azure.azcollection.azure_rm_aks (2.3.0) — module

Manage a managed Azure Container Service (AKS) instance

Added in version 0.1.2 of azure.azcollection

Authors: Sertac Ozercan (@sozercan), Yuwei Zhou (@yuwzho)

Install collection

Install with ansible-galaxy collection install azure.azcollection:==2.3.0


Add to requirements.yml

  collections:
    - name: azure.azcollection
      version: 2.3.0

Description

Create, update and delete a managed Azure Container Service (AKS) instance.


Requirements

Usage examples

- name: Create an AKS instance With A System Node Pool & A User Node Pool
  azure_rm_aks:
    name: myAKS
    resource_group: myResourceGroup
    location: eastus
    dns_prefix: akstest
    kubernetes_version: 1.14.6
    linux_profile:
      admin_username: azureuser
      ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...
    service_principal:
      client_id: "cf72ca99-f6b9-4004-b0e0-bee10c521948"
      client_secret: "Password1234!"
    agent_pool_profiles:
      - name: default
        count: 1
        vm_size: Standard_B2s
        enable_auto_scaling: true
        type: VirtualMachineScaleSets
        mode: System
        max_count: 3
        min_count: 1
      - name: user
        count: 1
        vm_size: Standard_D2_v2
        enable_auto_scaling: true
        type: VirtualMachineScaleSets
        mode: User
        max_count: 3
        min_count: 1
    # enable_rbac is a cluster-level option, not an agent pool suboption
    enable_rbac: true
- name: Create a managed Azure Container Services (AKS) instance
  azure_rm_aks:
    name: myAKS
    location: eastus
    resource_group: myResourceGroup
    dns_prefix: akstest
    kubernetes_version: 1.14.6
    linux_profile:
      admin_username: azureuser
      ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA...
    service_principal:
      client_id: "cf72ca99-f6b9-4004-b0e0-bee10c521948"
      client_secret: "Password123!"
    agent_pool_profiles:
      - name: default
        count: 5
        mode: System
        vm_size: Standard_B2s
    tags:
      Environment: Production
- name: Use minimal parameters and system-assigned identity
  azure_rm_aks:
    name: myMinimalCluster
    location: eastus
    resource_group: myExistingResourceGroup
    dns_prefix: akstest
    agent_pool_profiles:
      - name: default
        count: 1
        vm_size: Standard_D2_v2
- name: Create AKS with userDefinedRouting "Link:https://docs.microsoft.com/en-us/azure/aks/limit-egress-traffic#add-a-dnat-rule-to-azure-firewall"
  azure_rm_aks:
    name: "minimal{{ rpfx }}"
    location: eastus
    resource_group: "{{ resource_group }}"
    kubernetes_version: "{{ versions.azure_aks_versions[0] }}"
    dns_prefix: "aks{{ rpfx }}"
    service_principal:
      client_id: "{{ client_id }}"
      client_secret: "{{ client_secret }}"
    network_profile:
      network_plugin: azure
      load_balancer_sku: standard
      outbound_type: userDefinedRouting
      service_cidr: "10.41.0.0/16"
      dns_service_ip: "10.41.0.10"
      docker_bridge_cidr: "172.17.0.1/16"
    api_server_access_profile:
      authorized_ip_ranges:
        - "20.106.246.252/32"
      enable_private_cluster: false
    agent_pool_profiles:
      - name: default
        count: 1
        vm_size: Standard_B2s
        mode: System
        vnet_subnet_id: "{{ output.subnets[0].id }}"
        type: VirtualMachineScaleSets
        enable_auto_scaling: false
- name: Create an AKS instance with pod_identity_profile settings
  azure_rm_aks:
    name: "aks{{ rpfx }}"
    resource_group: "{{ resource_group }}"
    location: eastus
    dns_prefix: "aks{{ rpfx }}"
    kubernetes_version: "{{ versions.azure_aks_versions[0] }}"
    service_principal:
      client_id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      client_secret: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    linux_profile:
      admin_username: azureuser
      ssh_key: ssh-rsa AAAAB3Ip6***************
    agent_pool_profiles:
      - name: default
        count: 1
        vm_size: Standard_B2s
        type: VirtualMachineScaleSets
        mode: System
        node_labels: {"release":"stable"}
        max_pods: 42
        availability_zones:
          - 1
          - 2
    node_resource_group: "node{{ noderpfx }}"
    enable_rbac: true
    network_profile:
      load_balancer_sku: standard
    pod_identity_profile:
      enabled: false
      allow_network_plugin_kubenet: false
      user_assigned_identities:
        - name: fredtest
          namespace: fredtest
          binding_selector: test
          identity:
            client_id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
            object_id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
- name: Remove a managed Azure Container Services (AKS) instance
  azure_rm_aks:
    name: myAKS
    resource_group: myResourceGroup
    state: absent

Inputs

name:
    description:
    - Name of the managed Azure Container Services (AKS) instance.
    required: true
    type: str

tags:
    description:
    - Dictionary of string:string pairs to assign as metadata to the object.
    - Metadata tags on the object will be updated with any provided values.
    - To remove tags set append_tags option to false.
    - Currently, Azure DNS zones and Traffic Manager services also don't allow the use
      of spaces in the tag.
    - Azure Front Door doesn't support the use of
    - Azure Automation and Azure CDN only support 15 tags on resources.
    type: dict

addon:
    description:
    - Profile of managed cluster add-on.
    - Key can be C(http_application_routing), C(monitoring), C(virtual_node).
    - Value must be a dict that contains a bool variable C(enabled).
    suboptions:
      http_application_routing:
        aliases:
        - httpApplicationRouting
        description:
        - The HTTP application routing solution makes it easy to access applications that
          are deployed to your cluster.
        suboptions:
          enabled:
            default: true
            description:
            - Whether the solution is enabled.
            type: bool
        type: dict
      monitoring:
        aliases:
        - omsagent
        description:
        - It gives you performance visibility by collecting memory and processor metrics
          from controllers, nodes, and containers that are available in Kubernetes through
          the Metrics API.
        suboptions:
          enabled:
            default: true
            description:
            - Whether the solution is enabled.
            type: bool
          log_analytics_workspace_resource_id:
            aliases:
            - logAnalyticsWorkspaceResourceID
            description:
            - Where to store the container metrics.
            required: true
            type: str
        type: dict
      virtual_node:
        aliases:
        - aciConnector
        description:
        - With virtual nodes, you have quick provisioning of pods, and only pay per second
          for their execution time.
        - You don't need to wait for Kubernetes cluster autoscaler to deploy VM compute
          nodes to run the additional pods.
        suboptions:
          enabled:
            default: true
            description:
            - Whether the solution is enabled.
            type: bool
          subnet_resource_id:
            aliases:
            - SubnetName
            description:
            - Subnet associated to the cluster.
            required: true
            type: str
        type: dict
    type: dict

state:
    choices:
    - absent
    - present
    default: present
    description:
    - Assert the state of the AKS. Use C(present) to create or update an AKS and C(absent)
      to delete it.
    type: str

secret:
    description:
    - Azure client secret. Use when authenticating with a Service Principal.
    type: str

tenant:
    description:
    - Azure tenant ID. Use when authenticating with a Service Principal.
    type: str

ad_user:
    description:
    - Active Directory username. Use when authenticating with an Active Directory user
      rather than service principal.
    type: str

profile:
    description:
    - Security profile found in ~/.azure/credentials file.
    type: str

location:
    description:
    - Valid azure location. Defaults to location of the resource group.
    type: str

log_mode:
    description:
    - Parent argument.
    type: str

log_path:
    description:
    - Parent argument.
    type: str

password:
    description:
    - Active Directory user password. Use when authenticating with an Active Directory
      user rather than service principal.
    type: str

client_id:
    description:
    - Azure client ID. Use when authenticating with a Service Principal or Managed Identity
      (msi).
    - Can also be set via the C(AZURE_CLIENT_ID) environment variable.
    type: str

dns_prefix:
    description:
    - DNS prefix specified when creating the managed cluster.
    type: str

thumbprint:
    description:
    - The thumbprint of the private key specified in I(x509_certificate_path).
    - Use when authenticating with a Service Principal.
    - Required if I(x509_certificate_path) is defined.
    type: str
    version_added: 1.14.0
    version_added_collection: azure.azcollection

aad_profile:
    description:
    - Profile of Azure Active Directory configuration.
    suboptions:
      admin_group_object_ids:
        description:
        - AAD group object IDs that will have admin role of the cluster.
        elements: str
        type: list
      client_app_id:
        description: The client AAD application ID.
        type: str
      managed:
        default: false
        description:
        - Whether to enable managed AAD.
        type: bool
      server_app_id:
        description: The server AAD application ID.
        type: str
      server_app_secret:
        description: The server AAD application secret.
        type: str
      tenant_id:
        description:
        - The AAD tenant ID to use for authentication.
        - If not specified, will use the tenant of the deployment subscription.
        type: str
    type: dict

api_profile:
    default: latest
    description:
    - Selects an API profile to use when communicating with Azure services. Default value
      of C(latest) is appropriate for public clouds; future values will allow use with
      Azure Stack.
    type: str
    version_added: 0.0.1
    version_added_collection: azure.azcollection

append_tags:
    default: true
    description:
    - Use to control if tags field is canonical or just appends to existing tags.
    - When canonical, any tags not found in the tags parameter will be removed from the
      object's metadata.
    type: bool

auth_source:
    choices:
    - auto
    - cli
    - credential_file
    - env
    - msi
    default: auto
    description:
    - Controls the source of the credentials to use for authentication.
    - Can also be set via the C(ANSIBLE_AZURE_AUTH_SOURCE) environment variable.
    - When set to C(auto) (the default) the precedence is module parameters -> C(env)
      -> C(credential_file) -> C(cli).
    - When set to C(env), the credentials will be read from the environment variables.
    - When set to C(credential_file), it will read the profile from C(~/.azure/credentials).
    - When set to C(cli), the credentials will be sourced from the Azure CLI profile.
      C(subscription_id) or the environment variable C(AZURE_SUBSCRIPTION_ID) can be used
      to identify the subscription ID if more than one is present; otherwise the default
      az cli subscription is used.
    - When set to C(msi), the host machine must be an azure resource with an enabled MSI
      extension. C(subscription_id) or the environment variable C(AZURE_SUBSCRIPTION_ID)
      can be used to identify the subscription ID if the resource is granted access to
      more than one subscription, otherwise the first subscription is chosen.
    - The C(msi) was added in Ansible 2.6.
    type: str
    version_added: 0.0.1
    version_added_collection: azure.azcollection

enable_rbac:
    default: false
    description:
    - Enable RBAC.
    - Existing non-RBAC enabled AKS clusters cannot currently be updated for RBAC use.
    type: bool

linux_profile:
    description:
    - The Linux profile suboptions.
    - Optional, provide it if you need SSH access to the cluster nodes.
    suboptions:
      admin_username:
        description:
        - The Admin Username for the cluster.
        required: true
        type: str
      ssh_key:
        description:
        - The Public SSH Key used to access the cluster.
        required: true
        type: str
    type: dict

resource_group:
    description:
    - Name of a resource group where the managed Azure Container Services (AKS) exists
      or will be created.
    required: true
    type: str

network_profile:
    description:
    - Profile of network configuration.
    suboptions:
      dns_service_ip:
        description:
        - An IP address assigned to the Kubernetes DNS service.
        - It must be within the Kubernetes service address range specified in serviceCidr.
        type: str
      docker_bridge_cidr:
        description:
        - A CIDR notation IP range assigned to the Docker bridge network.
        - It must not overlap with any Subnet IP ranges or the Kubernetes service address
          range.
        type: str
      load_balancer_sku:
        choices:
        - standard
        - basic
        description:
        - The load balancer sku for the managed cluster.
        type: str
      network_plugin:
        choices:
        - azure
        - kubenet
        description:
        - Network plugin used for building Kubernetes network.
        - This property cannot be changed.
        - With C(kubenet), nodes get an IP address from the Azure virtual network subnet.
        - AKS features such as Virtual Nodes or network policies aren't supported with
          C(kubenet).
        - C(azure) enables Azure Container Networking Interface (CNI); every pod gets an
          IP address from the subnet and can be accessed directly.
        type: str
      network_policy:
        choices:
        - azure
        - calico
        description: Network policy used for building Kubernetes network.
        type: str
      outbound_type:
        choices:
        - loadBalancer
        - userDefinedRouting
        default: loadBalancer
        description:
        - How outbound traffic will be configured for a cluster.
        type: str
      pod_cidr:
        description:
        - A CIDR notation IP range from which to assign pod IPs when I(network_plugin=kubenet)
          is used.
        - It should be a large address space that isn't in use elsewhere in your network
          environment.
        - This address range must be large enough to accommodate the number of nodes that
          you expect to scale up to.
        type: str
      service_cidr:
        description:
        - A CIDR notation IP range from which to assign service cluster IPs.
        - It must not overlap with any Subnet IP ranges.
        - It should be the *.10 address of your service IP address range.
        type: str
    type: dict

subscription_id:
    description:
    - Your Azure subscription Id.
    type: str

cloud_environment:
    default: AzureCloud
    description:
    - For cloud environments other than the US public cloud, the environment name (as
      defined by Azure Python SDK, eg, C(AzureChinaCloud), C(AzureUSGovernment)), or a
      metadata discovery endpoint URL (required for Azure Stack). Can also be set via
      credential file profile or the C(AZURE_CLOUD_ENVIRONMENT) environment variable.
    type: str
    version_added: 0.0.1
    version_added_collection: azure.azcollection

service_principal:
    description:
    - The service principal suboptions. If not provided, the system-assigned managed
      identity is used.
    suboptions:
      client_id:
        description:
        - The ID for the Service Principal.
        required: true
        type: str
      client_secret:
        description:
        - The secret password associated with the service principal.
        type: str
    type: dict

adfs_authority_url:
    description:
    - Azure AD authority URL. Use when authenticating with username/password and you have
      your own ADFS authority.
    type: str
    version_added: 0.0.1
    version_added_collection: azure.azcollection

kubernetes_version:
    description:
    - Version of Kubernetes specified when creating the managed cluster.
    type: str

agent_pool_profiles:
    description:
    - The agent pool profile suboptions.
    elements: dict
    suboptions:
      availability_zones:
        choices:
        - 1
        - 2
        - 3
        description:
        - Availability zones for nodes. Must use VirtualMachineScaleSets AgentPoolType.
        elements: int
        type: list
      count:
        description:
        - Number of agents (VMs) to host docker containers.
        - Allowed values must be in the range of C(1) to C(100) (inclusive).
        required: true
        type: int
      dns_prefix:
        description:
        - DNS prefix specified when creating the managed cluster.
        type: str
      enable_auto_scaling:
        description:
        - To enable auto-scaling.
        type: bool
      max_count:
        description:
        - Maximum number of nodes for auto-scaling.
        - Required if I(enable_auto_scaling=True).
        type: int
      max_pods:
        description:
        - Maximum number of pods schedulable on nodes.
        type: int
      min_count:
        description:
        - Minimum number of nodes for auto-scaling.
        - Required if I(enable_auto_scaling=True).
        type: int
      mode:
        choices:
        - System
        - User
        description:
        - AgentPoolMode represents mode of an agent pool.
        - Possible values include C(System) and C(User).
        - System AgentPoolMode requires a minimum VM SKU of at least 2 vCPUs and 4 GB of memory.
        type: str
      name:
        description:
        - Unique name of the agent pool profile in the context of the subscription and
          resource group.
        required: true
        type: str
      node_labels:
        description:
        - Agent pool node labels to be persisted across all nodes in agent pool.
        type: dict
      orchestrator_version:
        description:
        - Version of kubernetes running on the node pool.
        type: str
      os_disk_size_gb:
        description:
        - Size of the OS disk.
        type: int
      os_type:
        choices:
        - Linux
        - Windows
        description:
        - The operating system type.
        type: str
      ports:
        description:
        - List of the agent pool's ports.
        elements: int
        type: list
      storage_profiles:
        choices:
        - StorageAccount
        - ManagedDisks
        description:
        - Storage profile specifies what kind of storage is used.
        type: str
      type:
        choices:
        - VirtualMachineScaleSets
        - AvailabilitySet
        description:
        - AgentPoolType represents types of an agent pool.
        - Possible values include C(VirtualMachineScaleSets) and C(AvailabilitySet).
        type: str
      vm_size:
        description:
        - The VM size of each of the agent pool VMs (e.g. C(Standard_F1) / C(Standard_D2v2)).
        required: true
        type: str
      vnet_subnet_id:
        description:
        - Specifies the VNet's subnet identifier.
        type: str
    type: list

node_resource_group:
    description:
    - Name of the resource group containing agent pool nodes.
    - Cannot be updated.
    type: str

cert_validation_mode:
    choices:
    - ignore
    - validate
    description:
    - Controls the certificate validation behavior for Azure endpoints. By default, all
      modules will validate the server certificate, but when an HTTPS proxy is in use,
      or against Azure Stack, it may be necessary to disable this behavior by passing
      C(ignore). Can also be set via credential file profile or the C(AZURE_CERT_VALIDATION)
      environment variable.
    type: str
    version_added: 0.0.1
    version_added_collection: azure.azcollection

pod_identity_profile:
    description:
    - Configure pod identities in the managed Kubernetes cluster.
    suboptions:
      allow_network_plugin_kubenet:
        description:
        - Whether to allow using the Kubenet network plugin with AAD Pod Identity.
        type: bool
      enabled:
        description:
        - Whether the pod identity addon is enabled.
        type: bool
      user_assigned_identities:
        description:
        - The pod identities to use in the cluster.
        elements: dict
        suboptions:
          binding_selector:
            description:
            - The binding selector to use for the AzureIdentityBinding resource.
            type: str
          identity:
            description:
            - The user assigned identity details.
            required: true
            suboptions:
              client_id:
                description:
                - The client ID of the user assigned identity.
                type: str
              object_id:
                description:
                - The object ID of the user assigned identity.
                type: str
              resource_id:
                description:
                - The resource ID of the user assigned identity.
                type: str
            type: dict
          name:
            description:
            - The name of the pod identity.
            required: true
            type: str
          namespace:
            description:
            - The namespace of the pod identity.
            required: true
            type: str
        type: list
    type: dict

x509_certificate_path:
    description:
    - Path to the X509 certificate used to create the service principal in PEM format.
    - The certificate must be appended to the private key.
    - Use when authenticating with a Service Principal.
    type: path
    version_added: 1.14.0
    version_added_collection: azure.azcollection

api_server_access_profile:
    description:
    - Profile of API Access configuration.
    suboptions:
      authorized_ip_ranges:
        description:
        - Authorized IP Ranges to kubernetes API server.
        - Cannot be enabled when using a private cluster.
        elements: str
        type: list
      enable_private_cluster:
        description:
        - Whether to create the cluster as a private cluster or not.
        - Cannot be changed for an existing cluster.
        type: bool
    type: dict

disable_instance_discovery:
    default: false
    description:
    - Determines whether or not instance discovery is performed when attempting to authenticate.
      Setting this to true will completely disable both instance discovery and authority
      validation. This functionality is intended for use in scenarios where the metadata
      endpoint cannot be reached such as in private clouds or Azure Stack. The process
      of instance discovery entails retrieving authority metadata from https://login.microsoft.com/
      to validate the authority. By setting this to **True**, the validation of the authority
      is disabled. As a result, it is crucial to ensure that the configured authority
      host is valid and trustworthy.
    - Set via credential file profile or the C(AZURE_DISABLE_INSTANCE_DISCOVERY) environment
      variable.
    type: bool
    version_added: 2.3.0
    version_added_collection: azure.azcollection
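As an added example (not part of the collection's own documentation), the task below combines the identity and API-access options described above into a cluster that keeps credentials out of the playbook: it omits service_principal so the module falls back to the system-assigned managed identity, turns on RBAC with managed AAD, and limits API server access to a single egress address. The variables aks_name, resource_group, aks_admin_group_object_id, ci_runner_public_ip and subnet_id are assumed to be defined elsewhere in the play.

```yaml
- name: Create a hardened AKS cluster (managed identity, managed AAD, RBAC, restricted API server)
  azure.azcollection.azure_rm_aks:
    name: "{{ aks_name }}"                         # assumed variable
    resource_group: "{{ resource_group }}"         # assumed variable
    location: eastus
    dns_prefix: "{{ aks_name }}"
    # No service_principal block: per the service_principal option, the module then
    # uses the system-assigned managed identity, so no client_secret is stored here.
    enable_rbac: true
    aad_profile:
      managed: true
      admin_group_object_ids:
        - "{{ aks_admin_group_object_id }}"        # assumed: object ID of the cluster-admins AAD group
    api_server_access_profile:
      enable_private_cluster: false                # authorized_ip_ranges cannot be combined with a private cluster
      authorized_ip_ranges:
        - "{{ ci_runner_public_ip }}/32"           # assumed: public egress IP of the automation host
    network_profile:
      network_plugin: azure                        # Azure CNI; required for network policies
      network_policy: calico
      load_balancer_sku: standard
      service_cidr: "10.41.0.0/16"
      dns_service_ip: "10.41.0.10"                 # must lie inside service_cidr
    agent_pool_profiles:
      - name: system
        mode: System                               # System pools need at least 2 vCPUs / 4 GB
        type: VirtualMachineScaleSets              # required for availability_zones
        vm_size: Standard_D2_v2
        count: 3
        availability_zones: [1, 2, 3]
        vnet_subnet_id: "{{ subnet_id }}"          # assumed: subnet ID in the cluster VNet
        enable_auto_scaling: true
        min_count: 3
        max_count: 6
    tags:
      Environment: Production
  # The returned state includes kube_config; keep it out of the job log.
  no_log: true
  register: aks

- name: Verify the cluster reached a succeeded provisioning state
  ansible.builtin.assert:
    that:
      - aks.state.provisioning_state == 'Succeeded'
```

no_log also suppresses the module's error text on failure, so drop it temporarily when debugging a failed run.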

Outputs

state:
  description: Current state of the Azure Container Service (AKS).
  example:
    agent_pool_profiles:
    - count: 1
      dns_prefix: null
      mode: System
      name: default
      node_labels:
        environment: dev
        release: stable
      os_disk_size_gb: null
      os_type: Linux
      ports: null
      storage_profile: ManagedDisks
      vm_size: Standard_B2s
      vnet_subnet_id: null
    changed: false
    dns_prefix: aks9860bdcd89
    id: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/myResourceGroup/providers/Microsoft.ContainerService/managedClusters/aks9860bdc
    kube_config:
    - '......'
    kubernetes_version: 1.14.6
    linux_profile:
      admin_username: azureuser
      ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADA.....
    location: eastus
    name: aks9860bdc
    pod_identity_profile:
      allow_network_plugin_kubenet: false
      user_assigned_identities:
      - binding_selector: test
        identity:
          client_id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
          object_id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
        name: fredtest
        namespace: fredtest
        provisioning_state: Updating
    provisioning_state: Succeeded
    service_principal_profile:
      client_id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    tags: {}
    type: Microsoft.ContainerService/ManagedClusters
  returned: always
  type: dict

See also