Available extensions for Azure Arc-enabled Kubernetes clusters

Cluster extensions for Azure Arc-enabled Kubernetes provide an Azure Resource Manager-based experience to install and manage lifecycles for different Azure capabilities in your cluster. You can deploy extensions to your clusters to support different scenarios and to improve cluster management.

The following extensions are currently available to use with Azure Arc-enabled Kubernetes clusters. All the extensions that are described in this article are cluster-scoped.

Container insights in Azure Monitor

  • Supported distributions: All Cloud Native Computing Foundation (CNCF)-certified Kubernetes clusters.

The Container insights feature in Azure Monitor gives you a view into the performance of workloads that are deployed on your Kubernetes cluster. Use this extension to collect memory and CPU utilization metrics from controllers, nodes, and containers.

For more information, see Container insights for Azure Arc-enabled Kubernetes clusters.

Azure Policy

Azure Policy extends Gatekeeper, an admission controller webhook for Open Policy Agent (OPA). Use Gatekeeper with OPA to consistently apply centralized, at-scale enforcements and safeguards on your clusters.

For more information, see Understand Azure Policy for Kubernetes clusters.

Azure Key Vault Secrets Provider

  • Supported distributions: AKS on Azure Local, AKS enabled by Azure Arc, Cluster API Azure, Google Kubernetes Engine, Canonical Kubernetes Distribution, OpenShift Kubernetes Distribution, Amazon Elastic Kubernetes Service, and VMware Tanzu Kubernetes Grid.

Use the Azure Key Vault Provider for Secrets Store CSI Driver to integrate an instance of Azure Key Vault as a secrets store with a Kubernetes cluster via a CSI volume. For Azure Arc-enabled Kubernetes clusters, you can install the Azure Key Vault Secrets Provider extension to fetch secrets.

For more information, see Use the Azure Key Vault Secrets Provider extension to fetch secrets into Azure Arc-enabled Kubernetes clusters.

Microsoft Defender for Containers

  • Supported distributions: AKS enabled by Azure Arc, Cluster API Azure, Azure Red Hat OpenShift, Red Hat OpenShift (version 4.6 or later), Google Kubernetes Engine Standard, Amazon Elastic Kubernetes Service, VMware Tanzu Kubernetes Grid, Rancher Kubernetes Engine, and Canonical Kubernetes Distribution.

Microsoft Defender for Containers is the cloud-native solution that is used to secure your containers so you can improve, monitor, and maintain the security of your clusters, containers, and their applications. Microsoft Defender for Containers gathers information related to security, such as audit log data, from the Kubernetes cluster. Then, it provides recommendations and threat alerts based on the gathered data.

For more information, see Enable Microsoft Defender for Containers.

Important

Defender for Containers support for Azure Arc-enabled Kubernetes clusters is currently in public preview.

See the Supplemental Terms of Use for Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

ArgoCD (GitOps)

  • Supported distributions: All CNCF-certified Kubernetes clusters.

The ArgoCD (GitOps) extension (preview) lets you use your Git repository as the source of truth for cluster configuration and application deployment.

For more information, see Tutorial: Deploy applications using GitOps with ArgoCD.

Important

ArgoCD (GitOps) is currently in public preview.

See the Supplemental Terms of Use for Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability (GA).

Flux (GitOps)

  • Supported distributions: All CNCF-certified Kubernetes clusters.

GitOps on AKS and Azure Arc-enabled Kubernetes can be enabled through Flux v2, a popular open-source tool set, to help manage cluster configuration and application deployment. With the Flux extension, GitOps is enabled in the cluster as a Microsoft.KubernetesConfiguration/extensions/microsoft.flux cluster extension resource.

For more information, see Tutorial: Deploy applications using GitOps with Flux v2.

The most recent version of the Flux v2 extension and the two previous versions (N-2) are supported. We generally recommend that you use the most recent version of the extension.

Note

When a new version of the microsoft.flux extension is released, it might take several days for the new version to become available in all regions.

Deprecation and removal notice: Upcoming changes to microsoft.flux extension

Several upstream Flux APIs that have been retired by the Flux project will be removed in an upcoming release of the microsoft.flux extension. These changes align with the Flux community's efforts to streamline and modernize the API surface.

The following Flux APIs are being deprecated and will be removed:

  • Deprecated APIs in group source.toolkit.fluxcd.io/v1beta1
  • Deprecated APIs in group kustomize.toolkit.fluxcd.io/v1beta1
  • Deprecated APIs in group helm.toolkit.fluxcd.io/v2beta1
  • Deprecated APIs in group notification.toolkit.fluxcd.io/v1beta1
  • Deprecated APIs in group image.toolkit.fluxcd.io/v1beta1

For a complete list of deprecated APIs and their replacements, see the PRs linked in https://github.com/fluxcd/flux2/issues/5474.

Required action: To ensure continued compatibility and avoid disruptions, update your sources to remove references to deprecated APIs. Use the supported API versions for all impacted resources. We strongly recommend completing these steps before October 2025 to avoid deployment failures or resource reconciliation issues.

Migrate all your resources to the Flux stable APIs in your sources (Git repositories, OCI repositories, buckets, blob storage) by replacing the API version in the manifests:

  • Kustomization to kustomize.toolkit.fluxcd.io/v1
  • HelmRelease to helm.toolkit.fluxcd.io/v2
  • Bucket to source.toolkit.fluxcd.io/v1
  • GitRepository to source.toolkit.fluxcd.io/v1
  • HelmChart to source.toolkit.fluxcd.io/v1
  • HelmRepository to source.toolkit.fluxcd.io/v1
  • OCIRepository to source.toolkit.fluxcd.io/v1
  • Receiver to notification.toolkit.fluxcd.io/v1
  • Alert to notification.toolkit.fluxcd.io/v1beta3
  • Provider to notification.toolkit.fluxcd.io/v1beta3
  • ImageRepository to image.toolkit.fluxcd.io/v1beta2
  • ImagePolicy to image.toolkit.fluxcd.io/v1beta2
  • ImageUpdateAutomation to image.toolkit.fluxcd.io/v1beta2

Note that the ImageUpdateAutomation commit template should use the fields .Changed.FileChanges, .Changed.Objects and .Changed.Changes instead of the deprecated .Updated and .Changed.ImageResult fields.

Once the manifests are updated in the sources, Flux will reconcile the new API versions.

microsoft.flux version 1.17.3 (September 2025)

Flux version: Release v2.6.4

  • source-controller: v1.6.2
  • kustomize-controller: v1.6.1
  • helm-controller: v1.3.0
  • notification-controller: v1.6.0
  • image-automation-controller: v0.41.2
  • image-reflector-controller: v0.35.2

Changes in this version include:

  • Addressed security vulnerabilities in fluxconfig-agent, fluxconfig-controller and fluent-bit-mdm by updating the Go packages.

microsoft.flux version 1.17.2 (August 2025)

Flux version: Release v2.6.4

  • source-controller: v1.6.2
  • kustomize-controller: v1.6.1
  • helm-controller: v1.3.0
  • notification-controller: v1.6.0
  • image-automation-controller: v0.41.2
  • image-reflector-controller: v0.35.2

Changes in this version include:

  • Addressed security vulnerabilities in fluxconfig-agent, fluxconfig-controller and fluent-bit-mdm by updating the Go packages.

microsoft.flux version 1.16.12 (July 2025)

Flux version: Release v2.5.1

  • source-controller: v1.5.0
  • kustomize-controller: v1.5.2
  • helm-controller: v1.2.0
  • notification-controller: v1.5.0
  • image-automation-controller: v0.40.0
  • image-reflector-controller: v0.34.0

Changes in this version include:

  • Addressed security vulnerabilities in fluent-bit-mdm by updating the Go packages.

Related content