Azure Kubernetes Service is a managed Kubernetes offering from Microsoft.


In AKS the control plane is considered a fully managed service, operating independently from a series of node pools which run networking and user pods. A cluster must be created with at least one node pool (the default node pool), and others can subsequently be added.

Microsoft recommends that the default node pool be considered tainted, since it runs system pods, and that application pods should run on additional node pools.

Each node pool has its own Kubernetes version, and they can be upgraded independently of one another. The cluster must be upgraded prior to upgrading the node pools.

Getting access

kubelogin facilitates authentication with AKS using Azure AD. Both kubectl and kubelogin can be installed via the Azure CLI as follows (be mindful that the default install paths are system locations such as /usr/local, and the installer may overwrite files it shouldn't):

az aks install-cli \
    --install-location ~/.azure/kubernetes \
    --kubelogin-install-location ~/.azure/kubernetes

To install a kubectl context for a cluster, use the Azure CLI:

$ az aks get-credentials -g my-rg -n my-cluster
Merged "aks-dev" as current context in /Users/lukecarrier/.kube/config

AKS uses AAD for authentication; in RBAC bindings, Users are referenced by UPN and Groups by their Azure AD Object ID.
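As an added illustration (not from the original notes), a RoleBinding granting the built-in edit ClusterRole to one AAD group and one user. The group object ID, UPN and namespace are placeholders. The point to notice is that the group subject is its object ID, not its display name: a binding written with the display name matches nothing and grants nothing, silently.

```yaml
# Added example, not part of the original notes. All names/IDs are placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-developers-edit
  namespace: app
subjects:
  # AAD groups are referenced by Object ID (GUID), never by display name.
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: "11111111-1111-1111-1111-111111111111"   # placeholder: AAD group object ID
  # AAD users are referenced by UPN.
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    name: "alice@example.com"                      # placeholder: UPN
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
```

To check what a binding actually grants without signing in as that principal, impersonate it: `kubectl auth can-i create deployments -n app --as alice@example.com --as-group 11111111-1111-1111-1111-111111111111`.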

Cluster addons

Addons can be configured at creation time in the Portal and reconfigured with the Azure CLI:

az aks enable-addons -g my-rg -n my-cluster --addons name
az aks disable-addons -g my-rg -n my-cluster --addons name

Note that the Terraform provider often recreates the cluster resource rather than applying the change in place, even though the underlying API does not require this. Make such changes via the Azure CLI first and then allow Terraform to refresh its state.

Accessing ACR

To pull images from an Azure Container Registry, an AcrPull role assignment on the registry must exist for the <cluster name>-agentpool Service Principal.

Accessing Azure Key Vault

Secrets in an Azure Key Vault can be used within the cluster using the Secrets Store CSI Driver and the Azure provider.
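As an added example (not from the original notes), a SecretProviderClass for the Azure provider together with a Pod that mounts it. The vault name, tenant ID, managed identity client ID, secret name and image are placeholders; the example assumes a user-assigned managed identity on the node pool, which is why it sets useVMManagedIdentity rather than usePodIdentity.

```yaml
# Added example, not part of the original notes. All names/IDs are placeholders.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: kv-example-secrets
  namespace: app
spec:
  provider: azure
  parameters:
    # Authenticate to Key Vault with a user-assigned managed identity attached
    # to the node pool. (With AAD Pod Identity you would set usePodIdentity: "true"
    # instead and omit userAssignedIdentityID.)
    useVMManagedIdentity: "true"
    userAssignedIdentityID: "00000000-0000-0000-0000-000000000000"  # placeholder: identity client ID
    keyvaultName: "kv-example"                                      # placeholder: vault name
    tenantId: "00000000-0000-0000-0000-000000000000"                # placeholder: AAD tenant ID
    # `objects` is a string containing a YAML array of vault objects to mount.
    objects: |
      array:
        - |
          objectName: db-password
          objectType: secret
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: app
spec:
  containers:
    - name: app
      image: busybox            # placeholder image
      command: ["sleep", "infinity"]
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets-store
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: kv-example-secrets
```

The identity named in the class still needs read access to secrets on the vault itself (a Key Vault access policy or RBAC role), otherwise the pod stays in ContainerCreating with a mount error that `kubectl describe pod` will show. Secrets arrive as files under the mount path (here /mnt/secrets-store/db-password); they are not turned into Kubernetes Secret objects unless the class also declares `secretObjects`, which keeps them out of etcd by default.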

  1. AAD Pod Identity
  2. Azure Service Operator
  3. Ingress