AKS Cluster


The AKS Cluster builder is used to create AKS clusters.

  • Container Service (Microsoft.ContainerService/managedClusters)

AKS Builder Keywords

The AKS builder (aks) constructs AKS clusters.

nameSets the name of the AKS cluster.
dns_prefixSets the DNS prefix of the AKS cluster.
enable_private_clusterRestricts the cluster’s Kubernetes API to only be accessible from private networks.
enable_rbacEnable Kubernetes Role-Based Access Control.
add_agent_poolsAdds agent pools to the AKS cluster.
add_agent_poolAdds an agent pool to the AKS cluster.
add_identityAdds a managed identity to the the AKS cluster.
system_identityActivates the system identity of the AKS cluster.
kubelet_identityAssigns a user assigned identity to the kubelet user that pulls container images.
network_profileSets the network profile for the AKS cluster.
linux_profileSets the linux profile for the AKS cluster.
service_principal_client_idSets the client id of the service principal for the AKS cluster.
service_principal_use_msiEnables the AKS cluster to use the managed identity service principal instead of an external client secret.
windows_usernameSets the windows admin username for the AKS cluster.
add_api_server_authorized_ip_rangesAdds IP address CIDR ranges to be allowed Kubernetes API access.
addonA list with the configuration of all addons on the cluster (AciConnectorLinux, HttpApplicationRouting, KubeDashboard, IngressApplicationGateway, OmsAgent).

Agent Pool Builder keywords

The Agent Pool builder (agentPool) constructs agent pools in the AKS cluster.

nameSets the name of the agent pool.
countSets the count of VM’s in the agent pool.
user_modeSets the agent pool to user mode.
disk_sizeSets the disk size for the VM’s in the agent pool.
max_podsSets the maximum number of pods in the agent pool.
os_typeSets the OS type of the VM’s in the agent pool.
subnetSets the name of a virtual network subnet where this AKS cluster should be attached.
vm_sizeSets the size of the VM’s in the agent pool.
vnetSets the name of a virtual network in the same region where this AKS cluster should be attached.

Kubenet Builder

The Kubenet builder (kubenetNetworkProfile) creates Kubenet network profiles on the AKS cluster.

load_balancer_skuSKU for the Load Balancer - defaults to ‘Standard’

CNI Builder

The CNI builder (azureCniNetworkProfile) creates Azure CNI network profiles on the AKS cluster.

docker_bridgeSets the docker bridge CIDR to a network other than the default
dns_serviceSets the DNS service IP - must be within the service CIDR, default is the second address in the service CIDR.
service_cidrSets the service cidr to a network other than the default
load_balancer_skuSKU for the Load Balancer - defaults to ‘Standard’

Basic Example

The simplest cluster uses a system assigned managed identity and default settings for the node pool (size of 3).

open Farmer
open Farmer.Builders
open Farmer.ContainerService

let myAks = aks {
    name "aks-cluster"

Customizing agent pool and network profile

let myAks = aks {
    name "k8s-cluster"
    dns_prefix "testaks"
    add_agent_pools [
        agentPool {
            name "linuxPool"
            count 3
    linux_profile "aksuser" "public-key-here"
    network_profile (
        azureCniNetworkProfile {
            service_cidr ""

Using user asssigned identities and connecting to container registry

// Create an identity for kubelet (used to connect to container registry)
let kubeletMsi = createUserAssignedIdentity "kubeletIdentity"
// Create an identity for the AKS cluster
let clusterMsi = createUserAssignedIdentity "clusterIdentity"
// Give the AKS cluster's identity rights to assign a the kubelet MSI
let assignMsiRoleNameExpr = ArmExpression.create($"guid(concat(resourceGroup().id, '{clusterMsi.ResourceId.Name.Value}', '{Roles.ManagedIdentityOperator.Id}'))")
let assignMsiRole =
    { Name =
        |> ResourceName
        RoleDefinitionId = Roles.ManagedIdentityOperator
        PrincipalId = clusterMsi.PrincipalId
        PrincipalType = PrincipalType.ServicePrincipal
        Scope = ResourceGroup
        Dependencies = Set [ clusterMsi.ResourceId ] }
// Create a container image registry
let myAcr = containerRegistry { name "mycontainerregistry" }
let myAcrResId = (myAcr :> IBuilder).ResourceId
// Assign the AcrPull role on that registry to the identity used for kubelet.
let acrPullRoleNameExpr = ArmExpression.create($"guid(concat(resourceGroup().id, '{kubeletMsi.ResourceId.Name.Value}', '{Roles.AcrPull.Id}'))")
let acrPullRole =
    { Name = acrPullRoleNameExpr.Eval() |> ResourceName
        RoleDefinitionId = Roles.AcrPull
        PrincipalId = kubeletMsi.PrincipalId
        PrincipalType = PrincipalType.ServicePrincipal
        Scope = AssignmentScope.SpecificResource myAcrResId
        Dependencies = Set [ kubeletMsi.ResourceId ] }

// Create the cluster and assign the cluster and kubelet identities.
let myAks = aks {
    name "aks-cluster"
    add_identity clusterMsi
    kubelet_identity kubeletMsi
    depends_on clusterMsi
    depends_on myAcr
    depends_on_expression assignMsiRoleNameExpr
    depends_on_expression acrPullRoleNameExpr
// A template to deploy the MSI's, role assignemnts, container registry and AKS.
let template =
    arm {
        add_resource kubeletMsi
        add_resource clusterMsi
        add_resource myAcr
        add_resource myAks
        add_resource assignMsiRole
        add_resource acrPullRole