Available extensions for Azure Arc-enabled Kubernetes clusters
Cluster extensions for Azure Arc-enabled Kubernetes provide an Azure Resource Manager-driven experience for installation and lifecycle management of different Azure capabilities on top of your cluster. These extensions can be deployed to your clusters to enable different scenarios and improve cluster management.
The following extensions are currently available for use with Arc-enabled Kubernetes clusters. All of these extensions are cluster-scoped.
Azure Monitor Container Insights
- Supported distributions: All Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters
Azure Monitor Container Insights provides visibility into the performance of workloads deployed on the Kubernetes cluster. Use this extension to collect memory and CPU utilization metrics from controllers, nodes, and containers.
For more information, see Azure Monitor Container Insights for Azure Arc-enabled Kubernetes clusters.
Azure Policy
Azure Policy extends Gatekeeper, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.
For more information, see Understand Azure Policy for Kubernetes clusters.
Azure Key Vault Secrets Provider
- Supported distributions: AKS on Azure Stack HCI, AKS enabled by Azure Arc, Cluster API Azure, Google Kubernetes Engine, Canonical Kubernetes Distribution, OpenShift Kubernetes Distribution, Amazon Elastic Kubernetes Service, VMware Tanzu Kubernetes Grid
The Azure Key Vault Provider for Secrets Store CSI Driver allows for the integration of Azure Key Vault as a secrets store with a Kubernetes cluster via a CSI volume. For Azure Arc-enabled Kubernetes clusters, you can install the Azure Key Vault Secrets Provider extension to fetch secrets.
For more information, see Use the Azure Key Vault Secrets Provider extension to fetch secrets into Azure Arc-enabled Kubernetes clusters.
Microsoft Defender for Containers
- Supported distributions: AKS enabled by Azure Arc, Cluster API Azure, Azure Red Hat OpenShift, Red Hat OpenShift (version 4.6 or newer), Google Kubernetes Engine Standard, Amazon Elastic Kubernetes Service, VMware Tanzu Kubernetes Grid, Rancher Kubernetes Engine, Canonical Kubernetes Distribution
Microsoft Defender for Containers is the cloud-native solution that is used to secure your containers so you can improve, monitor, and maintain the security of your clusters, containers, and their applications. It gathers information related to security like audit log data from the Kubernetes cluster, and provides recommendations and threat alerts based on gathered data.
For more information, see Enable Microsoft Defender for Containers.
Important
Defender for Containers support for Arc-enabled Kubernetes clusters is currently in public preview. See the Supplemental Terms of Use for Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Flux (GitOps)
- Supported distributions: All Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters.
GitOps on AKS and Azure Arc-enabled Kubernetes uses Flux v2, a popular open-source tool set, to help manage cluster configuration and application deployment. GitOps is enabled in the cluster as a Microsoft.KubernetesConfiguration/extensions/microsoft.flux cluster extension resource.
For more information, see Tutorial: Deploy applications using GitOps with Flux v2.
The most recent version of the Flux v2 extension and the two previous versions (N-2) are supported. We generally recommend that you use the most recent version of the extension.
Important
The Flux v2.3.0 release includes API changes to the HelmRelease and HelmChart APIs, with deprecated fields removed, and an updated version of the kustomize package. An upcoming minor version update of Azure's Flux extension will include these changes, consistent with the upstream OSS Flux project.
The HelmRelease kind will be promoted from v2beta1 to v2 (GA). The v2 API is backwards compatible with v2beta1, with the exception of these deprecated fields, which will be removed:
- .spec.chart.spec.valuesFile: replaced by .spec.chart.spec.valuesFiles
- .spec.postRenderers.kustomize.patchesJson6902: replaced by .spec.postRenderers.kustomize.patches
- .spec.postRenderers.kustomize.patchesStrategicMerge: replaced by .spec.postRenderers.kustomize.patches
- .status.lastAppliedRevision: replaced by .status.history.chartVersion
The HelmChart kind will be promoted from v1beta2 to v1 (GA). The v1 API is backwards compatible with v1beta2, with the exception of the .spec.valuesFile field, which will be replaced by .spec.valuesFiles.
Use the new fields, which are already available in the current version of the APIs, instead of the fields that will be removed.
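A pre-upgrade check that flags the deprecated HelmRelease and HelmChart fields listed above in a set of manifests, as an added example (not Microsoft's documentation or tooling). It takes manifests as already-parsed dicts so it runs without PyYAML; the sample HelmRelease is constructed for illustration. The .status.lastAppliedRevision field is not covered because status is written by the controller, not by manifests.

```python
# Deprecated field -> replacement, as listed for the Flux v2.3.0 API promotion.
# A path segment ending in "[]" iterates over a list (postRenderers is a list).
DEPRECATED = {
    "HelmRelease": {
        "spec.chart.spec.valuesFile": "spec.chart.spec.valuesFiles",
        "spec.postRenderers[].kustomize.patchesJson6902": "spec.postRenderers[].kustomize.patches",
        "spec.postRenderers[].kustomize.patchesStrategicMerge": "spec.postRenderers[].kustomize.patches",
    },
    "HelmChart": {
        "spec.valuesFile": "spec.valuesFiles",
    },
}


def _walk(obj, segments):
    """Yield every value reachable from obj along the dotted path segments."""
    if not segments:
        yield obj
        return
    head, rest = segments[0], segments[1:]
    if head.endswith("[]"):
        items = obj.get(head[:-2], []) if isinstance(obj, dict) else []
        for item in items if isinstance(items, list) else []:
            yield from _walk(item, rest)
    elif isinstance(obj, dict) and head in obj:
        yield from _walk(obj[head], rest)


def find_deprecated(manifest):
    """Return a list of (kind, name, deprecated_path, replacement) for one manifest."""
    kind = manifest.get("kind")
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for old, new in DEPRECATED.get(kind, {}).items():
        for _ in _walk(manifest, old.split(".")):
            findings.append((kind, name, old, new))
    return findings


# Constructed sample: a pre-v2.3.0 style HelmRelease using two fields slated for removal.
SAMPLE_HELMRELEASE = {
    "apiVersion": "helm.toolkit.fluxcd.io/v2beta1",
    "kind": "HelmRelease",
    "metadata": {"name": "podinfo"},
    "spec": {
        "chart": {"spec": {"chart": "podinfo", "valuesFile": "values-prod.yaml"}},
        "postRenderers": [{"kustomize": {"patchesStrategicMerge": [{"kind": "Deployment"}]}}],
    },
}

if __name__ == "__main__":
    for kind, name, old, new in find_deprecated(SAMPLE_HELMRELEASE):
        print(f"{kind}/{name}: {old} is deprecated, use {new}")
```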
The kustomize package will be updated to v5.4.0, which contains the following breaking changes:
- Kustomization build fails when resources key is missing
- Components are now applied after generators and before transformers in v5.1.0
- Null yaml values are replaced by "null" in v5.4.0
To avoid issues due to breaking changes, we recommend updating your manifests as soon as possible to ensure that your Flux configurations remain compliant with this release.
Note
When a new version of the microsoft.flux extension is released, it may take several days for the new version to become available in all regions.
1.11.1 (August 2024)
Flux version: Release v2.3.0
- source-controller: v1.3.0
- kustomize-controller: v1.3.0
- helm-controller: v1.0.1
- notification-controller: v1.3.0
- image-automation-controller: v0.38.0
- image-reflector-controller: v0.32.0
Changes made for this version:
- Update Flux OSS controllers.
- Resolved the continuous restart issue of the Fluent Bit sidecar in fluxconfig-agent and fluxconfig-controller.
- Addressed security vulnerabilities in fluxconfig-agent and fluxconfig-controller by updating the Go packages.
- Enabled workload identity for the Kustomize controller. For setup instructions, see Workload identity in AKS clusters.
- Flux controller pods can now set the annotation kubernetes.azure.com/set-kube-service-host-fqdn in their pod specifications. This allows traffic to the API Server's domain name even when a Layer 7 firewall is present, facilitating deployments during extension installation. For more details, see Configure annotation on Flux extension pods.
1.10.0 (June 2024)
Flux version: Release v2.1.2
- source-controller: v1.2.5
- kustomize-controller: v1.1.1
- helm-controller: v0.36.2
- notification-controller: v1.1.0
- image-automation-controller: v0.36.1
- image-reflector-controller: v0.30.0
Changes made for this version:
- The FluxConfig custom resource now includes support for OCI repositories. This enhancement means that Flux configurations can accommodate Git repository, Buckets, Azure Blob storage, or OCI repository as valid source types.
1.9.1 (April 2024)
Flux version: Release v2.1.2
- source-controller: v1.2.5
- kustomize-controller: v1.1.1
- helm-controller: v0.36.2
- notification-controller: v1.1.0
- image-automation-controller: v0.36.1
- image-reflector-controller: v0.30.0
Changes made for this version:
- The log-level parameters for controllers (including fluxconfig-agent and fluxconfig-controller) are now customizable. For more information, see Configurable log-level parameters.
- Helm chart changes to expose new SSH host key algorithm to connect to Azure operated by 21Vianet DevOps. For more information, see Azure DevOps SSH-RSA deprecation.
Next steps
- Read more about cluster extensions for Azure Arc-enabled Kubernetes.
- Learn how to deploy extensions to an Arc-enabled Kubernetes cluster.