Available extensions for Azure Arc-enabled Kubernetes clusters
Cluster extensions for Azure Arc-enabled Kubernetes provide an Azure Resource Manager-based experience to install and manage lifecycles for different Azure capabilities in your cluster. You can deploy extensions to your clusters to support different scenarios and to improve cluster management.
The following extensions are currently available to use with Azure Arc-enabled Kubernetes clusters. All the extensions that are described in this article are cluster-scoped.
Container insights in Azure Monitor
- Supported distributions: All Cloud Native Computing Foundation (CNCF)-certified Kubernetes clusters.
The Container insights feature in Azure Monitor gives you a view into the performance of workloads that are deployed on your Kubernetes cluster. Use this extension to collect memory and CPU utilization metrics from controllers, nodes, and containers.
For more information, see Container insights for Azure Arc-enabled Kubernetes clusters.
Azure Policy
Azure Policy extends Gatekeeper, an admission controller webhook for Open Policy Agent (OPA). Use Gatekeeper with OPA to consistently apply centralized, at-scale enforcements and safeguards on your clusters.
For more information, see Understand Azure Policy for Kubernetes clusters.
Azure Key Vault Secrets Provider
- Supported distributions: AKS on Azure Stack HCI, AKS enabled by Azure Arc, Cluster API Azure, Google Kubernetes Engine, Canonical Kubernetes Distribution, OpenShift Kubernetes Distribution, Amazon Elastic Kubernetes Service, and VMware Tanzu Kubernetes Grid.
Use the Azure Key Vault Provider for Secrets Store CSI Driver to integrate an instance of Azure Key Vault as a secrets store with a Kubernetes cluster via a CSI volume. For Azure Arc-enabled Kubernetes clusters, you can install the Azure Key Vault Secrets Provider extension to fetch secrets.
For more information, see Use the Azure Key Vault Secrets Provider extension to fetch secrets into Azure Arc-enabled Kubernetes clusters.
Microsoft Defender for Containers
- Supported distributions: AKS enabled by Azure Arc, Cluster API Azure, Azure Red Hat OpenShift, Red Hat OpenShift (version 4.6 or later), Google Kubernetes Engine Standard, Amazon Elastic Kubernetes Service, VMware Tanzu Kubernetes Grid, Rancher Kubernetes Engine, and Canonical Kubernetes Distribution.
Microsoft Defender for Containers is the cloud-native solution that is used to secure your containers so you can improve, monitor, and maintain the security of your clusters, containers, and their applications. Microsoft Defender for Containers gathers information related to security, such as audit log data, from the Kubernetes cluster. Then, it provides recommendations and threat alerts based on the gathered data.
For more information, see Enable Microsoft Defender for Containers.
Important
Defender for Containers support for Azure Arc-enabled Kubernetes clusters is currently in public preview.
See the Supplemental Terms of Use for Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Flux (GitOps)
- Supported distributions: All CNCF-certified Kubernetes clusters.
GitOps on AKS and Azure Arc-enabled Kubernetes uses Flux v2, a popular open-source tool set, to help manage cluster configuration and application deployment. GitOps is enabled in the cluster as a Microsoft.KubernetesConfiguration/extensions/microsoft.flux cluster extension resource.
For more information, see Tutorial: Deploy applications using GitOps with Flux v2.
The most recent version of the Flux v2 extension and the two previous versions (N-2) are supported. We generally recommend that you use the most recent version of the extension.
Important
The release Flux v2.3.0 includes API changes to the HelmRelease and HelmChart APIs, with deprecated fields removed, and an updated version of the Kustomize package. An upcoming minor version update of the Microsoft Flux extension will include these changes, consistent with the upstream open-source software (OSS) Flux project.
The HelmRelease API will be promoted from v2beta1 to v2 (GA). The v2 API is backward compatible with v2beta1, with the exception of these deprecated fields:
.spec.chart.spec.valuesFile: Replaced by.spec.chart.spec.valuesFilesinv2..spec.postRenderers.kustomize.patchesJson6902: Replaced by.spec.postRenderers.kustomize.patchesinv2..spec.postRenderers.kustomize.patchesStrategicMerge: Replaced by.spec.postRenderers.kustomize.patchesinv2..status.lastAppliedRevision: Replaced by.status.history.chartVersioninv2.
The HelmChart API will be promoted from v1beta2 to v1 (GA). The v1 API is backward compatible with v1beta2, with the exception of the .spec.valuesFile field, which is replaced by .spec.valuesFiles.
The new fields are already available in the current version of the APIs. Use the new fields instead of the fields that will be removed in the upcoming release.
The Kustomize package will be updated to v5.4.0. The version contains the following breaking changes:
- Kustomization build fails when the resources key is missing
- Components are now applied after generators and before transformers in v5.1.0
- Null YAML values are replaced by "null" in v5.4.0
To avoid issues caused by breaking changes, we recommend that you update your manifest to ensure that your Flux configurations remain compliant with this release.
Note
When a new version of the microsoft.flux extension is released, it might take several days for the new version to become available in all regions.
1.13.0 (October 2024)
Flux version: Release v2.4.0
- source-controller: v1.4.1
- kustomize-controller: v1.4.0
- helm-controller: v1.1.0
- notification-controller: v1.4.0
- image-automation-controller: v0.39.0
- image-reflector-controller: v0.33.0
Changes made for this version:
- Implemented fix to retrieve certificates from the correct location, resolving failures that occurred after switching the image from Alpine to Mariner.
1.12.0 (September 2024)
Flux version: Release v2.3.0
- source-controller: v1.3.0
- kustomize-controller: v1.3.0
- helm-controller: v1.0.1
- notification-controller: v1.3.0
- image-automation-controller: v0.38.0
- image-reflector-controller: v0.32.0
Changes made for this version:
- Addressed security vulnerabilities in
fluxconfig-agentandfluxconfig-controllerby updating the Go packages. - Fixed issue with software bill of materials (SBOM) generation for
fluxconfig-agentandfluxconfig-controller. - Added support for vertical scaling. Currently, only specific parameters that are described in the Flux vertical scaling documentation are natively supported.
1.11.1 (August 2024)
Flux version: Release v2.3.0
- source-controller: v1.3.0
- kustomize-controller: v1.3.0
- helm-controller: v1.0.1
- notification-controller: v1.3.0
- image-automation-controller: v0.38.0
- image-reflector-controller: v0.32.0
Changes made for this version:
- Updated Flux OSS controllers.
- Resolved the continuous restart issue of the Fluent Bit sidecar in
fluxconfig-agentandfluxconfig-controller. - Addressed security vulnerabilities in
fluxconfig-agentandfluxconfig-controllerby updating the Go packages. - Enabled workload identity for the Kustomize controller. For setup instructions, see Workload identity in AKS clusters.
- Flux controller pods can now set the annotation
kubernetes.azure.com/set-kube-service-host-fqdnin their pod specifications. This change allows traffic to the API server's domain name, even when a Layer 7 firewall is present, facilitating deployments during extension installation. For more information, see Configure annotation on Flux extension pods.
Related content
- Read more about cluster extensions for Azure Arc-enabled Kubernetes.
- Learn how to deploy extensions to an Azure Arc-enabled Kubernetes cluster.