Available extensions for Azure Arc-enabled Kubernetes clusters

Cluster extensions for Azure Arc-enabled Kubernetes provide an Azure Resource Manager-based experience to install and manage lifecycles for different Azure capabilities in your cluster. You can deploy extensions to your clusters to support different scenarios and to improve cluster management.

The following extensions are currently available to use with Azure Arc-enabled Kubernetes clusters. All the extensions that are described in this article are cluster-scoped.

Container insights in Azure Monitor

  • Supported distributions: All Cloud Native Computing Foundation (CNCF)-certified Kubernetes clusters.

The Container insights feature in Azure Monitor gives you a view into the performance of workloads that are deployed on your Kubernetes cluster. Use this extension to collect memory and CPU utilization metrics from controllers, nodes, and containers.

For more information, see Container insights for Azure Arc-enabled Kubernetes clusters.

Azure Policy

The following Kubernetes distributions have been validated in conformance testing. This means we have explicitly validated that the Azure Policy extension installs correctly and functions as expected on these platforms.

  • Supported distributions with conformance validation: AKS on Azure Local (AKS enabled by Azure Arc), Kind, Rancher Government (RKE2), Minikube, K3s, AKS Edge, TKG (VMware Tanzu Kubernetes Grid).

The following Kubernetes distributions have NOT been validated in conformance testing. This means Azure Policy extension installation is supported, but there is no guarantee of full functionality or behavioral consistency until conformance validation is complete.

  • Supported distributions without conformance validation: EKS (Amazon Elastic Kubernetes Service), GKE (Google Kubernetes Engine), RKE (Rancher Kubernetes Engine).

Note

kubeadm is currently not supported in the Azure Policy extension. RKE (Rancher Kubernetes Engine) is now deprecated. Please use Rancher Government (RKE2) instead.

Azure Policy extends Gatekeeper, an admission controller webhook for Open Policy Agent (OPA). Use Gatekeeper with OPA to consistently apply centralized, at-scale enforcements and safeguards on your clusters.

For more information, see Understand Azure Policy for Kubernetes clusters.

Azure Policy Extension Release Notes

1.18.0

Introducing Validating Admission Policy (VAP) generation. Validating Admission Policies are Kubernetes-native validating policy resources that are evaluated in-process, allowing for reduced latency and fail-closed evaluation. Azure Policies that contain Common Expression Language (CEL) will automatically generate VAPs for Kubernetes version 1.30+.

Security improvements.

  • Released: May 2026
  • Policy Image: v1.15.5
  • Gatekeeper Image: v3.22.1-1

1.17.1

Security improvements.

  • Released: Apr 2026
  • Policy Image: v1.15.5
  • Gatekeeper Image: v3.22.0-1

1.16.1

Fixed policy extension installation bug in AKS on Azure Local (AKS enabled by Azure Arc). Added RKE2 support. Enabled mutation. Enabled external data.

Security improvements.

  • Released: Jan 2026
  • Policy Image: v1.15.4
  • Gatekeeper Image: v3.21.0-1

Azure Key Vault Secrets Provider

  • Supported distributions: AKS on Azure Local, AKS enabled by Azure Arc, Cluster API Azure, Google Kubernetes Engine, Canonical Kubernetes Distribution, OpenShift Kubernetes Distribution, Amazon Elastic Kubernetes Service, and VMware Tanzu Kubernetes Grid.

Use the Azure Key Vault Provider for Secrets Store CSI Driver to integrate an instance of Azure Key Vault as a secrets store with a Kubernetes cluster via a CSI volume. For Azure Arc-enabled Kubernetes clusters, you can install the Azure Key Vault Secrets Provider extension to fetch secrets.

For more information, see Use the Azure Key Vault Secrets Provider extension to fetch secrets into Azure Arc-enabled Kubernetes clusters.

Microsoft Defender for Containers

  • Supported distributions: AKS enabled by Azure Arc, Cluster API Azure, Azure Red Hat OpenShift, Red Hat OpenShift (version 4.6 or later), Google Kubernetes Engine Standard, Amazon Elastic Kubernetes Service, VMware Tanzu Kubernetes Grid, Rancher Kubernetes Engine, and Canonical Kubernetes Distribution.

Microsoft Defender for Containers is the cloud-native solution that is used to secure your containers so you can improve, monitor, and maintain the security of your clusters, containers, and their applications. Microsoft Defender for Containers gathers information related to security, such as audit log data, from the Kubernetes cluster. Then, it provides recommendations and threat alerts based on the gathered data.

For more information, see Enable Microsoft Defender for Containers.

Important

Defender for Containers support for Azure Arc-enabled Kubernetes clusters is currently in public preview.

See the Supplemental Terms of Use for Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Argo CD (GitOps)

  • Supported distributions: All CNCF-certified Kubernetes clusters.

The Argo CD (GitOps) extension (preview) lets you use your Git repository as the source of truth for cluster configuration and application deployment.

For more information, see Tutorial: Deploy applications using GitOps with Argo CD.

Important

Argo CD (GitOps) is currently in public preview.

See the Supplemental Terms of Use for Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability (GA).

Flux (GitOps)

  • Supported distributions: All CNCF-certified Kubernetes clusters.

GitOps on AKS and Azure Arc-enabled Kubernetes can be enabled through Flux v2, a popular open-source tool set, to help manage cluster configuration and application deployment. With the Flux extension, GitOps is enabled in the cluster as a Microsoft.KubernetesConfiguration/extensions/microsoft.flux cluster extension resource.

For more information, see Tutorial: Deploy applications using GitOps with Flux v2.

The most recent version of the Flux v2 extension and the two previous versions (N-2) are supported. We generally recommend that you use the most recent version of the extension.