Deploy and manage cluster extensions for Azure Kubernetes Service (AKS)

Cluster extensions provide an Azure Resource Manager driven experience for installation and lifecycle management of services like Azure Machine Learning or Kubernetes applications on an AKS cluster. This feature enables:

Azure Resource Manager-based deployment of extensions, including at-scale deployments across AKS clusters.
Lifecycle management of the extension (Update, Delete) from Azure Resource Manager.

Categories of cluster extensions

There are two categories of cluster extensions, Core and Standard that can be deployed onto AKS clusters.

Core extensions

Core Kubernetes extensions have broader region availability, a more integrated AKS experience, and release alignment to AKS version releases. Azure Backup is a core extension.

AKS native experience

Core extensions can be managed using az aks CLI command.

az aks extension create \
  --name <core extension name> \
  --extension-type <type> \
  --cluster-name <name> \
  --resource-group <group>

For more information about the commands, see az aks.

Release policy

Minor and major upgrades of core extensions occur alongside AKS minor and major version updates to avoid introducing breaking changes and provide better reliability.

Standard extensions

For information about the other cluster extensions, see the table in Currently available extensions.

Standard extensions can be managed using the az k8s-extension CLI command. For more information, see Deploy and manage cluster extensions by using Azure CLI.

az k8s-extension create \
  --name <standard extension name> \
  --extension-type <extension-type> \
  --scope cluster \
  --cluster-name <clusterName> \
  --resource-group <resourceGroupName> \
  --cluster-type managedClusters

Cluster extension requirements

The cluster extensions platform is supported in all regions where AKS is deployed, except Qatar Central and US air gapped clouds. Although the platform is available in all regions, check the region availability for individual extensions.

Important

Ensure that your AKS cluster is created with a managed identity, as cluster extensions don't work with service principal-based clusters.

For new clusters created with az aks create, managed identity is configured by default. For existing service principal-based clusters that need to be switched over to managed identity, it can be enabled by running az aks update with the --enable-managed-identity flag. For more information, see Use managed identity.

Note

If you enabled Microsoft Entra pod-managed identity on your AKS cluster or are considering implementing it, we recommend you first review [Workload identity overview][workload-identity-overview] to understand our recommendations and options to set up your cluster to use a Microsoft Entra Workload ID (preview). This authentication method replaces pod-managed identity (preview), which integrates with the Kubernetes native capabilities to federate with any external identity providers.

Currently available extensions

Extension	Description
Azure App Configuration	Use Azure App Configuration to centrally manage application settings and feature flags.
Azure Machine Learning	Use Azure Kubernetes Service clusters to train, inference, and manage machine learning models in Azure Machine Learning.
Flux (GitOps)	Use GitOps with Flux to manage cluster configuration and application deployment. See also supported versions of Flux (GitOps) and Tutorial: Deploy applications using GitOps with Flux v2.
Azure Backup for AKS	Use Azure Backup for AKS to protect your containerized applications and data stored in Persistent Volumes deployed in the AKS clusters.