"
                  },
                  "transparentHugePageEnabled": {
                    "description": "TransparentHugePageEnabled: Valid values are 'always', 'madvise', and 'never'. The default is 'always'. For more\ninformation see [Transparent\nHugepages](https://www.kernel.org/doc/html/latest/admin-guide/mm/transhuge.html#admin-guide-transhuge).",
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "maxCount": {
                "description": "MaxCount: The maximum number of nodes for auto-scaling",
                "type": "integer"
              },
              "maxPods": {
                "description": "MaxPods: The maximum number of pods that can run on a node.",
                "type": "integer"
              },
              "messageOfTheDay": {
                "description": "MessageOfTheDay: A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of\nthe message of the day for Linux nodes. It must not be specified for Windows nodes. It must be a static string (i.e.,\nwill be printed raw and not be executed as a script).",
                "type": "string"
              },
              "minCount": {
                "description": "MinCount: The minimum number of nodes for auto-scaling",
                "type": "integer"
              },
              "mode": {
                "description": "Mode: A cluster must have at least one 'System' Agent Pool at all times. For additional information on agent pool\nrestrictions  and best practices, see: https://docs.microsoft.com/azure/aks/use-system-pools",
                "enum": [
                  "Gateway",
                  "System",
                  "User"
                ],
                "type": "string"
              },
              "name": {
                "description": "Name: Windows agent pool names must be 6 characters or less.",
                "pattern": "^[a-z][a-z0-9]{0,11}$",
                "type": "string"
              },
              "networkProfile": {
                "description": "NetworkProfile: Network-related settings of an agent pool.",
                "properties": {
                  "allowedHostPorts": {
                    "description": "AllowedHostPorts: The port ranges that are allowed to access. The specified ranges are allowed to overlap.",
                    "items": {
                      "description": "The port range.",
                      "properties": {
                        "portEnd": {
                          "description": "PortEnd: The maximum port that is included in the range. It should be ranged from 1 to 65535, and be greater than or\nequal to portStart.",
                          "maximum": 65535,
                          "minimum": 1,
                          "type": "integer"
                        },
                        "portStart": {
                          "description": "PortStart: The minimum port that is included in the range. It should be ranged from 1 to 65535, and be less than or\nequal to portEnd.",
                          "maximum": 65535,
                          "minimum": 1,
                          "type": "integer"
                        },
                        "protocol": {
                          "description": "Protocol: The network protocol of the port.",
                          "enum": [
                            "TCP",
                            "UDP"
                          ],
                          "type": "string"
                        }
                      },
                      "type": "object",
                      "additionalProperties": false
                    },
                    "type": "array"
                  },
                  "applicationSecurityGroupsReferences": {
                    "description": "ApplicationSecurityGroupsReferences: The IDs of the application security groups which agent pool will associate when\ncreated.",
                    "items": {
                      "description": "ResourceReference represents a resource reference, either to a Kubernetes resource or directly to an Azure resource via ARMID",
                      "properties": {
                        "armId": {
                          "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.",
                          "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
                          "type": "string"
                        },
                        "group": {
                          "description": "Group is the Kubernetes group of the resource.",
                          "type": "string"
                        },
                        "kind": {
                          "description": "Kind is the Kubernetes kind of the resource.",
                          "type": "string"
                        },
                        "name": {
                          "description": "Name is the Kubernetes name of the resource.",
                          "type": "string"
                        }
                      },
                      "type": "object",
                      "additionalProperties": false
                    },
                    "type": "array"
                  },
                  "nodePublicIPTags": {
                    "description": "NodePublicIPTags: IPTags of instance-level public IPs.",
                    "items": {
                      "description": "Contains the IPTag associated with the object.",
                      "properties": {
                        "ipTagType": {
                          "description": "IpTagType: The IP tag type. Example: RoutingPreference.",
                          "type": "string"
                        },
                        "tag": {
                          "description": "Tag: The value of the IP tag associated with the public IP. Example: Internet.",
                          "type": "string"
                        }
                      },
                      "type": "object",
                      "additionalProperties": false
                    },
                    "type": "array"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "nodeInitializationTaints": {
                "description": "NodeInitializationTaints: These taints will not be reconciled by AKS and can be removed with a kubectl call. This field\ncan be modified after node pool is created, but nodes will not be recreated with new taints until another operation that\nrequires recreation (e.g. node image upgrade) happens. These taints allow for required configuration to run before the\nnode is ready to accept workloads, for example 'key1=value1:NoSchedule' that then can be removed with `kubectl taint\nnodes node1 key1=value1:NoSchedule-`",
                "items": {
                  "type": "string"
                },
                "type": "array"
              },
              "nodeLabels": {
                "additionalProperties": {
                  "type": "string"
                },
                "description": "NodeLabels: The node labels to be persisted across all nodes in agent pool.",
                "type": "object"
              },
              "nodePublicIPPrefixReference": {
                "description": "NodePublicIPPrefixReference: This is of the form:\n/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPPrefixes/{publicIPPrefixName}",
                "properties": {
                  "armId": {
                    "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.",
                    "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
                    "type": "string"
                  },
                  "group": {
                    "description": "Group is the Kubernetes group of the resource.",
                    "type": "string"
                  },
                  "kind": {
                    "description": "Kind is the Kubernetes kind of the resource.",
                    "type": "string"
                  },
                  "name": {
                    "description": "Name is the Kubernetes name of the resource.",
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "nodeTaints": {
                "description": "NodeTaints: The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule.",
                "items": {
                  "type": "string"
                },
                "type": "array"
              },
              "orchestratorVersion": {
                "description": "OrchestratorVersion: Both patch version <major.minor.patch> and <major.minor> are supported. When <major.minor> is\nspecified, the latest supported patch version is chosen automatically. Updating the agent pool with the same\n<major.minor> once it has been created will not trigger an upgrade, even if a newer patch version is available. As a\nbest practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version\nmust have the same major version as the control plane. The node pool minor version must be within two minor versions of\nthe control plane version. The node pool version cannot be greater than the control plane version. For more information\nsee [upgrading a node pool](https://docs.microsoft.com/azure/aks/use-multiple-node-pools#upgrade-a-node-pool).",
                "type": "string"
              },
              "osDiskSizeGB": {
                "maximum": 2048,
                "minimum": 0,
                "type": "integer"
              },
              "osDiskType": {
                "description": "OsDiskType: The default is 'Ephemeral' if the VM supports it and has a cache disk larger than the requested\nOSDiskSizeGB. Otherwise,  defaults to 'Managed'. May not be changed after creation. For more information see [Ephemeral\nOS](https://docs.microsoft.com/azure/aks/cluster-configuration#ephemeral-os).",
                "enum": [
                  "Ephemeral",
                  "Managed"
                ],
                "type": "string"
              },
              "osSKU": {
                "description": "OsSKU: Specifies the OS SKU used by the agent pool. If not specified, the default is Ubuntu if OSType=Linux or\nWindows2019 if  OSType=Windows. And the default Windows OSSKU will be changed to Windows2022 after Windows2019 is\ndeprecated.",
                "enum": [
                  "AzureLinux",
                  "CBLMariner",
                  "Mariner",
                  "Ubuntu",
                  "Windows2019",
                  "Windows2022",
                  "WindowsAnnual"
                ],
                "type": "string"
              },
              "osType": {
                "description": "OsType: The operating system type. The default is Linux.",
                "enum": [
                  "Linux",
                  "Windows"
                ],
                "type": "string"
              },
              "podIPAllocationMode": {
                "description": "PodIPAllocationMode: The IP allocation mode for pods in the agent pool. Must be used with podSubnetId. The default is\n'DynamicIndividual'.",
                "enum": [
                  "DynamicIndividual",
                  "StaticBlock"
                ],
                "type": "string"
              },
              "podSubnetReference": {
                "description": "PodSubnetReference: If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details).\nThis is of the form:\n/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}",
                "properties": {
                  "armId": {
                    "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.",
                    "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
                    "type": "string"
                  },
                  "group": {
                    "description": "Group is the Kubernetes group of the resource.",
                    "type": "string"
                  },
                  "kind": {
                    "description": "Kind is the Kubernetes kind of the resource.",
                    "type": "string"
                  },
                  "name": {
                    "description": "Name is the Kubernetes name of the resource.",
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "powerState": {
                "description": "PowerState: When an Agent Pool is first created it is initially Running. The Agent Pool can be stopped by setting this\nfield to Stopped. A stopped Agent Pool stops all of its VMs and does not accrue billing charges. An Agent Pool can only\nbe stopped if it is Running and provisioning state is Succeeded",
                "properties": {
                  "code": {
                    "description": "Code: Tells whether the cluster is Running or Stopped",
                    "enum": [
                      "Running",
                      "Stopped"
                    ],
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "proximityPlacementGroupReference": {
                "description": "ProximityPlacementGroupReference: The ID for Proximity Placement Group.",
                "properties": {
                  "armId": {
                    "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.",
                    "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
                    "type": "string"
                  },
                  "group": {
                    "description": "Group is the Kubernetes group of the resource.",
                    "type": "string"
                  },
                  "kind": {
                    "description": "Kind is the Kubernetes kind of the resource.",
                    "type": "string"
                  },
                  "name": {
                    "description": "Name is the Kubernetes name of the resource.",
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "scaleDownMode": {
                "description": "ScaleDownMode: This also affects the cluster autoscaler behavior. If not specified, it defaults to Delete.",
                "enum": [
                  "Deallocate",
                  "Delete"
                ],
                "type": "string"
              },
              "scaleSetEvictionPolicy": {
                "description": "ScaleSetEvictionPolicy: This cannot be specified unless the scaleSetPriority is 'Spot'. If not specified, the default is\n'Delete'.",
                "enum": [
                  "Deallocate",
                  "Delete"
                ],
                "type": "string"
              },
              "scaleSetPriority": {
                "description": "ScaleSetPriority: The Virtual Machine Scale Set priority. If not specified, the default is 'Regular'.",
                "enum": [
                  "Regular",
                  "Spot"
                ],
                "type": "string"
              },
              "securityProfile": {
                "description": "SecurityProfile: The security settings of an agent pool.",
                "properties": {
                  "enableSecureBoot": {
                    "description": "EnableSecureBoot: Secure Boot is a feature of Trusted Launch which ensures that only signed operating systems and\ndrivers can boot. For more details, see aka.ms/aks/trustedlaunch.  If not specified, the default is false.",
                    "type": "boolean"
                  },
                  "enableVTPM": {
                    "description": "EnableVTPM: vTPM is a Trusted Launch feature for configuring a dedicated secure vault for keys and measurements held\nlocally on the node. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false.",
                    "type": "boolean"
                  },
                  "sshAccess": {
                    "description": "SshAccess: SSH access method of an agent pool.",
                    "enum": [
                      "Disabled",
                      "LocalUser"
                    ],
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "spotMaxPrice": {
                "description": "SpotMaxPrice: Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any\non-demand price. For more details on spot pricing, see [spot VMs\npricing](https://docs.microsoft.com/azure/virtual-machines/spot-vms#pricing)",
                "type": "number"
              },
              "tags": {
                "additionalProperties": {
                  "type": "string"
                },
                "description": "Tags: The tags to be persisted on the agent pool virtual machine scale set.",
                "type": "object"
              },
              "type": {
                "description": "Type: The type of Agent Pool.",
                "enum": [
                  "AvailabilitySet",
                  "VirtualMachineScaleSets",
                  "VirtualMachines"
                ],
                "type": "string"
              },
              "upgradeSettings": {
                "description": "UpgradeSettings: Settings for upgrading the agentpool",
                "properties": {
                  "drainTimeoutInMinutes": {
                    "description": "DrainTimeoutInMinutes: The amount of time (in minutes) to wait on eviction of pods and graceful termination per node.\nThis eviction wait time honors waiting on pod disruption budgets. If this time is exceeded, the upgrade fails. If not\nspecified, the default is 30 minutes.",
                    "maximum": 1440,
                    "minimum": 1,
                    "type": "integer"
                  },
                  "maxSurge": {
                    "description": "MaxSurge: This can either be set to an integer (e.g. '5') or a percentage (e.g. '50%'). If a percentage is specified, it\nis the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded\nup. If not specified, the default is 1. For more information, including best practices, see:\nhttps://docs.microsoft.com/azure/aks/upgrade-cluster#customize-node-surge-upgrade",
                    "type": "string"
                  },
                  "nodeSoakDurationInMinutes": {
                    "description": "NodeSoakDurationInMinutes: The amount of time (in minutes) to wait after draining a node and before reimaging it and\nmoving on to next node. If not specified, the default is 0 minutes.",
                    "maximum": 30,
                    "minimum": 0,
                    "type": "integer"
                  },
                  "undrainableNodeBehavior": {
                    "description": "UndrainableNodeBehavior: Defines the behavior for undrainable nodes during upgrade. The most common cause of undrainable\nnodes is Pod Disruption Budgets (PDBs), but other issues, such as a pod termination grace period exceeding the\nremaining per-node drain timeout or a pod still being in a running state, can also cause undrainable nodes.",
                    "enum": [
                      "Cordon",
                      "Schedule"
                    ],
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "virtualMachineNodesStatus": {
                "items": {
                  "description": "Current status on a group of nodes of the same vm size.",
                  "properties": {
                    "count": {
                      "description": "Count: Number of nodes.",
                      "type": "integer"
                    },
                    "size": {
                      "description": "Size: The VM size of the agents used to host this group of nodes.",
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                },
                "type": "array"
              },
              "virtualMachinesProfile": {
                "description": "VirtualMachinesProfile: Specifications on VirtualMachines agent pool.",
                "properties": {
                  "scale": {
                    "description": "Scale: Specifications on how to scale a VirtualMachines agent pool.",
                    "properties": {
                      "autoscale": {
                        "description": "Autoscale: Specifications on how to auto-scale the VirtualMachines agent pool within a predefined size range. Currently,\nat most one AutoScaleProfile is allowed.",
                        "items": {
                          "description": "Specifications on auto-scaling.",
                          "properties": {
                            "maxCount": {
                              "description": "MaxCount: The maximum number of nodes of the specified sizes.",
                              "type": "integer"
                            },
                            "minCount": {
                              "description": "MinCount: The minimum number of nodes of the specified sizes.",
                              "type": "integer"
                            },
                            "sizes": {
                              "description": "Sizes: The list of allowed vm sizes e.g. ['Standard_E4s_v3', 'Standard_E16s_v3', 'Standard_D16s_v5']. AKS will use the\nfirst available one when auto scaling. If a VM size is unavailable (e.g. due to quota or regional capacity reasons), AKS\nwill use the next size.",
                              "items": {
                                "type": "string"
                              },
                              "type": "array"
                            }
                          },
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array"
                      },
                      "manual": {
                        "description": "Manual: Specifications on how to scale the VirtualMachines agent pool to a fixed size.",
                        "items": {
                          "description": "Specifications on number of machines.",
                          "properties": {
                            "count": {
                              "description": "Count: Number of nodes.",
                              "type": "integer"
                            },
                            "sizes": {
                              "description": "Sizes: The list of allowed vm sizes e.g. ['Standard_E4s_v3', 'Standard_E16s_v3', 'Standard_D16s_v5']. AKS will use the\nfirst available one when scaling. If a VM size is unavailable (e.g. due to quota or regional capacity reasons), AKS will\nuse the next size.",
                              "items": {
                                "type": "string"
                              },
                              "type": "array"
                            }
                          },
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "vmSize": {
                "description": "VmSize: VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods\nmight fail to run correctly. For more details on restricted VM sizes, see:\nhttps://docs.microsoft.com/azure/aks/quotas-skus-regions",
                "type": "string"
              },
              "vnetSubnetReference": {
                "description": "VnetSubnetReference: If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is\nspecified, this applies to nodes and pods, otherwise it applies to just nodes. This is of the form:\n/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}",
                "properties": {
                  "armId": {
                    "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.",
                    "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
                    "type": "string"
                  },
                  "group": {
                    "description": "Group is the Kubernetes group of the resource.",
                    "type": "string"
                  },
                  "kind": {
                    "description": "Kind is the Kubernetes kind of the resource.",
                    "type": "string"
                  },
                  "name": {
                    "description": "Name is the Kubernetes name of the resource.",
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "windowsProfile": {
                "description": "WindowsProfile: The Windows agent pool's specific profile.",
                "properties": {
                  "disableOutboundNat": {
                    "description": "DisableOutboundNat: The default value is false. Outbound NAT can only be disabled if the cluster outboundType is NAT\nGateway and the Windows agent pool does not have node public IP enabled.",
                    "type": "boolean"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "workloadRuntime": {
                "description": "WorkloadRuntime: Determines the type of workload a node can run.",
                "enum": [
                  "KataMshvVmIsolation",
                  "OCIContainer",
                  "WasmWasi"
                ],
                "type": "string"
              }
            },
            "required": [
              "name"
            ],
            "type": "object",
            "additionalProperties": false
          },
          "type": "array"
        },
        "aiToolchainOperatorProfile": {
          "description": "AiToolchainOperatorProfile: AI toolchain operator settings that apply to the whole cluster.",
          "properties": {
            "enabled": {
              "description": "Enabled: Indicates whether the AI toolchain operator is enabled or not.",
              "type": "boolean"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "apiServerAccessProfile": {
          "description": "ApiServerAccessProfile: The access profile for managed cluster API server.",
          "properties": {
            "authorizedIPRanges": {
              "description": "AuthorizedIPRanges: IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with\nclusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. For more information see [API\nserver authorized IP ranges](https://docs.microsoft.com/azure/aks/api-server-authorized-ip-ranges).",
              "items": {
                "type": "string"
              },
              "type": "array"
            },
            "disableRunCommand": {
              "description": "DisableRunCommand: Whether to disable run command for the cluster or not.",
              "type": "boolean"
            },
            "enablePrivateCluster": {
              "description": "EnablePrivateCluster: For more details, see [Creating a private AKS\ncluster](https://docs.microsoft.com/azure/aks/private-clusters).",
              "type": "boolean"
            },
            "enablePrivateClusterPublicFQDN": {
              "description": "EnablePrivateClusterPublicFQDN: Whether to create additional public FQDN for private cluster or not.",
              "type": "boolean"
            },
            "enableVnetIntegration": {
              "description": "EnableVnetIntegration: Whether to enable apiserver vnet integration for the cluster or not.",
              "type": "boolean"
            },
            "privateDNSZone": {
              "description": "PrivateDNSZone: The default is System. For more details see [configure private DNS\nzone](https://docs.microsoft.com/azure/aks/private-clusters#configure-private-dns-zone). Allowed values are 'system' and\n'none'.",
              "type": "string"
            },
            "subnetId": {
              "description": "SubnetId: It is required when: 1. creating a new cluster with BYO Vnet; 2. updating an existing cluster to enable\napiserver vnet integration.",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "autoScalerProfile": {
          "description": "AutoScalerProfile: Parameters to be applied to the cluster-autoscaler when enabled",
          "properties": {
            "balance-similar-node-groups": {
              "description": "BalanceSimilarNodeGroups: Valid values are 'true' and 'false'",
              "type": "string"
            },
            "daemonset-eviction-for-empty-nodes": {
              "description": "DaemonsetEvictionForEmptyNodes: If set to true, all daemonset pods on empty nodes will be evicted before deletion of the\nnode. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be\ndeleted without ensuring that daemonset pods are deleted or evicted.",
              "type": "boolean"
            },
            "daemonset-eviction-for-occupied-nodes": {
              "description": "DaemonsetEvictionForOccupiedNodes: If set to true, all daemonset pods on occupied nodes will be evicted before deletion\nof the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node\nwill be deleted without ensuring that daemonset pods are deleted or evicted.",
              "type": "boolean"
            },
            "expander": {
              "description": "Expander: Available values are: 'least-waste', 'most-pods', 'priority', 'random'.",
              "enum": [
                "least-waste",
                "most-pods",
                "priority",
                "random"
              ],
              "type": "string"
            },
            "ignore-daemonsets-utilization": {
              "description": "IgnoreDaemonsetsUtilization: If set to true, the resources used by daemonset will be taken into account when making\nscaling down decisions.",
              "type": "boolean"
            },
            "max-empty-bulk-delete": {
              "description": "MaxEmptyBulkDelete: The default is 10.",
              "type": "string"
            },
            "max-graceful-termination-sec": {
              "description": "MaxGracefulTerminationSec: The default is 600.",
              "type": "string"
            },
            "max-node-provision-time": {
              "description": "MaxNodeProvisionTime: The default is '15m'. Values must be an integer followed by an 'm'. No unit of time other than\nminutes (m) is supported.",
              "type": "string"
            },
            "max-total-unready-percentage": {
              "description": "MaxTotalUnreadyPercentage: The default is 45. The maximum is 100 and the minimum is 0.",
              "type": "string"
            },
            "new-pod-scale-up-delay": {
              "description": "NewPodScaleUpDelay: For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler\ncould schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. The default is\n'0s'. Values must be an integer followed by a unit ('s' for seconds, 'm' for minutes, 'h' for hours, etc).",
              "type": "string"
            },
            "ok-total-unready-count": {
              "description": "OkTotalUnreadyCount: This must be an integer. The default is 3.",
              "type": "string"
            },
            "scale-down-delay-after-add": {
              "description": "ScaleDownDelayAfterAdd: The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than\nminutes (m) is supported.",
              "type": "string"
            },
            "scale-down-delay-after-delete": {
              "description": "ScaleDownDelayAfterDelete: The default is the scan-interval. Values must be an integer followed by an 'm'. No unit of\ntime other than minutes (m) is supported.",
              "type": "string"
            },
            "scale-down-delay-after-failure": {
              "description": "ScaleDownDelayAfterFailure: The default is '3m'. Values must be an integer followed by an 'm'. No unit of time other\nthan minutes (m) is supported.",
              "type": "string"
            },
            "scale-down-unneeded-time": {
              "description": "ScaleDownUnneededTime: The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than\nminutes (m) is supported.",
              "type": "string"
            },
            "scale-down-unready-time": {
              "description": "ScaleDownUnreadyTime: The default is '20m'. Values must be an integer followed by an 'm'. No unit of time other than\nminutes (m) is supported.",
              "type": "string"
            },
            "scale-down-utilization-threshold": {
              "description": "ScaleDownUtilizationThreshold: The default is '0.5'.",
              "type": "string"
            },
            "scan-interval": {
              "description": "ScanInterval: The default is '10'. Values must be an integer number of seconds.",
              "type": "string"
            },
            "skip-nodes-with-local-storage": {
              "description": "SkipNodesWithLocalStorage: The default is true.",
              "type": "string"
            },
            "skip-nodes-with-system-pods": {
              "description": "SkipNodesWithSystemPods: The default is true.",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "autoUpgradeProfile": {
          "description": "AutoUpgradeProfile: The auto upgrade configuration.",
          "properties": {
            "nodeOSUpgradeChannel": {
              "description": "NodeOSUpgradeChannel: The default is Unmanaged, but may change to either NodeImage or SecurityPatch at GA.",
              "enum": [
                "NodeImage",
                "None",
                "SecurityPatch",
                "Unmanaged"
              ],
              "type": "string"
            },
            "upgradeChannel": {
              "description": "UpgradeChannel: For more information see [setting the AKS cluster auto-upgrade\nchannel](https://docs.microsoft.com/azure/aks/upgrade-cluster#set-auto-upgrade-channel).",
              "enum": [
                "node-image",
                "none",
                "patch",
                "rapid",
                "stable"
              ],
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "azureMonitorProfile": {
          "description": "AzureMonitorProfile: Prometheus addon profile for the container service cluster",
          "properties": {
            "appMonitoring": {
              "description": "AppMonitoring: Application Monitoring Profile for Kubernetes Application Container. Collects application logs, metrics\nand traces  through auto-instrumentation of the application using Azure Monitor OpenTelemetry based SDKs. See\naka.ms/AzureMonitorApplicationMonitoring for an overview.",
              "properties": {
                "autoInstrumentation": {
                  "description": "AutoInstrumentation: Application Monitoring Auto Instrumentation for Kubernetes Application Container. Deploys a webhook\nto auto-instrument Azure Monitor OpenTelemetry based SDKs to collect OpenTelemetry metrics, logs and traces of the\napplication. See aka.ms/AzureMonitorApplicationMonitoring for an overview.",
                  "properties": {
                    "enabled": {
                      "description": "Enabled: Indicates if Application Monitoring Auto Instrumentation is enabled or not.",
                      "type": "boolean"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                },
                "openTelemetryLogs": {
                  "description": "OpenTelemetryLogs: Application Monitoring Open Telemetry Metrics Profile for Kubernetes Application Container Logs and\nTraces. Collects  OpenTelemetry logs and traces of the application using Azure Monitor OpenTelemetry based SDKs. See\naka.ms/AzureMonitorApplicationMonitoring for an overview.",
                  "properties": {
                    "enabled": {
                      "description": "Enabled: Indicates if Application Monitoring Open Telemetry Logs and traces is enabled or not.",
                      "type": "boolean"
                    },
                    "port": {
                      "description": "Port: The Open Telemetry host port for Open Telemetry logs and traces. If not specified, the default port is 28331.",
                      "type": "integer"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                },
                "openTelemetryMetrics": {
                  "description": "OpenTelemetryMetrics: Application Monitoring Open Telemetry Metrics Profile for Kubernetes Application Container\nMetrics. Collects  OpenTelemetry metrics of the application using Azure Monitor OpenTelemetry based SDKs. See\naka.ms/AzureMonitorApplicationMonitoring for an overview.",
                  "properties": {
                    "enabled": {
                      "description": "Enabled: Indicates if Application Monitoring Open Telemetry Metrics is enabled or not.",
                      "type": "boolean"
                    },
                    "port": {
                      "description": "Port: The Open Telemetry host port for Open Telemetry metrics. If not specified, the default port is 28333.",
                      "type": "integer"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "containerInsights": {
              "description": "ContainerInsights: Azure Monitor Container Insights Profile for Kubernetes Events, Inventory and Container stdout &\nstderr logs etc. See  aka.ms/AzureMonitorContainerInsights for an overview.",
              "properties": {
                "disableCustomMetrics": {
                  "description": "DisableCustomMetrics: Indicates whether custom metrics collection is disabled. If not specified, the default is false.\nEven when this field is false, no custom metrics are emitted if the Container Insights enabled field is false.",
                  "type": "boolean"
                },
                "disablePrometheusMetricsScraping": {
                  "description": "DisablePrometheusMetricsScraping: Indicates whether Prometheus metrics scraping is disabled. If not specified, the\ndefault is false. Even when this field is false, no Prometheus metrics are emitted if the Container Insights enabled\nfield is false.",
                  "type": "boolean"
                },
                "enabled": {
                  "description": "Enabled: Indicates if Azure Monitor Container Insights Logs Addon is enabled or not.",
                  "type": "boolean"
                },
                "logAnalyticsWorkspaceResourceReference": {
                  "description": "LogAnalyticsWorkspaceResourceReference: Fully Qualified ARM Resource Id of Azure Log Analytics Workspace for storing\nAzure Monitor Container Insights Logs.",
                  "properties": {
                    "armId": {
                      "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.",
                      "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
                      "type": "string"
                    },
                    "group": {
                      "description": "Group is the Kubernetes group of the resource.",
                      "type": "string"
                    },
                    "kind": {
                      "description": "Kind is the Kubernetes kind of the resource.",
                      "type": "string"
                    },
                    "name": {
                      "description": "Name is the Kubernetes name of the resource.",
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                },
                "syslogPort": {
                  "description": "SyslogPort: The syslog host port. If not specified, the default port is 28330.",
                  "type": "integer"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "metrics": {
              "description": "Metrics: Metrics profile for the prometheus service addon",
              "properties": {
                "enabled": {
                  "description": "Enabled: Whether to enable the Prometheus collector",
                  "type": "boolean"
                },
                "kubeStateMetrics": {
                  "description": "KubeStateMetrics: Kube State Metrics for prometheus addon profile for the container service cluster",
                  "properties": {
                    "metricAnnotationsAllowList": {
                      "description": "MetricAnnotationsAllowList: Comma-separated list of additional Kubernetes label keys that will be used in the resource's\nlabels metric.",
                      "type": "string"
                    },
                    "metricLabelsAllowlist": {
                      "description": "MetricLabelsAllowlist: Comma-separated list of Kubernetes annotations keys that will be used in the resource's labels\nmetric.",
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "required": [
                "enabled"
              ],
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "azureName": {
          "description": "AzureName: The name of the resource in Azure. This is often the same as the name of the resource in Kubernetes but it\ndoesn't have to be.",
          "maxLength": 63,
          "minLength": 1,
          "pattern": "^[a-zA-Z0-9]$|^[a-zA-Z0-9][-_a-zA-Z0-9]{0,61}[a-zA-Z0-9]$",
          "type": "string"
        },
        "bootstrapProfile": {
          "description": "BootstrapProfile: Profile of the cluster bootstrap configuration.",
          "properties": {
            "artifactSource": {
              "description": "ArtifactSource: The source where the artifacts are downloaded from.",
              "enum": [
                "Cache",
                "Direct"
              ],
              "type": "string"
            },
            "containerRegistryReference": {
              "description": "ContainerRegistryReference: The resource Id of Azure Container Registry. The registry must have private network access,\npremium SKU and zone redundancy.",
              "properties": {
                "armId": {
                  "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.",
                  "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
                  "type": "string"
                },
                "group": {
                  "description": "Group is the Kubernetes group of the resource.",
                  "type": "string"
                },
                "kind": {
                  "description": "Kind is the Kubernetes kind of the resource.",
                  "type": "string"
                },
                "name": {
                  "description": "Name is the Kubernetes name of the resource.",
                  "type": "string"
                }
              },
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "creationData": {
          "description": "CreationData: CreationData to be used to specify the source Snapshot ID if the cluster will be created/upgraded using a\nsnapshot.",
          "properties": {
            "sourceResourceReference": {
              "description": "SourceResourceReference: This is the ARM ID of the source object to be used to create the target object.",
              "properties": {
                "armId": {
                  "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.",
                  "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
                  "type": "string"
                },
                "group": {
                  "description": "Group is the Kubernetes group of the resource.",
                  "type": "string"
                },
                "kind": {
                  "description": "Kind is the Kubernetes kind of the resource.",
                  "type": "string"
                },
                "name": {
                  "description": "Name is the Kubernetes name of the resource.",
                  "type": "string"
                }
              },
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "disableLocalAccounts": {
          "description": "DisableLocalAccounts: If set to true, getting static credentials will be disabled for this cluster. This must only be\nused on Managed Clusters that are AAD enabled. For more details see [disable local\naccounts](https://docs.microsoft.com/azure/aks/managed-aad#disable-local-accounts-preview).",
          "type": "boolean"
        },
        "diskEncryptionSetReference": {
          "description": "DiskEncryptionSetReference: This is of the form:\n'/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/diskEncryptionSets/{encryptionSetName}'",
          "properties": {
            "armId": {
              "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.",
              "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
              "type": "string"
            },
            "group": {
              "description": "Group is the Kubernetes group of the resource.",
              "type": "string"
            },
            "kind": {
              "description": "Kind is the Kubernetes kind of the resource.",
              "type": "string"
            },
            "name": {
              "description": "Name is the Kubernetes name of the resource.",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "dnsPrefix": {
          "description": "DnsPrefix: This cannot be updated once the Managed Cluster has been created.",
          "type": "string"
        },
        "enableNamespaceResources": {
          "description": "EnableNamespaceResources: The default value is false. It can be enabled/disabled on creation and updating of the managed\ncluster. See [https://aka.ms/NamespaceARMResource](https://aka.ms/NamespaceARMResource) for more details on Namespace as\nan ARM Resource.",
          "type": "boolean"
        },
        "enablePodSecurityPolicy": {
          "description": "EnablePodSecurityPolicy: (DEPRECATED) Whether to enable Kubernetes pod security policy (preview). PodSecurityPolicy was\ndeprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25. Learn more at https://aka.ms/k8s/psp and\nhttps://aka.ms/aks/psp.",
          "type": "boolean"
        },
        "enableRBAC": {
          "description": "EnableRBAC: Whether to enable Kubernetes Role-Based Access Control.",
          "type": "boolean"
        },
        "extendedLocation": {
          "description": "ExtendedLocation: The extended location of the Virtual Machine.",
          "properties": {
            "name": {
              "description": "Name: The name of the extended location.",
              "type": "string"
            },
            "type": {
              "description": "Type: The type of the extended location.",
              "enum": [
                "EdgeZone"
              ],
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "fqdnSubdomain": {
          "description": "FqdnSubdomain: This cannot be updated once the Managed Cluster has been created.",
          "type": "string"
        },
        "httpProxyConfig": {
          "description": "HttpProxyConfig: Configurations for provisioning the cluster with HTTP proxy servers.",
          "properties": {
            "httpProxy": {
              "description": "HttpProxy: The HTTP proxy server endpoint to use.",
              "type": "string"
            },
            "httpsProxy": {
              "description": "HttpsProxy: The HTTPS proxy server endpoint to use.",
              "type": "string"
            },
            "noProxy": {
              "description": "NoProxy: The endpoints that should not go through proxy.",
              "items": {
                "type": "string"
              },
              "type": "array"
            },
            "trustedCa": {
              "description": "TrustedCa: Alternative CA cert to use for connecting to proxy servers.",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "identity": {
          "description": "Identity: The identity of the managed cluster, if configured.",
          "properties": {
            "delegatedResources": {
              "additionalProperties": {
                "description": "Delegated resource properties - internal use only.",
                "properties": {
                  "location": {
                    "description": "Location: The source resource location - internal use only.",
                    "type": "string"
                  },
                  "referralResource": {
                    "description": "ReferralResource: The delegation id of the referral delegation (optional) - internal use only.",
                    "type": "string"
                  },
                  "resourceReference": {
                    "description": "ResourceReference: The ARM resource id of the delegated resource - internal use only.",
                    "properties": {
                      "armId": {
                        "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.",
                        "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
                        "type": "string"
                      },
                      "group": {
                        "description": "Group is the Kubernetes group of the resource.",
                        "type": "string"
                      },
                      "kind": {
                        "description": "Kind is the Kubernetes kind of the resource.",
                        "type": "string"
                      },
                      "name": {
                        "description": "Name is the Kubernetes name of the resource.",
                        "type": "string"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "tenantId": {
                    "description": "TenantId: The tenant id of the delegated resource - internal use only.",
                    "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$",
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "description": "DelegatedResources: The delegated identity resources assigned to this managed cluster. This can only be set by another\nAzure Resource Provider, and a managed cluster only accepts one delegated identity resource. Internal use only.",
              "type": "object"
            },
            "type": {
              "description": "Type: For more information see [use managed identities in\nAKS](https://docs.microsoft.com/azure/aks/use-managed-identity).",
              "enum": [
                "None",
                "SystemAssigned",
                "UserAssigned"
              ],
              "type": "string"
            },
            "userAssignedIdentities": {
              "description": "UserAssignedIdentities: The keys must be ARM resource IDs in the form:\n'/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.",
              "items": {
                "description": "Information about the user assigned identity for the resource",
                "properties": {
                  "reference": {
                    "description": "ResourceReference represents a resource reference, either to a Kubernetes resource or directly to an Azure resource via ARMID",
                    "properties": {
                      "armId": {
                        "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.",
                        "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
                        "type": "string"
                      },
                      "group": {
                        "description": "Group is the Kubernetes group of the resource.",
                        "type": "string"
                      },
                      "kind": {
                        "description": "Kind is the Kubernetes kind of the resource.",
                        "type": "string"
                      },
                      "name": {
                        "description": "Name is the Kubernetes name of the resource.",
                        "type": "string"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "type": "array"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "identityProfile": {
          "additionalProperties": {
            "description": "Details about a user assigned identity.",
            "properties": {
              "clientId": {
                "description": "ClientId: The client ID of the user assigned identity.",
                "type": "string"
              },
              "objectId": {
                "description": "ObjectId: The object ID of the user assigned identity.",
                "type": "string"
              },
              "resourceReference": {
                "description": "ResourceReference: The resource ID of the user assigned identity.",
                "properties": {
                  "armId": {
                    "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.",
                    "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
                    "type": "string"
                  },
                  "group": {
                    "description": "Group is the Kubernetes group of the resource.",
                    "type": "string"
                  },
                  "kind": {
                    "description": "Kind is the Kubernetes kind of the resource.",
                    "type": "string"
                  },
                  "name": {
                    "description": "Name is the Kubernetes name of the resource.",
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              }
            },
            "type": "object",
            "additionalProperties": false
          },
          "description": "IdentityProfile: Identities associated with the cluster.",
          "type": "object"
        },
        "ingressProfile": {
          "description": "IngressProfile: Ingress profile for the managed cluster.",
          "properties": {
            "webAppRouting": {
              "description": "WebAppRouting: Web App Routing settings for the ingress profile.",
              "properties": {
                "dnsZoneResourceReferences": {
                  "description": "DnsZoneResourceReferences: Resource IDs of the DNS zones to be associated with the Web App Routing add-on. Used only\nwhen Web App Routing is enabled. Public and private DNS zones can be in different resource groups, but all public DNS\nzones must be in the same resource group and all private DNS zones must be in the same resource group.",
                  "items": {
                    "description": "ResourceReference represents a resource reference, either to a Kubernetes resource or directly to an Azure resource via ARMID",
                    "properties": {
                      "armId": {
                        "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.",
                        "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
                        "type": "string"
                      },
                      "group": {
                        "description": "Group is the Kubernetes group of the resource.",
                        "type": "string"
                      },
                      "kind": {
                        "description": "Kind is the Kubernetes kind of the resource.",
                        "type": "string"
                      },
                      "name": {
                        "description": "Name is the Kubernetes name of the resource.",
                        "type": "string"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "type": "array"
                },
                "enabled": {
                  "description": "Enabled: Whether to enable Web App Routing.",
                  "type": "boolean"
                }
              },
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "kind": {
          "description": "Kind: This is primarily used to expose different UI experiences in the portal for different kinds",
          "type": "string"
        },
        "kubernetesVersion": {
          "description": "KubernetesVersion: When you upgrade a supported AKS cluster, Kubernetes minor versions cannot be skipped. All upgrades\nmust be performed sequentially by major version number. For example, upgrades between 1.14.x -> 1.15.x or 1.15.x ->\n1.16.x are allowed, however 1.14.x -> 1.16.x is not allowed. See [upgrading an AKS\ncluster](https://docs.microsoft.com/azure/aks/upgrade-cluster) for more details.",
          "type": "string"
        },
        "linuxProfile": {
          "description": "LinuxProfile: The profile for Linux VMs in the Managed Cluster.",
          "properties": {
            "adminUsername": {
              "description": "AdminUsername: The administrator username to use for Linux VMs.",
              "pattern": "^[A-Za-z][-A-Za-z0-9_]*$",
              "type": "string"
            },
            "ssh": {
              "description": "Ssh: The SSH configuration for Linux-based VMs running on Azure.",
              "properties": {
                "publicKeys": {
                  "description": "PublicKeys: The list of SSH public keys used to authenticate with Linux-based VMs. A maximum of 1 key may be specified.",
                  "items": {
                    "description": "Contains information about SSH certificate public key data.",
                    "properties": {
                      "keyData": {
                        "description": "KeyData: Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or\nwithout headers.",
                        "type": "string"
                      }
                    },
                    "required": [
                      "keyData"
                    ],
                    "type": "object",
                    "additionalProperties": false
                  },
                  "type": "array"
                }
              },
              "required": [
                "publicKeys"
              ],
              "type": "object",
              "additionalProperties": false
            }
          },
          "required": [
            "adminUsername",
            "ssh"
          ],
          "type": "object",
          "additionalProperties": false
        },
        "location": {
          "description": "Location: The geo-location where the resource lives",
          "type": "string"
        },
        "metricsProfile": {
          "description": "MetricsProfile: Optional cluster metrics configuration.",
          "properties": {
            "costAnalysis": {
              "description": "CostAnalysis: The cost analysis configuration for the cluster",
              "properties": {
                "enabled": {
                  "description": "Enabled: The Managed Cluster sku.tier must be set to 'Standard' or 'Premium' to enable this feature. Enabling this will\nadd Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. If not specified, the\ndefault is false. For more information see aka.ms/aks/docs/cost-analysis.",
                  "type": "boolean"
                }
              },
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "networkProfile": {
          "description": "NetworkProfile: The network configuration profile.",
          "properties": {
            "advancedNetworking": {
              "description": "AdvancedNetworking: Advanced Networking profile for enabling observability on a cluster. Note that enabling advanced\nnetworking features may  incur additional costs. For more information see aka.ms/aksadvancednetworking.",
              "properties": {
                "observability": {
                  "description": "Observability: Observability profile to enable advanced network metrics and flow logs with historical contexts.",
                  "properties": {
                    "enabled": {
                      "description": "Enabled: Indicates the enablement of Advanced Networking observability functionalities on clusters.",
                      "type": "boolean"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "dnsServiceIP": {
              "description": "DnsServiceIP: An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address\nrange specified in serviceCidr.",
              "pattern": "^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$",
              "type": "string"
            },
            "ipFamilies": {
              "description": "IpFamilies: IP families are used to determine single-stack or dual-stack clusters. For single-stack, the expected value\nis IPv4. For dual-stack, the expected values are IPv4 and IPv6.",
              "items": {
                "description": "Determines whether an address belongs to the IPv4 or IPv6 family.",
                "enum": [
                  "IPv4",
                  "IPv6"
                ],
                "type": "string"
              },
              "type": "array"
            },
            "kubeProxyConfig": {
              "description": "KubeProxyConfig: Holds configuration customizations for kube-proxy. Any values not defined will use the kube-proxy\ndefaulting behavior. See https://v<version>.docs.kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/\nwhere <version> is represented by a <major version>-<minor version> string. Kubernetes version 1.23 would be '1-23'.",
              "properties": {
                "enabled": {
                  "description": "Enabled: Whether to enable kube-proxy on the cluster (if no 'kubeProxyConfig' exists, kube-proxy is enabled in AKS by\ndefault without these customizations).",
                  "type": "boolean"
                },
                "ipvsConfig": {
                  "description": "IpvsConfig: Holds configuration customizations for IPVS. May only be specified if 'mode' is set to 'IPVS'.",
                  "properties": {
                    "scheduler": {
                      "description": "Scheduler: IPVS scheduler, for more information please see http://www.linuxvirtualserver.org/docs/scheduling.html.",
                      "enum": [
                        "LeastConnection",
                        "RoundRobin"
                      ],
                      "type": "string"
                    },
                    "tcpFinTimeoutSeconds": {
                      "description": "TcpFinTimeoutSeconds: The timeout value used for IPVS TCP sessions after receiving a FIN in seconds. Must be a positive\ninteger value.",
                      "type": "integer"
                    },
                    "tcpTimeoutSeconds": {
                      "description": "TcpTimeoutSeconds: The timeout value used for idle IPVS TCP sessions in seconds. Must be a positive integer value.",
                      "type": "integer"
                    },
                    "udpTimeoutSeconds": {
                      "description": "UdpTimeoutSeconds: The timeout value used for IPVS UDP packets in seconds. Must be a positive integer value.",
                      "type": "integer"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                },
                "mode": {
                  "description": "Mode: Specify which proxy mode to use ('IPTABLES' or 'IPVS')",
                  "enum": [
                    "IPTABLES",
                    "IPVS"
                  ],
                  "type": "string"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "loadBalancerProfile": {
              "description": "LoadBalancerProfile: Profile of the cluster load balancer.",
              "properties": {
                "allocatedOutboundPorts": {
                  "description": "AllocatedOutboundPorts: The desired number of allocated SNAT ports per VM. Allowed values are in the range of 0 to 64000\n(inclusive). The default value is 0 which results in Azure dynamically allocating ports.",
                  "maximum": 64000,
                  "minimum": 0,
                  "type": "integer"
                },
                "backendPoolType": {
                  "description": "BackendPoolType: The type of the managed inbound Load Balancer BackendPool.",
                  "enum": [
                    "NodeIP",
                    "NodeIPConfiguration"
                  ],
                  "type": "string"
                },
                "clusterServiceLoadBalancerHealthProbeMode": {
                  "description": "ClusterServiceLoadBalancerHealthProbeMode: The health probing behavior for External Traffic Policy Cluster services.",
                  "enum": [
                    "ServiceNodePort",
                    "Shared"
                  ],
                  "type": "string"
                },
                "effectiveOutboundIPs": {
                  "description": "EffectiveOutboundIPs: The effective outbound IP resources of the cluster load balancer.",
                  "items": {
                    "description": "A reference to an Azure resource.",
                    "properties": {
                      "reference": {
                        "description": "Reference: The fully qualified Azure resource id.",
                        "properties": {
                          "armId": {
                            "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.",
                            "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
                            "type": "string"
                          },
                          "group": {
                            "description": "Group is the Kubernetes group of the resource.",
                            "type": "string"
                          },
                          "kind": {
                            "description": "Kind is the Kubernetes kind of the resource.",
                            "type": "string"
                          },
                          "name": {
                            "description": "Name is the Kubernetes name of the resource.",
                            "type": "string"
                          }
                        },
                        "type": "object",
                        "additionalProperties": false
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "type": "array"
                },
                "enableMultipleStandardLoadBalancers": {
                  "description": "EnableMultipleStandardLoadBalancers: Enable multiple standard load balancers per AKS cluster or not.",
                  "type": "boolean"
                },
                "idleTimeoutInMinutes": {
                  "description": "IdleTimeoutInMinutes: Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120\n(inclusive). The default value is 30 minutes.",
                  "maximum": 120,
                  "minimum": 4,
                  "type": "integer"
                },
                "managedOutboundIPs": {
                  "description": "ManagedOutboundIPs: Desired managed outbound IPs for the cluster load balancer.",
                  "properties": {
                    "count": {
                      "description": "Count: The desired number of IPv4 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values\nmust be in the range of 1 to 100 (inclusive). The default value is 1.",
                      "maximum": 100,
                      "minimum": 1,
                      "type": "integer"
                    },
                    "countIPv6": {
                      "description": "CountIPv6: The desired number of IPv6 outbound IPs created/managed by Azure for the cluster load balancer. Allowed\nvalues must be in the range of 1 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack.",
                      "maximum": 100,
                      "minimum": 0,
                      "type": "integer"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                },
                "outboundIPPrefixes": {
                  "description": "OutboundIPPrefixes: Desired outbound IP Prefix resources for the cluster load balancer.",
                  "properties": {
                    "publicIPPrefixes": {
                      "description": "PublicIPPrefixes: A list of public IP prefix resources.",
                      "items": {
                        "description": "A reference to an Azure resource.",
                        "properties": {
                          "reference": {
                            "description": "Reference: The fully qualified Azure resource id.",
                            "properties": {
                              "armId": {
                                "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.",
                                "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
                                "type": "string"
                              },
                              "group": {
                                "description": "Group is the Kubernetes group of the resource.",
                                "type": "string"
                              },
                              "kind": {
                                "description": "Kind is the Kubernetes kind of the resource.",
                                "type": "string"
                              },
                              "name": {
                                "description": "Name is the Kubernetes name of the resource.",
                                "type": "string"
                              }
                            },
                            "type": "object",
                            "additionalProperties": false
                          }
                        },
                        "type": "object",
                        "additionalProperties": false
                      },
                      "type": "array"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                },
                "outboundIPs": {
                  "description": "OutboundIPs: Desired outbound IP resources for the cluster load balancer.",
                  "properties": {
                    "publicIPs": {
                      "description": "PublicIPs: A list of public IP resources.",
                      "items": {
                        "description": "A reference to an Azure resource.",
                        "properties": {
                          "reference": {
                            "description": "Reference: The fully qualified Azure resource id.",
                            "properties": {
                              "armId": {
                                "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.",
                                "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
                                "type": "string"
                              },
                              "group": {
                                "description": "Group is the Kubernetes group of the resource.",
                                "type": "string"
                              },
                              "kind": {
                                "description": "Kind is the Kubernetes kind of the resource.",
                                "type": "string"
                              },
                              "name": {
                                "description": "Name is the Kubernetes name of the resource.",
                                "type": "string"
                              }
                            },
                            "type": "object",
                            "additionalProperties": false
                          }
                        },
                        "type": "object",
                        "additionalProperties": false
                      },
                      "type": "array"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "loadBalancerSku": {
              "description": "LoadBalancerSku: The default is 'standard'. See [Azure Load Balancer\nSKUs](https://docs.microsoft.com/azure/load-balancer/skus) for more information about the differences between load\nbalancer SKUs.",
              "enum": [
                "basic",
                "standard"
              ],
              "type": "string"
            },
            "natGatewayProfile": {
              "description": "NatGatewayProfile: Profile of the cluster NAT gateway.",
              "properties": {
                "effectiveOutboundIPs": {
                  "description": "EffectiveOutboundIPs: The effective outbound IP resources of the cluster NAT gateway.",
                  "items": {
                    "description": "A reference to an Azure resource.",
                    "properties": {
                      "reference": {
                        "description": "Reference: The fully qualified Azure resource id.",
                        "properties": {
                          "armId": {
                            "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.",
                            "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
                            "type": "string"
                          },
                          "group": {
                            "description": "Group is the Kubernetes group of the resource.",
                            "type": "string"
                          },
                          "kind": {
                            "description": "Kind is the Kubernetes kind of the resource.",
                            "type": "string"
                          },
                          "name": {
                            "description": "Name is the Kubernetes name of the resource.",
                            "type": "string"
                          }
                        },
                        "type": "object",
                        "additionalProperties": false
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "type": "array"
                },
                "idleTimeoutInMinutes": {
                  "description": "IdleTimeoutInMinutes: Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120\n(inclusive). The default value is 4 minutes.",
                  "maximum": 120,
                  "minimum": 4,
                  "type": "integer"
                },
                "managedOutboundIPProfile": {
                  "description": "ManagedOutboundIPProfile: Profile of the managed outbound IP resources of the cluster NAT gateway.",
                  "properties": {
                    "count": {
                      "description": "Count: The desired number of outbound IPs created/managed by Azure. Allowed values must be in the range of 1 to 16\n(inclusive). The default value is 1.",
                      "maximum": 16,
                      "minimum": 1,
                      "type": "integer"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "networkDataplane": {
              "description": "NetworkDataplane: Network dataplane used in the Kubernetes cluster.",
              "enum": [
                "azure",
                "cilium"
              ],
              "type": "string"
            },
            "networkMode": {
              "description": "NetworkMode: This cannot be specified if networkPlugin is anything other than 'azure'.",
              "enum": [
                "bridge",
                "transparent"
              ],
              "type": "string"
            },
            "networkPlugin": {
              "description": "NetworkPlugin: Network plugin used for building the Kubernetes network.",
              "enum": [
                "azure",
                "kubenet",
                "none"
              ],
              "type": "string"
            },
            "networkPluginMode": {
              "description": "NetworkPluginMode: Network plugin mode used for building the Kubernetes network.",
              "enum": [
                "overlay"
              ],
              "type": "string"
            },
            "networkPolicy": {
              "description": "NetworkPolicy: Network policy used for building the Kubernetes network.",
              "enum": [
                "azure",
                "calico",
                "cilium",
                "none"
              ],
              "type": "string"
            },
            "outboundType": {
              "description": "OutboundType: This can only be set at cluster creation time and cannot be changed later. For more information see\n[egress outbound type](https://docs.microsoft.com/azure/aks/egress-outboundtype).",
              "enum": [
                "loadBalancer",
                "managedNATGateway",
                "none",
                "userAssignedNATGateway",
                "userDefinedRouting"
              ],
              "type": "string"
            },
            "podCidr": {
              "description": "PodCidr: A CIDR notation IP range from which to assign pod IPs when kubenet is used.",
              "pattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}(\\/([0-9]|[1-2][0-9]|3[0-2]))?$",
              "type": "string"
            },
            "podCidrs": {
              "description": "PodCidrs: One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), are\nexpected for dual-stack networking.",
              "items": {
                "type": "string"
              },
              "type": "array"
            },
            "podLinkLocalAccess": {
              "description": "PodLinkLocalAccess: Defines access to special link local addresses (Azure Instance Metadata Service, aka IMDS) for pods\nwith hostNetwork=false. If not specified, the default is 'IMDS'.",
              "enum": [
                "IMDS",
                "None"
              ],
              "type": "string"
            },
            "serviceCidr": {
              "description": "ServiceCidr: A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP\nranges.",
              "pattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}(\\/([0-9]|[1-2][0-9]|3[0-2]))?$",
              "type": "string"
            },
            "serviceCidrs": {
              "description": "ServiceCidrs: One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), are\nexpected for dual-stack networking. They must not overlap with any Subnet IP ranges.",
              "items": {
                "type": "string"
              },
              "type": "array"
            },
            "staticEgressGatewayProfile": {
              "description": "StaticEgressGatewayProfile: The profile for Static Egress Gateway addon. For more details about Static Egress Gateway,\nsee https://aka.ms/aks/static-egress-gateway.",
              "properties": {
                "enabled": {
                  "description": "Enabled: Indicates if Static Egress Gateway addon is enabled or not.",
                  "type": "boolean"
                }
              },
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "nodeProvisioningProfile": {
          "description": "NodeProvisioningProfile: Node provisioning settings that apply to the whole cluster.",
          "properties": {
            "mode": {
              "description": "Mode: Once the mode is set to Auto, it cannot be changed back to Manual.",
              "enum": [
                "Auto",
                "Manual"
              ],
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "nodeResourceGroup": {
          "description": "NodeResourceGroup: The name of the resource group containing agent pool nodes.",
          "type": "string"
        },
        "nodeResourceGroupProfile": {
          "description": "NodeResourceGroupProfile: The node resource group configuration profile.",
          "properties": {
            "restrictionLevel": {
              "description": "RestrictionLevel: The restriction level applied to the cluster's node resource group",
              "enum": [
                "ReadOnly",
                "Unrestricted"
              ],
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "oidcIssuerProfile": {
          "description": "OidcIssuerProfile: The OIDC issuer profile of the Managed Cluster.",
          "properties": {
            "enabled": {
              "description": "Enabled: Whether the OIDC issuer is enabled.",
              "type": "boolean"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "operatorSpec": {
          "description": "OperatorSpec: The specification for configuring operator behavior. This field is interpreted by the operator and not\npassed directly to Azure",
          "properties": {
            "configMapExpressions": {
              "description": "ConfigMapExpressions: configures where to place operator written dynamic ConfigMaps (created with CEL expressions).",
              "items": {
                "description": "DestinationExpression is a CEL expression and a destination to store the result in. The destination may\nbe a secret or a configmap. The value of the expression is stored at the specified location in\nthe destination.",
                "properties": {
                  "key": {
                    "description": "Key is the key in the ConfigMap or Secret being written to. If the CEL expression in Value returns a string\nthis is required to identify what key to write to. If the CEL expression in Value returns a map[string]string\nKey must not be set, instead the keys written will be determined dynamically based on the keys of the resulting\nmap[string]string.",
                    "type": "string"
                  },
                  "name": {
                    "description": "Name is the name of the Kubernetes configmap or secret to write to.\nThe configmap or secret will be created in the same namespace as the resource.",
                    "type": "string"
                  },
                  "value": {
                    "description": "Value is a CEL expression. The CEL expression may return a string or a map[string]string. For more information\non CEL in ASO see https://azure.github.io/azure-service-operator/guide/expressions/",
                    "type": "string"
                  }
                },
                "required": [
                  "name",
                  "value"
                ],
                "type": "object",
                "additionalProperties": false
              },
              "type": "array"
            },
            "configMaps": {
              "description": "ConfigMaps: configures where to place operator written ConfigMaps.",
              "properties": {
                "oidcIssuerProfile": {
                  "description": "OIDCIssuerProfile: indicates where the OIDCIssuerProfile config map should be placed. If omitted, no config map will be\ncreated.",
                  "properties": {
                    "key": {
                      "description": "Key is the key in the ConfigMap being referenced",
                      "type": "string"
                    },
                    "name": {
                      "description": "Name is the name of the Kubernetes ConfigMap to write to.\nThe ConfigMap will be created in the same namespace as the resource.",
                      "type": "string"
                    }
                  },
                  "required": [
                    "key",
                    "name"
                  ],
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "secretExpressions": {
              "description": "SecretExpressions: configures where to place operator written dynamic secrets (created with CEL expressions).",
              "items": {
                "description": "DestinationExpression is a CEL expression and a destination to store the result in. The destination may\nbe a secret or a configmap. The value of the expression is stored at the specified location in\nthe destination.",
                "properties": {
                  "key": {
                    "description": "Key is the key in the ConfigMap or Secret being written to. If the CEL expression in Value returns a string\nthis is required to identify what key to write to. If the CEL expression in Value returns a map[string]string\nKey must not be set, instead the keys written will be determined dynamically based on the keys of the resulting\nmap[string]string.",
                    "type": "string"
                  },
                  "name": {
                    "description": "Name is the name of the Kubernetes configmap or secret to write to.\nThe configmap or secret will be created in the same namespace as the resource.",
                    "type": "string"
                  },
                  "value": {
                    "description": "Value is a CEL expression. The CEL expression may return a string or a map[string]string. For more information\non CEL in ASO see https://azure.github.io/azure-service-operator/guide/expressions/",
                    "type": "string"
                  }
                },
                "required": [
                  "name",
                  "value"
                ],
                "type": "object",
                "additionalProperties": false
              },
              "type": "array"
            },
            "secrets": {
              "description": "Secrets: configures where to place Azure generated secrets.",
              "properties": {
                "adminCredentials": {
                  "description": "AdminCredentials: indicates where the AdminCredentials secret should be placed. If omitted, the secret will not be\nretrieved from Azure.",
                  "properties": {
                    "key": {
                      "description": "Key is the key in the Kubernetes secret being referenced.",
                      "type": "string"
                    },
                    "name": {
                      "description": "Name is the name of the Kubernetes secret to write to.\nThe secret will be created in the same namespace as the resource.",
                      "type": "string"
                    }
                  },
                  "required": [
                    "key",
                    "name"
                  ],
                  "type": "object",
                  "additionalProperties": false
                },
                "userCredentials": {
                  "description": "UserCredentials: indicates where the UserCredentials secret should be placed. If omitted, the secret will not be\nretrieved from Azure.",
                  "properties": {
                    "key": {
                      "description": "Key is the key in the Kubernetes secret being referenced.",
                      "type": "string"
                    },
                    "name": {
                      "description": "Name is the name of the Kubernetes secret to write to.\nThe secret will be created in the same namespace as the resource.",
                      "type": "string"
                    }
                  },
                  "required": [
                    "key",
                    "name"
                  ],
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "owner": {
          "description": "Owner: The owner of the resource. The owner controls where the resource goes when it is deployed. The owner also\ncontrols the resource's lifecycle. When the owner is deleted the resource will also be deleted. Owner is expected to be a\nreference to a resources.azure.com/ResourceGroup resource",
          "properties": {
            "armId": {
              "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
              "type": "string"
            },
            "name": {
              "description": "This is the name of the Kubernetes resource to reference.",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "podIdentityProfile": {
          "description": "PodIdentityProfile: See [use AAD pod identity](https://docs.microsoft.com/azure/aks/use-azure-ad-pod-identity) for more\ndetails on AAD pod identity integration.",
          "properties": {
            "allowNetworkPluginKubenet": {
              "description": "AllowNetworkPluginKubenet: Running in Kubenet is disabled by default due to the security related nature of AAD Pod\nIdentity and the risks of IP spoofing. See [using Kubenet network plugin with AAD Pod\nIdentity](https://docs.microsoft.com/azure/aks/use-azure-ad-pod-identity#using-kubenet-network-plugin-with-azure-active-directory-pod-managed-identities)\nfor more information.",
              "type": "boolean"
            },
            "enabled": {
              "description": "Enabled: Whether the pod identity addon is enabled.",
              "type": "boolean"
            },
            "userAssignedIdentities": {
              "description": "UserAssignedIdentities: The pod identities to use in the cluster.",
              "items": {
                "description": "Details about the pod identity assigned to the Managed Cluster.",
                "properties": {
                  "bindingSelector": {
                    "description": "BindingSelector: The binding selector to use for the AzureIdentityBinding resource.",
                    "type": "string"
                  },
                  "identity": {
                    "description": "Identity: The user assigned identity details.",
                    "properties": {
                      "clientId": {
                        "description": "ClientId: The client ID of the user assigned identity.",
                        "type": "string"
                      },
                      "objectId": {
                        "description": "ObjectId: The object ID of the user assigned identity.",
                        "type": "string"
                      },
                      "resourceReference": {
                        "description": "ResourceReference: The resource ID of the user assigned identity.",
                        "properties": {
                          "armId": {
                            "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.",
                            "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
                            "type": "string"
                          },
                          "group": {
                            "description": "Group is the Kubernetes group of the resource.",
                            "type": "string"
                          },
                          "kind": {
                            "description": "Kind is the Kubernetes kind of the resource.",
                            "type": "string"
                          },
                          "name": {
                            "description": "Name is the Kubernetes name of the resource.",
                            "type": "string"
                          }
                        },
                        "type": "object",
                        "additionalProperties": false
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "name": {
                    "description": "Name: The name of the pod identity.",
                    "type": "string"
                  },
                  "namespace": {
                    "description": "Namespace: The namespace of the pod identity.",
                    "type": "string"
                  }
                },
                "required": [
                  "identity",
                  "name",
                  "namespace"
                ],
                "type": "object",
                "additionalProperties": false
              },
              "type": "array"
            },
            "userAssignedIdentityExceptions": {
              "description": "UserAssignedIdentityExceptions: The pod identity exceptions to allow.",
              "items": {
                "description": "See [disable AAD Pod Identity for a specific\nPod/Application](https://azure.github.io/aad-pod-identity/docs/configure/application_exception/) for more details.",
                "properties": {
                  "name": {
                    "description": "Name: The name of the pod identity exception.",
                    "type": "string"
                  },
                  "namespace": {
                    "description": "Namespace: The namespace of the pod identity exception.",
                    "type": "string"
                  },
                  "podLabels": {
                    "additionalProperties": {
                      "type": "string"
                    },
                    "description": "PodLabels: The pod labels to match.",
                    "type": "object"
                  }
                },
                "required": [
                  "name",
                  "namespace",
                  "podLabels"
                ],
                "type": "object",
                "additionalProperties": false
              },
              "type": "array"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "privateLinkResources": {
          "description": "PrivateLinkResources: Private link resources associated with the cluster.",
          "items": {
            "description": "A private link resource",
            "properties": {
              "groupId": {
                "description": "GroupId: The group ID of the resource.",
                "type": "string"
              },
              "name": {
                "description": "Name: The name of the private link resource.",
                "type": "string"
              },
              "reference": {
                "description": "Reference: The ID of the private link resource.",
                "properties": {
                  "armId": {
                    "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.",
                    "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
                    "type": "string"
                  },
                  "group": {
                    "description": "Group is the Kubernetes group of the resource.",
                    "type": "string"
                  },
                  "kind": {
                    "description": "Kind is the Kubernetes kind of the resource.",
                    "type": "string"
                  },
                  "name": {
                    "description": "Name is the Kubernetes name of the resource.",
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "requiredMembers": {
                "description": "RequiredMembers: The RequiredMembers of the resource",
                "items": {
                  "type": "string"
                },
                "type": "array"
              },
              "type": {
                "description": "Type: The resource type.",
                "type": "string"
              }
            },
            "type": "object",
            "additionalProperties": false
          },
          "type": "array"
        },
        "publicNetworkAccess": {
          "description": "PublicNetworkAccess: Allow or deny public network access for AKS",
          "enum": [
            "Disabled",
            "Enabled",
            "SecuredByPerimeter"
          ],
          "type": "string"
        },
        "safeguardsProfile": {
          "description": "SafeguardsProfile: The Safeguards profile holds all the safeguards information for a given cluster",
          "properties": {
            "excludedNamespaces": {
              "description": "ExcludedNamespaces: List of namespaces excluded from Safeguards checks",
              "items": {
                "type": "string"
              },
              "type": "array"
            },
            "level": {
              "description": "Level: The Safeguards level to be used. By default, Safeguards is enabled for all namespaces except those that AKS\nexcludes via systemExcludedNamespaces",
              "enum": [
                "Enforcement",
                "Off",
                "Warning"
              ],
              "type": "string"
            },
            "version": {
              "description": "Version: The version of constraints to use",
              "type": "string"
            }
          },
          "required": [
            "level"
          ],
          "type": "object",
          "additionalProperties": false
        },
        "securityProfile": {
          "description": "SecurityProfile: Security profile for the managed cluster.",
          "properties": {
            "azureKeyVaultKms": {
              "description": "AzureKeyVaultKms: Azure Key Vault [key management\nservice](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/) settings for the security profile.",
              "properties": {
                "enabled": {
                  "description": "Enabled: Whether to enable Azure Key Vault key management service. The default is false.",
                  "type": "boolean"
                },
                "keyId": {
                  "description": "KeyId: Identifier of Azure Key Vault key. See [key identifier\nformat](https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name)\nfor more details. When Azure Key Vault key management service is enabled, this field is required and must be a valid key\nidentifier. When Azure Key Vault key management service is disabled, leave the field empty.",
                  "type": "string"
                },
                "keyVaultNetworkAccess": {
                  "description": "KeyVaultNetworkAccess: Network access of key vault. The possible values are `Public` and `Private`. `Public` means the\nkey vault allows public access from all networks. `Private` means the key vault disables public access and enables\nprivate link. The default value is `Public`.",
                  "enum": [
                    "Private",
                    "Public"
                  ],
                  "type": "string"
                },
                "keyVaultResourceReference": {
                  "description": "KeyVaultResourceReference: Resource ID of key vault. When keyVaultNetworkAccess is `Private`, this field is required and\nmust be a valid resource ID. When keyVaultNetworkAccess is `Public`, leave the field empty.",
                  "properties": {
                    "armId": {
                      "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.",
                      "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
                      "type": "string"
                    },
                    "group": {
                      "description": "Group is the Kubernetes group of the resource.",
                      "type": "string"
                    },
                    "kind": {
                      "description": "Kind is the Kubernetes kind of the resource.",
                      "type": "string"
                    },
                    "name": {
                      "description": "Name is the Kubernetes name of the resource.",
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "customCATrustCertificates": {
              "description": "CustomCATrustCertificates: A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the\nCustom CA Trust feature enabled. For more information see [Custom CA Trust\nCertificates](https://learn.microsoft.com/en-us/azure/aks/custom-certificate-authority)",
              "items": {
                "type": "string"
              },
              "maxItems": 10,
              "minItems": 0,
              "type": "array"
            },
            "defender": {
              "description": "Defender: Microsoft Defender settings for the security profile.",
              "properties": {
                "logAnalyticsWorkspaceResourceReference": {
                  "description": "LogAnalyticsWorkspaceResourceReference: Resource ID of the Log Analytics workspace to be associated with Microsoft\nDefender. When Microsoft Defender is enabled, this field is required and must be a valid workspace resource ID. When\nMicrosoft Defender is disabled, leave the field empty.",
                  "properties": {
                    "armId": {
                      "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.",
                      "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
                      "type": "string"
                    },
                    "group": {
                      "description": "Group is the Kubernetes group of the resource.",
                      "type": "string"
                    },
                    "kind": {
                      "description": "Kind is the Kubernetes kind of the resource.",
                      "type": "string"
                    },
                    "name": {
                      "description": "Name is the Kubernetes name of the resource.",
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                },
                "securityMonitoring": {
                  "description": "SecurityMonitoring: Microsoft Defender threat detection for Cloud settings for the security profile.",
                  "properties": {
                    "enabled": {
                      "description": "Enabled: Whether to enable Defender threat detection",
                      "type": "boolean"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "imageCleaner": {
              "description": "ImageCleaner: Image Cleaner settings for the security profile.",
              "properties": {
                "enabled": {
                  "description": "Enabled: Whether to enable Image Cleaner on AKS cluster.",
                  "type": "boolean"
                },
                "intervalHours": {
                  "description": "IntervalHours: Image Cleaner scanning interval in hours.",
                  "type": "integer"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "imageIntegrity": {
              "description": "ImageIntegrity: Image integrity is a feature that works with Azure Policy to verify image integrity by signature. This\nwill not have any effect unless Azure Policy is applied to enforce image signatures. See\nhttps://aka.ms/aks/image-integrity for how to use this feature via policy.",
              "properties": {
                "enabled": {
                  "description": "Enabled: Whether to enable image integrity. The default value is false.",
                  "type": "boolean"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "nodeRestriction": {
              "description": "NodeRestriction: [Node\nRestriction](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction) settings\nfor the security profile.",
              "properties": {
                "enabled": {
                  "description": "Enabled: Whether to enable Node Restriction",
                  "type": "boolean"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "workloadIdentity": {
              "description": "WorkloadIdentity: Workload identity settings for the security profile. Workload identity enables Kubernetes applications\nto access Azure cloud resources securely with Azure AD. See https://aka.ms/aks/wi for more details.",
              "properties": {
                "enabled": {
                  "description": "Enabled: Whether to enable workload identity.",
                  "type": "boolean"
                }
              },
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "serviceMeshProfile": {
          "description": "ServiceMeshProfile: Service mesh profile for a managed cluster.",
          "properties": {
            "istio": {
              "description": "Istio: Istio service mesh configuration.",
              "properties": {
                "certificateAuthority": {
                  "description": "CertificateAuthority: Istio Service Mesh Certificate Authority (CA) configuration. For now, we only support plugin\ncertificates as described  here https://aka.ms/asm-plugin-ca",
                  "properties": {
                    "plugin": {
                      "description": "Plugin: Plugin certificates information for Service Mesh.",
                      "properties": {
                        "certChainObjectName": {
                          "description": "CertChainObjectName: Certificate chain object name in Azure Key Vault.",
                          "type": "string"
                        },
                        "certObjectName": {
                          "description": "CertObjectName: Intermediate certificate object name in Azure Key Vault.",
                          "type": "string"
                        },
                        "keyObjectName": {
                          "description": "KeyObjectName: Intermediate certificate private key object name in Azure Key Vault.",
                          "type": "string"
                        },
                        "keyVaultReference": {
                          "description": "KeyVaultReference: The resource ID of the Key Vault.",
                          "properties": {
                            "armId": {
                              "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.",
                              "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)",
                              "type": "string"
                            },
                            "group": {
                              "description": "Group is the Kubernetes group of the resource.",
                              "type": "string"
                            },
                            "kind": {
                              "description": "Kind is the Kubernetes kind of the resource.",
                              "type": "string"
                            },
                            "name": {
                              "description": "Name is the Kubernetes name of the resource.",
                              "type": "string"
                            }
                          },
                          "type": "object",
                          "additionalProperties": false
                        },
                        "rootCertObjectName": {
                          "description": "RootCertObjectName: Root certificate object name in Azure Key Vault.",
                          "type": "string"
                        }
                      },
                      "type": "object",
                      "additionalProperties": false
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                },
                "components": {
                  "description": "Components: Istio components configuration.",
                  "properties": {
                    "egressGateways": {
                      "description": "EgressGateways: Istio egress gateways.",
                      "items": {
                        "description": "Istio egress gateway configuration.",
                        "properties": {
                          "enabled": {
                            "description": "Enabled: Whether to enable the egress gateway.",
                            "type": "boolean"
                          }
                        },
                        "required": [
                          "enabled"
                        ],
                        "type": "object",
                        "additionalProperties": false
                      },
                      "type": "array"
                    },
                    "ingressGateways": {
                      "description": "IngressGateways: Istio ingress gateways.",
                      "items": {
                        "description": "Istio ingress gateway configuration. For now, we support up to one external ingress gateway named\n`aks-istio-ingressgateway-external` and one internal ingress gateway named `aks-istio-ingressgateway-internal`.",
                        "properties": {
                          "enabled": {
                            "description": "Enabled: Whether to enable the ingress gateway.",
                            "type": "boolean"
                          },
                          "mode": {
                            "description": "Mode: Mode of an ingress gateway.",
                            "enum": [
                              "External",
                              "Internal"
                            ],
                            "type": "string"
                          }
                        },
                        "required": [
                          "enabled",
                          "mode"
                        ],
                        "type": "object",
                        "additionalProperties": false
                      },
                      "type": "array"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                },
                "revisions": {
                  "description": "Revisions: The list of revisions of the Istio control plane. When an upgrade is not in progress, this holds one value.\nWhen canary upgrade is in progress, this can only hold two consecutive values. For more information, see:\nhttps://learn.microsoft.com/en-us/azure/aks/istio-upgrade",
                  "items": {
                    "type": "string"
                  },
                  "maxItems": 2,
                  "type": "array"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "mode": {
              "description": "Mode: Mode of the service mesh.",
              "enum": [
                "Disabled",
                "Istio"
              ],
              "type": "string"
            }
          },
          "required": [
            "mode"
          ],
          "type": "object",
          "additionalProperties": false
        },
        "servicePrincipalProfile": {
          "description": "ServicePrincipalProfile: Information about a service principal identity for the cluster to use for manipulating Azure\nAPIs.",
          "properties": {
            "clientId": {
              "description": "ClientId: The ID for the service principal.",
              "type": "string"
            },
            "secret": {
              "description": "Secret: The secret password associated with the service principal in plain text.",
              "properties": {
                "key": {
                  "description": "Key is the key in the Kubernetes secret being referenced",
                  "type": "string"
                },
                "name": {
                  "description": "Name is the name of the Kubernetes secret being referenced.\nThe secret must be in the same namespace as the resource",
                  "type": "string"
                }
              },
              "required": [
                "key",
                "name"
              ],
              "type": "object",
              "additionalProperties": false
            }
          },
          "required": [
            "clientId"
          ],
          "type": "object",
          "additionalProperties": false
        },
        "sku": {
          "description": "Sku: The managed cluster SKU.",
          "properties": {
            "name": {
              "description": "Name: The name of a managed cluster SKU.",
              "enum": [
                "Automatic",
                "Base"
              ],
              "type": "string"
            },
            "tier": {
              "description": "Tier: If not specified, the default is 'Free'. See [AKS Pricing\nTier](https://learn.microsoft.com/azure/aks/free-standard-pricing-tiers) for more details.",
              "enum": [
                "Free",
                "Premium",
                "Standard"
              ],
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "storageProfile": {
          "description": "StorageProfile: Storage profile for the managed cluster.",
          "properties": {
            "blobCSIDriver": {
              "description": "BlobCSIDriver: AzureBlob CSI Driver settings for the storage profile.",
              "properties": {
                "enabled": {
                  "description": "Enabled: Whether to enable AzureBlob CSI Driver. The default value is false.",
                  "type": "boolean"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "diskCSIDriver": {
              "description": "DiskCSIDriver: AzureDisk CSI Driver settings for the storage profile.",
              "properties": {
                "enabled": {
                  "description": "Enabled: Whether to enable AzureDisk CSI Driver. The default value is true.",
                  "type": "boolean"
                },
                "version": {
                  "description": "Version: The version of AzureDisk CSI Driver. The default value is v1.",
                  "type": "string"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "fileCSIDriver": {
              "description": "FileCSIDriver: AzureFile CSI Driver settings for the storage profile.",
              "properties": {
                "enabled": {
                  "description": "Enabled: Whether to enable AzureFile CSI Driver. The default value is true.",
                  "type": "boolean"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "snapshotController": {
              "description": "SnapshotController: Snapshot Controller settings for the storage profile.",
              "properties": {
                "enabled": {
                  "description": "Enabled: Whether to enable Snapshot Controller. The default value is true.",
                  "type": "boolean"
                }
              },
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "supportPlan": {
          "description": "SupportPlan: The support plan for the Managed Cluster. If unspecified, the default is 'KubernetesOfficial'.",
          "enum": [
            "AKSLongTermSupport",
            "KubernetesOfficial"
          ],
          "type": "string"
        },
        "tags": {
          "additionalProperties": {
            "type": "string"
          },
          "description": "Tags: Resource tags.",
          "type": "object"
        },
        "upgradeSettings": {
          "description": "UpgradeSettings: Settings for upgrading a cluster.",
          "properties": {
            "overrideSettings": {
              "description": "OverrideSettings: Settings for overrides.",
              "properties": {
                "forceUpgrade": {
                  "description": "ForceUpgrade: Whether to force upgrade the cluster. Note that this option instructs upgrade operation to bypass upgrade\nprotections such as checking for deprecated API usage. Enable this option only with caution.",
                  "type": "boolean"
                },
                "until": {
                  "description": "Until: Until when the overrides are effective. Note that this only matches the start time of an upgrade, and the\neffectiveness won't change once an upgrade starts even if the `until` expires as upgrade proceeds. This field is not set\nby default. It must be set for the overrides to take effect.",
                  "type": "string"
                }
              },
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "windowsProfile": {
          "description": "WindowsProfile: The profile for Windows VMs in the Managed Cluster.",
          "properties": {
            "adminPassword": {
              "description": "AdminPassword: Specifies the password of the administrator account.\nMinimum-length: 8 characters\nMax-length: 123 characters\nComplexity requirements: 3 out of 4 conditions below need to be fulfilled\nHas lower characters\nHas upper characters\nHas a digit\nHas a special character (Regex match [\\W_])\nDisallowed values: \"abc@123\", \"P@$$w0rd\", \"P@ssw0rd\", \"P@ssword123\", \"Pa$$word\", \"pass@word1\", \"Password!\", \"Password1\",\n\"Password22\", \"iloveyou!\"",
              "properties": {
                "key": {
                  "description": "Key is the key in the Kubernetes secret being referenced",
                  "type": "string"
                },
                "name": {
                  "description": "Name is the name of the Kubernetes secret being referenced.\nThe secret must be in the same namespace as the resource",
                  "type": "string"
                }
              },
              "required": [
                "key",
                "name"
              ],
              "type": "object",
              "additionalProperties": false
            },
            "adminUsername": {
              "description": "AdminUsername: Specifies the name of the administrator account.\nRestriction: Cannot end in \".\"\nDisallowed values: \"administrator\", \"admin\", \"user\", \"user1\", \"test\", \"user2\", \"test1\", \"user3\", \"admin1\", \"1\", \"123\",\n\"a\", \"actuser\", \"adm\", \"admin2\", \"aspnet\", \"backup\", \"console\", \"david\", \"guest\", \"john\", \"owner\", \"root\", \"server\",\n\"sql\", \"support\", \"support_388945a0\", \"sys\", \"test2\", \"test3\", \"user4\", \"user5\".\nMinimum-length: 1 character\nMax-length: 20 characters",
              "type": "string"
            },
            "enableCSIProxy": {
              "description": "EnableCSIProxy: For more details on CSI proxy, see the [CSI proxy GitHub\nrepo](https://github.com/kubernetes-csi/csi-proxy).",
              "type": "boolean"
            },
            "gmsaProfile": {
              "description": "GmsaProfile: The Windows gMSA Profile in the Managed Cluster.",
              "properties": {
                "dnsServer": {
                  "description": "DnsServer: Specifies the DNS server for Windows gMSA.\nSet it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster.",
                  "type": "string"
                },
                "enabled": {
                  "description": "Enabled: Specifies whether to enable Windows gMSA in the managed cluster.",
                  "type": "boolean"
                },
                "rootDomainName": {
                  "description": "RootDomainName: Specifies the root domain name for Windows gMSA.\nSet it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster.",
                  "type": "string"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "licenseType": {
              "description": "LicenseType: The license type to use for Windows VMs. See [Azure Hybrid User\nBenefits](https://azure.microsoft.com/pricing/hybrid-benefit/faq/) for more details.",
              "enum": [
                "None",
                "Windows_Server"
              ],
              "type": "string"
            }
          },
          "required": [
            "adminUsername"
          ],
          "type": "object",
          "additionalProperties": false
        },
        "workloadAutoScalerProfile": {
          "description": "WorkloadAutoScalerProfile: Workload Auto-scaler profile for the managed cluster.",
          "properties": {
            "keda": {
              "description": "Keda: KEDA (Kubernetes Event-driven Autoscaling) settings for the workload auto-scaler profile.",
              "properties": {
                "enabled": {
                  "description": "Enabled: Whether to enable KEDA.",
                  "type": "boolean"
                }
              },
              "required": [
                "enabled"
              ],
              "type": "object",
              "additionalProperties": false
            },
            "verticalPodAutoscaler": {
              "properties": {
                "addonAutoscaling": {
                  "description": "AddonAutoscaling: Whether VPA add-on is enabled and configured to scale AKS-managed add-ons.",
                  "enum": [
                    "Disabled",
                    "Enabled"
                  ],
                  "type": "string"
                },
                "enabled": {
                  "description": "Enabled: Whether to enable VPA add-on in cluster. Default value is false.",
                  "type": "boolean"
                }
              },
              "required": [
                "enabled"
              ],
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        }
      },
      "required": [
        "location",
        "owner"
      ],
      "type": "object",
      "additionalProperties": false
    },
    "status": {
      "description": "Managed cluster.",
      "properties": {
        "aadProfile": {
          "description": "AadProfile: The Azure Active Directory configuration.",
          "properties": {
            "adminGroupObjectIDs": {
              "description": "AdminGroupObjectIDs: The list of AAD group object IDs that will have admin role of the cluster.",
              "items": {
                "type": "string"
              },
              "type": "array"
            },
            "clientAppID": {
              "description": "ClientAppID: (DEPRECATED) The client AAD application ID. Learn more at https://aka.ms/aks/aad-legacy.",
              "type": "string"
            },
            "enableAzureRBAC": {
              "description": "EnableAzureRBAC: Whether to enable Azure RBAC for Kubernetes authorization.",
              "type": "boolean"
            },
            "managed": {
              "description": "Managed: Whether to enable managed AAD.",
              "type": "boolean"
            },
            "serverAppID": {
              "description": "ServerAppID: (DEPRECATED) The server AAD application ID. Learn more at https://aka.ms/aks/aad-legacy.",
              "type": "string"
            },
            "serverAppSecret": {
              "description": "ServerAppSecret: (DEPRECATED) The server AAD application secret. Learn more at https://aka.ms/aks/aad-legacy.",
              "type": "string"
            },
            "tenantID": {
              "description": "TenantID: The AAD tenant ID to use for authentication. If not specified, will use the tenant of the deployment\nsubscription.",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "addonProfiles": {
          "additionalProperties": {
            "description": "A Kubernetes add-on profile for a managed cluster.",
            "properties": {
              "config": {
                "additionalProperties": {
                  "type": "string"
                },
                "description": "Config: Key-value pairs for configuring an add-on.",
                "type": "object"
              },
              "enabled": {
                "description": "Enabled: Whether the add-on is enabled or not.",
                "type": "boolean"
              },
              "identity": {
                "description": "Identity: Information of user assigned identity used by this add-on.",
                "properties": {
                  "clientId": {
                    "description": "ClientId: The client ID of the user assigned identity.",
                    "type": "string"
                  },
                  "objectId": {
                    "description": "ObjectId: The object ID of the user assigned identity.",
                    "type": "string"
                  },
                  "resourceId": {
                    "description": "ResourceId: The resource ID of the user assigned identity.",
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              }
            },
            "type": "object",
            "additionalProperties": false
          },
          "description": "AddonProfiles: The profile of managed cluster add-on.",
          "type": "object"
        },
        "agentPoolProfiles": {
          "description": "AgentPoolProfiles: The agent pool properties.",
          "items": {
            "description": "Profile for the container service agent pool.",
            "properties": {
              "artifactStreamingProfile": {
                "description": "ArtifactStreamingProfile: Configuration for using artifact streaming on AKS.",
                "properties": {
                  "enabled": {
                    "description": "Enabled: Artifact streaming speeds up the cold-start of containers on a node through on-demand image loading. To use\nthis feature, container images must also enable artifact streaming on ACR. If not specified, the default is false.",
                    "type": "boolean"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "availabilityZones": {
                "description": "AvailabilityZones: The list of Availability zones to use for nodes. This can only be specified if the AgentPoolType\nproperty is 'VirtualMachineScaleSets'.",
                "items": {
                  "type": "string"
                },
                "type": "array"
              },
              "capacityReservationGroupID": {
                "description": "CapacityReservationGroupID: AKS will associate the specified agent pool with the Capacity Reservation Group.",
                "type": "string"
              },
              "count": {
                "description": "Count: Number of agents (VMs) to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive)\nfor user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1.",
                "type": "integer"
              },
              "creationData": {
                "description": "CreationData: CreationData to be used to specify the source Snapshot ID if the node pool will be created/upgraded using\na snapshot.",
                "properties": {
                  "sourceResourceId": {
                    "description": "SourceResourceId: This is the ARM ID of the source object to be used to create the target object.",
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "currentOrchestratorVersion": {
                "description": "CurrentOrchestratorVersion: If orchestratorVersion was a fully specified version <major.minor.patch>, this field will be\nexactly equal to it. If orchestratorVersion was <major.minor>, this field will contain the full <major.minor.patch>\nversion being used.",
                "type": "string"
              },
              "eTag": {
                "description": "ETag: Unique read-only string used to implement optimistic concurrency. The eTag value will change when the resource is\nupdated. Specify an if-match or if-none-match header with the eTag value for a subsequent request to enable optimistic\nconcurrency per the normal etag convention.",
                "type": "string"
              },
              "enableAutoScaling": {
                "description": "EnableAutoScaling: Whether to enable auto-scaler",
                "type": "boolean"
              },
              "enableCustomCATrust": {
                "description": "EnableCustomCATrust: When set to true, AKS adds a label to the node indicating that the feature is enabled and deploys a\ndaemonset along with host services to sync custom certificate authorities from user-provided list of base64 encoded\ncertificates into node trust stores. Defaults to false.",
                "type": "boolean"
              },
              "enableEncryptionAtHost": {
                "description": "EnableEncryptionAtHost: This is only supported on certain VM sizes and in certain Azure regions. For more information,\nsee: https://docs.microsoft.com/azure/aks/enable-host-encryption",
                "type": "boolean"
              },
              "enableFIPS": {
                "description": "EnableFIPS: See [Add a FIPS-enabled node\npool](https://docs.microsoft.com/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool-preview) for more\ndetails.",
                "type": "boolean"
              },
              "enableNodePublicIP": {
                "description": "EnableNodePublicIP: Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses.\nA common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine\nto minimize hops. For more information see [assigning a public IP per\nnode](https://docs.microsoft.com/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools). The\ndefault is false.",
                "type": "boolean"
              },
              "enableUltraSSD": {
                "description": "EnableUltraSSD: Whether to enable UltraSSD",
                "type": "boolean"
              },
              "gatewayProfile": {
                "description": "GatewayProfile: Profile specific to a managed agent pool in Gateway mode. This field cannot be set if agent pool mode is\nnot Gateway.",
                "properties": {
                  "publicIPPrefixSize": {
                    "description": "PublicIPPrefixSize: The Gateway agent pool associates one public IPPrefix for each static egress gateway to provide\npublic egress. The size of Public IPPrefix should be selected by the user. Each node in the agent pool is assigned with\none IP from the IPPrefix. The IPPrefix size thus serves as a cap on the size of the Gateway agent pool. Due to Azure\npublic IPPrefix size limitation, the valid value range is [28, 31] (/31 = 2 nodes/IPs, /30 = 4 nodes/IPs, /29 = 8\nnodes/IPs, /28 = 16 nodes/IPs). The default value is 31.",
                    "type": "integer"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "gpuInstanceProfile": {
                "description": "GpuInstanceProfile: GPUInstanceProfile to be used to specify GPU MIG instance profile for supported GPU VM SKU.",
                "type": "string"
              },
              "gpuProfile": {
                "description": "GpuProfile: The GPU settings of an agent pool.",
                "properties": {
                  "installGPUDriver": {
                    "description": "InstallGPUDriver: The default value is true when the vmSize of the agent pool contains a GPU, false otherwise. GPU\nDriver Installation can only be set true when VM has an associated GPU resource. Setting this field to false prevents\nautomatic GPU driver installation. In that case, in order for the GPU to be usable, the user must perform GPU driver\ninstallation themselves.",
                    "type": "boolean"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "hostGroupID": {
                "description": "HostGroupID: This is of the form:\n/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/hostGroups/{hostGroupName}.\nFor more information see [Azure dedicated hosts](https://docs.microsoft.com/azure/virtual-machines/dedicated-hosts).",
                "type": "string"
              },
              "kubeletConfig": {
                "description": "KubeletConfig: The Kubelet configuration on the agent pool nodes.",
                "properties": {
                  "allowedUnsafeSysctls": {
                    "description": "AllowedUnsafeSysctls: Allowed list of unsafe sysctls or unsafe sysctl patterns (ending in `*`).",
                    "items": {
                      "type": "string"
                    },
                    "type": "array"
                  },
                  "containerLogMaxFiles": {
                    "description": "ContainerLogMaxFiles: The maximum number of container log files that can be present for a container. The number must be\n\u2265 2.",
                    "type": "integer"
                  },
                  "containerLogMaxSizeMB": {
                    "description": "ContainerLogMaxSizeMB: The maximum size (e.g. 10Mi) of container log file before it is rotated.",
                    "type": "integer"
                  },
                  "cpuCfsQuota": {
                    "description": "CpuCfsQuota: The default is true.",
                    "type": "boolean"
                  },
                  "cpuCfsQuotaPeriod": {
                    "description": "CpuCfsQuotaPeriod: The default is '100ms.' Valid values are a sequence of decimal numbers with an optional fraction and\na unit suffix. For example: '300ms', '2h45m'. Supported units are 'ns', 'us', 'ms', 's', 'm', and 'h'.",
                    "type": "string"
                  },
                  "cpuManagerPolicy": {
                    "description": "CpuManagerPolicy: The default is 'none'. See [Kubernetes CPU management\npolicies](https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#cpu-management-policies) for more\ninformation. Allowed values are 'none' and 'static'.",
                    "type": "string"
                  },
                  "failSwapOn": {
                    "description": "FailSwapOn: If set to true it will make the Kubelet fail to start if swap is enabled on the node.",
                    "type": "boolean"
                  },
                  "imageGcHighThreshold": {
                    "description": "ImageGcHighThreshold: To disable image garbage collection, set to 100. The default is 85%",
                    "type": "integer"
                  },
                  "imageGcLowThreshold": {
                    "description": "ImageGcLowThreshold: This cannot be set higher than imageGcHighThreshold. The default is 80%",
                    "type": "integer"
                  },
                  "podMaxPids": {
                    "description": "PodMaxPids: The maximum number of processes per pod.",
                    "type": "integer"
                  },
                  "topologyManagerPolicy": {
                    "description": "TopologyManagerPolicy: For more information see [Kubernetes Topology\nManager](https://kubernetes.io/docs/tasks/administer-cluster/topology-manager). The default is 'none'. Allowed values\nare 'none', 'best-effort', 'restricted', and 'single-numa-node'.",
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "kubeletDiskType": {
                "description": "KubeletDiskType: Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral\nstorage.",
                "type": "string"
              },
              "linuxOSConfig": {
                "description": "LinuxOSConfig: The OS configuration of Linux agent nodes.",
                "properties": {
                  "swapFileSizeMB": {
                    "description": "SwapFileSizeMB: The size in MB of a swap file that will be created on each node.",
                    "type": "integer"
                  },
                  "sysctls": {
                    "description": "Sysctls: Sysctl settings for Linux agent nodes.",
                    "properties": {
                      "fsAioMaxNr": {
                        "description": "FsAioMaxNr: Sysctl setting fs.aio-max-nr.",
                        "type": "integer"
                      },
                      "fsFileMax": {
                        "description": "FsFileMax: Sysctl setting fs.file-max.",
                        "type": "integer"
                      },
                      "fsInotifyMaxUserWatches": {
                        "description": "FsInotifyMaxUserWatches: Sysctl setting fs.inotify.max_user_watches.",
                        "type": "integer"
                      },
                      "fsNrOpen": {
                        "description": "FsNrOpen: Sysctl setting fs.nr_open.",
                        "type": "integer"
                      },
                      "kernelThreadsMax": {
                        "description": "KernelThreadsMax: Sysctl setting kernel.threads-max.",
                        "type": "integer"
                      },
                      "netCoreNetdevMaxBacklog": {
                        "description": "NetCoreNetdevMaxBacklog: Sysctl setting net.core.netdev_max_backlog.",
                        "type": "integer"
                      },
                      "netCoreOptmemMax": {
                        "description": "NetCoreOptmemMax: Sysctl setting net.core.optmem_max.",
                        "type": "integer"
                      },
                      "netCoreRmemDefault": {
                        "description": "NetCoreRmemDefault: Sysctl setting net.core.rmem_default.",
                        "type": "integer"
                      },
                      "netCoreRmemMax": {
                        "description": "NetCoreRmemMax: Sysctl setting net.core.rmem_max.",
                        "type": "integer"
                      },
                      "netCoreSomaxconn": {
                        "description": "NetCoreSomaxconn: Sysctl setting net.core.somaxconn.",
                        "type": "integer"
                      },
                      "netCoreWmemDefault": {
                        "description": "NetCoreWmemDefault: Sysctl setting net.core.wmem_default.",
                        "type": "integer"
                      },
                      "netCoreWmemMax": {
                        "description": "NetCoreWmemMax: Sysctl setting net.core.wmem_max.",
                        "type": "integer"
                      },
                      "netIpv4IpLocalPortRange": {
                        "description": "NetIpv4IpLocalPortRange: Sysctl setting net.ipv4.ip_local_port_range.",
                        "type": "string"
                      },
                      "netIpv4NeighDefaultGcThresh1": {
                        "description": "NetIpv4NeighDefaultGcThresh1: Sysctl setting net.ipv4.neigh.default.gc_thresh1.",
                        "type": "integer"
                      },
                      "netIpv4NeighDefaultGcThresh2": {
                        "description": "NetIpv4NeighDefaultGcThresh2: Sysctl setting net.ipv4.neigh.default.gc_thresh2.",
                        "type": "integer"
                      },
                      "netIpv4NeighDefaultGcThresh3": {
                        "description": "NetIpv4NeighDefaultGcThresh3: Sysctl setting net.ipv4.neigh.default.gc_thresh3.",
                        "type": "integer"
                      },
                      "netIpv4TcpFinTimeout": {
                        "description": "NetIpv4TcpFinTimeout: Sysctl setting net.ipv4.tcp_fin_timeout.",
                        "type": "integer"
                      },
                      "netIpv4TcpKeepaliveProbes": {
                        "description": "NetIpv4TcpKeepaliveProbes: Sysctl setting net.ipv4.tcp_keepalive_probes.",
                        "type": "integer"
                      },
                      "netIpv4TcpKeepaliveTime": {
                        "description": "NetIpv4TcpKeepaliveTime: Sysctl setting net.ipv4.tcp_keepalive_time.",
                        "type": "integer"
                      },
                      "netIpv4TcpMaxSynBacklog": {
                        "description": "NetIpv4TcpMaxSynBacklog: Sysctl setting net.ipv4.tcp_max_syn_backlog.",
                        "type": "integer"
                      },
                      "netIpv4TcpMaxTwBuckets": {
                        "description": "NetIpv4TcpMaxTwBuckets: Sysctl setting net.ipv4.tcp_max_tw_buckets.",
                        "type": "integer"
                      },
                      "netIpv4TcpTwReuse": {
                        "description": "NetIpv4TcpTwReuse: Sysctl setting net.ipv4.tcp_tw_reuse.",
                        "type": "boolean"
                      },
                      "netIpv4TcpkeepaliveIntvl": {
                        "description": "NetIpv4TcpkeepaliveIntvl: Sysctl setting net.ipv4.tcp_keepalive_intvl.",
                        "type": "integer"
                      },
                      "netNetfilterNfConntrackBuckets": {
                        "description": "NetNetfilterNfConntrackBuckets: Sysctl setting net.netfilter.nf_conntrack_buckets.",
                        "type": "integer"
                      },
                      "netNetfilterNfConntrackMax": {
                        "description": "NetNetfilterNfConntrackMax: Sysctl setting net.netfilter.nf_conntrack_max.",
                        "type": "integer"
                      },
                      "vmMaxMapCount": {
                        "description": "VmMaxMapCount: Sysctl setting vm.max_map_count.",
                        "type": "integer"
                      },
                      "vmSwappiness": {
                        "description": "VmSwappiness: Sysctl setting vm.swappiness.",
                        "type": "integer"
                      },
                      "vmVfsCachePressure": {
                        "description": "VmVfsCachePressure: Sysctl setting vm.vfs_cache_pressure.",
                        "type": "integer"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "transparentHugePageDefrag": {
                    "description": "TransparentHugePageDefrag: Valid values are 'always', 'defer', 'defer+madvise', 'madvise' and 'never'. The default is\n'madvise'. For more information see [Transparent\nHugepages](https://www.kernel.org/doc/html/latest/admin-guide/mm/transhuge.html#admin-guide-transhuge).",
                    "type": "string"
                  },
                  "transparentHugePageEnabled": {
                    "description": "TransparentHugePageEnabled: Valid values are 'always', 'madvise', and 'never'. The default is 'always'. For more\ninformation see [Transparent\nHugepages](https://www.kernel.org/doc/html/latest/admin-guide/mm/transhuge.html#admin-guide-transhuge).",
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "maxCount": {
                "description": "MaxCount: The maximum number of nodes for auto-scaling",
                "type": "integer"
              },
              "maxPods": {
                "description": "MaxPods: The maximum number of pods that can run on a node.",
                "type": "integer"
              },
              "messageOfTheDay": {
                "description": "MessageOfTheDay: A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of\nthe message of the day for Linux nodes. It must not be specified for Windows nodes. It must be a static string (i.e.,\nwill be printed raw and not be executed as a script).",
                "type": "string"
              },
              "minCount": {
                "description": "MinCount: The minimum number of nodes for auto-scaling",
                "type": "integer"
              },
              "mode": {
                "description": "Mode: A cluster must have at least one 'System' Agent Pool at all times. For additional information on agent pool\nrestrictions  and best practices, see: https://docs.microsoft.com/azure/aks/use-system-pools",
                "type": "string"
              },
              "name": {
                "description": "Name: Windows agent pool names must be 6 characters or less.",
                "type": "string"
              },
              "networkProfile": {
                "description": "NetworkProfile: Network-related settings of an agent pool.",
                "properties": {
                  "allowedHostPorts": {
                    "description": "AllowedHostPorts: The port ranges that are allowed to access. The specified ranges are allowed to overlap.",
                    "items": {
                      "description": "The port range.",
                      "properties": {
                        "portEnd": {
                          "description": "PortEnd: The maximum port that is included in the range. It should be ranged from 1 to 65535, and be greater than or\nequal to portStart.",
                          "type": "integer"
                        },
                        "portStart": {
                          "description": "PortStart: The minimum port that is included in the range. It should be ranged from 1 to 65535, and be less than or\nequal to portEnd.",
                          "type": "integer"
                        },
                        "protocol": {
                          "description": "Protocol: The network protocol of the port.",
                          "type": "string"
                        }
                      },
                      "type": "object",
                      "additionalProperties": false
                    },
                    "type": "array"
                  },
                  "applicationSecurityGroups": {
                    "description": "ApplicationSecurityGroups: The IDs of the application security groups which agent pool will associate when created.",
                    "items": {
                      "type": "string"
                    },
                    "type": "array"
                  },
                  "nodePublicIPTags": {
                    "description": "NodePublicIPTags: IPTags of instance-level public IPs.",
                    "items": {
                      "description": "Contains the IPTag associated with the object.",
                      "properties": {
                        "ipTagType": {
                          "description": "IpTagType: The IP tag type. Example: RoutingPreference.",
                          "type": "string"
                        },
                        "tag": {
                          "description": "Tag: The value of the IP tag associated with the public IP. Example: Internet.",
                          "type": "string"
                        }
                      },
                      "type": "object",
                      "additionalProperties": false
                    },
                    "type": "array"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "nodeImageVersion": {
                "description": "NodeImageVersion: The version of node image",
                "type": "string"
              },
              "nodeInitializationTaints": {
                "description": "NodeInitializationTaints: These taints will not be reconciled by AKS and can be removed with a kubectl call. This field\ncan be modified after node pool is created, but nodes will not be recreated with new taints until another operation that\nrequires recreation (e.g. node image upgrade) happens. These taints allow for required configuration to run before the\nnode is ready to accept workloads, for example 'key1=value1:NoSchedule' that then can be removed with `kubectl taint\nnodes node1 key1=value1:NoSchedule-`",
                "items": {
                  "type": "string"
                },
                "type": "array"
              },
              "nodeLabels": {
                "additionalProperties": {
                  "type": "string"
                },
                "description": "NodeLabels: The node labels to be persisted across all nodes in agent pool.",
                "type": "object"
              },
              "nodePublicIPPrefixID": {
                "description": "NodePublicIPPrefixID: This is of the form:\n/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPPrefixes/{publicIPPrefixName}",
                "type": "string"
              },
              "nodeTaints": {
                "description": "NodeTaints: The taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule.",
                "items": {
                  "type": "string"
                },
                "type": "array"
              },
              "orchestratorVersion": {
                "description": "OrchestratorVersion: Both patch version <major.minor.patch> and <major.minor> are supported. When <major.minor> is\nspecified, the latest supported patch version is chosen automatically. Updating the agent pool with the same\n<major.minor> once it has been created will not trigger an upgrade, even if a newer patch version is available. As a\nbest practice, you should upgrade all node pools in an AKS cluster to the same Kubernetes version. The node pool version\nmust have the same major version as the control plane. The node pool minor version must be within two minor versions of\nthe control plane version. The node pool version cannot be greater than the control plane version. For more information\nsee [upgrading a node pool](https://docs.microsoft.com/azure/aks/use-multiple-node-pools#upgrade-a-node-pool).",
                "type": "string"
              },
              "osDiskSizeGB": {
                "type": "integer"
              },
              "osDiskType": {
                "description": "OsDiskType: The default is 'Ephemeral' if the VM supports it and has a cache disk larger than the requested\nOSDiskSizeGB. Otherwise,  defaults to 'Managed'. May not be changed after creation. For more information see [Ephemeral\nOS](https://docs.microsoft.com/azure/aks/cluster-configuration#ephemeral-os).",
                "type": "string"
              },
              "osSKU": {
                "description": "OsSKU: Specifies the OS SKU used by the agent pool. If not specified, the default is Ubuntu if OSType=Linux or\nWindows2019 if  OSType=Windows. And the default Windows OSSKU will be changed to Windows2022 after Windows2019 is\ndeprecated.",
                "type": "string"
              },
              "osType": {
                "description": "OsType: The operating system type. The default is Linux.",
                "type": "string"
              },
              "podIPAllocationMode": {
                "description": "PodIPAllocationMode: The IP allocation mode for pods in the agent pool. Must be used with podSubnetId. The default is\n'DynamicIndividual'.",
                "type": "string"
              },
              "podSubnetID": {
                "description": "PodSubnetID: If omitted, pod IPs are statically assigned on the node subnet (see vnetSubnetID for more details). This is\nof the form:\n/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}",
                "type": "string"
              },
              "powerState": {
                "description": "PowerState: When an Agent Pool is first created it is initially Running. The Agent Pool can be stopped by setting this\nfield to Stopped. A stopped Agent Pool stops all of its VMs and does not accrue billing charges. An Agent Pool can only\nbe stopped if it is Running and provisioning state is Succeeded",
                "properties": {
                  "code": {
                    "description": "Code: Tells whether the cluster is Running or Stopped",
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "provisioningState": {
                "description": "ProvisioningState: The current deployment or provisioning state.",
                "type": "string"
              },
              "proximityPlacementGroupID": {
                "description": "ProximityPlacementGroupID: The ID for Proximity Placement Group.",
                "type": "string"
              },
              "scaleDownMode": {
                "description": "ScaleDownMode: This also affects the cluster autoscaler behavior. If not specified, it defaults to Delete.",
                "type": "string"
              },
              "scaleSetEvictionPolicy": {
                "description": "ScaleSetEvictionPolicy: This cannot be specified unless the scaleSetPriority is 'Spot'. If not specified, the default is\n'Delete'.",
                "type": "string"
              },
              "scaleSetPriority": {
                "description": "ScaleSetPriority: The Virtual Machine Scale Set priority. If not specified, the default is 'Regular'.",
                "type": "string"
              },
              "securityProfile": {
                "description": "SecurityProfile: The security settings of an agent pool.",
                "properties": {
                  "enableSecureBoot": {
                    "description": "EnableSecureBoot: Secure Boot is a feature of Trusted Launch which ensures that only signed operating systems and\ndrivers can boot. For more details, see aka.ms/aks/trustedlaunch.  If not specified, the default is false.",
                    "type": "boolean"
                  },
                  "enableVTPM": {
                    "description": "EnableVTPM: vTPM is a Trusted Launch feature for configuring a dedicated secure vault for keys and measurements held\nlocally on the node. For more details, see aka.ms/aks/trustedlaunch. If not specified, the default is false.",
                    "type": "boolean"
                  },
                  "sshAccess": {
                    "description": "SshAccess: SSH access method of an agent pool.",
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "spotMaxPrice": {
                "description": "SpotMaxPrice: Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any\non-demand price. For more details on spot pricing, see [spot VMs\npricing](https://docs.microsoft.com/azure/virtual-machines/spot-vms#pricing)",
                "type": "number"
              },
              "tags": {
                "additionalProperties": {
                  "type": "string"
                },
                "description": "Tags: The tags to be persisted on the agent pool virtual machine scale set.",
                "type": "object"
              },
              "type": {
                "description": "Type: The type of Agent Pool.",
                "type": "string"
              },
              "upgradeSettings": {
                "description": "UpgradeSettings: Settings for upgrading the agentpool",
                "properties": {
                  "drainTimeoutInMinutes": {
                    "description": "DrainTimeoutInMinutes: The amount of time (in minutes) to wait on eviction of pods and graceful termination per node.\nThis eviction wait time honors waiting on pod disruption budgets. If this time is exceeded, the upgrade fails. If not\nspecified, the default is 30 minutes.",
                    "type": "integer"
                  },
                  "maxSurge": {
                    "description": "MaxSurge: This can either be set to an integer (e.g. '5') or a percentage (e.g. '50%'). If a percentage is specified, it\nis the percentage of the total agent pool size at the time of the upgrade. For percentages, fractional nodes are rounded\nup. If not specified, the default is 1. For more information, including best practices, see:\nhttps://docs.microsoft.com/azure/aks/upgrade-cluster#customize-node-surge-upgrade",
                    "type": "string"
                  },
                  "nodeSoakDurationInMinutes": {
                    "description": "NodeSoakDurationInMinutes: The amount of time (in minutes) to wait after draining a node and before reimaging it and\nmoving on to next node. If not specified, the default is 0 minutes.",
                    "type": "integer"
                  },
                  "undrainableNodeBehavior": {
                    "description": "UndrainableNodeBehavior: Defines the behavior for undrainable nodes during upgrade. The most common cause of undrainable\nnodes is Pod Disruption Budgets (PDBs), but other issues, such as a pod termination grace period that exceeds the\nremaining per-node drain timeout or a pod that is still in a running state, can also cause undrainable nodes.",
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "virtualMachineNodesStatus": {
                "items": {
                  "description": "Current status on a group of nodes of the same vm size.",
                  "properties": {
                    "count": {
                      "description": "Count: Number of nodes.",
                      "type": "integer"
                    },
                    "size": {
                      "description": "Size: The VM size of the agents used to host this group of nodes.",
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                },
                "type": "array"
              },
              "virtualMachinesProfile": {
                "description": "VirtualMachinesProfile: Specifications on VirtualMachines agent pool.",
                "properties": {
                  "scale": {
                    "description": "Scale: Specifications on how to scale a VirtualMachines agent pool.",
                    "properties": {
                      "autoscale": {
                        "description": "Autoscale: Specifications on how to auto-scale the VirtualMachines agent pool within a predefined size range. Currently,\nat most one AutoScaleProfile is allowed.",
                        "items": {
                          "description": "Specifications on auto-scaling.",
                          "properties": {
                            "maxCount": {
                              "description": "MaxCount: The maximum number of nodes of the specified sizes.",
                              "type": "integer"
                            },
                            "minCount": {
                              "description": "MinCount: The minimum number of nodes of the specified sizes.",
                              "type": "integer"
                            },
                            "sizes": {
                              "description": "Sizes: The list of allowed vm sizes e.g. ['Standard_E4s_v3', 'Standard_E16s_v3', 'Standard_D16s_v5']. AKS will use the\nfirst available one when auto scaling. If a VM size is unavailable (e.g. due to quota or regional capacity reasons), AKS\nwill use the next size.",
                              "items": {
                                "type": "string"
                              },
                              "type": "array"
                            }
                          },
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array"
                      },
                      "manual": {
                        "description": "Manual: Specifications on how to scale the VirtualMachines agent pool to a fixed size.",
                        "items": {
                          "description": "Specifications on number of machines.",
                          "properties": {
                            "count": {
                              "description": "Count: Number of nodes.",
                              "type": "integer"
                            },
                            "sizes": {
                              "description": "Sizes: The list of allowed vm sizes e.g. ['Standard_E4s_v3', 'Standard_E16s_v3', 'Standard_D16s_v5']. AKS will use the\nfirst available one when scaling. If a VM size is unavailable (e.g. due to quota or regional capacity reasons), AKS will\nuse the next size.",
                              "items": {
                                "type": "string"
                              },
                              "type": "array"
                            }
                          },
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "vmSize": {
                "description": "VmSize: VM size availability varies by region. If a node contains insufficient compute resources (memory, cpu, etc) pods\nmight fail to run correctly. For more details on restricted VM sizes, see:\nhttps://docs.microsoft.com/azure/aks/quotas-skus-regions",
                "type": "string"
              },
              "vnetSubnetID": {
                "description": "VnetSubnetID: If this is not specified, a VNET and subnet will be generated and used. If no podSubnetID is specified,\nthis applies to nodes and pods, otherwise it applies to just nodes. This is of the form:\n/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{virtualNetworkName}/subnets/{subnetName}",
                "type": "string"
              },
              "windowsProfile": {
                "description": "WindowsProfile: The Windows agent pool's specific profile.",
                "properties": {
                  "disableOutboundNat": {
                    "description": "DisableOutboundNat: The default value is false. Outbound NAT can only be disabled if the cluster outboundType is NAT\nGateway and the Windows agent pool does not have node public IP enabled.",
                    "type": "boolean"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "workloadRuntime": {
                "description": "WorkloadRuntime: Determines the type of workload a node can run.",
                "type": "string"
              }
            },
            "type": "object",
            "additionalProperties": false
          },
          "type": "array"
        },
        "aiToolchainOperatorProfile": {
          "description": "AiToolchainOperatorProfile: AI toolchain operator settings that apply to the whole cluster.",
          "properties": {
            "enabled": {
              "description": "Enabled: Indicates if AI toolchain operator is enabled or not.",
              "type": "boolean"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "apiServerAccessProfile": {
          "description": "ApiServerAccessProfile: The access profile for managed cluster API server.",
          "properties": {
            "authorizedIPRanges": {
              "description": "AuthorizedIPRanges: The IP ranges authorized to access the API server. IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with\nclusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer. For more information see [API\nserver authorized IP ranges](https://docs.microsoft.com/azure/aks/api-server-authorized-ip-ranges).",
              "items": {
                "type": "string"
              },
              "type": "array"
            },
            "disableRunCommand": {
              "description": "DisableRunCommand: Whether to disable run command for the cluster or not.",
              "type": "boolean"
            },
            "enablePrivateCluster": {
              "description": "EnablePrivateCluster: Whether to create the cluster as a private cluster or not. For more details, see [Creating a private AKS\ncluster](https://docs.microsoft.com/azure/aks/private-clusters).",
              "type": "boolean"
            },
            "enablePrivateClusterPublicFQDN": {
              "description": "EnablePrivateClusterPublicFQDN: Whether to create additional public FQDN for private cluster or not.",
              "type": "boolean"
            },
            "enableVnetIntegration": {
              "description": "EnableVnetIntegration: Whether to enable apiserver vnet integration for the cluster or not.",
              "type": "boolean"
            },
            "privateDNSZone": {
              "description": "PrivateDNSZone: The default is System. For more details see [configure private DNS\nzone](https://docs.microsoft.com/azure/aks/private-clusters#configure-private-dns-zone). Allowed values are 'system' and\n'none'.",
              "type": "string"
            },
            "subnetId": {
              "description": "SubnetId: It is required when: 1. creating a new cluster with BYO Vnet; 2. updating an existing cluster to enable\napiserver vnet integration.",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "autoScalerProfile": {
          "description": "AutoScalerProfile: Parameters to be applied to the cluster-autoscaler when enabled",
          "properties": {
            "balance-similar-node-groups": {
              "description": "BalanceSimilarNodeGroups: Valid values are 'true' and 'false'",
              "type": "string"
            },
            "daemonset-eviction-for-empty-nodes": {
              "description": "DaemonsetEvictionForEmptyNodes: If set to true, all daemonset pods on empty nodes will be evicted before deletion of the\nnode. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node will be\ndeleted without ensuring that daemonset pods are deleted or evicted.",
              "type": "boolean"
            },
            "daemonset-eviction-for-occupied-nodes": {
              "description": "DaemonsetEvictionForOccupiedNodes: If set to true, all daemonset pods on occupied nodes will be evicted before deletion\nof the node. If the daemonset pod cannot be evicted another node will be chosen for scaling. If set to false, the node\nwill be deleted without ensuring that daemonset pods are deleted or evicted.",
              "type": "boolean"
            },
            "expander": {
              "description": "Expander: Available values are: 'least-waste', 'most-pods', 'priority', 'random'.",
              "type": "string"
            },
            "ignore-daemonsets-utilization": {
              "description": "IgnoreDaemonsetsUtilization: If set to true, the resources used by daemonset will be taken into account when making\nscaling down decisions.",
              "type": "boolean"
            },
            "max-empty-bulk-delete": {
              "description": "MaxEmptyBulkDelete: The default is 10.",
              "type": "string"
            },
            "max-graceful-termination-sec": {
              "description": "MaxGracefulTerminationSec: The default is 600.",
              "type": "string"
            },
            "max-node-provision-time": {
              "description": "MaxNodeProvisionTime: The default is '15m'. Values must be an integer followed by an 'm'. No unit of time other than\nminutes (m) is supported.",
              "type": "string"
            },
            "max-total-unready-percentage": {
              "description": "MaxTotalUnreadyPercentage: The default is 45. The maximum is 100 and the minimum is 0.",
              "type": "string"
            },
            "new-pod-scale-up-delay": {
              "description": "NewPodScaleUpDelay: For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler\ncould schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. The default is\n'0s'. Values must be an integer followed by a unit ('s' for seconds, 'm' for minutes, 'h' for hours, etc).",
              "type": "string"
            },
            "ok-total-unready-count": {
              "description": "OkTotalUnreadyCount: This must be an integer. The default is 3.",
              "type": "string"
            },
            "scale-down-delay-after-add": {
              "description": "ScaleDownDelayAfterAdd: The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than\nminutes (m) is supported.",
              "type": "string"
            },
            "scale-down-delay-after-delete": {
              "description": "ScaleDownDelayAfterDelete: The default is the scan-interval. Values must be an integer followed by an 'm'. No unit of\ntime other than minutes (m) is supported.",
              "type": "string"
            },
            "scale-down-delay-after-failure": {
              "description": "ScaleDownDelayAfterFailure: The default is '3m'. Values must be an integer followed by an 'm'. No unit of time other\nthan minutes (m) is supported.",
              "type": "string"
            },
            "scale-down-unneeded-time": {
              "description": "ScaleDownUnneededTime: The default is '10m'. Values must be an integer followed by an 'm'. No unit of time other than\nminutes (m) is supported.",
              "type": "string"
            },
            "scale-down-unready-time": {
              "description": "ScaleDownUnreadyTime: The default is '20m'. Values must be an integer followed by an 'm'. No unit of time other than\nminutes (m) is supported.",
              "type": "string"
            },
            "scale-down-utilization-threshold": {
              "description": "ScaleDownUtilizationThreshold: The default is '0.5'.",
              "type": "string"
            },
            "scan-interval": {
              "description": "ScanInterval: The default is '10'. Values must be an integer number of seconds.",
              "type": "string"
            },
            "skip-nodes-with-local-storage": {
              "description": "SkipNodesWithLocalStorage: The default is true.",
              "type": "string"
            },
            "skip-nodes-with-system-pods": {
              "description": "SkipNodesWithSystemPods: The default is true.",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "autoUpgradeProfile": {
          "description": "AutoUpgradeProfile: The auto upgrade configuration.",
          "properties": {
            "nodeOSUpgradeChannel": {
              "description": "NodeOSUpgradeChannel: The default is Unmanaged, but may change to either NodeImage or SecurityPatch at GA.",
              "type": "string"
            },
            "upgradeChannel": {
              "description": "UpgradeChannel: For more information see [setting the AKS cluster auto-upgrade\nchannel](https://docs.microsoft.com/azure/aks/upgrade-cluster#set-auto-upgrade-channel).",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "azureMonitorProfile": {
          "description": "AzureMonitorProfile: Prometheus addon profile for the container service cluster",
          "properties": {
            "appMonitoring": {
              "description": "AppMonitoring: Application Monitoring Profile for Kubernetes Application Container. Collects application logs, metrics\nand traces  through auto-instrumentation of the application using Azure Monitor OpenTelemetry based SDKs. See\naka.ms/AzureMonitorApplicationMonitoring for an overview.",
              "properties": {
                "autoInstrumentation": {
                  "description": "AutoInstrumentation: Application Monitoring Auto Instrumentation for Kubernetes Application Container. Deploys web hook\nto auto-instrument  Azure Monitor OpenTelemetry based SDKs to collect OpenTelemetry metrics, logs and traces of the\napplication. See  aka.ms/AzureMonitorApplicationMonitoring for an overview.",
                  "properties": {
                    "enabled": {
                      "description": "Enabled: Indicates if Application Monitoring Auto Instrumentation is enabled or not.",
                      "type": "boolean"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                },
                "openTelemetryLogs": {
                  "description": "OpenTelemetryLogs: Application Monitoring Open Telemetry Metrics Profile for Kubernetes Application Container Logs and\nTraces. Collects  OpenTelemetry logs and traces of the application using Azure Monitor OpenTelemetry based SDKs. See\naka.ms/AzureMonitorApplicationMonitoring for an overview.",
                  "properties": {
                    "enabled": {
                      "description": "Enabled: Indicates if Application Monitoring Open Telemetry Logs and traces is enabled or not.",
                      "type": "boolean"
                    },
                    "port": {
                      "description": "Port: The Open Telemetry host port for Open Telemetry logs and traces. If not specified, the default port is 28331.",
                      "type": "integer"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                },
                "openTelemetryMetrics": {
                  "description": "OpenTelemetryMetrics: Application Monitoring Open Telemetry Metrics Profile for Kubernetes Application Container\nMetrics. Collects  OpenTelemetry metrics of the application using Azure Monitor OpenTelemetry based SDKs. See\naka.ms/AzureMonitorApplicationMonitoring for an overview.",
                  "properties": {
                    "enabled": {
                      "description": "Enabled: Indicates if Application Monitoring Open Telemetry Metrics is enabled or not.",
                      "type": "boolean"
                    },
                    "port": {
                      "description": "Port: The Open Telemetry host port for Open Telemetry metrics. If not specified, the default port is 28333.",
                      "type": "integer"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "containerInsights": {
              "description": "ContainerInsights: Azure Monitor Container Insights Profile for Kubernetes Events, Inventory and Container stdout &\nstderr logs etc. See  aka.ms/AzureMonitorContainerInsights for an overview.",
              "properties": {
                "disableCustomMetrics": {
                  "description": "DisableCustomMetrics: Indicates whether custom metrics collection has to be disabled or not. If not specified, the\ndefault is false. Even when this field is false, no custom metrics will be emitted if the container insights enabled field is\nfalse.",
                  "type": "boolean"
                },
                "disablePrometheusMetricsScraping": {
                  "description": "DisablePrometheusMetricsScraping: Indicates whether prometheus metrics scraping is disabled or not. If not specified, the\ndefault is false. Even when this field is false, no prometheus metrics will be emitted if the container insights enabled field\nis false.",
                  "type": "boolean"
                },
                "enabled": {
                  "description": "Enabled: Indicates if Azure Monitor Container Insights Logs Addon is enabled or not.",
                  "type": "boolean"
                },
                "logAnalyticsWorkspaceResourceId": {
                  "description": "LogAnalyticsWorkspaceResourceId: Fully Qualified ARM Resource Id of Azure Log Analytics Workspace for storing Azure\nMonitor Container Insights Logs.",
                  "type": "string"
                },
                "syslogPort": {
                  "description": "SyslogPort: The syslog host port. If not specified, the default port is 28330.",
                  "type": "integer"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "metrics": {
              "description": "Metrics: Metrics profile for the prometheus service addon",
              "properties": {
                "enabled": {
                  "description": "Enabled: Whether to enable the Prometheus collector",
                  "type": "boolean"
                },
                "kubeStateMetrics": {
                  "description": "KubeStateMetrics: Kube State Metrics for prometheus addon profile for the container service cluster",
                  "properties": {
                    "metricAnnotationsAllowList": {
                      "description": "MetricAnnotationsAllowList: Comma-separated list of additional Kubernetes label keys that will be used in the resource's\nlabels metric.",
                      "type": "string"
                    },
                    "metricLabelsAllowlist": {
                      "description": "MetricLabelsAllowlist: Comma-separated list of Kubernetes annotations keys that will be used in the resource's labels\nmetric.",
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "azurePortalFQDN": {
          "description": "AzurePortalFQDN: The Azure Portal requires certain Cross-Origin Resource Sharing (CORS) headers to be sent in some\nresponses, which Kubernetes APIServer doesn't handle by default. This special FQDN supports CORS, allowing the Azure\nPortal to function properly.",
          "type": "string"
        },
        "bootstrapProfile": {
          "description": "BootstrapProfile: Profile of the cluster bootstrap configuration.",
          "properties": {
            "artifactSource": {
              "description": "ArtifactSource: The source where the artifacts are downloaded from.",
              "type": "string"
            },
            "containerRegistryId": {
              "description": "ContainerRegistryId: The resource Id of Azure Container Registry. The registry must have private network access, premium\nSKU and zone redundancy.",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "conditions": {
          "description": "Conditions: The observed state of the resource",
          "items": {
            "description": "Condition defines an extension to status (an observation) of a resource",
            "properties": {
              "lastTransitionTime": {
                "description": "LastTransitionTime is the last time the condition transitioned from one status to another.",
                "format": "date-time",
                "type": "string"
              },
              "message": {
                "description": "Message is a human readable message indicating details about the transition. This field may be empty.",
                "type": "string"
              },
              "observedGeneration": {
                "description": "ObservedGeneration is the .metadata.generation that the condition was set based upon. For instance, if\n.metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.",
                "format": "int64",
                "type": "integer"
              },
              "reason": {
                "description": "Reason for the condition's last transition.\nReasons are upper CamelCase (PascalCase) with no spaces. A reason is always provided, this field will not be empty.",
                "type": "string"
              },
              "severity": {
                "description": "Severity with which to treat failures of this type of condition.\nFor conditions which have positive polarity (Status == True is their normal/healthy state), this will be omitted when Status == True\nFor conditions which have negative polarity (Status == False is their normal/healthy state), this will be omitted when Status == False.\nThis is omitted in all cases when Status == Unknown",
                "type": "string"
              },
              "status": {
                "description": "Status of the condition, one of True, False, or Unknown.",
                "type": "string"
              },
              "type": {
                "description": "Type of condition.",
                "type": "string"
              }
            },
            "required": [
              "lastTransitionTime",
              "reason",
              "status",
              "type"
            ],
            "type": "object",
            "additionalProperties": false
          },
          "type": "array"
        },
        "creationData": {
          "description": "CreationData: CreationData to be used to specify the source Snapshot ID if the cluster will be created/upgraded using a\nsnapshot.",
          "properties": {
            "sourceResourceId": {
              "description": "SourceResourceId: This is the ARM ID of the source object to be used to create the target object.",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "currentKubernetesVersion": {
          "description": "CurrentKubernetesVersion: The version of Kubernetes the Managed Cluster is running.",
          "type": "string"
        },
        "disableLocalAccounts": {
          "description": "DisableLocalAccounts: If set to true, getting static credentials will be disabled for this cluster. This must only be\nused on Managed Clusters that are AAD enabled. For more details see [disable local\naccounts](https://docs.microsoft.com/azure/aks/managed-aad#disable-local-accounts-preview).",
          "type": "boolean"
        },
        "diskEncryptionSetID": {
          "description": "DiskEncryptionSetID: This is of the form:\n'/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/diskEncryptionSets/{encryptionSetName}'",
          "type": "string"
        },
        "dnsPrefix": {
          "description": "DnsPrefix: This cannot be updated once the Managed Cluster has been created.",
          "type": "string"
        },
        "eTag": {
          "description": "ETag: Unique read-only string used to implement optimistic concurrency. The eTag value will change when the resource is\nupdated. Specify an if-match or if-none-match header with the eTag value for a subsequent request to enable optimistic\nconcurrency per the normal etag convention.",
          "type": "string"
        },
        "enableNamespaceResources": {
          "description": "EnableNamespaceResources: The default value is false. It can be enabled/disabled on creation and updating of the managed\ncluster. See [https://aka.ms/NamespaceARMResource](https://aka.ms/NamespaceARMResource) for more details on Namespace as\nan ARM Resource.",
          "type": "boolean"
        },
        "enablePodSecurityPolicy": {
          "description": "EnablePodSecurityPolicy: (DEPRECATED) Whether to enable Kubernetes pod security policy (preview). PodSecurityPolicy was\ndeprecated in Kubernetes v1.21, and removed from Kubernetes in v1.25. Learn more at https://aka.ms/k8s/psp and\nhttps://aka.ms/aks/psp.",
          "type": "boolean"
        },
        "enableRBAC": {
          "description": "EnableRBAC: Whether to enable Kubernetes Role-Based Access Control.",
          "type": "boolean"
        },
        "extendedLocation": {
          "description": "ExtendedLocation: The extended location of the Virtual Machine.",
          "properties": {
            "name": {
              "description": "Name: The name of the extended location.",
              "type": "string"
            },
            "type": {
              "description": "Type: The type of the extended location.",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "fqdn": {
          "description": "Fqdn: The FQDN of the master pool.",
          "type": "string"
        },
        "fqdnSubdomain": {
          "description": "FqdnSubdomain: This cannot be updated once the Managed Cluster has been created.",
          "type": "string"
        },
        "httpProxyConfig": {
          "description": "HttpProxyConfig: Configurations for provisioning the cluster with HTTP proxy servers.",
          "properties": {
            "effectiveNoProxy": {
              "description": "EffectiveNoProxy: A read-only list of all endpoints for which traffic should not be sent to the proxy. This list is a\nsuperset of noProxy and values injected by AKS.",
              "items": {
                "type": "string"
              },
              "type": "array"
            },
            "httpProxy": {
              "description": "HttpProxy: The HTTP proxy server endpoint to use.",
              "type": "string"
            },
            "httpsProxy": {
              "description": "HttpsProxy: The HTTPS proxy server endpoint to use.",
              "type": "string"
            },
            "noProxy": {
              "description": "NoProxy: The endpoints that should not go through proxy.",
              "items": {
                "type": "string"
              },
              "type": "array"
            },
            "trustedCa": {
              "description": "TrustedCa: Alternative CA cert to use for connecting to proxy servers.",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "id": {
          "description": "Id: Fully qualified resource ID for the resource. E.g.\n\"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}\"",
          "type": "string"
        },
        "identity": {
          "description": "Identity: The identity of the managed cluster, if configured.",
          "properties": {
            "delegatedResources": {
              "additionalProperties": {
                "description": "Delegated resource properties - internal use only.",
                "properties": {
                  "location": {
                    "description": "Location: The source resource location - internal use only.",
                    "type": "string"
                  },
                  "referralResource": {
                    "description": "ReferralResource: The delegation id of the referral delegation (optional) - internal use only.",
                    "type": "string"
                  },
                  "resourceId": {
                    "description": "ResourceId: The ARM resource id of the delegated resource - internal use only.",
                    "type": "string"
                  },
                  "tenantId": {
                    "description": "TenantId: The tenant id of the delegated resource - internal use only.",
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "description": "DelegatedResources: The delegated identity resources assigned to this managed cluster. This can only be set by another\nAzure Resource Provider, and a managed cluster only accepts one delegated identity resource. Internal use only.",
              "type": "object"
            },
            "principalId": {
              "description": "PrincipalId: The principal id of the system assigned identity which is used by master components.",
              "type": "string"
            },
            "tenantId": {
              "description": "TenantId: The tenant id of the system assigned identity which is used by master components.",
              "type": "string"
            },
            "type": {
              "description": "Type: For more information see [use managed identities in\nAKS](https://docs.microsoft.com/azure/aks/use-managed-identity).",
              "type": "string"
            },
            "userAssignedIdentities": {
              "additionalProperties": {
                "properties": {
                  "clientId": {
                    "description": "ClientId: The client id of user assigned identity.",
                    "type": "string"
                  },
                  "principalId": {
                    "description": "PrincipalId: The principal id of user assigned identity.",
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "description": "UserAssignedIdentities: The keys must be ARM resource IDs in the form:\n'/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.",
              "type": "object"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "identityProfile": {
          "additionalProperties": {
            "description": "Details about a user assigned identity.",
            "properties": {
              "clientId": {
                "description": "ClientId: The client ID of the user assigned identity.",
                "type": "string"
              },
              "objectId": {
                "description": "ObjectId: The object ID of the user assigned identity.",
                "type": "string"
              },
              "resourceId": {
                "description": "ResourceId: The resource ID of the user assigned identity.",
                "type": "string"
              }
            },
            "type": "object",
            "additionalProperties": false
          },
          "description": "IdentityProfile: Identities associated with the cluster.",
          "type": "object"
        },
        "ingressProfile": {
          "description": "IngressProfile: Ingress profile for the managed cluster.",
          "properties": {
            "webAppRouting": {
              "description": "WebAppRouting: Web App Routing settings for the ingress profile.",
              "properties": {
                "dnsZoneResourceIds": {
                  "description": "DnsZoneResourceIds: Resource IDs of the DNS zones to be associated with the Web App Routing add-on. Used only when Web\nApp Routing is enabled. Public and private DNS zones can be in different resource groups, but all public DNS zones must\nbe in the same resource group and all private DNS zones must be in the same resource group.",
                  "items": {
                    "type": "string"
                  },
                  "type": "array"
                },
                "enabled": {
                  "description": "Enabled: Whether to enable Web App Routing.",
                  "type": "boolean"
                },
                "identity": {
                  "description": "Identity: Managed identity of the Web Application Routing add-on. This is the identity that should be granted\npermissions, for example, to manage the associated Azure DNS resource and get certificates from Azure Key Vault. See\n[this overview of the add-on](https://learn.microsoft.com/en-us/azure/aks/web-app-routing?tabs=with-osm) for more\ninstructions.",
                  "properties": {
                    "clientId": {
                      "description": "ClientId: The client ID of the user assigned identity.",
                      "type": "string"
                    },
                    "objectId": {
                      "description": "ObjectId: The object ID of the user assigned identity.",
                      "type": "string"
                    },
                    "resourceId": {
                      "description": "ResourceId: The resource ID of the user assigned identity.",
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "kind": {
          "description": "Kind: This is primarily used to expose different UI experiences in the portal for different kinds",
          "type": "string"
        },
        "kubernetesVersion": {
          "description": "KubernetesVersion: When you upgrade a supported AKS cluster, Kubernetes minor versions cannot be skipped. All upgrades\nmust be performed sequentially by major version number. For example, upgrades between 1.14.x -> 1.15.x or 1.15.x ->\n1.16.x are allowed, however 1.14.x -> 1.16.x is not allowed. See [upgrading an AKS\ncluster](https://docs.microsoft.com/azure/aks/upgrade-cluster) for more details.",
          "type": "string"
        },
        "linuxProfile": {
          "description": "LinuxProfile: The profile for Linux VMs in the Managed Cluster.",
          "properties": {
            "adminUsername": {
              "description": "AdminUsername: The administrator username to use for Linux VMs.",
              "type": "string"
            },
            "ssh": {
              "description": "Ssh: The SSH configuration for Linux-based VMs running on Azure.",
              "properties": {
                "publicKeys": {
                  "description": "PublicKeys: The list of SSH public keys used to authenticate with Linux-based VMs. A maximum of 1 key may be specified.",
                  "items": {
                    "description": "Contains information about SSH certificate public key data.",
                    "properties": {
                      "keyData": {
                        "description": "KeyData: Certificate public key used to authenticate with VMs through SSH. The certificate must be in PEM format with or\nwithout headers.",
                        "type": "string"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "type": "array"
                }
              },
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "location": {
          "description": "Location: The geo-location where the resource lives",
          "type": "string"
        },
        "maxAgentPools": {
          "description": "MaxAgentPools: The max number of agent pools for the managed cluster.",
          "type": "integer"
        },
        "metricsProfile": {
          "description": "MetricsProfile: Optional cluster metrics configuration.",
          "properties": {
            "costAnalysis": {
              "description": "CostAnalysis: The cost analysis configuration for the cluster",
              "properties": {
                "enabled": {
                  "description": "Enabled: The Managed Cluster sku.tier must be set to 'Standard' or 'Premium' to enable this feature. Enabling this will\nadd Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. If not specified, the\ndefault is false. For more information see aka.ms/aks/docs/cost-analysis.",
                  "type": "boolean"
                }
              },
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "name": {
          "description": "Name: The name of the resource",
          "type": "string"
        },
        "networkProfile": {
          "description": "NetworkProfile: The network configuration profile.",
          "properties": {
            "advancedNetworking": {
              "description": "AdvancedNetworking: Advanced Networking profile for enabling observability on a cluster. Note that enabling advanced\nnetworking features may incur additional costs. For more information see aka.ms/aksadvancednetworking.",
              "properties": {
                "observability": {
                  "description": "Observability: Observability profile to enable advanced network metrics and flow logs with historical contexts.",
                  "properties": {
                    "enabled": {
                      "description": "Enabled: Indicates the enablement of Advanced Networking observability functionalities on clusters.",
                      "type": "boolean"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "dnsServiceIP": {
              "description": "DnsServiceIP: An IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address\nrange specified in serviceCidr.",
              "type": "string"
            },
            "ipFamilies": {
              "description": "IpFamilies: IP families are used to determine single-stack or dual-stack clusters. For single-stack, the expected value\nis IPv4. For dual-stack, the expected values are IPv4 and IPv6.",
              "items": {
                "description": "To determine if an address belongs to the IPv4 or IPv6 family.",
                "type": "string"
              },
              "type": "array"
            },
            "kubeProxyConfig": {
              "description": "KubeProxyConfig: Holds configuration customizations for kube-proxy. Any values not defined will use the kube-proxy\ndefaulting behavior. See https://v<version>.docs.kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/\nwhere <version> is represented by a <major version>-<minor version> string. Kubernetes version 1.23 would be '1-23'.",
              "properties": {
                "enabled": {
                  "description": "Enabled: Whether to enable kube-proxy on the cluster (if no 'kubeProxyConfig' exists, kube-proxy is enabled in AKS by\ndefault without these customizations).",
                  "type": "boolean"
                },
                "ipvsConfig": {
                  "description": "IpvsConfig: Holds configuration customizations for IPVS. May only be specified if 'mode' is set to 'IPVS'.",
                  "properties": {
                    "scheduler": {
                      "description": "Scheduler: IPVS scheduler, for more information please see http://www.linuxvirtualserver.org/docs/scheduling.html.",
                      "type": "string"
                    },
                    "tcpFinTimeoutSeconds": {
                      "description": "TcpFinTimeoutSeconds: The timeout value used for IPVS TCP sessions after receiving a FIN in seconds. Must be a positive\ninteger value.",
                      "type": "integer"
                    },
                    "tcpTimeoutSeconds": {
                      "description": "TcpTimeoutSeconds: The timeout value used for idle IPVS TCP sessions in seconds. Must be a positive integer value.",
                      "type": "integer"
                    },
                    "udpTimeoutSeconds": {
                      "description": "UdpTimeoutSeconds: The timeout value used for IPVS UDP packets in seconds. Must be a positive integer value.",
                      "type": "integer"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                },
                "mode": {
                  "description": "Mode: Specify which proxy mode to use ('IPTABLES' or 'IPVS')",
                  "type": "string"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "loadBalancerProfile": {
              "description": "LoadBalancerProfile: Profile of the cluster load balancer.",
              "properties": {
                "allocatedOutboundPorts": {
                  "description": "AllocatedOutboundPorts: The desired number of allocated SNAT ports per VM. Allowed values are in the range of 0 to 64000\n(inclusive). The default value is 0 which results in Azure dynamically allocating ports.",
                  "type": "integer"
                },
                "backendPoolType": {
                  "description": "BackendPoolType: The type of the managed inbound Load Balancer BackendPool.",
                  "type": "string"
                },
                "clusterServiceLoadBalancerHealthProbeMode": {
                  "description": "ClusterServiceLoadBalancerHealthProbeMode: The health probing behavior for External Traffic Policy Cluster services.",
                  "type": "string"
                },
                "effectiveOutboundIPs": {
                  "description": "EffectiveOutboundIPs: The effective outbound IP resources of the cluster load balancer.",
                  "items": {
                    "description": "A reference to an Azure resource.",
                    "properties": {
                      "id": {
                        "description": "Id: The fully qualified Azure resource id.",
                        "type": "string"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "type": "array"
                },
                "enableMultipleStandardLoadBalancers": {
                  "description": "EnableMultipleStandardLoadBalancers: Enable multiple standard load balancers per AKS cluster or not.",
                  "type": "boolean"
                },
                "idleTimeoutInMinutes": {
                  "description": "IdleTimeoutInMinutes: Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120\n(inclusive). The default value is 30 minutes.",
                  "type": "integer"
                },
                "managedOutboundIPs": {
                  "description": "ManagedOutboundIPs: Desired managed outbound IPs for the cluster load balancer.",
                  "properties": {
                    "count": {
                      "description": "Count: The desired number of IPv4 outbound IPs created/managed by Azure for the cluster load balancer. Allowed values\nmust be in the range of 1 to 100 (inclusive). The default value is 1.",
                      "type": "integer"
                    },
                    "countIPv6": {
                      "description": "CountIPv6: The desired number of IPv6 outbound IPs created/managed by Azure for the cluster load balancer. Allowed\nvalues must be in the range of 1 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack.",
                      "type": "integer"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                },
                "outboundIPPrefixes": {
                  "description": "OutboundIPPrefixes: Desired outbound IP Prefix resources for the cluster load balancer.",
                  "properties": {
                    "publicIPPrefixes": {
                      "description": "PublicIPPrefixes: A list of public IP prefix resources.",
                      "items": {
                        "description": "A reference to an Azure resource.",
                        "properties": {
                          "id": {
                            "description": "Id: The fully qualified Azure resource id.",
                            "type": "string"
                          }
                        },
                        "type": "object",
                        "additionalProperties": false
                      },
                      "type": "array"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                },
                "outboundIPs": {
                  "description": "OutboundIPs: Desired outbound IP resources for the cluster load balancer.",
                  "properties": {
                    "publicIPs": {
                      "description": "PublicIPs: A list of public IP resources.",
                      "items": {
                        "description": "A reference to an Azure resource.",
                        "properties": {
                          "id": {
                            "description": "Id: The fully qualified Azure resource id.",
                            "type": "string"
                          }
                        },
                        "type": "object",
                        "additionalProperties": false
                      },
                      "type": "array"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "loadBalancerSku": {
              "description": "LoadBalancerSku: The default is 'standard'. See [Azure Load Balancer\nSKUs](https://docs.microsoft.com/azure/load-balancer/skus) for more information about the differences between load\nbalancer SKUs.",
              "type": "string"
            },
            "natGatewayProfile": {
              "description": "NatGatewayProfile: Profile of the cluster NAT gateway.",
              "properties": {
                "effectiveOutboundIPs": {
                  "description": "EffectiveOutboundIPs: The effective outbound IP resources of the cluster NAT gateway.",
                  "items": {
                    "description": "A reference to an Azure resource.",
                    "properties": {
                      "id": {
                        "description": "Id: The fully qualified Azure resource id.",
                        "type": "string"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "type": "array"
                },
                "idleTimeoutInMinutes": {
                  "description": "IdleTimeoutInMinutes: Desired outbound flow idle timeout in minutes. Allowed values are in the range of 4 to 120\n(inclusive). The default value is 4 minutes.",
                  "type": "integer"
                },
                "managedOutboundIPProfile": {
                  "description": "ManagedOutboundIPProfile: Profile of the managed outbound IP resources of the cluster NAT gateway.",
                  "properties": {
                    "count": {
                      "description": "Count: The desired number of outbound IPs created/managed by Azure. Allowed values must be in the range of 1 to 16\n(inclusive). The default value is 1.",
                      "type": "integer"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "networkDataplane": {
              "description": "NetworkDataplane: Network dataplane used in the Kubernetes cluster.",
              "type": "string"
            },
            "networkMode": {
              "description": "NetworkMode: This cannot be specified if networkPlugin is anything other than 'azure'.",
              "type": "string"
            },
            "networkPlugin": {
              "description": "NetworkPlugin: Network plugin used for building the Kubernetes network.",
              "type": "string"
            },
            "networkPluginMode": {
              "description": "NetworkPluginMode: Network plugin mode used for building the Kubernetes network.",
              "type": "string"
            },
            "networkPolicy": {
              "description": "NetworkPolicy: Network policy used for building the Kubernetes network.",
              "type": "string"
            },
            "outboundType": {
              "description": "OutboundType: This can only be set at cluster creation time and cannot be changed later. For more information see\n[egress outbound type](https://docs.microsoft.com/azure/aks/egress-outboundtype).",
              "type": "string"
            },
            "podCidr": {
              "description": "PodCidr: A CIDR notation IP range from which to assign pod IPs when kubenet is used.",
              "type": "string"
            },
            "podCidrs": {
              "description": "PodCidrs: One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), are\nexpected for dual-stack networking.",
              "items": {
                "type": "string"
              },
              "type": "array"
            },
            "podLinkLocalAccess": {
              "description": "PodLinkLocalAccess: Defines access to special link local addresses (Azure Instance Metadata Service, aka IMDS) for pods\nwith hostNetwork=false. If not specified, the default is 'IMDS'.",
              "type": "string"
            },
            "serviceCidr": {
              "description": "ServiceCidr: A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP\nranges.",
              "type": "string"
            },
            "serviceCidrs": {
              "description": "ServiceCidrs: One IPv4 CIDR is expected for single-stack networking. Two CIDRs, one for each IP family (IPv4/IPv6), are\nexpected for dual-stack networking. They must not overlap with any Subnet IP ranges.",
              "items": {
                "type": "string"
              },
              "type": "array"
            },
            "staticEgressGatewayProfile": {
              "description": "StaticEgressGatewayProfile: The profile for Static Egress Gateway addon. For more details about Static Egress Gateway,\nsee https://aka.ms/aks/static-egress-gateway.",
              "properties": {
                "enabled": {
                  "description": "Enabled: Indicates if Static Egress Gateway addon is enabled or not.",
                  "type": "boolean"
                }
              },
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "nodeProvisioningProfile": {
          "description": "NodeProvisioningProfile: Node provisioning settings that apply to the whole cluster.",
          "properties": {
            "mode": {
              "description": "Mode: Once the mode is set to Auto, it cannot be changed back to Manual.",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "nodeResourceGroup": {
          "description": "NodeResourceGroup: The name of the resource group containing agent pool nodes.",
          "type": "string"
        },
        "nodeResourceGroupProfile": {
          "description": "NodeResourceGroupProfile: The node resource group configuration profile.",
          "properties": {
            "restrictionLevel": {
              "description": "RestrictionLevel: The restriction level applied to the cluster's node resource group",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "oidcIssuerProfile": {
          "description": "OidcIssuerProfile: The OIDC issuer profile of the Managed Cluster.",
          "properties": {
            "enabled": {
              "description": "Enabled: Whether the OIDC issuer is enabled.",
              "type": "boolean"
            },
            "issuerURL": {
              "description": "IssuerURL: The OIDC issuer url of the Managed Cluster.",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "podIdentityProfile": {
          "description": "PodIdentityProfile: See [use AAD pod identity](https://docs.microsoft.com/azure/aks/use-azure-ad-pod-identity) for more\ndetails on AAD pod identity integration.",
          "properties": {
            "allowNetworkPluginKubenet": {
              "description": "AllowNetworkPluginKubenet: Running in Kubenet is disabled by default due to the security-related nature of AAD Pod\nIdentity and the risks of IP spoofing. See [using Kubenet network plugin with AAD Pod\nIdentity](https://docs.microsoft.com/azure/aks/use-azure-ad-pod-identity#using-kubenet-network-plugin-with-azure-active-directory-pod-managed-identities)\nfor more information.",
              "type": "boolean"
            },
            "enabled": {
              "description": "Enabled: Whether the pod identity addon is enabled.",
              "type": "boolean"
            },
            "userAssignedIdentities": {
              "description": "UserAssignedIdentities: The pod identities to use in the cluster.",
              "items": {
                "description": "Details about the pod identity assigned to the Managed Cluster.",
                "properties": {
                  "bindingSelector": {
                    "description": "BindingSelector: The binding selector to use for the AzureIdentityBinding resource.",
                    "type": "string"
                  },
                  "identity": {
                    "description": "Identity: The user assigned identity details.",
                    "properties": {
                      "clientId": {
                        "description": "ClientId: The client ID of the user assigned identity.",
                        "type": "string"
                      },
                      "objectId": {
                        "description": "ObjectId: The object ID of the user assigned identity.",
                        "type": "string"
                      },
                      "resourceId": {
                        "description": "ResourceId: The resource ID of the user assigned identity.",
                        "type": "string"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "name": {
                    "description": "Name: The name of the pod identity.",
                    "type": "string"
                  },
                  "namespace": {
                    "description": "Namespace: The namespace of the pod identity.",
                    "type": "string"
                  },
                  "provisioningInfo": {
                    "properties": {
                      "error": {
                        "description": "Error: Pod identity assignment error (if any).",
                        "properties": {
                          "error": {
                            "description": "Error: Details about the error.",
                            "properties": {
                              "code": {
                                "description": "Code: An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
                                "type": "string"
                              },
                              "details": {
                                "description": "Details: A list of additional details about the error.",
                                "items": {
                                  "properties": {
                                    "code": {
                                      "description": "Code: An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
                                      "type": "string"
                                    },
                                    "message": {
                                      "description": "Message: A message describing the error, intended to be suitable for display in a user interface.",
                                      "type": "string"
                                    },
                                    "target": {
                                      "description": "Target: The target of the particular error. For example, the name of the property in error.",
                                      "type": "string"
                                    }
                                  },
                                  "type": "object",
                                  "additionalProperties": false
                                },
                                "type": "array"
                              },
                              "message": {
                                "description": "Message: A message describing the error, intended to be suitable for display in a user interface.",
                                "type": "string"
                              },
                              "target": {
                                "description": "Target: The target of the particular error. For example, the name of the property in error.",
                                "type": "string"
                              }
                            },
                            "type": "object",
                            "additionalProperties": false
                          }
                        },
                        "type": "object",
                        "additionalProperties": false
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "provisioningState": {
                    "description": "ProvisioningState: The current provisioning state of the pod identity.",
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "type": "array"
            },
            "userAssignedIdentityExceptions": {
              "description": "UserAssignedIdentityExceptions: The pod identity exceptions to allow.",
              "items": {
                "description": "See [disable AAD Pod Identity for a specific\nPod/Application](https://azure.github.io/aad-pod-identity/docs/configure/application_exception/) for more details.",
                "properties": {
                  "name": {
                    "description": "Name: The name of the pod identity exception.",
                    "type": "string"
                  },
                  "namespace": {
                    "description": "Namespace: The namespace of the pod identity exception.",
                    "type": "string"
                  },
                  "podLabels": {
                    "additionalProperties": {
                      "type": "string"
                    },
                    "description": "PodLabels: The pod labels to match.",
                    "type": "object"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "type": "array"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "powerState": {
          "description": "PowerState: The Power State of the cluster.",
          "properties": {
            "code": {
              "description": "Code: Tells whether the cluster is Running or Stopped",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "privateFQDN": {
          "description": "PrivateFQDN: The FQDN of private cluster.",
          "type": "string"
        },
        "privateLinkResources": {
          "description": "PrivateLinkResources: Private link resources associated with the cluster.",
          "items": {
            "description": "A private link resource",
            "properties": {
              "groupId": {
                "description": "GroupId: The group ID of the resource.",
                "type": "string"
              },
              "id": {
                "description": "Id: The ID of the private link resource.",
                "type": "string"
              },
              "name": {
                "description": "Name: The name of the private link resource.",
                "type": "string"
              },
              "privateLinkServiceID": {
                "description": "PrivateLinkServiceID: The private link service ID of the resource. This field is exposed only to NRP internally.",
                "type": "string"
              },
              "requiredMembers": {
                "description": "RequiredMembers: The RequiredMembers of the resource",
                "items": {
                  "type": "string"
                },
                "type": "array"
              },
              "type": {
                "description": "Type: The resource type.",
                "type": "string"
              }
            },
            "type": "object",
            "additionalProperties": false
          },
          "type": "array"
        },
        "provisioningState": {
          "description": "ProvisioningState: The current provisioning state.",
          "type": "string"
        },
        "publicNetworkAccess": {
          "description": "PublicNetworkAccess: Allow or deny public network access for AKS",
          "type": "string"
        },
        "resourceUID": {
          "description": "ResourceUID: The resourceUID uniquely identifies ManagedClusters that reuse ARM ResourceIds (i.e., a create, delete, create\nsequence)",
          "type": "string"
        },
        "safeguardsProfile": {
          "description": "SafeguardsProfile: The Safeguards profile holds all the safeguards information for a given cluster",
          "properties": {
            "excludedNamespaces": {
              "description": "ExcludedNamespaces: List of namespaces excluded from Safeguards checks",
              "items": {
                "type": "string"
              },
              "type": "array"
            },
            "level": {
              "description": "Level: The Safeguards level to be used. By default, Safeguards is enabled for all namespaces except those that AKS\nexcludes via systemExcludedNamespaces",
              "type": "string"
            },
            "systemExcludedNamespaces": {
              "description": "SystemExcludedNamespaces: List of namespaces specified by AKS to be excluded from Safeguards",
              "items": {
                "type": "string"
              },
              "type": "array"
            },
            "version": {
              "description": "Version: The version of constraints to use",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "securityProfile": {
          "description": "SecurityProfile: Security profile for the managed cluster.",
          "properties": {
            "azureKeyVaultKms": {
              "description": "AzureKeyVaultKms: Azure Key Vault [key management\nservice](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/) settings for the security profile.",
              "properties": {
                "enabled": {
                  "description": "Enabled: Whether to enable Azure Key Vault key management service. The default is false.",
                  "type": "boolean"
                },
                "keyId": {
                  "description": "KeyId: Identifier of Azure Key Vault key. See [key identifier\nformat](https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name)\nfor more details. When Azure Key Vault key management service is enabled, this field is required and must be a valid key\nidentifier. When Azure Key Vault key management service is disabled, leave the field empty.",
                  "type": "string"
                },
                "keyVaultNetworkAccess": {
                  "description": "KeyVaultNetworkAccess: Network access of key vault. The possible values are `Public` and `Private`. `Public` means the\nkey vault allows public access from all networks. `Private` means the key vault disables public access and enables\nprivate link. The default value is `Public`.",
                  "type": "string"
                },
                "keyVaultResourceId": {
                  "description": "KeyVaultResourceId: Resource ID of key vault. When keyVaultNetworkAccess is `Private`, this field is required and must\nbe a valid resource ID. When keyVaultNetworkAccess is `Public`, leave the field empty.",
                  "type": "string"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "customCATrustCertificates": {
              "description": "CustomCATrustCertificates: A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the\nCustom CA Trust feature enabled. For more information see [Custom CA Trust\nCertificates](https://learn.microsoft.com/en-us/azure/aks/custom-certificate-authority)",
              "items": {
                "type": "string"
              },
              "type": "array"
            },
            "defender": {
              "description": "Defender: Microsoft Defender settings for the security profile.",
              "properties": {
                "logAnalyticsWorkspaceResourceId": {
                  "description": "LogAnalyticsWorkspaceResourceId: Resource ID of the Log Analytics workspace to be associated with Microsoft Defender.\nWhen Microsoft Defender is enabled, this field is required and must be a valid workspace resource ID. When Microsoft\nDefender is disabled, leave the field empty.",
                  "type": "string"
                },
                "securityMonitoring": {
                  "description": "SecurityMonitoring: Microsoft Defender threat detection for Cloud settings for the security profile.",
                  "properties": {
                    "enabled": {
                      "description": "Enabled: Whether to enable Defender threat detection",
                      "type": "boolean"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "imageCleaner": {
              "description": "ImageCleaner: Image Cleaner settings for the security profile.",
              "properties": {
                "enabled": {
                  "description": "Enabled: Whether to enable Image Cleaner on AKS cluster.",
                  "type": "boolean"
                },
                "intervalHours": {
                  "description": "IntervalHours: Image Cleaner scanning interval in hours.",
                  "type": "integer"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "imageIntegrity": {
              "description": "ImageIntegrity: Image integrity is a feature that works with Azure Policy to verify image integrity by signature. This\nwill not have any effect unless Azure Policy is applied to enforce image signatures. See\nhttps://aka.ms/aks/image-integrity for how to use this feature via policy.",
              "properties": {
                "enabled": {
                  "description": "Enabled: Whether to enable image integrity. The default value is false.",
                  "type": "boolean"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "nodeRestriction": {
              "description": "NodeRestriction: [Node\nRestriction](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction) settings\nfor the security profile.",
              "properties": {
                "enabled": {
                  "description": "Enabled: Whether to enable Node Restriction",
                  "type": "boolean"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "workloadIdentity": {
              "description": "WorkloadIdentity: Workload identity settings for the security profile. Workload identity enables Kubernetes applications\nto access Azure cloud resources securely with Azure AD. See https://aka.ms/aks/wi for more details.",
              "properties": {
                "enabled": {
                  "description": "Enabled: Whether to enable workload identity.",
                  "type": "boolean"
                }
              },
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "serviceMeshProfile": {
          "description": "ServiceMeshProfile: Service mesh profile for a managed cluster.",
          "properties": {
            "istio": {
              "description": "Istio: Istio service mesh configuration.",
              "properties": {
                "certificateAuthority": {
                  "description": "CertificateAuthority: Istio Service Mesh Certificate Authority (CA) configuration. For now, we only support plugin\ncertificates as described here: https://aka.ms/asm-plugin-ca",
                  "properties": {
                    "plugin": {
                      "description": "Plugin: Plugin certificates information for Service Mesh.",
                      "properties": {
                        "certChainObjectName": {
                          "description": "CertChainObjectName: Certificate chain object name in Azure Key Vault.",
                          "type": "string"
                        },
                        "certObjectName": {
                          "description": "CertObjectName: Intermediate certificate object name in Azure Key Vault.",
                          "type": "string"
                        },
                        "keyObjectName": {
                          "description": "KeyObjectName: Intermediate certificate private key object name in Azure Key Vault.",
                          "type": "string"
                        },
                        "keyVaultId": {
                          "description": "KeyVaultId: The resource ID of the Key Vault.",
                          "type": "string"
                        },
                        "rootCertObjectName": {
                          "description": "RootCertObjectName: Root certificate object name in Azure Key Vault.",
                          "type": "string"
                        }
                      },
                      "type": "object",
                      "additionalProperties": false
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                },
                "components": {
                  "description": "Components: Istio components configuration.",
                  "properties": {
                    "egressGateways": {
                      "description": "EgressGateways: Istio egress gateways.",
                      "items": {
                        "description": "Istio egress gateway configuration.",
                        "properties": {
                          "enabled": {
                            "description": "Enabled: Whether to enable the egress gateway.",
                            "type": "boolean"
                          }
                        },
                        "type": "object",
                        "additionalProperties": false
                      },
                      "type": "array"
                    },
                    "ingressGateways": {
                      "description": "IngressGateways: Istio ingress gateways.",
                      "items": {
                        "description": "Istio ingress gateway configuration. For now, we support up to one external ingress gateway named\n`aks-istio-ingressgateway-external` and one internal ingress gateway named `aks-istio-ingressgateway-internal`.",
                        "properties": {
                          "enabled": {
                            "description": "Enabled: Whether to enable the ingress gateway.",
                            "type": "boolean"
                          },
                          "mode": {
                            "description": "Mode: Mode of an ingress gateway.",
                            "type": "string"
                          }
                        },
                        "type": "object",
                        "additionalProperties": false
                      },
                      "type": "array"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                },
                "revisions": {
                  "description": "Revisions: The list of revisions of the Istio control plane. When an upgrade is not in progress, this holds one value.\nWhen canary upgrade is in progress, this can only hold two consecutive values. For more information, see:\nhttps://learn.microsoft.com/en-us/azure/aks/istio-upgrade",
                  "items": {
                    "type": "string"
                  },
                  "type": "array"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "mode": {
              "description": "Mode: Mode of the service mesh.",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "servicePrincipalProfile": {
          "description": "ServicePrincipalProfile: Information about a service principal identity for the cluster to use for manipulating Azure\nAPIs.",
          "properties": {
            "clientId": {
              "description": "ClientId: The ID for the service principal.",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "sku": {
          "description": "Sku: The managed cluster SKU.",
          "properties": {
            "name": {
              "description": "Name: The name of a managed cluster SKU.",
              "type": "string"
            },
            "tier": {
              "description": "Tier: If not specified, the default is 'Free'. See [AKS Pricing\nTier](https://learn.microsoft.com/azure/aks/free-standard-pricing-tiers) for more details.",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "storageProfile": {
          "description": "StorageProfile: Storage profile for the managed cluster.",
          "properties": {
            "blobCSIDriver": {
              "description": "BlobCSIDriver: AzureBlob CSI Driver settings for the storage profile.",
              "properties": {
                "enabled": {
                  "description": "Enabled: Whether to enable AzureBlob CSI Driver. The default value is false.",
                  "type": "boolean"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "diskCSIDriver": {
              "description": "DiskCSIDriver: AzureDisk CSI Driver settings for the storage profile.",
              "properties": {
                "enabled": {
                  "description": "Enabled: Whether to enable AzureDisk CSI Driver. The default value is true.",
                  "type": "boolean"
                },
                "version": {
                  "description": "Version: The version of AzureDisk CSI Driver. The default value is v1.",
                  "type": "string"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "fileCSIDriver": {
              "description": "FileCSIDriver: AzureFile CSI Driver settings for the storage profile.",
              "properties": {
                "enabled": {
                  "description": "Enabled: Whether to enable AzureFile CSI Driver. The default value is true.",
                  "type": "boolean"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "snapshotController": {
              "description": "SnapshotController: Snapshot Controller settings for the storage profile.",
              "properties": {
                "enabled": {
                  "description": "Enabled: Whether to enable Snapshot Controller. The default value is true.",
                  "type": "boolean"
                }
              },
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "supportPlan": {
          "description": "SupportPlan: The support plan for the Managed Cluster. If unspecified, the default is 'KubernetesOfficial'.",
          "type": "string"
        },
        "systemData": {
          "description": "SystemData: Azure Resource Manager metadata containing createdBy and modifiedBy information.",
          "properties": {
            "createdAt": {
              "description": "CreatedAt: The timestamp of resource creation (UTC).",
              "type": "string"
            },
            "createdBy": {
              "description": "CreatedBy: The identity that created the resource.",
              "type": "string"
            },
            "createdByType": {
              "description": "CreatedByType: The type of identity that created the resource.",
              "type": "string"
            },
            "lastModifiedAt": {
              "description": "LastModifiedAt: The timestamp of resource last modification (UTC)",
              "type": "string"
            },
            "lastModifiedBy": {
              "description": "LastModifiedBy: The identity that last modified the resource.",
              "type": "string"
            },
            "lastModifiedByType": {
              "description": "LastModifiedByType: The type of identity that last modified the resource.",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "tags": {
          "additionalProperties": {
            "type": "string"
          },
          "description": "Tags: Resource tags.",
          "type": "object"
        },
        "type": {
          "description": "Type: The type of the resource. E.g. \"Microsoft.Compute/virtualMachines\" or \"Microsoft.Storage/storageAccounts\"",
          "type": "string"
        },
        "upgradeSettings": {
          "description": "UpgradeSettings: Settings for upgrading a cluster.",
          "properties": {
            "overrideSettings": {
              "description": "OverrideSettings: Settings for overrides.",
              "properties": {
                "forceUpgrade": {
                  "description": "ForceUpgrade: Whether to force upgrade the cluster. Note that this option instructs the upgrade operation to bypass upgrade\nprotections such as checking for deprecated API usage. Enable this option only with caution.",
                  "type": "boolean"
                },
                "until": {
                  "description": "Until: Until when the overrides are effective. Note that this only matches the start time of an upgrade, and the\neffectiveness won't change once an upgrade starts even if the `until` time expires as the upgrade proceeds. This field is not set\nby default. It must be set for the overrides to take effect.",
                  "type": "string"
                }
              },
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "windowsProfile": {
          "description": "WindowsProfile: The profile for Windows VMs in the Managed Cluster.",
          "properties": {
            "adminUsername": {
              "description": "AdminUsername: Specifies the name of the administrator account.\nRestriction: Cannot end in \".\"\nDisallowed values: \"administrator\", \"admin\", \"user\", \"user1\", \"test\", \"user2\", \"test1\", \"user3\", \"admin1\", \"1\", \"123\",\n\"a\", \"actuser\", \"adm\", \"admin2\", \"aspnet\", \"backup\", \"console\", \"david\", \"guest\", \"john\", \"owner\", \"root\", \"server\",\n\"sql\", \"support\", \"support_388945a0\", \"sys\", \"test2\", \"test3\", \"user4\", \"user5\".\nMinimum-length: 1 character\nMax-length: 20 characters",
              "type": "string"
            },
            "enableCSIProxy": {
              "description": "EnableCSIProxy: Whether to enable CSI proxy. For more details on CSI proxy, see the [CSI proxy GitHub\nrepo](https://github.com/kubernetes-csi/csi-proxy).",
              "type": "boolean"
            },
            "gmsaProfile": {
              "description": "GmsaProfile: The Windows gMSA Profile in the Managed Cluster.",
              "properties": {
                "dnsServer": {
                  "description": "DnsServer: Specifies the DNS server for Windows gMSA.\nSet it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster.",
                  "type": "string"
                },
                "enabled": {
                  "description": "Enabled: Specifies whether to enable Windows gMSA in the managed cluster.",
                  "type": "boolean"
                },
                "rootDomainName": {
                  "description": "RootDomainName: Specifies the root domain name for Windows gMSA.\nSet it to empty if you have configured the DNS server in the vnet which is used to create the managed cluster.",
                  "type": "string"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "licenseType": {
              "description": "LicenseType: The license type to use for Windows VMs. See [Azure Hybrid User\nBenefits](https://azure.microsoft.com/pricing/hybrid-benefit/faq/) for more details.",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "workloadAutoScalerProfile": {
          "description": "WorkloadAutoScalerProfile: Workload Auto-scaler profile for the managed cluster.",
          "properties": {
            "keda": {
              "description": "Keda: KEDA (Kubernetes Event-driven Autoscaling) settings for the workload auto-scaler profile.",
              "properties": {
                "enabled": {
                  "description": "Enabled: Whether to enable KEDA.",
                  "type": "boolean"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "verticalPodAutoscaler": {
              "properties": {
                "addonAutoscaling": {
                  "description": "AddonAutoscaling: Whether VPA add-on is enabled and configured to scale AKS-managed add-ons.",
                  "type": "string"
                },
                "enabled": {
                  "description": "Enabled: Whether to enable VPA add-on in cluster. Default value is false.",
                  "type": "boolean"
                }
              },
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        }
      },
      "type": "object",
      "additionalProperties": false
    }
  },
  "type": "object"
}
