Available extensions for Azure Arc-enabled Kubernetes clusters

  • Article

Cluster extensions for Azure Arc-enabled Kubernetes provide an Azure Resource Manager-driven experience for installation and lifecycle management of different Azure capabilities on top of your cluster. These extensions can be deployed to your clusters to enable different scenarios and improve cluster management.

The following extensions are currently available for use with Arc-enabled Kubernetes clusters. All of these extensions are cluster-scoped.

Azure Monitor Container Insights

  • Supported distributions: All Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters

Azure Monitor Container Insights provides visibility into the performance of workloads deployed on the Kubernetes cluster. Use this extension to collect memory and CPU utilization metrics from controllers, nodes, and containers.

For more information, see Azure Monitor Container Insights for Azure Arc-enabled Kubernetes clusters.

Azure Policy

Azure Policy extends Gatekeeper, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.

For more information, see Understand Azure Policy for Kubernetes clusters.

Azure Key Vault Secrets Provider

  • Supported distributions: AKS on Azure Stack HCI, AKS enabled by Azure Arc, Cluster API Azure, Google Kubernetes Engine, Canonical Kubernetes Distribution, OpenShift Kubernetes Distribution, Amazon Elastic Kubernetes Service, VMware Tanzu Kubernetes Grid

The Azure Key Vault Provider for Secrets Store CSI Driver allows for the integration of Azure Key Vault as a secrets store with a Kubernetes cluster via a CSI volume. For Azure Arc-enabled Kubernetes clusters, you can install the Azure Key Vault Secrets Provider extension to fetch secrets.

For more information, see Use the Azure Key Vault Secrets Provider extension to fetch secrets into Azure Arc-enabled Kubernetes clusters.

Microsoft Defender for Containers

  • Supported distributions: AKS enabled by Azure Arc, Cluster API Azure, Azure Red Hat OpenShift, Red Hat OpenShift (version 4.6 or newer), Google Kubernetes Engine Standard, Amazon Elastic Kubernetes Service, VMware Tanzu Kubernetes Grid, Rancher Kubernetes Engine, Canonical Kubernetes Distribution

Microsoft Defender for Containers is the cloud-native solution that is used to secure your containers so you can improve, monitor, and maintain the security of your clusters, containers, and their applications. It gathers information related to security like audit log data from the Kubernetes cluster, and provides recommendations and threat alerts based on gathered data.

For more information, see Enable Microsoft Defender for Containers.

Important

Defender for Containers support for Arc-enabled Kubernetes clusters is currently in public preview. See the Supplemental Terms of Use for Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Flux (GitOps)

  • Supported distributions: All Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters.

GitOps on AKS and Azure Arc-enabled Kubernetes uses Flux v2, a popular open-source tool set, to help manage cluster configuration and application deployment. GitOps is enabled in the cluster as a Microsoft.KubernetesConfiguration/extensions/microsoft.flux cluster extension resource.

For more information, see Tutorial: Deploy applications using GitOps with Flux v2.

The most recent version of the Flux v2 extension and the two previous versions (N-2) are supported. We generally recommend that you use the most recent version of the extension.

Important

The Flux v2.3.0 release includes API changes to the HelmRelease and HelmChart APIs, with deprecated fields removed, and an updated version of the kustomize package. An upcoming minor version update of Azure's Flux extension will include these changes, consistent with the upstream OSS Flux project.

The HelmRelease kind will be promoted from v2beta1 to v2 (GA). The v2 API is backwards compatible with v2beta1, with the exception of these deprecated fields, which will be removed:

  • .spec.chart.spec.valuesFile: replaced by .spec.chart.spec.valuesFiles
  • .spec.postRenderers.kustomize.patchesJson6902: replaced by .spec.postRenderers.kustomize.patches
  • .spec.postRenderers.kustomize.patchesStrategicMerge: replaced by .spec.postRenderers.kustomize.patches
  • .status.lastAppliedRevision: replaced by .status.history.chartVersion

The HelmChart kind will be promoted from v1beta2 to v1 (GA). The v1 API is backwards compatible with v1beta2, with the exception of the .spec.valuesFile field, which will be replaced by .spec.valuesFiles.

Use the new fields which are already available in the current version of the APIs, instead of the fields that will be removed.

The kustomize package will be updated to v5.4.0, which contains the following breaking changes:

To avoid issues due to breaking changes, we recommend updating your manifests as soon as possible to ensure that your Flux configurations remain compliant with this release.

Note

When a new version of the microsoft.flux extension is released, it may take several days for the new version to become available in all regions.

1.11.1 (August 2024)

Flux version: Release v2.3.0

  • source-controller: v1.3.0
  • kustomize-controller: v1.3.0
  • helm-controller: v1.0.1
  • notification-controller: v1.3.0
  • image-automation-controller: v0.38.0
  • image-reflector-controller: v0.32.0

Changes made for this version:

  • Update flux OSS controllers.
  • Resolved the continuous restart issue of the Fluent Bit sidecar in fluxconfig-agent and fluxconfig-controller.
  • Addressed security vulnerabilities in fluxconfig-agent and fluxconfig-controller by updating the Go packages.
  • Enabled workload identity for the Kustomize controller. For setup instructions, see Workload identity in AKS clusters.
  • Flux controller pods can now set the annotation kubernetes.azure.com/set-kube-service-host-fqdn in their pod specifications. This allows traffic to the API Server's domain name even when a Layer 7 firewall is present, facilitating deployments during extension installation. For more details, see Configure annotation on Flux extension pods.

1.10.0 (June 2024)

Flux version: Release v2.1.2

  • source-controller: v1.2.5
  • kustomize-controller: v1.1.1
  • helm-controller: v0.36.2
  • notification-controller: v1.1.0
  • image-automation-controller: v0.36.1
  • image-reflector-controller: v0.30.0

Changes made for this version:

  • The FluxConfig custom resource now includes support for OCI repositories. This enhancement means that Flux configurations can accommodate Git repository, Buckets, Azure Blob storage, or OCI repository as valid source types.

1.9.1 (April 2024)

Flux version: Release v2.1.2

  • source-controller: v1.2.5
  • kustomize-controller: v1.1.1
  • helm-controller: v0.36.2
  • notification-controller: v1.1.0
  • image-automation-controller: v0.36.1
  • image-reflector-controller: v0.30.0

Changes made for this version:

  • The log-level parameters for controllers (including fluxconfig-agent and fluxconfig-controller) are now customizable. For more information, see Configurable log-level parameters.
  • Helm chart changes to expose new SSH host key algorithm to connect to Azure operated by 21Vianet DevOps. For more information, see Azure DevOps SSH-RSA deprecation.

Next steps